Malware/Dynamic analysis

From CSRRT-LU

For dynamic analysis the foreign binary is actually executed, rather than only inspected on disk.

First tests with IDA Pro

The sample C program listed below is compiled and linked with gcc. In a next step it is stripped of its symbols. Finally it is opened in IDA Pro.

Example

The program asks the user for a password and then checks it. If the password is correct it prints that the password is correct and creates a file on disk.

#include <stdio.h>
#include <string.h>   /* strncmp */
#define PASSLEN 10
int main(void){
 char password[PASSLEN];
 FILE* fp;
 
 printf("Enter your password\n");
 fread(password,PASSLEN, 1, stdin);    /* read exactly PASSLEN bytes from stdin */
 password[PASSLEN-1]='\0';             /* make sure the buffer is terminated */
 if (strncmp(password,"gerardwag",PASSLEN) == 0){
   printf("Password == ok\n");
   fp = fopen("test.txt","w");          /* visible side effect on disk */
   if (fp != NULL){
     fwrite("I was here\n",11,1,fp);
     fclose(fp);                        /* fclose, not close: fp is a FILE*, not a descriptor */
   }
 } else{
   printf("password != ok\n");
 }

 return 0;

}

The stripped binary is disassembled with IDA Pro. The listing below shows the interesting part. The goal of this trial is to impose or modify some conditions during execution. Suppose we do not know the password. We set a breakpoint just before the test eax, eax instruction. The strncmp function called before it compares the two strings, finds that they do not match, and stores its result in the eax register. Right after the strncmp call we manually set eax to 0, which means that the two strings match. Then we continue the program. The result is that the program shows the behaviour it has when the password is correct.

.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;      This file is generated by The Interactive Disassembler (IDA)        
.text:00401000 ;      Copyright (c) 2006 by DataRescue sa/nv, <ida@datarescue.com>        
.text:00401000 ;                            Evaluation version                            
.text:00401000 ; +-------------------------------------------------------------------------+
...
.text:00401383                 push    eax             ; char *
.text:00401384                 call    strncmp
.text:00401389                 add     esp, 10h
.text:0040138C                 test    eax, eax
.text:0040138E                 jnz     short loc_4013E5
.text:00401390                 sub     esp, 0Ch
.text:00401393                 push    offset aPasswordOk ; "Password == ok\n"
.text:00401398                 call    printf
...

TODO

  • execute IDA Pro via external programs.
  • test other cases! Here only the return value has been modified
  • extract other useful techniques and information from this example
  • how can parameters of a function be modified? (or the stack)
  • interpret calls -> when does the hard disk (image) need to be scanned to detect changes? (fprintf, ...)
  • tests with win32 programs -> how do win32 programs work?