
Demystifying Debugging and Disassembling Applications


RSA Conference (#RSAC), session HTA-T10R
James Lyne, Global Head of Security Research, Sophos & SANS (@JamesLyne)
Stephen Sims, Security Researcher, SANS Institute (@Steph3nSims)

Part One: Introduction. Disassembly, Disassemblers, and Debuggers

Purpose (slide 3)
- Disassembly and debugging are used by application developers, security researchers, attackers, and malware analysts.
- Disassembly interprets machine code and maps it to its mnemonic representation so that static analysis can be performed.
- Debugging monitors application behavior in a controlled manner, with the ability to pause, patch, and examine the running program.
- Decompilation goes a step further, converting disassembly into source-like pseudocode (the original source is not recovered; names and types are reconstructed by the tool).
- Expertise in this area opens up new opportunities: security experts who are adept at reverse engineering are highly sought after, and exploit sales can quickly reach six figures.

Profiting (slide 4)
Exploit sales:
- Remote browser or document-based exploits can go for more than $10K USD.
- Remote Windows kernel bugs can go for more than $100K USD.
- Zerodium paid $1M USD to a group that disclosed an iOS remote jailbreak exploit.
Bounty examples:
- United Airlines will pay up to 1 million award miles for disclosures.
- Another program pays various amounts depending on the severity of the bug.
- Another pays up to $100K USD for exploitable bugs and exploit mitigation bypass techniques (these two programs were shown as logos and their names are not preserved in this transcription).
- An annual conference and challenge in Vancouver, Canada offers high-priced bounties.

Let's get right to it!

What is disassembly? (slide 5)

Tools for Disassembly (slide 6)
- IDA (Interactive Disassembler): commercial product from Hex-Rays with different pricing options; seen as the de facto tool for disassembly.
- radare2: open source reverse engineering framework; offers disassembly, debugging, and many other features.
- Many other tools are available, such as Hopper and vivisect.

What is Debugging? (slide 7)
Debugging allows us to:
- Validate and confirm findings made during reverse engineering and static analysis.
- Modify program flow and behavior.
- Set breakpoints at various locations within a program for analysis.
- Determine the exploitability of a potential vulnerability.
- Weaponize an exploit and validate that it works.
- Learn about application and OS changes made in relation to exploits.

Common Tools for Debugging (slide 8)
- WinDbg: an x86/x64 ring 0 and ring 3 debugger offered by Microsoft.
- Immunity Debugger: an x86 ring 3 debugger for Windows maintained by Immunity Security.
- A third x86 debugger for Windows (its name did not survive the transcription).
- GDB: an open source debugger for UNIX systems.
(The download URLs on this slide were lost in transcription.)

IDA (slide 9)
- Interactive Disassembler (IDA): Ilfak Guilfanov is founder/CEO, chief architect, and lead developer; IDA is currently maintained by Hex-Rays.
- The Hex-Rays Decompiler is also available, converting compiled C and C++ code back into C-like pseudocode.
- Recommended reading:

The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler, by Chris Eagle.

IDA Basics (slide 10)
- IDA is a recursive descent disassembler: a much more complex and effective approach than a linear sweep, which simply decodes bytes in address order.
- It can tell instructions from data, because it only decodes bytes that control flow can reach.
- It handles branches such as jumps and calls.
- Branch targets are deferred (queued for later decoding) rather than decoded inline, so both outcomes of a conditional branch are followed.
- Supports multiple debuggers and techniques, including WinDbg, GDB, and the Bochs emulator.
- Supports many processor architectures, including ARM, x86, AMD64 (x64), Motorola (68K family), and many more.
- Offers many different graphical and structural views of disassembled code.
- Reads symbol libraries.

Conditions (slide 11)
- Jump on Zero (JZ) and similar conditional instructions have two successors in IDA's graph view: green arrow = jump taken, red arrow = jump not taken (fall-through).

Introduction to IDA Demonstration (slide 12)
- Understanding the basic features of IDA.

Scripting with IDA (slide 13)
- IDA Scripting Language (IDC): proprietary C-like language to interact with the IDA SDK.
- IDAPython: plugin allowing Python scripting; led by Gergely Erdelyi and available as open source. An easy interface to the IDA SDK and easy to use!
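To make the recursive-descent idea from the IDA Basics and Conditions slides concrete, here is a toy disassembler written for this page as an added example (it is not IDA's code and not the presenters'). It implements a small, hand-picked subset of 32-bit x86 (push/pop ebp, mov eax imm32, nop, int3, leave, ret, rel8/rel32 jmp, jz/jnz, call) and compares a linear sweep with recursive descent on a constructed byte buffer that hides a data blob behind an unconditional jmp. The linear sweep decodes the data as instructions and desynchronizes; recursive descent follows control flow, defers both edges of the jz onto a work list, and never touches the data. The opcode tables, the byte buffer and all addresses are assumptions made for the example.

```python
"""Toy recursive-descent vs linear-sweep disassembler (added example, not IDA code).

Assumptions: a hand-picked subset of real 32-bit x86 encodings, and a constructed
byte buffer; anything outside the tables below is treated as unknown/data.
"""
import struct
from collections import deque

# Single-byte instructions: opcode -> (mnemonic, falls through to next instruction)
SINGLE = {
    0x90: ("nop", True), 0x55: ("push ebp", True), 0x5D: ("pop ebp", True),
    0xC9: ("leave", True), 0xCC: ("int3", True), 0xC3: ("ret", False),
}
# Relative branches: opcode -> (mnemonic, displacement size, falls through)
# jz/jnz fall through when not taken; call returns, so it also falls through.
BRANCH = {
    0xEB: ("jmp", 1, False), 0x74: ("jz", 1, True), 0x75: ("jnz", 1, True),
    0xE9: ("jmp", 4, False), 0xE8: ("call", 4, True),
}


def decode(code, off):
    """Decode one instruction at off.

    Returns (length, text, branch_targets, falls_through); raises ValueError
    on an unknown opcode or a truncated encoding.
    """
    op = code[off]
    if op in SINGLE:
        text, falls = SINGLE[op]
        return 1, text, [], falls
    if op in BRANCH:
        name, size, falls = BRANCH[op]
        length = 1 + size
        if off + length > len(code):
            raise ValueError(f"truncated instruction at 0x{off:x}")
        rel = struct.unpack_from("<b" if size == 1 else "<i", code, off + 1)[0]
        target = off + length + rel            # displacement is relative to the next instruction
        return length, f"{name} 0x{target:x}", [target], falls
    if op == 0xB8:                             # mov eax, imm32
        if off + 5 > len(code):
            raise ValueError(f"truncated instruction at 0x{off:x}")
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, f"mov eax, 0x{imm:x}", [], True
    raise ValueError(f"unknown opcode 0x{op:02x} at 0x{off:x}")


def linear_sweep(code):
    """objdump-style: decode every byte in address order, ignoring control flow."""
    listing, off = {}, 0
    while off < len(code):
        try:
            length, text, _, _ = decode(code, off)
        except ValueError:
            length, text = 1, f"db 0x{code[off]:02x}"
        listing[off] = text
        off += length
    return listing


def recursive_descent(code, entry=0):
    """IDA-style: start at the entry point and decode only what control flow can reach.

    Branch targets are deferred onto a work list instead of being decoded inline,
    so both edges of a conditional jump (taken and fall-through) are explored.
    """
    listing, work, seen = {}, deque([entry]), set()
    while work:
        off = work.popleft()
        if off in seen or not 0 <= off < len(code):
            continue
        seen.add(off)
        try:
            length, text, targets, falls = decode(code, off)
        except ValueError as exc:
            listing[off] = f"<undecodable: {exc}>"
            continue                           # this path ends; queued paths continue
        listing[off] = text
        work.extend(targets)                   # deferred: the "green arrow" edge(s)
        if falls:
            work.append(off + length)          # the "red arrow" / fall-through edge
    return listing


def successors(code, off):
    """The edges IDA draws from an instruction: taken (green) and fall-through (red)."""
    length, _, targets, falls = decode(code, off)
    return {"taken": targets, "fallthrough": off + length if falls else None}


# Constructed sample: a function that jumps over an embedded data blob.
CODE = bytes([
    0x55,                                # 0x00  push ebp
    0xB8, 0x01, 0x00, 0x00, 0x00,        # 0x01  mov eax, 1
    0x74, 0x08,                          # 0x06  jz  0x10
    0xEB, 0x06,                          # 0x08  jmp 0x10
    0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0xE9,  # 0x0a  data, never executed (ends in an E9 byte)
    0xB8, 0x02, 0x00, 0x00, 0x00,        # 0x10  mov eax, 2
    0x5D,                                # 0x15  pop ebp
    0xC3,                                # 0x16  ret
])

if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(CODE)),
                           ("recursive descent", recursive_descent(CODE))):
        print(f"--- {title}")
        for off in sorted(listing):
            print(f"  0x{off:02x}: {listing[off]}")
```

Running it shows the failure mode the slide alludes to: the sweep emits `db` bytes for the blob, then swallows the real `mov eax, 2` at 0x10 as the displacement of a bogus `jmp` starting at the stray 0xE9, while recursive descent lists exactly the seven reachable instructions and reports the two edges of the `jz`.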
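A script of the kind the IDAPython bullet above and the slide 14 demonstration ("locate banned functions in a program") describe, written for this page as an added example (it is not the presenters' script): it walks the import table, collects cross-references to each import, and reports every call site of a banned C runtime function such as strcpy, sprintf or gets. The banned list is an assumed subset of Microsoft's SDL banned-function list; the IDA calls assume the IDAPython 7.x API (idaapi.get_import_module_qty, idaapi.enum_import_names, idautils.XrefsTo, idc.get_func_name); and SAMPLE_XREFS is constructed data so the matching logic can be run and checked outside IDA.

```python
"""Locate callers of banned C runtime functions (added example, not the presenters' script).

The IDA glue below assumes the IDAPython 7.x API. The matching logic works on plain
Python data so it can be exercised outside IDA on a constructed import map.
"""

# Assumed subset of the Microsoft SDL "banned" CRT functions.
BANNED = {
    "strcpy", "strcat", "sprintf", "vsprintf", "gets", "strncpy", "strncat",
    "lstrcpy", "lstrcat", "wcscpy", "wcscat", "scanf", "sscanf", "memcpy",
}


def normalize_import_name(name, banned=BANNED):
    """Map an import symbol to its C name: '__imp__lstrcpyA' -> 'lstrcpy'."""
    if name.startswith("__imp_"):
        name = name[len("__imp_"):]
    name = name.lstrip("_")                 # MSVC cdecl decoration
    if name[-1:] in ("A", "W") and name[:-1].lower() in banned:
        name = name[:-1]                    # ANSI/Unicode variants of Win32 string APIs
    return name.lower()


def find_banned(import_xrefs, banned=BANNED):
    """import_xrefs: {import_symbol: [(caller_ea, caller_function_name), ...]}.

    Returns a list of (caller_ea, caller_function_name, banned_name) sorted by
    address, one entry per call site, so each hit can be opened in IDA and reviewed.
    """
    hits = []
    for symbol, callers in import_xrefs.items():
        base = normalize_import_name(symbol, banned)
        if base in banned:
            hits.extend((ea, func, base) for ea, func in callers)
    return sorted(hits)


def collect_import_xrefs_ida():
    """IDA glue: walk every import module and gather the xrefs to each import.

    Only runs inside IDA; outside IDA the import fails and the caller falls back
    to the constructed sample below. Both code and data references are kept,
    because an indirect `call ds:__imp_x` may be recorded as a read of the IAT slot.
    """
    import idaapi, idautils, idc   # assumed IDAPython 7.x modules
    xrefs = {}

    def on_import(ea, name, ordinal):
        if name:
            xrefs[name] = [
                (x.frm, idc.get_func_name(x.frm) or "<no function>")
                for x in idautils.XrefsTo(ea, 0)
            ]
        return True                          # keep enumerating

    for module in range(idaapi.get_import_module_qty()):
        idaapi.enum_import_names(module, on_import)
    return xrefs


# Constructed sample, as if collected from a small Win32 binary (addresses are made up).
SAMPLE_XREFS = {
    "__imp__strcpy":   [(0x401020, "copy_user_name"), (0x401188, "build_path")],
    "__imp__lstrcpyA": [(0x4012F0, "log_event")],
    "__imp__printf":   [(0x401050, "main")],
    "__imp__memcpy":   [(0x4013A0, "parse_packet")],
}

if __name__ == "__main__":
    try:
        xrefs = collect_import_xrefs_ida()      # inside IDA: the real import table
    except ImportError:
        xrefs = SAMPLE_XREFS                    # outside IDA: the constructed sample
    for ea, func, banned_name in find_banned(xrefs):
        print(f"0x{ea:08x} {func}: calls {banned_name}")
```

Inside IDA, load the script with File > Script file; each reported address is a call site to triage by hand, since a banned function is only a finding once the length of the destination buffer cannot be shown to bound the copy.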

- IDA plugins: compiled C++ programs that perform actions using the IDA APIs and allow you to greatly expand IDA's capabilities.

IDAPython Demonstration (slide 14)
- Using IDAPython to locate banned functions in a program.

Part Two: Patch Reversing. Discovering 1-Day Exploits

Patch Diffing and Reverse Engineering (slide 16)
What are 1-day exploits?
- Many researchers and attackers download security patches as soon as they become available.
- Quick bug discovery can lead to exploit development and a large return on investment.
- Microsoft started Patch Tuesday in the early 2000s; it serves as a way for Windows administrators to prepare for updates.
- Microsoft seems to be heading toward mandatory updates: cumulative patches began in October 2016, and Windows 10 is delivered as Windows as a Service (WaaS).

(slide 17)
- In the past, to obtain security patches you could simply visit Microsoft TechNet, choose the desired patch, download it, and grab the prior update for comparison.
- (Screenshot labels: "Download the new patch here", "Download the old patch here".)

Cumulative Updates (slide 18)
- Now patches are rolled up for the entire year and the files are very large.

PatchExtract & PatchClean (slide 19)
- Making sense of the way Microsoft is forcing cumulative updates can be a challenge.
- Greg Linares (@Laughing_Mantis)

wrote tools to help make sense of the cumulative patches:
- PatchExtract extracts all updates from a cumulative update and organizes them.
- PatchClean moves any file older than a month into a subdirectory, so you can focus on recently changed files.
- Mapping updated files to their Knowledge Base (KB) number is still a manual process.

PatchExtract Demonstration (slide 20)
- Extracting the patches from the February 2017 Patch Tuesday update.

Reversing Patches to Find Vulnerabilities (slide 21)
Reversing patches can help a researcher in various ways:
- Quick discovery and weaponization of a vulnerability patched in a driver or DLL can be extremely lucrative, as many organizations fail to patch in a timely manner.
- Understanding how vulnerabilities are fixed can help with 0-day vulnerability discovery.
- Using tools to identify the changes between two versions of the same file can greatly decrease analysis time.
- Many tools are available to help.

Patch Diffing Tools (slide 22)
The following is a list of well-known binary diffing tools:
- Zynamics/Google's BinDiff: free as of March 18, 2016!

- Core Security's turbodiff: free.
- DarunGrim4 by Jeongwook Oh: free.
- patchdiff2 by Nicolas Pouvesle: free.
- Diaphora by Joxean Koret.
- There are more; each uses different techniques and heuristics to identify changes.

Patch Reversing Demonstration (slide 23)
- Reverse engineering a Microsoft security update to locate a vulnerability.

Part Three: Ring 0 Debugging. Debugging Drivers and the Windows Kernel

The Windows Kernel (slide 25)
- The modern Windows kernel is very complex and requires intermediate to advanced debugging experience, preferably with low-level programming experience.
- The majority of the native services and underlying functionality is undocumented. You know you're onto something when you Google a symbol and get 0 hits!
- Much of the kernel is documented in the underground.
- Most operating systems use only two of the processor's privilege levels: Ring 0 (kernel) and Ring 3 (user).

Windows Internals in One Slide (slide 26)
- To gain proficiency with the Windows kernel and OS internals you would need to spend countless months studying and reversing.
- A quick list of some key items you'd need to ramp up on quickly:

  - Kernel executive, Security Reference Monitor (SRM), subsystems, system calls, kernel objects
  - Kernel structures such as EPROCESS, KPROCESS, ETHREAD, KTHREAD, TLS, KPRCB, KPCR
  - The Hardware Abstraction Layer (HAL)
  - Mutexes and spinlocks
  - Driver behavior (IOCTLs, IRPs, the bus)

Methods for Windows Kernel Debugging (slide 27)
- VirtualKD by SysProgs: a powerful tool to improve and simplify kernel debugging on Windows; works with virtualization applications such as VMware.
- Cable-based kernel debugging: Ethernet, null modem (serial), IEEE 1394 (FireWire), USB.
- Local debugging.

Attacking the Kernel (slide 28)

Exploit Mitigations (slide 29)
- Historically, user mode has seen more advances in exploit mitigations; however, the kernel has become much more hardened.
- Examples of modern mitigations:
  - Control Flow Guard (CFG): validates the targets of indirect calls, raising the bar for Return Oriented Programming (ROP) and other control-flow hijacks (it does not check return addresses, so a ROP chain entered through a corrupted stack is not stopped by CFG alone).
  - Browser-specific controls: MemGC and isolated heaps, aimed at stopping Use After Free (UAF) exploitation.
  - Kernel-specific controls: guard pages, kernel pool cookies, NULL pointer dereference protection.
  - Proposed mitigations: shadow stacks and Control Flow Integrity (CFI).
  - Oldies but goodies: ASLR, DEP, stack canaries, safe unlinking, the Low Fragmentation Heap (LFH), and EMET (which Microsoft is retiring in 2018).

Kernel Debugging Demonstration (slide 30)
- Connecting to the Windows kernel using VMware and VirtualKD.

How to Apply Today's Subject Matter (slide 31)
When returning to work:

- Audit the patch management program in your organization and ensure critical patches are quickly and safely applied. This applies to non-Microsoft products as well, which are often harder to manage in terms of patch awareness.
- Identify members of your security staff who have skills in reverse engineering and debugging; understand how they currently use these skills and look for opportunities for improvement.
- Inform others of the risks of delaying security updates; demonstrations can greatly help to gain support.

Questions? (slide 32)
Thank you!
James Lyne, @JamesLyne
Stephen Sims, @Steph3nSims
