From Collaborative RCE Knowledge Library

Anti Reversing Articles


Item name: Manual binary mangling with radare
Rating: 4.0 (1 vote)
Author: pancake                        
Home URL: http://rada.re/
Last updated: November 6, 2009
Version (if appl.):
Direct D/L link: http://phrack.org/issues/66/14.html
Description: 1 - Introduction
1.1 - The framework
1.2 - First steps
1.3 - Base conversions
1.4 - The target

2 - Injecting code in ELF
2.1 - Resolving register based branches
2.2 - Resizing data section
2.3 - Basics on code injection
2.4 - Mmap trampoline
2.4.1 - Call trampoline
2.4.2 - Extending trampolines

3 - Protections and manipulations
3.1 - Trashing the ELF header
3.2 - Source level watermarks
3.3 - Ciphering .data section
3.4 - Finding differences in binaries
3.5 - Removing library dependencies
3.6 - Syscall obfuscation
3.7 - Replacing library symbols
3.8 - Checksumming

4 - Playing with code references
4.1 - Finding xrefs
4.2 - Blind code references
4.3 - Graphing xrefs
4.4 - Randomizing xrefs

5 - Conclusion
6 - Future work
7 - References
8 - Greetings

"Reverse engineering is something usually related to w32 environments where
there is a lot of non-free software and where the use of protections is more
extended to enforce evaluation time periods or protect intellectual (?)
property, using binary packing and code obfuscation techniques.

These kinds of protections are also used by viruses and worms to evade
anti-virus engines in order to detect sandboxes. This makes reverse
engineering a double-edged sword..."
Also listed in: Linux Anti Reversing Articles, Linux ELF Articles, Linux Internals Articles, Linux Protection Technique Articles, Linux Tool Articles



Item name: Silver Needle in the Skype
Rating: 4.0 (1 vote)
Author: Philippe Biondi, Fabrice Desclaux                        
Home URL: http://www.secdev.org
Last updated: March 2, 2006
Version (if appl.):
Direct D/L link: http://www.secdev.org/conf/skype_BHEU06.pdf
Description: Philippe Biondi and Fabrice Desclaux from EADS completely reversed Skype.
In three steps (binary analysis, network analysis, advanced Skype manipulation) they show you the beast and how cleverly it was designed. But it also shows the negative points: a security policy with Skype is nearly impossible, it can be exploited as a botnet, and it is very difficult to monitor its traffic in order to tell the bad from the rest. A must read.
Also listed in: Generic Anti Reversing Articles, Generic Protection Technique Articles, Generic Unpacking Articles



Item name: Anti-Anti Dump and Nonintrusive Tracers
Rating: 0.0 (0 votes)
Author: deroko                        
Home URL: http://www.accessroot.com/
Last updated:
Version (if appl.):
Direct D/L link: http://185.62.190.110/accessroot/arteam/site/download.php?view.10
Description: "A novel method to manage new anti-dump buffer-based protections used by latest protectors as AsProtect SKE, Armadillo etc (sources included)"
Also listed in: Windows Anti Reversing Articles, Windows Internals Articles, Windows Unpacking Articles



Item name: Beginners Guide to Basic Linux Anti Anti Debugging Techniques
Rating: 0.0 (0 votes)
Author: M. Schallner                        
Home URL: http://home.pages.at/f001/
Last updated: May 2006
Version (if appl.):
Direct D/L link: http://www.codebreakers-journal.com/downloads/cbj/2006/CBM_3_1_2006_Schallner_Beginners_Guide_to_Basic_Linux_Anti_Anti_Debugging_Techniques.pdf
Description: This article from CodeBreaker's Journal is inspired by _mammon's tales and Silvio Cesare's work.

"Anti-debugging techniques are a common method for protecting software applications. Meanwhile, since such kinds of protection tricks are often used, several approaches work against such kinds of protection. One known method is anti-anti tricks, which circumvent the mentioned protection schemes. This paper confines itself to techniques and methods used for Linux platform applications, especially dealing with the operating platform's specific tools."
Also listed in: Linux Anti Reversing Articles, Linux Protection Technique Articles, Linux Unpacking Articles



Item name: Code Obfuscation and Malware Detection by Abstract Interpretation
Rating: 0.0 (0 votes)
Author: Mila Dalla Preda                        
Home URL: http://profs.sci.univr.it/~dallapre/
Last updated: February 2007
Version (if appl.):
Direct D/L link: http://profs.sci.univr.it/~dallapre/MilaDallaPreda_PhD.pdf
Description: This Ph.D. thesis deals with code obfuscation and malware detection through a formal approach based on program semantics and abstract interpretation.
Also listed in: Generic Anti Reversing Articles, Generic Malware Analysis Articles



Item name: Cryptexec: next-generation runtime binary encryption
Rating: 0.0 (0 votes)
Author: Zeljko Vrba                        
Home URL: http://www.phrack.org
Last updated: 2005
Version (if appl.):
Direct D/L link: http://phrack.org/issues/63/13.html#article
Description: 1 Introduction
2 OS- and hardware-assisted tracing
3 Userland tracing
3.1 Provided API
3.2 High-level description
3.3 Actual usage example
3.4 XDE bug
3.5 Limitations
3.6 Porting considerations
4 Further ideas
5 Related work
5.1 ELFsh
5.2 Shiva
5.3 Burneye
5.4 Conclusion
6 References
7 Credits
A Appendix: source code
A.1 crypt_exec.S
A.2 cryptfile.c
A.3 test2.c

"What is binary encryption and why encrypt at all? For the answer to
this question the reader is referred to Phrack #58 [1] and the article
therein titled "Runtime binary encryption". This article describes a
method to control the target program that does not rely on
any assistance from the OS kernel or processor hardware. The method
is implemented in x86-32 GNU AS (AT&T syntax). Once the controlling
method is devised, it is relatively trivial to include on-the-fly
code decryption."
Also listed in: Linux Anti Reversing Articles, Linux ELF Articles, Linux Internals Articles



Item name: DEX EDUCATION 201 ANTI-EMULATION
Rating: 0.0 (0 votes)
Author: Tim Strazzere                        
Home URL: N/A
Last updated:
Version (if appl.):
Direct D/L link: http://hitcon.org/2013/download/Tim%20Strazzere%20-%20DexEducation.pdf
Description: This is a continuation of http://www.woodmann.com/collaborative/knowledge/index.php/Dex_Education:_Practicing_Safe_Dex
The previous article is about anti-reversing against some of the Android malware analysis tools.
This paper is about anti-emulation for Android.
Also listed in: Android Anti Reversing Articles



Item name: Dex Education: Practicing Safe Dex
Rating: 0.0 (0 votes)
Author: Tim Strazzere                        
Home URL: N/A
Last updated:
Version (if appl.):
Direct D/L link: http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
Description: This is probably the first public publication in which Tim deconstructs some of the intricacies of the dex file format and analyzes how some of the Android tools parse and manage the dex format. Along the way he observed a number of easily exploitable pieces of functionality, documenting specifically why they fail and how to fix them. A proof-of-concept tool, APKfuscator, shows how to exploit these flaws.
It introduces some of the basic anti-reversing techniques directed against the Android tools that malware analysts use to analyse Android malware.

You can find his POC here.
https://github.com/strazzere/APKfuscator

Also listed in: Android Anti Reversing Articles



Item name: Infecting the Mach-O object format
Rating: 0.0 (0 votes)
Author: Neil Archibald                        
Home URL: http://www.suresec.com
Last updated: April 8, 2007
Version (if appl.):
Direct D/L link: http://felinemenace.org/~nemo/slides/mach-o_infection.ppt
Description: Disclaimer: This document is NOT intended to be a HOW-TO guide for Apple virus writers, but rather explore the Mach-o format and illustrate some ways in which infection can occur.

Through these slides Neil Archibald (felinemenace.org) invites you into the Mach-O file format, and covers native OS anti-debugging techniques and universal binaries.
Also listed in: Mac OS Anti Reversing Articles, Mac OS Internals Articles, Mac OS Malware Analysis Articles



Item name: Linux anti-debugging techniques (fooling the debugger)
Rating: 0.0 (0 votes)
Author: Silvio Cesare                        
Home URL: http://virus.beergrave.net
Last updated: January 1999
Version (if appl.):
Direct D/L link: http://www.phiral.net/other/linux-anti-debugging.txt
Description: TABLE OF CONTENTS
-----------------

INTRODUCTION
FALSE DISASSEMBLY
DETECTING BREAKPOINTS
SETTING UP FALSE BREAKPOINTS
DETECTING DEBUGGING


"This article describes anti-debugger techniques for x86/Linux (though some of
these techniques are not x86 specific). That is, techniques to either fool,
stop, or modify the process of debugging the target program. This can be
useful to the development of viruses and also to those implementing software
protection."
Also listed in: Linux Anti Reversing Articles, Linux Unpacking Articles



Item name: The "Ultimate" anti debugging reference
Rating: 0.0 (0 votes)
Author: Peter Ferrie                        
Home URL: http://pferrie.host22.com
Last updated: 2004
Version (if appl.):
Direct D/L link: http://pferrie.host22.com/papers/antidebug.pdf
Description: A debugger is probably the most commonly used tool when reverse-engineering (a disassembler tool such as the Interactive DisAssembler (IDA) being the next most common). As a result, anti-debugging tricks are probably the most common feature of code intended to interfere with reverse-engineering (with anti-disassembly constructs being the next most common). These tricks can simply detect the presence of the debugger, disable the debugger, escape from the control of the debugger, or even exploit a vulnerability in the debugger. The presence of a debugger can be inferred indirectly, or a specific debugger can be detected. Disabling or escaping from the control of the debugger can be achieved in both generic and specific ways.

What follows is a selection of the known techniques used to detect the presence of a debugger, and in some cases, the defences against them.
Also listed in: Windows Anti Reversing Articles, Windows Protection Technique Articles