Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
46
-
Upload
area41 -
Category
Technology
-
view
254 -
download
1
description
Visual Basic P-code executables have been a pain for a digital eternity and even up until today reverse engineers did not come up with a helpful painkiller. So 15 years after the era of VB6 we present a tool that fully subverts the VB6 virtual machine, thus intercepting and instrumenting the VB P-code in real time. Through dynamic analysis we show that our tool aims at intercepting relevant information at runtime, such as plaintext strings in memory, and which APIs were called. Even more, with our tool an analyst could instrument the execution of byte code on-the-fly, allowing modification of the virtual machine state during execution. With this fancy gadget it is possible to ease an analyst's life significantly. Having described all ins and outs of our tool we will demonstrate various possible use cases, concluding our talk by the profit gain for researchers, what we got from it, and possible future use-cases. Jurriaan is a freelance security researcher and software developer from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan occasionally plays so-called Capture The Flag games as a member of Eindbazen CTF Team, he’s a member of The Honeynet Project, and he’s also one of the Core Developers of Cuckoo Sandbox. Marion Marschalek is a malware researcher at is a malware researcher at Cyphort Inc. based in Santa Clara. Marion is working as malware analyst and in incident response, but has also done research in the area of automated malware analysis and vulnerability search. Besides that she teaches basics of malware analysis at University of Applied Sciences St. Pölten. Marion has spoken at international hacker conferences such as Defcon Las Vegas and POC Seoul. In March 2013 she won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake. "
Transcript of Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
The Disease
Your Researchers Today
Jurriaan BremerCuckoo Sandbox, Freelancer
Marion MarschalekCyphort Inc.
Back in
time...
Visual Basic 6.0
Microsoft, 1998
Object-based / event-driven
Rapid Application Development
Replaced by VB .NET in 2002
End of support in 2008
Google agrees.
2000: Pikachu Worm
• pikachupokemon.exe – „Pikachu is your friend!“
• Modifies AUTOEXEC.BAT
to remove C:\WINDOWS and
C:\WINDOBadWS\system32
• Bad coding...
2005: Kelvir Worm
• Spreads through MSN Messenger by
„lol! see it! u'll like it” message
• Message points to omg.pif on
home.earthlink.net
• Spreads further & downloads
and executes other malware
2009: Changeup Worm
• Polymorphic
• Spreads through removable media and shared
folders by 'LNK/PIF' Files
Automatic File Execution
Vulnerability
• Downloads other malware
So.. why are we here?
VB6 IS NOT DEAD
VB6 101
1991: Visual Basic born
1998: Visual Basic 5.0/6.0 p-code and native code
2002: VB.NET and MSIL byte code
NATIVE CODE
PSEUDO CODE
P-Code Translation
P-code mnemonics
interpreted
by msvbvm60.dll
handler13:ExitProcHresult...
handler14:ExitProc...
handler15:ExitProcI2...
... FC C8 13 76 ...
ProcCallEngine Jumptables
Instruction Handler
pushes integer onto the stack
Instruction Handler
pushes integer onto the stack
Instruction Handler
pushes integer onto the stack
Hello World!
Hello World!
Hello World!
Ou lá lá... HELLOU WORLD ^^
Classical Analysis Approaches
DONT WORK.
Existing VB Stuff
•VB Decompiler
•Tequila Debugger
•IDA Scripts
•Peter Ferrie, Masaki Suenaga
Most Advanced Sophisticated Private Cloud-based Big Data Intelligence Cyber
Solution! (tm)
MASPCbBDICS FAIL COMPILATION
Everything that didnt work...
DYNAMIC
ANALYSIS
DECOMPILATION
ADVANCEDSTATIC
ANALYSIS
DEBUGGING
DEBUGGING
DEBUGGING
V00D00 MAGIX
Most Advanced Sophisticated Private Cloud-based Big Data Intelligence
Cyber Solution
See which instructions are executed.
Monitor interesting events as they happen.
Inspect referenced strings, memory, and x86 code.
VB6 Instrumentation
Patch the 6 jumptables!
GenericInstrument everything
Capture everythingCreate Statistics
SpecificImplementing specific instruction handlers
“OpenFile” - filename
Patching A Function HandlerPatch original address with our custom assembly stub
1. Store current register / stack state
2. Call custom instruction handler
3. Pass registers as parameters
4. Do STUFF
5. Restore original state
Jump to original function handler.
Life goes on.
Tailored Reporting For VB6
Custom printf()
•BSTR unicode string with its size prepended
•VARIANT generic wrapper around int, str, etc.
Custom hexdump() to aid debugging
Slightly modified Cuckoo Sandbox
Execute the sample with our custom DLL
Cuckoofy It
VB6 ANALYSISObfuscation and garbage
Anti-X features
Three ways to call external functions
The Somewhat Peculiar Results aka. Disease
Import Address Table (IAT)Only legitimate VB6 VM methods
Dynamically Resolved FunctionsVB6 feature: DllFunctionCall
Runtime decryption of API names
WesumeThread, ZwWriteQirtualMemory,
TetExitCodeThread
Execute native x86
x86 to call CreateThread()
other x86 code in a new thread
The Yet To Be Identified Infamous Anti-Cuckoo Feature (c)
Thank You!
Project @ https://github.com/jbremer/vb6tracer
