During a forensics investigation it is sometimes necessary to reverse engineer a suspicious piece of code. This section is a dive into reverse engineering.
| Library | Common use |
|---|---|
| kernel32.dll, advapi32.dll, ntdll.dll | These three libraries are used to communicate with the kernel and for basic functions like opening files, creating processes, manipulating hardware, etc. advapi32.dll is for advanced functionality like the registry and the service manager. ntdll.dll is pretty much the same as kernel32.dll (since the latter uses the former in its imports) but more low-level and advanced. It is rarely imported directly; usually kernel32.dll imports it. A direct import of ntdll.dll may be an indicator of hidden functionality. |
| user32.dll, gdi32.dll | These are for the GUI. user32.dll is for buttons and similar controls, while gdi32.dll is for general graphics settings. |
| wsock32.dll, ws2_32.dll, wininet.dll | wsock32.dll and ws2_32.dll are for general networking functionality like opening sockets, while wininet.dll is more high-level (FTP, HTTP, NTP protocols, etc.). |
Function name suffixes also carry information:

- A or W: the function accepts an ASCII or a wide-character string as its argument, respectively.
- Ex or even ExEx: Windows has released a new version of the function that is not compatible with the old one. Since the old version must still be supported for existing programs, the new one gets a suffix instead of replacing it.
There are several indicators that an executable is packed. Here they are (this list will grow as I encounter new indicators):

- Imports reduced to little more than GetProcAddress and/or LoadLibrary, which the unpacking stub uses to resolve the real imports at run time.

A piece of software cannot just run packed (what a challenging world that would be!). The thing is that whatever the packing algorithm is, however complex it might be, the real code needs to be unpacked into memory first. So, even with the most sophisticated protection techniques, it all really comes down to waiting for the executable to get unpacked into memory, from where it can be gently and dearly dumped, like a hive from a tree full of hungry and pretty aggressive wild bees, with a big and heavy bat. We might want to do some minor other stuff afterwards, but let's leave it for now.
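The import-table checks described above (the library roles from the table, the A/W and Ex suffixes, and the GetProcAddress/LoadLibrary packing indicator) can be folded into one triage pass. The script below is an added example, not code from the original post: it runs over constructed import listings embedded in the script (as a tool such as a PE dumper would list them) rather than parsing a real binary, and `SAMPLE_IMPORTS`, `LIBRARY_ROLES`, `NETWORK_LIBS` and the `packed_threshold` value are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample import tables (DLL name -> imported functions).
# These are made up for the example and do not come from real binaries.
SAMPLE_IMPORTS = {
    "normal.exe": {
        "KERNEL32.dll": ["CreateFileW", "ReadFile", "CloseHandle",
                         "CreateProcessW", "GetLastError"],
        "ADVAPI32.dll": ["RegOpenKeyExW", "RegQueryValueExW", "OpenSCManagerW"],
        "USER32.dll": ["MessageBoxW", "CreateWindowExW"],
    },
    "packed.exe": {
        # Only the two loader stubs: the classic packed-executable signature.
        "KERNEL32.dll": ["GetProcAddress", "LoadLibraryA"],
    },
    "dropper.exe": {
        "KERNEL32.dll": ["CreateFileA", "WriteFile", "VirtualAlloc"],
        "ntdll.dll": ["NtCreateThreadEx", "NtWriteVirtualMemory"],
        "WS2_32.dll": ["socket", "connect", "send"],
        "WININET.dll": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
    },
}

# Library roles as summarized in the table above (assumed mapping).
LIBRARY_ROLES = {
    "kernel32.dll": "kernel / basic API (files, processes, hardware)",
    "advapi32.dll": "registry and service manager",
    "ntdll.dll": "low-level kernel interface (direct import is unusual)",
    "user32.dll": "GUI controls",
    "gdi32.dll": "graphics",
    "wsock32.dll": "networking (sockets)",
    "ws2_32.dll": "networking (sockets)",
    "wininet.dll": "high-level networking (HTTP, FTP)",
}
NETWORK_LIBS = {"wsock32.dll", "ws2_32.dll", "wininet.dll"}
LOADER_STUBS = {"GetProcAddress", "LoadLibrary"}

# base name, then zero or more "Ex", then an optional A/W charset suffix.
# Heuristic: a genuine name ending in "Ex", "A" or "W" would be split too.
SUFFIX_RE = re.compile(r"^(?P<base>[A-Za-z0-9_]+?)(?P<ex>(?:Ex)*)(?P<charset>[AW])?$")


def normalize_api(name):
    """Split an API name into (base, Ex-suffix, charset-suffix).

    RegOpenKeyExW -> ("RegOpenKey", "Ex", "W"); ReadFile -> ("ReadFile", "", "")
    """
    m = SUFFIX_RE.match(name)
    if not m:
        return name, "", ""
    return m.group("base"), m.group("ex"), m.group("charset") or ""


def triage_imports(imports, packed_threshold=5):
    """Return findings for one import table: library roles, charset usage,
    and flags for direct ntdll use, network capability and likely packing."""
    findings = {"libraries": {}, "flags": [], "charset": Counter()}
    base_names = set()
    total = 0
    for dll, funcs in imports.items():
        key = dll.lower()
        findings["libraries"][key] = LIBRARY_ROLES.get(key, "not in role table")
        total += len(funcs)
        for func in funcs:
            base, _ex, charset = normalize_api(func)
            base_names.add(base)
            if charset:
                findings["charset"][charset] += 1
    findings["import_count"] = total
    lower_dlls = {d.lower() for d in imports}
    if "ntdll.dll" in lower_dlls:
        findings["flags"].append("direct ntdll.dll import")
    if lower_dlls & NETWORK_LIBS:
        findings["flags"].append("network capability")
    # Packing indicator: a tiny import table made up only of loader stubs.
    if base_names and total <= packed_threshold and base_names <= LOADER_STUBS:
        findings["flags"].append("possibly packed: only loader stubs imported")
    return findings


if __name__ == "__main__":
    for name, table in SAMPLE_IMPORTS.items():
        result = triage_imports(table)
        print(f"{name}: {result['import_count']} imports, "
              f"charset={dict(result['charset'])}, flags={result['flags']}")
        for dll, role in result["libraries"].items():
            print(f"  {dll}: {role}")
```

The A/W counter is useful on its own: a sample whose imports are almost entirely `A` variants while the rest of the binary is wide-string Windows code often points at a bolted-on stub or an older toolchain, and the base-name set is what you compare across samples once the suffix noise is gone.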