[caption id="" align="aligncenter" width="240" caption="TitanMist Logo"][/caption]
The intended audience for this brief tutorial requires knowledge on using Windows command line tools and some basic debugging. It also requires installation of the following free tools or applications.
- Python 2.7 (http://www.python.org/ftp/python/2.7/python-2.7.msi)
- TitanMist 2.0 (http://www.reversinglabs.com/download/TitanMist.rar)
- OllyDbg 2.0 (http://www.ollydbg.de/odbg200.zip)
- MPRESS 2.17 packer (http://www.matcode.com/mpress.217.zip)
- Host File: Win XP calc.exe (C:\Windows\System32\calc.exe)
There are two parts in creating a pattern for TitanMist, the first part is to create a signature for detecting the file and the last part is to create an unpacker to extract the host file but first we need to set our environment.
Setting The Environment
Install Python in its default directory and extract or copy all the rest to C:\TitanMist folder. We will use Windows XP’s calc.exe as our host file and all the indicated virtual addresses will be based from it. Create another copy of calc.exe in the same directory as calc2.exe. With all the tools and applications ready in TitanMist folder, the folder should look like below.
[caption id="" align="aligncenter" width="414" caption="Titanmist Working Folder"][/caption]
In order to create a TitanMist detect and unpack patterns, first, we need to have a protected or packed executable. We will use MPRESS packer, a free tool from Matcode Software. Open a command window in C:\TitanMist folder. Pack the host file with MPRESS packer using the command line below:
[plain]mpress.exe calc.exe[/plain]
It should have the expected output as displayed below:
[caption id="" align="aligncenter" width="492" caption="Mpress Syntax"][/caption]
This will shrink calc.exe’s file size from 112 KB down to 55 KB. Open calc.exe and calc2.exe on two separate OllyDbg windows. Notice the difference between the two. Looking at the image below, the one on the left (calc2.exe) is the original version of calc.exe while the one in the right is packed with MPRESS.
[caption id="" align="alignnone" width="1024" caption="OllyDbg Comparison"][/caption]
Some useful commands for OllyDbg can be found at Appendix A.
Creating a Detection
Detection for MPRESS packer is made by packing many samples and getting the packer code that are common among them. Comparing calc.exe with other MPRESS packed files, you will notice that there are 41 bytes which are common from the entry point. Open calc.exe in OllyDbg then select the codes from 0101F16F to 0101F19C. Copy the codes by pressing CTRL+Insert (binary copy) and paste them over to your favorite text editor, save the code as code.txt for later use (see image below).
[caption id="" align="aligncenter" width="458" caption="Code from the packed File"][/caption]
Now open the TitanMist database file (C:\TitanMist\TitanMist \db.xml) with the same editor used for code.txt. The database file is an XML file containing all the signatures to detect the packer or protector that loads the corresponding unpack pattern. Looking at some of the detect patterns , we get the idea of how the detection works. Copy the entry element with the name attribute tELock and paste them below the last element.
We will replace some of the copied tELock’s entry attributes. Change the name from tELock to MPRESS and the author to Matcode Software. The above changes are required to give users information on the executable being scanned on the command window. Since we are making a TitanScript unpacker, the type attribute of unpacker element should be changed from native to titanscript and the value should be mpress.txt instead of MisttElock.dll. This will load mpress.txt if our signature matches the file.
Going to the signature element, we will retain the start attribute of ep since we require our unpacker to start from entry point (ep). Change the version attribute to 2.17 - the version of the MPRESS we’re going to unpack. Replace the signature value with the contents of code.txt. The four bytes starting from the 9th byte, which is 5A 0B 00 00, is specific to calc.exe. In order for us to detect other MPRESS packed file, we’ll replace this with a 4 byte wildcard ?? ?? ?? ?? (see image below).
[caption id="" align="aligncenter" width="625" caption="Mpress Detection"][/caption]
Creating an Unpacker
So let’s start debugging and see what unpack pattern we can produce. It is recommended that you have another packed file opened in OllyDbg along side calc.exe. This way we won’t get signature that is specific to calc.exe. Open C:\TitanMist\TitanMist\unpackers\titanscript folder using Windows explorer and create a text file named mpress.txt.
The first goal was to find where MPRESS jumps to the original entry point. Experience tells us that there are packers whose return code is at the end of a function or the last code in the code section. In this exercise, two JMP instructions located at 0101F23D and 0101FCCA are candidates for inspection. Scroll down the OllyDbg window and click the address at 0101F23D. Press F4 to direct the instruction pointer (ip) to this address and it will automatically process the instructions in its path. Fortunately, 0101F23D points to our second address of 0101FCCA. Press F8 twice to allow us to single step these two JMP instructions, which will eventually lead us to a decrypted routine. Going to the last code of this routine, we can see that there is a JMP instruction at 010136A4 whose constants points to calc.exe’s original entry point of 01012475.
The code in Listing 1 is the resulting code that automatically does the step we did earlier. Copy the code to C:\TitanMist\TitanMist\unpackers\titanscript\mpress.txt, which we will test after some explanation.
[plain]
start:
find eip,#ABE80000000058#
mov target, $RESULT
add target, c
go target
sto
sto
find eip,#E8000000005F81C7EEFEFFFFB0E9AAB81E010000AB61#
mov target, $RESULT
add target, 16
go target
sto
log eip
StopDebug
ret
[/plain]
Listing 1: Code to find OEP
The code find eip,#ABE80000000058# enables us to find the address of 0101F231 which is 12 bytes away from 0101F23D. The result for the find command is stored in $RESULT which is copied to target variable, where we subsequently added c which is hexadecimal for 12. The code go target is followed by two sto which represents doing F4 and two F8 in OllyDbg.
Same goes with find eip,#E8000000005F81C7EEFEFFFFB0E9AAB81E010000AB61# which, from the decrypted routine, enables us to find 0101368E address which is 22 bytes away from our jump instruction leading to the original entry point 01012475. The go target and sto instructions direct us to the original entry point. The log eip provides a command output of the actual instruction pointer while we debug. The StopDebug is a TitanEngine API that stops the application from debugging while ret returns the control back to TitanMist.
[plain]TitanMist.exe -i C:\TitanMist\calc.exe[/plain]
Open a command window in C:\TitanMist\TitanMist folder. Using the command line above results to the output seen below:
[caption id="" align="aligncenter" width="492" caption="TitanMist Output"][/caption]
Now, we require the memory to be dumped to a file. With no time to RTFM, let’s open some existing patterns to get the idea of how TitanScript’s unpackers do their stuff. You’ll notice that all of the patterns end with the EntryJump procedure. The EntryJump procedure in rl.MEW.txt gives us the EntryJump template common to the existing TitanScript patterns. Copy this procedure, its variables, variable declarations and variable initializations. With some modification, the expected output should be in Listing 2.
[plain]
var cTrunkAddress
var cTargetAddress
var FileHandle
var FileSize
var FileMap
var FileMapVA
start:
GetPE32Data $INPUTFILE,0,ue_imagebase
mov fileImageBase,$TE_RESULT
ImporterInit 0C800,fileImageBase
gpi MAINBASE
mov fileLoadBase,$RESULT
find eip,#ABE80000000058#
mov target, $RESULT
add target, c
go target
sto
sto
find eip,#E8000000005F81C7EEFEFFFFB0E9AAB81E010000AB61#
mov target, $RESULT
add target, 16
go target
EntryJump:
sto
mov epAddress,eip
gpi HPROCESS
mov hProcess,$RESULT
DumpProcess hProcess,fileImageBase,$OUTPUTFILE,epAddress
ImporterEstimatedSize
AddNewSection $OUTPUTFILE,".TEv2",$TE_RESULT + 200
mov mImportTableOffset,$TE_RESULT
add mImportTableOffset,fileLoadBase
StaticFileLoad $OUTPUTFILE,ue_access_all,false,FileHandle,FileSize,FileMap,FileMapVA
ConvertVAtoFileOffset FileMapVA,mImportTableOffset,true
ImporterExportIAT $TE_RESULT,FileMapVA
RealignPE FileMapVA,FileSize,2
mov FileSize,$TE_RESULT
StaticFileUnload $OUTPUTFILE,false,FileHandle,FileSize,FileMap,FileMapVA
MakeAllSectionsRWE $OUTPUTFILE
StopDebug
ret
[/plain]
Listing 2: Initial memory dump code
Having the TitanMist to unpack the file will give us a corrupted dump. Using a hex editor such as HIEW, we can verify if the import table in the dumped file was not restored properly. The problem is that the DLL and API references were virtual addresses from the runtime memory which the OS cannot use for loading the application. Going back to the calc.exe’s OllyDbg, the decrypted code that we saw earlier was actually the Import Table restoration used by MPRESS. The instructions at 01013654 are used to load the imported DLL while its APIs are extracted at address 0101367C. We need hooks after these addresses so that everytime the instruction pointer (ip) passes, we will be able to get the processed register values and use it to rebuild our own import table.
[plain]
find eip,#8BD8AC0AC0B0008846FF#
bp $RESULT
bpgoto $RESULT,GetImportedDll
find eip,#AB32C08846FFAC0AC075F6#
bp $RESULT
bpgoto $RESULT,GetImportedApi
GetImportedDll:
gstr esi,2
cmp $RESULT_1,0
je mpressExit
ImporterAddNewDll $RESULT,edi
jmp mpressResume
GetImportedApi:
mov cTargetAddress,esi
mov cTrunkAddress,edi
gstr cTargetAddress,2
cmp $RESULT_1,0
je mpressExit
ImporterAddNewAPI $RESULT,cTrunkAddress
jmp mpressResume
[/plain]
Listing 3: Breakpoint hooks and handles for our import table restoration
Getting some sigs from MPRESS’ import table restoration, we were able to add the following codes shown in Listing 3 to our pattern. We set some hooks on the instructions right below the addresses 01013654 and 0101367C with bp $RESULT. The bpgoto is used to pass the control to the assigned breakpoint handle. The gstr retrieves the string pointer which is passed to $RESULT while the string length is passed to $RESULT_1. The cmp, je, and jmp should speak for itself.
The only thing to highlight here is the use of TitanEngine’s APIs ImporterAddNewDll and ImporterAddNewAPI. The API ImporterAddNewDll copies the string from $RESULT while the edi is the address of the DLL in the host’s code before it was packed. Same goes with ImporterAddNewAPI except that it uses an API name that belonged to the DLL that is currently being referenced by ImporterAddNewDll. These two APIs depend on the ImporterInit, ImporterEstimatedSize and ImporterExportIAT used in Listing 2 to have a working import table.
Combining Listing 3 code with the main pattern, we will have a working MPRESS Unpacker below.
[plain]
/*
TitanMist
---------------------------------------------
Script: MPRESS 2.17 Unpacker
Author: zero1
Website: virusanalysts.blogspot.com
Date: 11/15/2010
Rev: 1.0
*/
var cTrunkAddress
var cTargetAddress
var FileHandle
var FileSize
var FileMap
var FileMapVA
start:
GetPE32Data $INPUTFILE,0,ue_imagebase
mov fileImageBase,$TE_RESULT
ImporterInit 0C800,fileImageBase
gpi MAINBASE
mov fileLoadBase,$RESULT
find eip,#ABE80000000058#
mov target, $RESULT
add target, c
go target
sto
sto
find eip,#8BD8AC0AC0B0008846FF#
bp $RESULT
bpgoto $RESULT,GetImportedDll
find eip,#AB32C08846FFAC0AC075F6#
bp $RESULT
bpgoto $RESULT,GetImportedApi
find eip,#E8000000005F81C7EEFEFFFFB0E9AAB81E010000AB61#
mov target, $RESULT
add target, 16
bp target
bpgoto target,EntryJump
mpressResume:
run
jmp mpressResume
GetImportedDll:
gstr esi,2
cmp $RESULT_1,0
je mpressExit
ImporterAddNewDll $RESULT,edi
jmp mpressResume
GetImportedApi:
mov cTargetAddress,esi
mov cTrunkAddress,edi
gstr cTargetAddress,2
cmp $RESULT_1,0
je GetProcAddressIsNotString
ImporterAddNewAPI $RESULT,cTrunkAddress
jmp mpressResume
GetProcAddressIsNotString:
ImporterAddNewOrdinalAPI cTargetAddress,cTrunkAddress
jmp mpressResume
EntryJump:
sto
mov epAddress, eip
gpi HPROCESS
mov hProcess,$RESULT
DumpProcess hProcess,fileImageBase,$OUTPUTFILE,epAddress
ImporterEstimatedSize
AddNewSection $OUTPUTFILE,".TEv2",$TE_RESULT + 200
mov mImportTableOffset,$TE_RESULT
add mImportTableOffset,fileLoadBase
StaticFileLoad $OUTPUTFILE,ue_access_all,false,FileHandle,FileSize,FileMap,FileMapVA
ConvertVAtoFileOffset FileMapVA,mImportTableOffset,true
ImporterExportIAT $TE_RESULT,FileMapVA
RealignPE FileMapVA,FileSize,2
mov FileSize,$TE_RESULT
StaticFileUnload $OUTPUTFILE,false,FileHandle,FileSize,FileMap,FileMapVA
MakeAllSectionsRWE $OUTPUTFILE
StopDebug
ret
mpressExit:
StopDebug
error
ret
[/plain]
Listing 4: Final MPRESS unpacker
To test Listing 4, open a command window in C:\TitanMist\TitanMist folder again and use the command line below which will create an output file named calc.unpacked.exe:
TitanMist.exe -i C:\TitanMist\calc.exe
Conclusion
To sum up, TitanMist is a great addition to a malware analyst’s arsenal of reversing tools. In its later stage, it can make some of the usual tools irrelevant and obsolete. Reversing Labs did a great job creating an unpacker framework. It is ironic though that a company that aims to provide the best file analysis and reversing tools is producing superior protection tools. Who would use their protection tools when there is already an unpacker for it?
Still, it is a promising tool which even those who are new in the security industry can build their careers upon, to say the least. Its shortcomings just proved the need for people to collaborate in this project. If that happens and if people are actually supporting the company’s goals, who knows, TitanMist might actually pave the way to our reversing Nirvana.
Appendix A
Some useful OllyDbg Commands:
- Ctrl + G – locate entered address
- Ctrl + A – automatic analysis
- * (num key) – locate current instruction pointer
- F4 – go to highlighted address
- F8 – single step instruction
- Ctrl + F2 – restart debug session
References
- ReversingLabs Corporation, TitanEngine SDK References from http://www.reversinglabs.com/products/TitanEngine.php
- ReversingLabs Corporation, TitanMist References from http://www.reversinglabs.com/products/TitanMist.php
* All other trademarks, logos and copyrights are the property of their respective owners.
0 comments:
Post a Comment