An Opaque predicate is a line of code, or lines of code that are basically useless. They actually do something, but in terms of usefulness they don’t do anything. Does that even make sense? Anyway they are designed to make it appear as if the code was doing something to divert the attention of an analyst. The purpose of an opaque predicate is to add a layer of obfuscation into code that makes reversing the code more time consuming. As you sift through useless instruction you realize the code is more of a distraction than anything else. Opaque Predicates make static analysis more time consuming because they are often difficult to discover. You stumble upon a code block only to find after a few minutes that it’s dead.

So what does an opaque predicate look like?

In a high level language such as C/C++ we can have the most basic opaque predicate as a simple IF Insertion. Inserting IF statements to always come back true will surely not be effective on performance but in terms of static analysis it can throw off an analyst for a few minutes as they chase down a rabbit hole.

So we have something similar to this:

1
2
3
4
5
6
7
8
9

if(true)
{
Dosomething</code>
 
}
else
{
Dosomething
}

True will always come back as true. The first branch will always be the one chosen in actual execution. However, the code in the first branch and the second branch will be the same. This adds an additional branch to a graph in IDA, and adds more code the analyst must sort through. Just two are manageable, imagine if you had multiple if else’s in the code!

Ida Graph

And here is the deadlist

You can add an additional level of complexity to the code with math operations. An opaque predicate such as:

1
2
3
4
5
6

int    add,q = 2;</code>
 
if(((q+q^2)%2)==0)
printf("here");
else
add = 2+8;

Utilizes Dead code insertions. The else operation can be anything you want, for simplicity sake I chose the addition of two numbers and the assignment into a variable. However in real examples the code should be more complex. It should be dead code so that it may be functional but does not truly serve a purpose to the program. This will often lead the analyst down a path where they may spend anywhere from 10 minutes to an hour with their attention diverted from the real path. This type of predicate has the general layout of

1
2
3
4

if(math expression that always resolved)
Real work
Else
Dead code

In IDA this would graph similar to:
Graph
The dead listing would look like the following:
Dead List

These examples are rather simple, but adding complex junk code to them can often divert an analyst’s attention for a period of time. Especially if you make the junk or dead code seems more interesting then the code behind the real work!

A while back dean sent me some malware that he had been collecting off client systems. He didn’t ask me to do an analysis on them but I started doing it anyway. The first aspect of this malware was a delivery system that actually got some type of client side execution on the system.

The delivery has three aspects of it and is served via javascript.

First in the event javascript is disabled the visited page displays a link for the user to click. The title simply says “Please download”. If javascript works, it attempts to a function in MDAC by creating and ADODB stream and downloading the file. The file downloaded is then named svchosts.exe, and the shellexecute function is called with the svchosts.exe file name passed to it. On a Linux machine, an automatic save box is displayed within about 10 seconds. An example of the javascript decoded by dean can be found here. WARNING – It is set up to automatically download and launch a file called video.exe. I have copied a safe version of calc.exe to the web root so don’t get your pants in a bunch when it either launches, or attempts to downoad… If it does launch, you need to 1) stop using windows/internet explorer and 2) patch your system.

Dean was able to pull a copy of video1.exe from the server hosting this piece of malware. I took a look at it for analysis a few day’s ago. Initial tests for packing came up empty, but it would seem there is slight obfuscation in the code. There are many places where analysis fails, there are absolutely no strings, and some of the code seems to jump around to non existent addresses. I am still attempting to identify what type of encryption/packer was used on the code to optimize my disassembly. Until then I have barely any strings and only a few imports.

The few imports I do have lead me to recreate the file video1.exe. All of the imports came from Wininet which is the windows API for internet data. I set about researching a few of the api’s and pieceing together the logic and code behind video1.exe. I’ve concluded that it downloads and executes a file from another place using the functions in Wininet. Further preparing my infrastructure for penetration testing I wanted to create my own dropper for custom trojans and thinks beyond meterpreter.exe. I wanted something that would not be flagged by Anti Virus and that I can keep relatively small.

What I did was create Droplet. I finished the code last night and It’s pretty light weight. I did not encorporate any of the ftpGetFile, or Gopher functions from Wininet. I simply wanted a file dropper that would download code, copy it to a file and then execute it.

The basic flow of the program is

InternetOpen
InternetConnect
HttpOpenRequest
HttpAddRequestHeaders
HttpQueryInfo
HttpSendRequest
Either InternetReadFile or URLDownloadToFile

From this point if you are using InternetReadFile you can use the Windows API to create the file and copy the data too. I’m still working bugs out with this method.

URLDownloadToFile seems to be the better choice since it is designed to copy the data to a file instead of to a buffer. I think I might head out to the river this weekend but I’m hoping to have some time that I can play with the FTP Functions inside WinInet.

Anyway, Malware Analysis is pretty cool because you can learn how people smarter than you carry out nefarious biddings. Hopefully you learn from it and you can either apply it to your penetration testing, or for your own biddings!

-E

As many of the readers here know I’ve been on my grind lately in an effort to become really proficient in reverse engineering. Two of my associates have made comments regarding a skill gap they have in the field of reverse engineering. Everyone has a different learning curve, and everyone certainly has a different skill set. Some skill sets are more advanced than others but when you work in a team effort one skill set can often complement another. Groups from back in the day used to be pretty bad ass. Personally I was never part of a group, I guess I just never found my way into one. I really wish I had been part of one because I’d probably be bad ass right now instead of losing sleep at night in an effort to walk in the presence of some of the top guys in Austin and around the world. There are a lot of dude’s I look up to and often read their material. Indirectly, they are teaching me lots and I appreciate it!

I’ve been holding onto a book I picked up a while back from Wrox publishing titled “Professional Assembly.” The book is part of their programmer to programmer series. I originally found it two years ago when I was doing penetration testing and I figured it would help me out in my efforts to master exploitation. It really did give me a great understanding of functions, and the stack but beyond that I just could not wrap my attention around the book. I’ve finally got into the book and have been walking through many of the examples and creating my own in an effort to really nail down assembly language. I think I received a third rate education in Computer Science because assembly was never on our list of things taught, hell I don’t even think it was mentioned which is pretty sad.

How many times have you opened up a tutorial for reverse engineering or exploitation and saw something along the lines of “Basics of assembly language is assumed” or “No assembly knowledge necessary.” For many they browse over those lines and get lost somewhere in the second or third page. I’ll be honest I was one of them. I found myself referencing instructions far too often it was impeding my process. Now that I’ve read through the book and worked the examples not only do I find myself having the ability to optimize assembly (not that I need to in many cases) but I’ve also found I can breeze through disassembly in binaries a lot faster as I go after relevant code sections.

The morale of the story is don’t be like me and try to learn to reverse without learning assembly first. Get your assembly down packed, and many MANY concepts in reversing and exploitation will come together faster than you realize. As you read the book many concepts will click and you will go “ohhhhhh.”

Anyway, just wanted to mention the book, I found it awesome. The only con I found with it is the lack of exercises at the end of the chapters. I found myself googling for exercises and stealing many from colleges that offered assembly courses. Either way, I learned a lot from this book even recognizing certain code optimizations such as memcpy and strlen type functions. Check it out if you want to learn. Just make sure you do the exercises/examples.

Been working through PowerPC assembly and Mysql as of Late.

As I was browsing through the book store hanging out with my son I noticed a copy of the database hackers handbook for less than $9.00, Figured I can’t go wrong at that price. I never really had an interest in databases but as I flipped through the book I realized that aside from a general ability to run through SQL commands I didn’t really have a good understanding of database systems. I created a nice syllabus to run through Mysql for the moment. Towards the latter half I’ll actually get into SQL Injections so if you’ve got some decent tuts in your link base drop it!

Anyway, PowerPC assembly is Hot, still a bit vexing since I’m used to Intel. However I see how PPC is much cleaner and more efficient. For those interested I’ve been taking notes as I follow through a syllabus for learning PPC that I created. I modeled it off the Professional Assembly programming book by Wrox publishing (which mind you is an awesome book for the Intel architecture). Right now I’ve only dropped the architecture overview notes, I am working through Moving data around and Stacks. PPC is really interesting when you get to stacks since it doesn’t necessarily have hardware support for one. However, using registers and some instructions you can create a stack and manipulate it. However, there are no formally defined instructions for it such as Intel’s PUSH and POP.

Notes are in Here.