Notes - MCS
Reverse Engineering

DBI with Qiling

Qiling is a DBI tool that can perform:

  • Emulation: executes binary code step by step, translating each target instruction instead of running it natively.

  • Binary instrumentation: allows injection of user-specified code.

  • Cross-platform and cross-architectural analysis: analyze one architecture or OS on another.

  • Sandboxing: I/O is redirected to fake devices (files, sockets).

  • Raw binaries: can analyze binary blobs dumped from devices, or shellcode.

Emulation

Syscalls and interrupts are implemented in Python.

  • The program calls syscall/interrupt.

  • Qiling invokes a handler in Python, which mimics a standard system.

  • Implementations can be overridden by the user.

The host OS is never called; Qiling itself provides the result.

  • Advantages:

    • Great control over the execution.

    • Great isolation.

  • Disadvantages:

    • Not all calls are implemented.

    • Behavior mimics an ideal system and may deviate from reality.

Instrumentation

Users can define hooks to trigger callbacks on an event.

  • Because an emulator is translating code in real time, instruction-level hooks are possible.

Examples of events that can trigger a hook:

  • Code execution reaches a specific address.

  • An address is written or read.

  • A function is entered or returns.

  • An instruction is executed.
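
The two sections above (a syscall handled by a Python replacement, and instruction, memory and address hooks) as an added example; this is not code from the course notes or from the Qiling project. It assumes Qiling 1.4.x API names, a rootfs at ROOTFS, a target ELF at BINARY and a watched data range WATCH, all of which are placeholders to adjust.

```python
from typing import Any, Dict

ROOTFS = "rootfs/x8664_linux"           # assumed rootfs path (adjust to your setup)
BINARY = ROOTFS + "/bin/x8664_hello"    # assumed target ELF (adjust)
WATCH = (0x00600000, 0x00601000)        # constructed placeholder: data range to watch

try:
    from qiling import Qiling
    from qiling.const import QL_VERBOSE
except ImportError:                     # keeps the handlers importable (and testable) without Qiling
    Qiling = None

def new_trace(watch_lo: int, watch_hi: int) -> Dict[str, Any]:
    """Bookkeeping filled in by the hooks below."""
    return {"writes": [], "insns": 0, "watched_stores": [], "entry_hit": False,
            "watch": (watch_lo, watch_hi)}

def sandboxed_write(ql: Any, fd: int, buf: int, count: int) -> int:
    """Replaces the write(2) syscall: copies the bytes out of emulated memory
    into ql.trace instead of handing them to a host file descriptor."""
    data = bytes(ql.mem.read(buf, count))
    ql.trace["writes"].append((fd, data))
    return count                        # value the program sees as write()'s result

def count_instruction(ql: Any, address: int, size: int) -> None:
    """hook_code callback: runs before every emulated instruction."""
    ql.trace["insns"] += 1

def watch_writes(ql: Any, access: int, address: int, size: int, value: int) -> None:
    """hook_mem_write callback: records stores that land inside the watched range."""
    lo, hi = ql.trace["watch"]
    if lo <= address < hi:
        ql.trace["watched_stores"].append((address, size, value))

def on_entry(ql: Any) -> None:
    """hook_address callback: fires once when execution reaches the chosen address."""
    ql.trace["entry_hit"] = True

def run(binary: str = BINARY, rootfs: str = ROOTFS) -> Dict[str, Any]:
    ql = Qiling([binary], rootfs, verbose=QL_VERBOSE.OFF)
    ql.trace = new_trace(*WATCH)                  # our own state, kept on the instance
    ql.os.set_syscall("write", sandboxed_write)   # Python handler replaces the emulated syscall
    ql.hook_code(count_instruction)               # instruction-level hook
    ql.hook_mem_write(watch_writes)               # memory-write hook
    ql.hook_address(on_entry, ql.loader.entry_point)   # address hook at the start address
    ql.run()
    return ql.trace
```

Calling run() returns the trace dict, so the program's output never reaches the host and can be inspected afterwards together with the instruction count and the stores into the watched range.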

Cross Platform and Cross Architecture

Binary code is emulated, allowing cross-architecture execution.

  • Target-architecture instructions are translated into host-native instructions at run time.

Because all syscalls and interrupts are emulated, the host platform can differ from the target platform.

  • Because Qiling is built on Unicorn (itself derived from QEMU), a wide range of target architectures is supported.

Loading an ELF

Qiling has several loaders:

  • MBR

  • PE, ELF, MachO

  • Unstructured binary (shellcode)

The loader maps the code so that it can be emulated against an isolated rootfs.

  • Calls to interrupts and syscalls are implemented in Python.

Overriding a library function

Functions can be overridden with custom implementations:

  • Code can access arguments of basic types (Strings, Ints, Floats).

  • Inside a function, other external functions can be called.

  • The entire register set and memory can be manipulated.

  • A return value is handed back to the calling function, whose execution continues in the emulated rootfs.
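
The override described above, as an added example that is not part of the course notes or of the Qiling project: two libc functions of an emulated Linux x86_64 ELF are replaced through set_api, one reading a string argument and returning a value, the other writing into emulated memory. ROOTFS, BINARY, the fake environment, and the handler signatures (taken from Qiling 1.4's documentation; check them against the installed version) are assumptions.

```python
from typing import Any, List

ROOTFS = "rootfs/x8664_linux"           # assumed rootfs path (adjust to your setup)
BINARY = ROOTFS + "/bin/x8664_hello"    # assumed target ELF (adjust)

try:
    from qiling import Qiling
    from qiling.const import QL_VERBOSE
    from qiling.os.const import STRING  # type tag used to decode a char* argument
except ImportError:                     # keeps the handlers importable (and testable) without Qiling
    Qiling = None
    STRING = "string"

def fake_puts(ql: Any) -> int:
    """Replaces puts(): decodes the char* argument into a str, stores it on the
    Qiling instance and returns what the caller will see as puts()' result."""
    s = ql.os.resolve_fcall_params({"s": STRING})["s"]
    ql.captured.append(s)
    return len(s) + 1                   # characters written plus the newline puts() adds

def fake_getenv(ql: Any) -> int:
    """Replaces getenv(): answers from a Python dict instead of the host
    environment. The value is copied into emulated memory and its address is
    returned; 0 (NULL) tells the caller the variable is unset."""
    name = ql.os.resolve_fcall_params({"name": STRING})["name"]
    value = ql.fake_env.get(name)
    if value is None:
        return 0
    data = value.encode() + b"\0"
    addr = ql.os.heap.alloc(len(data))  # emulated heap, never host memory
    ql.mem.write(addr, data)
    return addr

def run(binary: str = BINARY, rootfs: str = ROOTFS) -> List[str]:
    ql = Qiling([binary], rootfs, verbose=QL_VERBOSE.OFF)
    ql.captured = []                                      # filled by fake_puts
    ql.fake_env = {"HOME": "/sandbox", "USER": "analyst"}  # constructed environment
    ql.os.set_api("puts", fake_puts)                      # full replacement (CALL intercept)
    ql.os.set_api("getenv", fake_getenv)
    ql.run()
    return ql.captured

if __name__ == "__main__":
    for line in run():
        print("puts ->", line)
```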
