Notes - MCS
Reverse Engineering

Content Type Obfuscation

Disguise one file type as another file type, or as raw data. The technique exploits:

  • How the file is processed by the environment

  • How users interact with it

  • How researchers and automatic tools process a file

Purposes (some):

  • Marketing, branding and usability

  • Exploit users through social engineering

  • Increase the cost required for a reverse engineering task

  • Carry a malicious payload while escaping manual analysis

  • Carry a malicious payload bypassing automatic filtering

Marketing, Branding and Usability

Aims to make a file type more usable, or to make the brand visible to the user

  • Benign and common usage

Approach: the file has one specific type, but uses another file extension

  • The environment has a configuration stating how to handle such a file extension

  • Exploits the fact that an environment uses a fixed string (the extension) to decide how to open the file

Impact: file explorers present content based on the file extension, not based on the content.

For a PPTX file:

  • `file` reports a Zip archive, and the magic value is `PK` (50 4B)

  • DOCX and XLSX are similar: all three are Zip containers that differ only in the parts they carry inside

Exploit users through social engineering

It aims to confuse users about the purpose of a file

  • Malicious, and common in phishing campaigns and malware

Approach: the file has a filename and a presentation that confuse users

  • The mail client or file explorer presents what looks like a safe file with a known extension

  • But the icon is stored in the file itself (executable resources), and the file has two extensions (file.txt.exe)

Impact: the user thinks the file is not malicious (e.g., it is a Word document), while in reality it executes malicious code

Windows hides extensions of known file types by default

  • Sample.pptx is shown only as Sample

Executable files may have an embedded icon

  • Freely defined by the developer

  • Explorer will show that icon

A file named Sample.pptx.exe will therefore be shown as Sample.pptx, with a PowerPoint icon if the developer chose one

  • Users recognize the extension and may think the file is safe

In an RE task, files may carry bogus extensions for the same reason

Increase the cost required for a reverse engineering task

Aims to disguise or manipulate files so that an RE task skips the file, or processes it incorrectly

Approaches:

  • Hide content in a file without an extension, without headers, or with modified headers

  • Mangle content to make it less human-friendly

  • Polyglots: one file that is valid under two or more formats, so each tool sees a different thing

Impact: the reversing or forensics analyst will not process the file, or will not process it with the correct approach/tools

  • This may prevent the researcher from recovering the original file

Magic Headers

Besides extensions, most files can be recognized by a magic value at the start (or, for some formats, the end) of the file

  • Manipulating headers can lead to incorrect detection and possibly incorrect processing

Some magic values:

  • Legacy Office documents (.doc/.xls/.ppt, OLE2/CFB container): D0 CF 11 E0 A1 B1 1A E1. Modern DOCX/XLSX/PPTX are Zip containers and start with PK (50 4B 03 04)

  • ELF: 7F 45 4C 46 (`\x7fELF`)

  • JPEG: FF D8 FF

  • PNG: 89 50 4E 47 0D 0A 1A 0A (`\x89PNG\r\n\x1a\n`)

  • Java class: CA FE BA BE (the same value opens Mach-O fat binaries, so the following version fields are needed to tell them apart)

Headers are important to maintain compatibility with third-party software

Headers may be irrelevant for custom software

  • The software has the filetype hard coded
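The three cases above (an Office file that is really a Zip, a double extension hidden by Explorer, and a magic value that contradicts the extension) all reduce to the same check: identify the content from its magic value and compare it with what the filename claims. The following script is an added example, not code from the original notes; the magic table is built from the signatures listed on this page plus the Zip local-file header and the PE `MZ` stub, and the extension-to-type map and the set of "known" extensions that Explorer hides are assumptions chosen for the demonstration. Sample inputs are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePath

# Magic values from the page's table plus Zip and PE (assumed extras);
# each entry is (signature at offset 0, label).
MAGICS = [
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt container
    (b"\xca\xfe\xba\xbe", "java-class"),              # caution: Mach-O fat binaries share it
    (b"PK\x03\x04", "zip"),                           # DOCX/XLSX/PPTX are Zip containers
    (b"MZ", "pe"),
]

# Content type each extension is expected to carry ("text" = no magic at all).
# Assumed table for this example.
EXPECTED = {
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".exe": "pe", ".dll": "pe",
    ".class": "java-class", ".so": "elf", ".doc": "ole2", ".xls": "ole2",
    ".ppt": "ole2", ".docx": "ooxml-word", ".xlsx": "ooxml-excel",
    ".pptx": "ooxml-powerpoint", ".zip": "zip", ".txt": "text",
}

# Extensions Explorer hides by default ("Sample.pptx.exe" shows as "Sample.pptx").
KNOWN_EXTS = set(EXPECTED)


def sniff(data: bytes) -> str:
    """Identify the content type from the magic value, ignoring the filename."""
    for sig, label in MAGICS:
        if data.startswith(sig):
            return _sniff_zip(data) if label == "zip" else label
    return "text" if _looks_like_text(data) else "unknown"


def _looks_like_text(data: bytes) -> bool:
    return bool(data) and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in data)


def _sniff_zip(data: bytes) -> str:
    """A PK archive is an Office document only if it carries the OOXML parts."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"          # valid magic but unreadable body: truncated or tampered
    if "[Content_Types].xml" not in names:
        return "zip"
    for prefix, label in (("word/", "ooxml-word"), ("xl/", "ooxml-excel"), ("ppt/", "ooxml-powerpoint")):
        if any(n.startswith(prefix) for n in names):
            return label
    return "ooxml"


def displayed_name(filename: str) -> str:
    """Simulate Explorer's 'hide extensions for known file types' default."""
    p = PurePath(filename)
    return p.stem if p.suffix.lower() in KNOWN_EXTS else filename


def analyse(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes actually are."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    content = sniff(data)
    expected = EXPECTED.get(claimed)
    return {
        "filename": filename,
        "shown_as": displayed_name(filename),
        "content": content,
        "mismatch": expected is not None and expected != content,
        "double_extension": len(suffixes) > 1 and suffixes[-2] in KNOWN_EXTS,
    }


def make_ooxml(kind: str) -> bytes:
    """Constructed stand-in for a DOCX/XLSX/PPTX: a Zip with the OOXML layout."""
    part = {"word": "word/document.xml", "xl": "xl/workbook.xml", "ppt": "ppt/presentation.xml"}[kind]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part, "<x/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [                                           # constructed inputs
        ("Sample.pptx", make_ooxml("ppt")),               # benign: name and magic agree
        ("Sample.pptx.exe", b"MZ\x90\x00" + b"\0" * 60),  # double extension, PE inside
        ("notes.txt", b"\x7fELF" + b"\0" * 60),           # ELF hiding behind a harmless name
        ("photo.png", b"\xff\xd8\xff\xe0" + b"\0" * 60),  # JPEG with a PNG extension
    ]
    for name, data in samples:
        print(analyse(name, data))
```

Note that `Sample.pptx.exe` is not reported as a mismatch: its last extension and its magic agree, and the deception lives entirely in the display name, which is why the double-extension flag is reported separately.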

PyInstaller allows converting Python code to an executable.

  • It packs the compiled modules (pyc content) into a container. The container is unpacked at runtime and the compiled Python code is executed

  • The pyc headers are omitted: only the marshalled code objects are stored. If a header matching the bundled interpreter version (magic number followed by the flags, timestamp and size fields) is prepended, the extracted file executes as a standard pyc file
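The header repair described above, carried through as an added example (not PyInstaller's or any extraction tool's own code): compile a constructed sample module, strip its header to imitate what the bundle stores, show that the headerless body no longer loads, then rebuild the header and execute it. The 16-byte layout (magic, flags, mtime, size) is the one used by Python 3.7 and later; older interpreters used a 12-byte header without the flags word, so the bytes you prepend must match the interpreter that produced the body.

```python
import importlib.util
import marshal
import struct
import time

# pyc header on Python 3.7+: magic (4 bytes) | flags (4) | source mtime (4) | source size (4).
# The magic is interpreter-specific, so a body from a bundle must be given the magic of
# the Python version that PyInstaller packed, not of whatever interpreter is at hand.
MAGIC = importlib.util.MAGIC_NUMBER
HEADER_SIZE = 16


def has_pyc_header(data: bytes) -> bool:
    return data[:4] == MAGIC


def strip_pyc_header(pyc: bytes) -> bytes:
    """Simulate what the PyInstaller container stores: the marshalled code object alone."""
    if not has_pyc_header(pyc):
        raise ValueError("not a pyc for this interpreter")
    return pyc[HEADER_SIZE:]


def add_pyc_header(body: bytes, mtime: int = 0, size: int = 0) -> bytes:
    """Prepend a timestamp-based header (flags = 0) so the body loads as a normal .pyc."""
    return MAGIC + struct.pack("<III", 0, mtime, size) + body


def load_pyc(pyc: bytes):
    """Check the header the way importlib does, then unmarshal the code object."""
    if not has_pyc_header(pyc):
        raise ValueError("magic mismatch: wrong Python version, or no header at all")
    (flags,) = struct.unpack("<I", pyc[4:8])
    if flags & ~0b11:
        raise ValueError("invalid flags word")
    return marshal.loads(pyc[HEADER_SIZE:])


def compile_to_pyc(source: str, filename: str) -> bytes:
    """Build a complete .pyc image from source, as the compiler would write it."""
    code = compile(source, filename, "exec")
    return add_pyc_header(marshal.dumps(code), mtime=int(time.time()), size=len(source))


def run_headerless(body: bytes) -> dict:
    """Repair a headerless body and execute it; returns the resulting module namespace."""
    namespace = {}
    exec(load_pyc(add_pyc_header(body)), namespace)
    return namespace


if __name__ == "__main__":
    # Constructed sample module standing in for a script extracted from a bundle.
    source = "def secret(x):\n    return x * 41 + 1\nRESULT = secret(1)\n"
    extracted = strip_pyc_header(compile_to_pyc(source, "secret.py"))
    print("has header:", has_pyc_header(extracted))        # False, like the extracted file
    print("RESULT =", run_headerless(extracted)["RESULT"])   # 42 once the header is restored
```

Once the header is back, the file is also accepted by ordinary decompilers and by `python extracted.pyc`, which is the practical reason extraction tools perform exactly this step.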

Last updated 10 months ago