Malware using good crypto

mheyman at gmail.com
Tue Aug 4 13:24:22 EDT 2009


On Sat, Aug 1, 2009 at 11:52 PM, Udhay Shankar N <udhay at pobox.com> wrote:
> Interesting article. Anyone here have experience trying to
> reverse-engineer malware that uses really good crypto?
>
I haven't done this personally but I have worked with people who do.
Typically, the type of encryption isn't that important when you are
trying to de-obfuscate a binary, the obfuscation routines get treated
as a black box anyway. That is, you let the code do its own
de-obfuscation. This gets tricky because the fancier code knows when
you are looking at it or blocks you from looking at it (it looks to
see if a debug process is attached, or if it is running in a VM, or,
sometimes, it debugs itself so nobody else can).

Knowing the cryptographic algorithm can be useful. There is even a
plugin available for IDAPro that will look for tell-tale constants for
you and point out known cryptographic algorithms. Knowing the
cryptographic algorithm is more important after the de-obfuscated code
gets revealed because recognizing a cryptographic algorithm shortens
the reverse-engineering phase - describing a chunk of code as AES is a
lot easier and clearer than saying something like, "there are these
constant tables with these values and they are used on two buffers
passed in with xors and shifts to return a single buffer with a
different value but the logic is so convoluted I cannot really tell
you how the resulting buffer is related to the initial buffers." ;-)

-Michael Heyman
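As an added illustration of the "tell-tale constants" approach Michael mentions (this is not the IDA plugin from the thread, nor code from any poster), here is a small Python scanner that looks for well-known tables (the AES S-box rows, the SHA-256 initial hash values, MD5/SHA-1 constants) in a byte blob such as a dumped, de-obfuscated section. The constants are the published values from FIPS 197, FIPS 180-4 and RFC 1321; the sample blob is constructed inline and is not from any real sample. Two checks are shown: a contiguous-table match (tried in both endiannesses) and a scattered match for the case where the compiler has inlined the constants as instruction immediates instead of keeping a table.

```python
"""Flag known cryptographic constants in a byte blob (e.g. a dumped, de-obfuscated section).

Added example, not the IDA plugin from the thread. Constants are the published
values from FIPS 197 (AES), FIPS 180-4 (SHA-1/SHA-256) and RFC 1321 (MD5).
"""
import struct

# Contiguous byte tables: the first row of the AES S-box and inverse S-box.
BYTE_SIGNATURES = {
    "AES forward S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "AES inverse S-box": bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),
}

# 32-bit word tables. Endianness in the binary follows the target, so both are tried.
WORD_SIGNATURES = {
    "SHA-256 initial hash values": [
        0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
        0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19,
    ],
    "SHA-256 round constants K[0..3]": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    # MD5 and SHA-1 share these four IV words; alone they cannot tell the two apart,
    # so the round-constant sets below are what actually disambiguate them.
    "MD5/SHA-1 initial hash values (ambiguous)": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "MD5 T table T[1..4]": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "SHA-1 round constants": [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6],
}


def _find_all(blob: bytes, pattern: bytes) -> list:
    """All offsets at which pattern occurs in blob (overlaps allowed)."""
    hits, start = [], 0
    while (i := blob.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan_tables(blob: bytes) -> dict:
    """Find constant tables stored contiguously: {name: [(offset, endianness), ...]}."""
    found = {}
    for name, pat in BYTE_SIGNATURES.items():
        for off in _find_all(blob, pat):
            found.setdefault(name, []).append((off, "n/a"))
    for name, words in WORD_SIGNATURES.items():
        for endian, fmt in (("little", "<"), ("big", ">")):
            pat = struct.pack(f"{fmt}{len(words)}I", *words)
            for off in _find_all(blob, pat):
                found.setdefault(name, []).append((off, endian))
    return found


def scan_scattered(blob: bytes, min_fraction: float = 0.5) -> dict:
    """Compilers often inline round constants as instruction immediates instead of
    keeping a table, so a contiguous search misses them. Count how many words of
    each set occur anywhere as little-endian immediates (x86): {name: (hits, total)}."""
    report = {}
    for name, words in WORD_SIGNATURES.items():
        hits = sum(1 for w in words if blob.find(struct.pack("<I", w)) >= 0)
        if hits / len(words) >= min_fraction:
            report[name] = (hits, len(words))
    return report


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dumped code section (not taken from any real sample)."""
    blob = b"\xcc" * 64                                       # int3 padding
    blob += BYTE_SIGNATURES["AES forward S-box"]              # table at offset 64
    blob += b"\xcc" * 32
    blob += struct.pack("<8I", *WORD_SIGNATURES["SHA-256 initial hash values"])  # at 112
    blob += b"\xcc" * 16
    for w in WORD_SIGNATURES["MD5 T table T[1..4]"]:         # as `mov eax, imm32; nop`
        blob += b"\xb8" + struct.pack("<I", w) + b"\x90"
    return blob + b"\xcc" * 16


if __name__ == "__main__":
    sample = build_sample_blob()
    for name, hits in scan_tables(sample).items():
        for off, endian in hits:
            print(f"table   {name:45s} @ 0x{off:04x} ({endian})")
    for name, (hits, total) in scan_scattered(sample).items():
        print(f"scatter {name:45s} {hits}/{total} words seen")
```

On the constructed blob the contiguous scan reports the AES S-box at offset 64 and the little-endian SHA-256 IV at 112, but not the MD5 T values, which only the scattered scan picks up because they sit behind `mov` opcodes. Two caveats a practitioner would keep in mind: a match tells you a routine *uses* a known primitive, not which one of several candidates (the MD5/SHA-1 IV is the classic ambiguity), and a scan only sees constants that are present in the bytes you hand it, so it is run after the sample has de-obfuscated itself, not on the packed file.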
