
Blue Kaizen Center of IT Security
Cairo Security Camp 2010

Pokas Emulator for Generic Unpacking

Subject: This document presents the problem, the solution concept, previous solutions, the Pokas x86 Emulator, its reliability, getting the emulator, the emulator's design, the usage steps, debugger conditions, debugger examples and the TODO list.

Author: Amr Thabet
Version: 1.0
Date: July 2010
Nb pages: 17

Pokas x86 Emulator for Generic Unpacking
By Amr Thabet, [email protected]

The Problem:

- Many packed worms: no time to reverse and step through the packer's code
- Many polymorphic viruses change their decryptor code and algorithm with every generation
- We need to write a detection algorithm for such viruses

The Solution Concept:

- We need an automatic unpacker
- Static unpacker: very sensitive to any change in the packer
- No time to keep up to date with every release of every packer
- Dynamic unpacker: not sensitive to minor changes, and it can unpack new packers
- We need a program that runs the packed application until it is unpacked and stops at the real OEP
- So we need a debugger

Why not a Debugger?

- Easily detected
- Dangerous: the packed sample really executes on the host machine
- Cannot monitor memory writes
- Allows breakpoints only on specific places in memory

Previous Solutions:

- OllyBone: dangerous if the sample is not a packer, and it can be fooled
  - Not scriptable, only semi-automatic
  - Easily detected
- IDA-x86emu: does not monitor memory writes and has no conditional breakpoints
- Pandora's: hard to install, hard to customize
  - Very slow: 200 seconds for notepad.exe packed with PECompact 2 on a 3.14 GHz PC with 2.00 GB RAM

Pokas x86 Emulator

- It is a dynamic link library
- Easily customized
- Monitors all memory writes, logs up to 10 previous EIPs, and saves the last accessed and the last modified place in memory
- Includes a very powerful debugger with a parser that parses the condition you give and generates very fast code that performs the check on that condition
- Supports dumping the PE file with correct file alignment
- Supports adding new
- Has an assembler and a converter to and from mnemonics for debugging
- Supports SEH, and supports the TIB, TEB, PEB and PEB_LDR_DATA structures
- Supports 6 APIs: GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect
- It is FREE and open source

Reliability:

- It successfully unpacks:
  1. UPX
  2. FSG
  3. MEW
  4. PECompact
  5. ASPack
  6. Morphine
- It surely still contains bugs

Getting the Emulator

- Download it from www.sourceforge.net/projects/x86emu/
- Files in x86emu-bin.zip:
  - x86emu.dll: the emulator itself, ~580 KB
  - x86emu.h: the header file (should be included in any project that uses the emulator)
  - pe.h, tib.h: included by x86emu.h and should sit beside it

Pokas x86 Emulator Design

Usage Steps

1. Initialize your emulated OS and CPU
2. Manage the DLLs and APIs
3. Emulate the undefined APIs
4. Add the stop condition
5. Emulate your process
6. Handle the unhandled exceptions
7. Wait for your breakpoints to be triggered
8. Dump your process to a file

Debugger Conditions:

- Similar to C conditions
- Not case-sensitive
- Does not decrease the performance
- Up to 10 supported functions inside the debugger
- Allows adding new functions with different types of variables, including strings
- You can add up to 100 breakpoints

Debugger Examples

- Int3 breakpoint or hardware breakpoint on execution: "eip==0x00401000"
- Memory breakpoint on access or on write: "__lastaccessed()==0x00401000", "__lastmodified()==0x00401000"
- Execution of modified data: "__isdirty(eip)"
- In the .text section only: "__isdirty(eip) && eip>=0x401000 && eip<=0x405000"
- Anti-unpacker trick (the packer writes a "ret" at the real OEP and calls it before the real code is in place, so a plain "__isdirty(eip)" stops on that ret instead of the OEP): "__isdirty(eip) && (__read(eip) & 0xff) != 0xC3"
- API hooking: "__isapi()", "__isapiequal('GetProcAddress')" (the API name is not case-sensitive)

Example: UPX

How easy this emulator is:

    #include <cstdlib>
    #include <cstring>
    #include "x86emu.h"   // pulls in pe.h and tib.h, which must sit beside it

    int main() {
        // Emulated OS environment: tells the emulator where to find the DLLs it loads
        EnviromentVariables* vars = (EnviromentVariables*)malloc(sizeof(EnviromentVariables));
        memset(vars, 0, sizeof(EnviromentVariables));
        vars->dllspath = "C:\\Windows\\System32\\";

        System* sys = new System(vars);
        Process* c = new Process(sys, "upx.exe");

        // Stop the first time EIP lands on memory the sample itself wrote: the OEP
        c->debugger->AddBp("__isdirty(eip)");
        int x = c->emulate();
        if (x == EXP_BREAKPOINT) {
            // Dump the process image, passing the current EIP (the OEP) to the dumper
            PEDump(c->GetThread(0)->Eip, c, "test.exe");
        }
        return 0;
    }

Only 10 lines, and very simple.

Example: PECompact 1.33

- Multi-layer unpacker
- If we know the number of layers, we can clear the dirty flag after each layer and continue
- If not, we can add this breakpoint: "__isdirty(eip) && eip<=0x406000" (0x406000 bounds the .text section, so hits inside the packer's own code in later sections are ignored)
- notepad.exe takes less than 30 seconds on a PC with an Intel Core 2 Duo 2.10 GHz and 2.00 GB RAM

TODO
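As an added illustration of the condition mechanism described above, here is a small recursive-descent evaluator for the same C-like, case-insensitive syntax, written for this page and not taken from the Pokas x86 Emulator source. It interprets each condition on every check, whereas the emulator's parser generates code for it. The EmuState, CondEval, breakpointHit, Step, sampleTrace and runTrace names, the stub addresses 0x405000 and 0x405008, and the four-step trace are all constructed here. The trace replays the situations in the two examples: a packer that plants a ret at the real OEP and calls it before restoring the real code, so that "__isdirty(eip)" stops one step too early while the 0xC3 check does not, and the PECompact-style approach of clearing the dirty flag and continuing.

```cpp
#include <cctype>
#include <cstdint>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the emulator's process/thread state (not the Pokas API):
// sparse emulated memory plus the bookkeeping the debugger functions read.
struct EmuState {
    uint32_t eip = 0, lastAccessed = 0, lastModified = 0;
    std::map<uint32_t, uint8_t> mem;    // emulated memory, byte-addressed; unmapped bytes read as zero
    std::set<uint32_t> dirty;           // addresses written since the dirty flag was last cleared
    bool inApi = false; std::string apiName;   // set while EIP sits on an emulated API stub
    void write8(uint32_t a, uint8_t v) { mem[a] = v; dirty.insert(a); lastAccessed = lastModified = a; }
    uint8_t read8(uint32_t a) const { auto it = mem.find(a); return it == mem.end() ? 0 : it->second; }
    uint32_t read32(uint32_t a) const { uint32_t v = 0; for (int i = 3; i >= 0; --i) v = (v << 8) | read8(a + i); return v; }
};

// Recursive-descent evaluator for the C-like, case-insensitive condition syntax. Precedence follows C:
// || < && < & < (== !=) < (< <= > >=) < primary. It interprets on every check instead of generating code.
class CondEval {
public:
    CondEval(const std::string& cond, const EmuState& s) : src(cond), st(s) {}
    uint32_t eval() { uint32_t v = orExpr(); ws(); if (p != src.size()) throw err("trailing input"); return v; }
private:
    std::string src; size_t p = 0; const EmuState& st;
    std::runtime_error err(const char* m) const { return std::runtime_error(std::string(m) + " at offset " + std::to_string(p)); }
    void ws() { while (p < src.size() && std::isspace((unsigned char)src[p])) ++p; }
    bool peek(const std::string& t) { ws(); return src.compare(p, t.size(), t) == 0; }
    bool eat(const std::string& t) { if (!peek(t)) return false; p += t.size(); return true; }
    static std::string lower(std::string x) { for (auto& c : x) c = (char)std::tolower((unsigned char)c); return x; }
    std::string ident() { ws(); size_t b = p; while (p < src.size() && (std::isalnum((unsigned char)src[p]) || src[p] == '_')) ++p; return lower(src.substr(b, p - b)); }
    std::string strLit() {   // 'name', as used by __isapiequal
        if (!eat("'")) throw err("expected string"); size_t b = p; while (p < src.size() && src[p] != '\'') ++p;
        if (p == src.size()) throw err("unterminated string");
        return src.substr(b, p++ - b);
    }
    uint32_t orExpr()  { uint32_t v = andExpr();  while (eat("||")) { uint32_t r = andExpr(); v = (v || r); } return v; }
    uint32_t andExpr() { uint32_t v = bitAnd();   while (eat("&&")) { uint32_t r = bitAnd();  v = (v && r); } return v; }
    uint32_t bitAnd()  { uint32_t v = equality(); while (peek("&") && !peek("&&")) { ++p; v &= equality(); } return v; }
    uint32_t equality() {
        uint32_t v = relational();
        for (;;) { if (eat("==")) v = (v == relational()); else if (eat("!=")) v = (v != relational()); else return v; }
    }
    uint32_t relational() {   // two-character operators are tried first so "<=" is not read as "<"
        uint32_t v = primary();
        for (;;) { if (eat("<=")) v = (v <= primary()); else if (eat(">=")) v = (v >= primary());
                   else if (eat("<")) v = (v < primary()); else if (eat(">")) v = (v > primary()); else return v; }
    }
    uint32_t primary() {
        if (eat("(")) { uint32_t v = orExpr(); if (!eat(")")) throw err("expected ')'"); return v; }
        ws();
        if (p < src.size() && std::isdigit((unsigned char)src[p])) {   // decimal or 0x-prefixed hex literal
            size_t n = 0; uint32_t v = (uint32_t)std::stoul(src.substr(p), &n, 0); p += n; return v; }
        std::string id = ident();
        if (id == "eip") return st.eip;
        if (id.rfind("__", 0) == 0) return call(id);
        throw err("unexpected token");
    }
    uint32_t call(const std::string& fn) {   // the debugger's built-in functions
        if (!eat("(")) throw err("expected '('");
        uint32_t r = 0;
        if (fn == "__isdirty")           r = st.dirty.count(orExpr()) ? 1 : 0;
        else if (fn == "__read")         r = st.read32(orExpr());
        else if (fn == "__lastaccessed") r = st.lastAccessed;
        else if (fn == "__lastmodified") r = st.lastModified;
        else if (fn == "__isapi")        r = st.inApi ? 1 : 0;
        else if (fn == "__isapiequal")   { std::string want = lower(strLit()); r = (st.inApi && lower(st.apiName) == want) ? 1 : 0; }
        else throw err("unknown function");
        if (!eat(")")) throw err("expected ')'");
        return r;
    }
};

bool breakpointHit(const std::string& cond, const EmuState& st) { return CondEval(cond, st).eval() != 0; }

// One emulated instruction: the EIP it executes at and the memory writes it performs.
struct Step { uint32_t eip; std::vector<std::pair<uint32_t, uint8_t>> writes; };

// Constructed trace (not a real packer): stub code at 0x405000 plants a ret (0xC3) at the
// real OEP 0x401000 and calls it, then writes the real prologue there and jumps to it.
std::vector<Step> sampleTrace() {
    return {
        {0x405000, {{0x401000, 0xC3}}},                                     // mov byte [0x401000], 0xC3
        {0x401000, {}},                                                     // call 0x401000: executes the planted ret
        {0x405008, {{0x401000, 0x55}, {0x401001, 0x8B}, {0x401002, 0xEC}}}, // restore "push ebp; mov ebp, esp"
        {0x401000, {}},                                                     // jmp 0x401000: the real OEP
    };
}

// Runs the trace from step 'start', evaluating the condition before each instruction executes.
// Returns the index of the step that triggered the breakpoint, or -1 if none did.
int runTrace(const std::string& cond, EmuState& st, const std::vector<Step>& trace, size_t start = 0) {
    for (size_t i = start; i < trace.size(); ++i) {
        st.eip = trace[i].eip;
        if (breakpointHit(cond, st)) return (int)i;
        for (const auto& w : trace[i].writes) st.write8(w.first, w.second);
    }
    return -1;
}
```

runTrace returns the index of the step that triggered the breakpoint: with "__isdirty(eip)" it stops at step 1 (the planted ret), with the 0xC3 guard at step 3 (the real OEP). Clearing st.dirty and calling runTrace again from step 1 with the plain "__isdirty(eip)" condition also reaches step 3, which is the clear-the-dirty-flag-and-continue approach from the PECompact example.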

- Support reconstructing the import table
- Fix the bugs
- Create a Linux version
- Add the cmovcc, setcc and bts instructions
- Support multithreading
- Support the ELF file format
- Add new debugger functions
- Allow saving the state

The End

By Amr Hassan Thabet, [email protected]

Any questions?