From baee00e448528ae3e19f375ef19fc8cff412156a Mon Sep 17 00:00:00 2001 From: Amanda Rousseau Date: Fri, 17 Nov 2017 14:49:56 -0800 Subject: [PATCH] updating image paths --- RE101/dynamic.md | 34 +++++----- RE101/dynamic2.md | 2 +- RE101/fundamentals.md | 6 +- RE101/fundamentals2.md | 12 ++-- RE101/fundamentals3.md | 12 ++-- RE101/idacheatsheet.html | 136 +++++++++++++++++++-------------------- RE101/intro.md | 4 +- RE101/malware.md | 2 +- RE101/malware2.md | 8 +-- RE101/retools.md | 10 +-- RE101/static.md | 28 ++++---- RE101/triage.md | 14 ++-- RE101/x86.html | 2 +- 13 files changed, 135 insertions(+), 135 deletions(-) diff --git a/RE101/dynamic.md b/RE101/dynamic.md index 915b926..10c9581 100644 --- a/RE101/dynamic.md +++ b/RE101/dynamic.md @@ -7,7 +7,7 @@ title: Dynamic Analysis # Section 6: Dynamic Analysis # -![alt text](https://securedorg.github.io/images/hackerman.gif "hackerman") +![alt text](https://securedorg.github.io/RE101/images/hackerman.gif "hackerman") ## LAB 3 Dynamic analysis is a deeper analysis of the program to understand hidden functionality not understood statically. The static analysis will serve as a guide for stepping through the program in a debugger. @@ -22,7 +22,7 @@ Typically programs start at **004010000** but your debugger might start the prog Edit->Segements->Rebase Program. -![alt text](https://securedorg.github.io/images/dyn2.png "Victim and Sniffer") +![alt text](https://securedorg.github.io/RE101/images/dyn2.png "Victim and Sniffer") --- 
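Review bot: the context line in the `@@ -22,7` hunk of dynamic.md reads "Typically programs start at **004010000**", which is nine hex digits; a 32-bit image base is eight (00401000), and the very next hunk's own rebase example uses eight-digit addresses (01901000 / 01901530), so a reader trying to match the two will be confused. Since this hunk is being touched anyway, correct the address and the "Edit->Segements->Rebase Program" spelling in the same line.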
@@ -32,30 +32,30 @@ You will need to sync the debugger and disassembler addresses so you can follow * In IDA, open the functions tab and look for function xxxx1530. Where xxxx should match your rebase address ( If rebase is **0190**1000, then **0190**1530 ). * In x64dbg, CTRL+G to jump to a specific address xxxx1530. -![alt text](https://securedorg.github.io/images/dyn3.png "IDAmain") -![alt text](https://securedorg.github.io/images/dyn4.png "x64dbg Jump") +![alt text](https://securedorg.github.io/RE101/images/dyn3.png "IDAmain") +![alt text](https://securedorg.github.io/RE101/images/dyn4.png "x64dbg Jump") --- ### XOR Decode Function -Remember use the F2(breakpoint), F7(Step Into), F8(Step Over), F9(Run) keys to navigate through the debugger. If you accidentally run past the end the of the program you can always restart by clicking ![alt text](https://securedorg.github.io/images/restart.png "restart"). +Remember use the F2(breakpoint), F7(Step Into), F8(Step Over), F9(Run) keys to navigate through the debugger. If you accidentally run past the end the of the program you can always restart by clicking ![alt text](https://securedorg.github.io/RE101/images/restart.png "restart"). -![alt text](https://securedorg.github.io/images/dyn6.png "xordecode") +![alt text](https://securedorg.github.io/RE101/images/dyn6.png "xordecode") In **IDA**, get the offset of the XorDecode function you saved prior. -![alt text](https://securedorg.github.io/images/dyn8.png "xordecode") +![alt text](https://securedorg.github.io/RE101/images/dyn8.png "xordecode") In **x64bdg** find that same offset and add a comment that it is the Xor Decode function. Set a breakpoint using **F2** on that function. Then run the program until the breakpoint using **F9**. Step into that function using **F7**. 
*Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn5.gif "xordecode")](https://securedorg.github.io/images/dyn5.gif) +[![alt text](https://securedorg.github.io/RE101/images/dyn5.gif "xordecode")](https://securedorg.github.io/RE101/images/dyn5.gif) Navigate down to the loop that does the Xor Encoding. Place a breakpoint on the same instructions shown below. Right click on the EBX register and select Follow in Dump. This location is where the decoded string will be stored. After you set your break points, press **F9** to get to the start of the loop, then step through the loops until you see the decoded string in the dump. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn9.png "xordecode")](https://securedorg.github.io/images/dyn9.png) +[![alt text](https://securedorg.github.io/RE101/images/dyn9.png "xordecode")](https://securedorg.github.io/RE101/images/dyn9.png) --- 
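Review bot: the `@@ -32,30` hunk of dynamic.md keeps "In **x64bdg** find that same offset" and "run past the end the of the program" in its context lines; both are one-word typos ("x64dbg", "end of the program") in a section that is otherwise being rewritten line by line, so fix them here rather than in a follow-up.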
@@ -64,12 +64,12 @@ Navigate down to the loop that does the Xor Encoding. Place a breakpoint on the We want to manipulate the control flow instructions so that we can get to the network connection API call. We know that the program will first **copy** and then **delete** itself after it checks if the file doesn't exists using GetFileAttributes API. Continue to step to the **jne** (jump if not equal) instruction. By double clicking the **ZF flag** we can manipulate the result 1 to 0. This means it will make the jump past the Copfile API. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn10.gif "ZF Flag")](https://securedorg.github.io/images/dyn10.gif) +[![alt text](https://securedorg.github.io/RE101/images/dyn10.gif "ZF Flag")](https://securedorg.github.io/RE101/images/dyn10.gif) Once you get past the delete API, there is that weird string you saw during static analysis. Step over (**F8**) the XorDecode function and notice the EAX register. It is the URL that was in the internet traffic from the triage analysis. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn11.png "Nav to Internet")](https://securedorg.github.io/images/dyn11.png) +[![alt text](https://securedorg.github.io/RE101/images/dyn11.png "Nav to Internet")](https://securedorg.github.io/RE101/images/dyn11.png) --- 
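Review bot: the context line in this hunk says the jump goes "past the Copfile API" and that the program "checks if the file doesn't exists using GetFileAttributes"; the API is CopyFile, and the check reads more clearly as "checks whether the file exists". Worth fixing while the surrounding image line is being rewritten.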
@@ -78,7 +78,7 @@ Once you get past the delete API, there is that weird string you saw during stat The VM was not connected to the internet but instead InetSim. What will happen when you manipulate the control flow to get past the internet connection failure? Go ahead and step past the internet connection and manipulate the control flow flag ZF to do so. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn12.gif "Nav past Internet")](https://securedorg.github.io/images/dyn12.gif) +[![alt text](https://securedorg.github.io/RE101/images/dyn12.gif "Nav past Internet")](https://securedorg.github.io/RE101/images/dyn12.gif) It must have been a very funny joke. **l** **m** **a** **o** @@ -89,7 +89,7 @@ It must have been a very funny joke. **l** **m** **a** **o** It seems that the malware was waiting for the word **lmao** to display a message. Navigate to the Messagebox api. Set a breakpoint on and after the function call, this will ensure that it will prevent you from skipping any hidden functionality. Go ahead and press **F9** to run the MessageBox function. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn13.gif "Yo this is Dope")](https://securedorg.github.io/images/dyn13.gif) +[![alt text](https://securedorg.github.io/RE101/images/dyn13.gif "Yo this is Dope")](https://securedorg.github.io/RE101/images/dyn13.gif) --- 
@@ -98,7 +98,7 @@ It seems that the malware was waiting for the word **lmao** to display a message The CFF explorer from the triage analysis revealed that there was a resource called **BIN**. Step through the program to get the location of the loaded resource after **LockResource**. Remember function return the output in register **EAX**. Notice `mov edi,eax` is where the output is stored in **EDI**. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn14.png "ResourceLoad")](https://securedorg.github.io/images/dyn14.png) +[![alt text](https://securedorg.github.io/RE101/images/dyn14.png "ResourceLoad")](https://securedorg.github.io/RE101/images/dyn14.png) --- @@ -119,12 +119,12 @@ BOOL WINAPI CryptStringToBinary( ``` *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn15.png "CryptString")](https://securedorg.github.io/images/dyn15.png) +[![alt text](https://securedorg.github.io/RE101/images/dyn15.png "CryptString")](https://securedorg.github.io/RE101/images/dyn15.png) We know that Arg 1 is register **EDI** which is the resource we just loaded into memory and Arg 3 is 1. The CryptStringToBinary dwflag `0x00000001` means `CRYPT_STRING_BASE64`. Dump the address of EDI into one of the dump windows. This data definitely looks like base64 encoded strings. Step over these functions until past the second CryptStringToBinary call. The result will be placed in register **ESI**. Dump the address in the ESI register. Notice anything weird about the first 3 characters? *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn16.png "Post CryptString")](https://securedorg.github.io/images/dyn16.png) +[![alt text](https://securedorg.github.io/RE101/images/dyn16.png "Post CryptString")](https://securedorg.github.io/RE101/images/dyn16.png) --- 
@@ -133,7 +133,7 @@ We know that Arg 1 is register **EDI** which is the resource we just loaded into Step over the create and write file functions to save the decrypted resource to the file system. Note that this file is saved as **icon.gif**. Next step until the start of the arguments for the ShellExecute call. It looks as if it's using the environment to open the newly created file. The program will finally be done. Open the image and record what you see. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/dyn17.gif "ShellExecute")](https://securedorg.github.io/images/dyn17.gif) +[![alt text](https://securedorg.github.io/RE101/images/dyn17.gif "ShellExecute")](https://securedorg.github.io/RE101/images/dyn17.gif) --- diff --git a/RE101/dynamic2.md b/RE101/dynamic2.md index 4cf93a5..100002f 100644 --- a/RE101/dynamic2.md +++ b/RE101/dynamic2.md @@ -10,7 +10,7 @@ title: Dynamic Analysis Congrats, you made it through the workshop. All of your notes and debugging should have gotten you to come up with a similar control flow like the diagram and report below. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/Diagram.png "diagram")](https://securedorg.github.io/images/Diagram.png) +[![alt text](https://securedorg.github.io/RE101/images/Diagram.png "diagram")](https://securedorg.github.io/RE101/images/Diagram.png) ## Simple Report diff --git a/RE101/fundamentals.md b/RE101/fundamentals.md index 3e6f92f..5abcaf6 100644 --- a/RE101/fundamentals.md +++ b/RE101/fundamentals.md 
@@ -17,7 +17,7 @@ For windows and osx, follow the instructions in the install binary. | Windows | Mac OSX | Linux | | --- | --- | --- | -| [![alt text](https://securedorg.github.io/images/VBwin.png "Windows Virualbox")](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-Win.exe) | [![alt text](https://securedorg.github.io/images/VBmac.png "OSX Virtualbox")](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-OSX.dmg) | [![alt text](https://securedorg.github.io/images/Vblinux.png "Linux Virtualbox")](https://www.virtualbox.org/wiki/Linux_Downloads) | +| [![alt text](https://securedorg.github.io/RE101/images/VBwin.png "Windows Virualbox")](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-Win.exe) | [![alt text](https://securedorg.github.io/RE101/images/VBmac.png "OSX Virtualbox")](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-OSX.dmg) | [![alt text](https://securedorg.github.io/RE101/images/Vblinux.png "Linux Virtualbox")](https://www.virtualbox.org/wiki/Linux_Downloads) | ### Download Victim and Sniffer VMs ### 
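Review bot: the rewritten `+` line in fundamentals.md still links the Windows and OSX VirtualBox installers over plain `http://download.virtualbox.org/...`; since the line is being replaced anyway, change those two links to `https://` (the host serves the same paths over TLS) and consider listing the vendor's published SHA256 for 5.1.14 next to them, so the reader is not installing an unauthenticated hypervisor fetched over an unencrypted connection. The same line also carries the title typo "Windows Virualbox".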
@@ -70,11 +70,11 @@ Please use the utility [7zip](http://www.7-zip.org/download.html). Unzip the fil * Open terminal and run: `ps -ef | grep inetsim` * If no output, run: `/etc/init.d/inetsim start` * Run the ps command again to confirm it's running. - * Expected output: ![alt text](https://securedorg.github.io/images/VerifyInetsim.png "ps output") + * Expected output: ![alt text](https://securedorg.github.io/RE101/images/VerifyInetsim.png "ps output") 7. Victim VM: test connection to Sniffer VM * In the search bar, type `cmd.exe` to open terminal * Run command: `ping 192.168.0.1` - * Expected output: ![alt text](https://securedorg.github.io/images/PingGateway.png "Ping Output") + * Expected output: ![alt text](https://securedorg.github.io/RE101/images/PingGateway.png "Ping Output") 8. Sniffer VM: Devices->Shared Folders->Shared Folders Settings * On your Host, create a folder called `sniffershare` * In virtual box select Add New Shared Folder icon and navigate to the folder you just created (sniffershare) diff --git a/RE101/fundamentals2.md b/RE101/fundamentals2.md index e5119a1..32e0257 100644 --- a/RE101/fundamentals2.md +++ b/RE101/fundamentals2.md @@ -11,7 +11,7 @@ title: Fundamentals Typical windows programs are in the Portable Executable (PE) Format. It’s portable because it contains information, resources, and references to dynamic-linked libraries (DLL) that allows windows to load and execute the machine code. -![alt text](https://securedorg.github.io/images/Cprogram.gif "C Program") +![alt text](https://securedorg.github.io/RE101/images/Cprogram.gif "C Program") --- 
@@ -28,7 +28,7 @@ In this workshop we will be focusing on user-mode applications. [1]: https://msdn.microsoft.com/en-us/windows/hardware/drivers/gettingstarted/user-mode-and-kernel-mode?f=255&MSPPError=-2147217396 This diagram shows the relationship of application components for user-mode and kernel-mode. -![alt text](https://securedorg.github.io/images/WindowsArch.png "Windows Architecture") +![alt text](https://securedorg.github.io/RE101/images/WindowsArch.png "Windows Architecture") --- @@ -43,12 +43,12 @@ The executable code has designated regions that require a different memory prote This diagram shows how this header is broken up. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/PE32.png "PE 32 Header")](https://securedorg.github.io/images/PE32.png) +[![alt text](https://securedorg.github.io/RE101/images/PE32.png "PE 32 Header")](https://securedorg.github.io/RE101/images/PE32.png) Here is a hexcode dump of a PE header we will be working with. *Click to Enlarge* -[![alt text](https://securedorg.github.io/images/PEHeader.gif "PE 32 Header Animated")](https://securedorg.github.io/images/PEHeader.gif) +[![alt text](https://securedorg.github.io/RE101/images/PEHeader.gif "PE 32 Header Animated")](https://securedorg.github.io/RE101/images/PEHeader.gif) --- @@ -67,7 +67,7 @@ Here is a hexcode dump of a PE header we will be working with. [5]: https://en.wikipedia.org/wiki/Process_Environment_Block This diagram illustrates how the PE is placed into memory. -![alt text](https://securedorg.github.io/images/Memory.png "PE Memory Layout") +![alt text](https://securedorg.github.io/RE101/images/Memory.png "PE Memory Layout") --- 
@@ -77,6 +77,6 @@ This diagram illustrates how the PE is placed into memory. - **EBP** - Base Pointer is the register that used to store the references in the stack frame This diagram represents a typical stack frame. -![alt text](https://securedorg.github.io/images/TheStackFrame.png "Stack Frame") +![alt text](https://securedorg.github.io/RE101/images/TheStackFrame.png "Stack Frame") [Environment Setup <- Back](https://securedorg.github.io/RE101/section1) | [Next -> x86 Assembly](https://securedorg.github.io/RE101/section1.3) diff --git a/RE101/fundamentals3.md b/RE101/fundamentals3.md index ddd12ca..12afb8f 100644 --- a/RE101/fundamentals3.md +++ b/RE101/fundamentals3.md @@ -47,16 +47,16 @@ Example below is moving value at 0xaaaaaaaa into ecx. | --- | --- | | `mov ecx,[0xaaaaaaaa];` | `8B 0D AA AA AA AA` | -Use the search page below or open the [Search Instructions](https://securedorg.github.io/x86.html) page to search for functions discussed above +Use the search page below or open the [Search Instructions](https://securedorg.github.io/RE101/x86.html) page to search for functions discussed above - + --- ## Registers ### The image below is what registers will look like in a debugger. -![alt text](https://securedorg.github.io/images/Registers.png "Registers") +![alt text](https://securedorg.github.io/RE101/images/Registers.png "Registers") #### General-Purpose Registers [[1]][1] 
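Review bot: in the fundamentals3.md hunk the line directly after the Search Instructions link survives only as an empty `-` / `+` pair, so the embedded element the text refers to ("Use the search page below") cannot be reviewed here; confirm its source was moved to `/RE101/x86.html` together with the link, otherwise the inline search box will 404 while the link works.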
@@ -114,19 +114,19 @@ The **EIP** register contains the address of the next instruction to be executed ## Hello World ## *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/helloworld.gif "Hello World")](https://securedorg.github.io/images/helloworld.gif) +[![alt text](https://securedorg.github.io/RE101/images/helloworld.gif "Hello World")](https://securedorg.github.io/RE101/images/helloworld.gif) ## Calling a Function ## ### Arguments on the Stack ### *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/FunctionCall.gif "Function Arguments")](https://securedorg.github.io/images/FunctionCall.gif) +[![alt text](https://securedorg.github.io/RE101/images/FunctionCall.gif "Function Arguments")](https://securedorg.github.io/RE101/images/FunctionCall.gif) ### Local Variables on the Stack ### *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/FunctionCall2.gif "Function Locals")](https://securedorg.github.io/images/FunctionCall2.gif) +[![alt text](https://securedorg.github.io/RE101/images/FunctionCall2.gif "Function Locals")](https://securedorg.github.io/RE101/images/FunctionCall2.gif) [1]: https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture diff --git a/RE101/idacheatsheet.html b/RE101/idacheatsheet.html index eea3900..dfad7c3 100644 --- a/RE101/idacheatsheet.html +++ b/RE101/idacheatsheet.html @@ -14,86 +14,86 @@ - + - + - - - - - - + + + + + + - - + +

Navigation

Jump to operandEnter
Jump in new windowAlt+Enter
Jump in new windowAlt+Enter
Jump to previous positionEsc
Jump to Next positionCtrl+Enter
Jump to Next positionCtrl+Enter
Jump to addressG
Jump by nameCtrl+L
Jump to functionCtrl+P
Jump to segmentCtrl+S
Jump to segment registerCtrl+G
Jump to problemCtrl+Q
Jump to cross referenceCtrl+X
Jump by nameCtrl+L
Jump to functionCtrl+P
Jump to segmentCtrl+S
Jump to segment registerCtrl+G
Jump to problemCtrl+Q
Jump to cross referenceCtrl+X
Jump to xref to operand X
Jump to entry pointCtrl+E
Mark PositionAlt+M
Jump to entry pointCtrl+E
Mark PositionAlt+M
- - - - - - - - - - - + + + + + + + + + + +

Search

Next codeAlt+C
Next dataCtrl+D
Next exploredCtrl+A
Next unexploredCtrl+U
Immediate valueAlt+I
Next immediate valueCtrl+I
TextAlt+T
Next textCtrl+T
Sequence of bytesAlt+B
Next sequence of bytesCtrl+B
Not functionAlt+U
Next codeAlt+C
Next dataCtrl+D
Next exploredCtrl+A
Next unexploredCtrl+U
Immediate valueAlt+I
Next immediate valueCtrl+I
TextAlt+T
Next textCtrl+T
Sequence of bytesAlt+B
Next sequence of bytesCtrl+B
Not functionAlt+U
- +

Graphing

Flow chartF12
Function callsCtrl+F12
Function callsCtrl+F12
- + - - + +

Comments

Enter commentShift+;
Enter commentShift+;
Enter repeatable comment;
Enter anterior linesIns
Enter posterior linesShift+Ins
Insert predefined commentShift+F1
Enter posterior linesShift+Ins
Insert predefined commentShift+F1
- - + +

Data Format Options

ASCII strings styleAlt+A
Setup data typesAlt+D
ASCII strings styleAlt+A
Setup data typesAlt+D
- - - - - - - - - + + + + + + + + +

Open Subviews

NamesShift+F4
FunctionsShift+F3
StringsShift+F12
SegmentsShift+F7
Segment registersShift+F8
SignaturesShift+F5
Type librariesShift+F11
StructuresShift+F9
EnumerationsShift+F10
NamesShift+F4
FunctionsShift+F3
StringsShift+F12
SegmentsShift+F7
Segment registersShift+F8
SignaturesShift+F5
Type librariesShift+F11
StructuresShift+F9
EnumerationsShift+F10
- - - + + +

File Operations

Parse C header fileCtrl+F9
Create ASM fileAlt+F10
Save databaseCtrl+W
Parse C header fileCtrl+F9
Create ASM fileAlt+F10
Save databaseCtrl+W
- + - + - +

Debugger

Star processF9
Terminate processCtrl+F2
Terminate processCtrl+F2
Step intoF7
Step overF8
Run until returnCtrl+F7
Run until returnCtrl+F7
Run to cursorF4
Breakpoints
Breakpoint listCtrl+Alt+B
Breakpoint listCtrl+Alt+B
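Review bot: every row in this idacheatsheet.html hunk is removed and re-added with identical visible text (for example "Jump in new window Alt+Enter" appears as both the old and the new line), so the change here looks like markup or whitespace only and has nothing to do with the image-path fix named in the subject; either split it into its own commit or say so in the message so reviewers know not to look for a path change. While these rows are being rewritten, fix "Star process F9" to "Start process F9" in the Debugger block.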
@@ -103,29 +103,29 @@
- +

Tracing

Stack traceCtrl+Alt+S
Stack traceCtrl+Alt+S
- - - - - - + + + + + +

Miscellaneous

CalculatorShift+/
Cycle through open viewsCtrl+Tab
Select tabAlt + [1…N]
Close current viewCtrl+F4
ExitAlt+X
IDC CommandShift+F2
CalculatorShift+/
Cycle through open viewsCtrl+Tab
Select tabAlt + [1…N]
Close current viewCtrl+F4
ExitAlt+X
IDC CommandShift+F2
- - - + + + - + @@ -136,11 +136,11 @@

Edit (Data Types – etc)

CopyCtrl+Ins
Begin selectionAlt+L
Manual instructionAlt+F2
CopyCtrl+Ins
Begin selectionAlt+L
Manual instructionAlt+F2
CodeC
DataD
Struct variableAlt+Q
Struct variableAlt+Q
ASCII stringA
ArrayNum *
UndefineU
- - - + + + - + @@ -148,32 +148,32 @@ - - - + + +

Operand Type

Offset (data segment)O
Offset (current segment)Ctrl+O
Offset by (any segment)Alt+R
Offset (user-defined)Ctrl+R
Offset (current segment)Ctrl+O
Offset by (any segment)Alt+R
Offset (user-defined)Ctrl+R
Offset (struct)T
Number (default)Shift+3
Number (default)Shift+3
HexadecimalQ
DecimalH
BinaryB
SegmentS
Enum memberM
Stack variableK
Change signShift+-
Bitwise negate Shift+`
ManualAlt+F1
Change signShift+-
Bitwise negate Shift+`
ManualAlt+F1
- - + +

Segments

Edit segmentAlt+S
Change segment register valueAlt+G
Edit segmentAlt+S
Change segment register valueAlt+G
- - - + + +

Structs

Struct varAlt+Q
Force zero offset fieldCtrl+Z
Select union memberAlt+Y
Struct varAlt+Q
Force zero offset fieldCtrl+Z
Select union memberAlt+Y
- + - - + +

Functions

Create functionP
Edit functionAlt+P
Edit functionAlt+P
Set function endE
Stack variablesCtrl+K
Change stack pointerAlt+K
Stack variablesCtrl+K
Change stack pointerAlt+K
Rename registerV
Set function typeY
diff --git a/RE101/intro.md b/RE101/intro.md index d58f7f6..8272bf2 100644 --- a/RE101/intro.md +++ b/RE101/intro.md @@ -7,7 +7,7 @@ title: Intro # Introduction # -![alt text](https://securedorg.github.io/images/cube.gif "Cube") +![alt text](https://securedorg.github.io/RE101/images/cube.gif "Cube") # Reverse Engineering # @@ -27,7 +27,7 @@ title: Intro * Constantly learn new things -![alt text](https://securedorg.github.io/images/bikeloop.gif "Bike") +![alt text](https://securedorg.github.io/RE101/images/bikeloop.gif "Bike") ## Game Plan ## diff --git a/RE101/malware.md b/RE101/malware.md index beb648f..92a0c1c 100644 --- a/RE101/malware.md +++ b/RE101/malware.md @@ -11,7 +11,7 @@ title: Malware Techniques | Perimeter Recon | Infiltrate | Internal Recon | Entrench | Exfiltrate | Purge | | ------------ |:------------:|:------------:|:------------:|:------------:|:------------:| -| ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | +| ![alt text](https://securedorg.github.io/RE101/images/rightarrow.png) | ![alt text](https://securedorg.github.io/RE101/images/rightarrow.png) | ![alt text](https://securedorg.github.io/RE101/images/rightarrow.png) | ![alt text](https://securedorg.github.io/RE101/images/rightarrow.png) | ![alt text](https://securedorg.github.io/RE101/images/rightarrow.png) | ![alt text](https://securedorg.github.io/RE101/images/rightarrow.png) | ## Malware Classes diff --git a/RE101/malware2.md b/RE101/malware2.md index 0246c00..65d190e 100644 --- a/RE101/malware2.md +++ b/RE101/malware2.md 
@@ -68,7 +68,7 @@ The malware classes may exhibit one or more of the following techniques. [Mitre * Control-Flow Flattening * String Encryption -![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation") +![alt text](https://securedorg.github.io/RE101/images/CodeObfuscation.gif "CodeObfuscation") ### Example Malware @@ -86,11 +86,11 @@ The malware classes may exhibit one or more of the following techniques. [Mitre * Once malware gains access to a system, it often looks to be there for a long time. * If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware. -![alt text](https://securedorg.github.io/images/Persistence.png "Persistence") +![alt text](https://securedorg.github.io/RE101/images/Persistence.png "Persistence") Example: Dll Search Order Hijacking -![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading") +![alt text](https://securedorg.github.io/RE101/images/DLLload.gif "Dll loading") ### Example Malware @@ -154,7 +154,7 @@ Example: Dll Search Order Hijacking Example: Mimikatz Credential theft -![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimkatz Elevating") +![alt text](https://securedorg.github.io/RE101/images/mimikatzElevate.png "Mimkatz Elevating") ### Example Malware diff --git a/RE101/retools.md b/RE101/retools.md index ceab61e..f6654ff 100644 --- a/RE101/retools.md +++ b/RE101/retools.md @@ -69,7 +69,7 @@ title: RE Tools ### Disassembler: IdaFree -![alt text](https://securedorg.github.io/images/IdaFree.gif "IdaFree Layout") +![alt text](https://securedorg.github.io/RE101/images/IdaFree.gif "IdaFree Layout") * **Visual Modes** * **Graph Mode** - control flow diagram @@ -88,7 +88,7 @@ title: RE Tools ### Debugger: x64dbg -![alt text](https://securedorg.github.io/images/x64dbg.gif "x64dbg Layout") +![alt text](https://securedorg.github.io/RE101/images/x64dbg.gif "x64dbg Layout") **Common Commands** 
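Review bot: the `+` line in the malware2.md `@@ -154,7` hunk carries the image title "Mimkatz Elevating"; since the line is being replaced, spell it "Mimikatz Elevating" to match the "Example: Mimikatz Credential theft" heading two lines above it.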
@@ -103,7 +103,7 @@ title: RE Tools ### Keyboard Layout for IdaFree and x64dbg -![alt text](https://securedorg.github.io/images/keyboarddbg.gif "Keyboard Layout") +![alt text](https://securedorg.github.io/RE101/images/keyboarddbg.gif "Keyboard Layout") --- @@ -113,7 +113,7 @@ title: RE Tools * Explores Resources * Unpacks UPX -![alt text](https://securedorg.github.io/images/CFFexplorer.gif "CFF Explorer") +![alt text](https://securedorg.github.io/RE101/images/CFFexplorer.gif "CFF Explorer") ## Information Gathering: Sysinternals Suite @@ -121,7 +121,7 @@ title: RE Tools * **ProcMon** - Monitor processes/thread, files system, network, and registry activity on the system * **ProcExp** - Monitor processes running on the system -![alt text](https://securedorg.github.io/images/procmon.png "ProcExp") +![alt text](https://securedorg.github.io/RE101/images/procmon.png "ProcExp") [Section 2.1 <- Back](https://securedorg.github.io/RE101/section2.1) | [Next -> Section 4](https://securedorg.github.io/RE101/section4) diff --git a/RE101/static.md b/RE101/static.md index 325681a..8a5477e 100644 --- a/RE101/static.md +++ b/RE101/static.md @@ -7,7 +7,7 @@ title: Static Analysis # Section 5: Static Analysis # -![alt text](https://securedorg.github.io/images/cube2.gif "static cube") +![alt text](https://securedorg.github.io/RE101/images/cube2.gif "static cube") Static analysis is like reading a map for directions on where to go. As you follow through this map you capture notes on what things might look interesting when you actually begin your journey. 
@@ -20,17 +20,17 @@ This section will teach you how to jump into code in static disassembly then ren ### Possible Packer? Notice in CFF explorer that there is UPX in the header. -![alt text](https://securedorg.github.io/images/triage2.png "UPX") +![alt text](https://securedorg.github.io/RE101/images/triage2.png "UPX") When you open the executable in IDA, you will notice large section of non-disassembled code. *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX")](https://securedorg.github.io/images/triage4.png) +[![alt text](https://securedorg.github.io/RE101/images/triage4.png "IDA UPX")](https://securedorg.github.io/RE101/images/triage4.png) Because UPX is a common packer, there are many tools that offer unpacking for UPX. Open the executable in PE Explorer which will unpack the binary automatically. Save the file with a name to identify it as unpacked. *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX")](https://securedorg.github.io/images/triage5.png) +[![alt text](https://securedorg.github.io/RE101/images/triage5.png "Unpacking UPX")](https://securedorg.github.io/RE101/images/triage5.png) --- 
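Review bot: the context line in this static.md hunk tells the reader to "Open the executable in PE Explorer which will unpack the binary automatically", but the retools.md hunk in this same patch lists UPX unpacking under CFF Explorer ("* Unpacks UPX"), and the triage screenshot referenced here ("Notice in CFF explorer that there is UPX in the header") is also CFF Explorer. Pick one tool name so the reader is not sent looking for a second program.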
@@ -52,14 +52,14 @@ Navigate to the **Strings** window. Here is an interesting string that we should start with: -![alt text](https://securedorg.github.io/images/static1.png "Strings window") +![alt text](https://securedorg.github.io/RE101/images/static1.png "Strings window") This string is a typical registry key path to allow programs to autorun/startup on reboot. This is considered a [persistence](https://securedorg.github.io/RE101/section2.1/#persistence) mechanism. Double Click the string. Using the **X** key we can jump to the reference of that string in the assembly code. *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/static2.gif "Strings window")](https://securedorg.github.io/images/static2.gif) +[![alt text](https://securedorg.github.io/RE101/images/static2.gif "Strings window")](https://securedorg.github.io/RE101/images/static2.gif) This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396). 
@@ -103,24 +103,24 @@ Right before the first **push 0** there is a **mov esi,eax** which means esi = e When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length. Press Enter to jump to the function. *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")](https://securedorg.github.io/images/static3.png) +[![alt text](https://securedorg.github.io/RE101/images/static3.png "Unknown Function")](https://securedorg.github.io/RE101/images/static3.png) Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/). *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/static4.png "Xor routine")](https://securedorg.github.io/images/static4.png) +[![alt text](https://securedorg.github.io/RE101/images/static4.png "Xor routine")](https://securedorg.github.io/RE101/images/static4.png) We can assume that this function is doing some kind of Xor encoding. So let's rename this function as XorDecode. We will need this information later when we debug in Section 6. *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/static5.png "Rename function")](https://securedorg.github.io/images/static5.png) +[![alt text](https://securedorg.github.io/RE101/images/static5.png "Rename function")](https://securedorg.github.io/RE101/images/static5.png) Let's use the tool **XORSearch** to see if we can find some interesting xor decoded strings. 
Open the terminal **cmd.exe** from the start bar, and navigate to the XORSearch.exe ```XORSearch.exe "A string to test"``` *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/static6.png "xor search")](https://securedorg.github.io/images/static6.png) +[![alt text](https://securedorg.github.io/RE101/images/static6.png "xor search")](https://securedorg.github.io/RE101/images/static6.png) **"Yo this is dope!"** How weird. @@ -131,14 +131,14 @@ Let's use the tool **XORSearch** to see if we can find some interesting xor deco Let's navigate to the start of the program using the **X** key. Use the spacebar to toggle between graph view and text view. *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/static7.gif "start function")](https://securedorg.github.io/images/static7.gif) +[![alt text](https://securedorg.github.io/RE101/images/static7.gif "start function")](https://securedorg.github.io/RE101/images/static7.gif) It's easy to trace back through the program disassembly, but let's look at some control flow assembly instructions. Remember **jmp, jne, jnz, jnb** are control flow functions. **Jump Examples** *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/static9.gif "jz jump")](https://securedorg.github.io/images/static9.gif) +[![alt text](https://securedorg.github.io/RE101/images/static9.gif "jz jump")](https://securedorg.github.io/RE101/images/static9.gif) ```assembly jz loc_401962 ; jump to offset loc_401962 if the previous condition is zero 
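Review bot: the context line in this hunk shows the invocation as `XORSearch.exe "A string to test"`, with no file argument; XORSearch takes the file to scan before the search string, so as written the reader gets a usage error rather than the "Yo this is dope!" hit the next line describes. Since the hunk is being touched, add the sample binary's filename to the command.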
@@ -151,7 +151,7 @@ jle short loc_401634 ; jump to relative offset 401634 if the previous condition Next scroll down through and find the order of API function calls in the program. You should make note of all the function offsets. *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/static8.gif "program scrolling")](https://securedorg.github.io/images/static8.gif) +[![alt text](https://securedorg.github.io/RE101/images/static8.gif "program scrolling")](https://securedorg.github.io/RE101/images/static8.gif) Some of the more interesting API Calls from the image above. Look up what each function does, many are self explanatory. @@ -171,6 +171,6 @@ Some of the more interesting API Calls from the image above. Look up what each f Now you know how to navigate the disassembly forward and backwards to get to interesting routines. The next step is making a rough path to follow for deeper analysis in Section 6. -![alt text](https://securedorg.github.io/images/maping.jpg "handwritten") +![alt text](https://securedorg.github.io/RE101/images/maping.jpg "handwritten") [Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6) diff --git a/RE101/triage.md b/RE101/triage.md index 7843b6d..5a5f0dc 100644 --- a/RE101/triage.md +++ b/RE101/triage.md @@ -7,7 +7,7 @@ title: Triage Analysis # Section 4: Triage Analysis # -![alt text](https://securedorg.github.io/images/timetriage.gif "hourglass") +![alt text](https://securedorg.github.io/RE101/images/timetriage.gif "hourglass") Depending on your workload, you want to spend the least amount of time trying to determine what the malware is doing and how to get rid of it. Many malware analysts use their own triage analysis, similar to that in the Emergency Room at the hospital. 
@@ -82,7 +82,7 @@ Questions to ask: You will want to capture this information throughout your investigation either through notes or report documents. -You can use the **Malware Analysis Report** template [HERE](https://securedorg.github.io/ReportForm.html) +You can use the **Malware Analysis Report** template [HERE](https://securedorg.github.io/RE101/ReportForm.html) --- 
@@ -92,30 +92,30 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g 2. Copy over the unknown file 3. Check the file header by opening the file in the hex editor **HxD** * Notice the first 2 bytes are **MZ** meaning it's a PE Binary -![alt text](https://securedorg.github.io/images/triage1.png "MZ Header") +![alt text](https://securedorg.github.io/RE101/images/triage1.png "MZ Header") 4. Add the file extension **.exe** to the **Unknown** file so that it reads as **Unknown.exe**. Now right click the file and select **CFF explorer** to check the PE header * Note the imports it's using -![alt text](https://securedorg.github.io/images/triage3.png "Imports") +![alt text](https://securedorg.github.io/RE101/images/triage3.png "Imports") 5. Calculate the hash using **quickhash**, go to virustotal.com and search the hash 6. Open the file in **BinText** and record any interesting strings 7. Quick Detonation The point of the quick detonation is to capture the filesystem, registry, and connection activity. The VMs are set up in such a way that the Victim VM's internet traffic is captured by the Sniffer VM. -![alt text](https://securedorg.github.io/images/triageVMs.gif "Victim and Sniffer") +![alt text](https://securedorg.github.io/RE101/images/triageVMs.gif "Victim and Sniffer") On the **Sniffer VM** open the terminal and run `sudo wireshark` to get Wireshark sniffing the traffic from the Victim VM. Be sure InetSim is still running, see the fundamentals Section 1 on how to start up InetSim. On the **Victim VM** open the SysInternals **procmon.exe** and **procexp.exe** so that we can monitor filesystem and process events. 
*Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/triageVMs2.gif "Victim and Sniffer")](https://securedorg.github.io/images/triageVMs2.gif) +[![alt text](https://securedorg.github.io/RE101/images/triageVMs2.gif "Victim and Sniffer")](https://securedorg.github.io/RE101/images/triageVMs2.gif) Go ahead and detonate the the malware. On the **Sniffer VM** look for an **HTTP** request. Right click and **Follow->TCP Stream**. I will display the HTTP get request that was sent by the malware. *Click Image to Enlarge* -[![alt text](https://securedorg.github.io/images/triageVMs3.gif "Victim and Sniffer")](https://securedorg.github.io/images/triageVMs3.gif) +[![alt text](https://securedorg.github.io/RE101/images/triageVMs3.gif "Victim and Sniffer")](https://securedorg.github.io/RE101/images/triageVMs3.gif) [Section 3 <- Back](https://securedorg.github.io/RE101/section3) | [Next -> Section 5](https://securedorg.github.io/RE101/section5) diff --git a/RE101/x86.html b/RE101/x86.html index e9b59bf..97936ce 100644 --- a/RE101/x86.html +++ b/RE101/x86.html @@ -25,7 +25,7 @@ function loadXMLDoc(dname) } function searchXML() { - xmlDoc=loadXMLDoc("https://securedorg.github.io/x86.xml"); + xmlDoc=loadXMLDoc("https://securedorg.github.io/RE101/x86.xml"); x=xmlDoc.getElementsByTagName("Instruction"); input = document.getElementById("input").value; size = input.length;
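Review bot: In the static.md hunk at @@ -103,24, every image is still referenced by an absolute URL (`https://securedorg.github.io/RE101/images/...`), and each linked image carries the URL twice (once in the `![...]` and once in the wrapping `[...](...)`), so any future move of the site means another sweep of 130+ lines. Since these pages live under RE101/ themselves, relative paths such as `images/static3.png` would survive a rename or a fork served from a different origin; if absolute URLs are intentional, at least confirm that both copies of each link in this hunk point at the same file, which they do here.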
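Review bot: In the static.md hunk at @@ -131,14, the context line "Remember **jmp, jne, jnz, jnb** are control flow functions" describes x86 instructions as functions; since this hunk already touches the surrounding text, consider changing it to "control flow instructions" so the wording matches the `jz loc_401962` example in the assembly block directly below.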
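Review bot: In the static.md hunk at @@ -171,6 the asset is named `maping.jpg`, which looks like a misspelling of "mapping"; please confirm the file actually exists under `RE101/images/` with that exact name, because a path update that keeps a misspelled filename will 404 silently and the only symptom is a broken image on the published page.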
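Review bot: The triage.md hunk at @@ -82,7 changes the Malware Analysis Report template link (`ReportForm.html`), which is not an image, so the commit message "updating image paths" understates the scope of this change; either retitle the commit to cover page and data paths too, or split this into its own commit. Also confirm that `ReportForm.html` was actually moved to `RE101/ReportForm.html` in the repository, since this hunk only rewrites the link.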
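Review bot: In the triage.md hunk at @@ -92,30, the context line "run `sudo wireshark`" tells the reader to run the Wireshark GUI and all of its protocol dissectors as root while capturing traffic generated by live malware; dissector bugs on hostile input are a well-known risk, so the usual advice is to capture as an unprivileged user in the `wireshark` group (setuid `dumpcap` handles the capture) or to capture with `dumpcap`/`tcpdump` and open the file in Wireshark as a normal user. The image path updates in this hunk look correct.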
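Review bot: In the x86.html hunk at @@ -25,7, `searchXML()` loads its data from a hard-coded absolute URL (`https://securedorg.github.io/RE101/x86.xml`); because `loadXMLDoc` fetches it from script, the page will break with a cross-origin error as soon as it is served from any other host (a local preview, a fork, a mirror), whereas a relative `"x86.xml"` would keep the page self-contained. While in this function, `xmlDoc`, `x`, `input` and `size` are assigned without `var`/`let` and so become implicit globals; declaring them locally would avoid clobbering other scripts on the page.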