Book Review: A Bug Hunter’s Diary

This was a fun and fast (<150 pages) read. It was a good book for me to read on vacation because you can read it a chapter at a time. Each chapter is an independent story taking you through the journey of finding a single software vulnerability. The author, Tobias Klein, is someone with whom I was already familiar through his website, and we even reference his tool ScoopyNG in Chapter 17 of PMA.

For someone new to and interested in finding vulns, reading this will help you identify your gaps really quickly and also tell you whether you are going to enjoy this type of work. If you aren’t very excited by the content, then trust me, you don’t want to be an exploit developer. You really need a background in programming and vulnerabilities to comprehend everything in this book. The appendix doesn’t cover enough for a beginner. A couple of pages defining a buffer overflow or a type conversion error is enough to refresh someone who has done this before, but not enough to teach someone new to the material. The good thing is that if you want to be good at malware analysis you need the same solid C background that you will need to read this book. Long story short – learn C if you want to reverse or bug hunt!

All About EBP

EBP was designed to provide a “Base Pointer” for the current function so that all parameters and local variables would be at a fixed offset from the base pointer even as the stack pointer moved with push and pop instructions. This made it easier to generate assembly and was very beneficial for debugging because it made it easier to trace backwards up the stack and see which path of function calls led to the current instruction. However, due to compiler optimizations EBP is used less often as a base pointer, so backtracing up the stack is more difficult.

Decorating Your Disassembly

When reviewing disassembly, some instructions are more important than others. You can use a simple script to color the instructions you’re interested in and make them stand out. You can use either IDAPython or IDC scripts to color the interesting instructions. Most professionals use IDAPython for their scripting, but I’ll talk about IDC because it’s available in the free version of IDA Pro and I suspect some of our readers are just flirting with malware analysis and haven’t purchased the full version (also because I have an irrational bias against Python). The most important instructions I like to highlight are call instructions, but I also highlight instructions commonly used for data encoding (non-zeroing XORs), anti-VM (sidt, sgdt, str, etc.), and anti-debugging (int 3, rdtsc, etc.). This makes it easier to locate the more interesting code while reading the disassembly.

Unpacking with Windbg

A few weeks ago a friend sent me some packed malware that he was having trouble with. The malware had a number of anti-debugging techniques employed that made it difficult to unpack and my friend was in a desperate rush to create solid host-based indicators for the malware.  After spending about 30 minutes trying to find all the anti-debugging techniques, I decided to try opening it in WinDbg, because most of the anti-debugging techniques were specifically targeting OllyDbg.  OllyDbg is the most popular debugger for unpacking and in our book we devote an entire chapter to unpacking using OllyDbg.  However, in cases like this you can use WinDbg to unpack malware and all the same strategies apply.

New Tool: FakeNet – Coming Soon!

In Chapter 3 of our book, we discuss strategies for how to use dynamic analysis tools and techniques. The best way to get started is to set up tools to fake the network, which usually includes changing the local DNS server, running a local DNS server such as ApateDNS/FakeDNS, and setting up a second virtual machine with INetSim in order to simulate network services. I’ve been working on a new tool called FakeNet which will combine all those steps into a single tool with additional features to handle hard-coded IP addresses, new protocols, SSL support, and more. We’ll be releasing the tool on 2/29 during a Mandiant webinar where we’ll be talking about our book and the tool.
