.

Assembly

<<

satyr

User avatar

Newbie
Newbie

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Thu Dec 16, 2010 11:30 pm

Assembly

Hi all,

I want to look at what happens in the background of my C code.
This would help me in understanding the assembly language better. My goal is to understand this so that it helps me in Reverse Engineering.

I want to explore my C code in OllyDB just like we look at Crackme's

Guide me about how to do it

Regards,
SatYr
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Dec 17, 2010 7:51 am

Re: Assembly

Hi satyr,

You said your goal is to understand more reverse engineering. But what do you really want to do:

- Reverse engineer viruses, worms, etc to understand how they work
- Exploit a stack or heap buffer overflow
- Other?

I ask this question because trying to understand C code is very tough and not mandatory at all in order to write exploits. So if you can be a little bit more precise, we will be able to guide you properly.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Fri Dec 17, 2010 10:02 am

Re: Assembly

http://en.wikibooks.org/wiki/X86_Disassembly
http://www.microsoft.com/msj/0298/hood0298.aspx

That should probably get you going.. Also try to answer H1t M0nk3y's questions as we can probably guide you better if we know your goals..
Last edited by dante on Fri Dec 17, 2010 10:13 am, edited 1 time in total.
<<

satyr

User avatar

Newbie
Newbie

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Mon Dec 20, 2010 6:08 pm

Re: Assembly

Thanks for your replies..

I want to understand how exploits are created both by analyzing the application and from patches
I am also interested in malware analysis

I am working as a penetration tester, I want to expand my skills. I like both the above mentioned skill set but im confused whether it is possible to pursue both together or i should go about it one after another. If that is the case which one should I choose right now.

I am considering changing my profile based on these skills. Ideally I would like to work in a company which specializes in either exploit dev or malware analysis. The company I am in right now only caters to pen testing. My objective is to develop my interest into something i can work for. Getting paid for doing something you love is the best thing to happen to anyone.

Kindly guide me in this regards.

Thanks,
Satyr
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Dec 20, 2010 8:51 pm

Re: Assembly

Hey satyr, have you read this thread? http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5219.0/

Also, have you read the articles provided by dante? The "microsoft" one is pretty good. If you are very serious, I would try writing very simple programs in assembly, like Hello World. Then add a few loops and jump conditions (if). Once you understand what ESP, EIP, EAX, etc are, than move to the "Shellcoder's Handbook" or do PWB. At this point, you should know enough to continue by yourself.

I suggest you to buy something like "The assembly language for intel-based computers". It is pretty expensive, but I found the old third edition for something like 5$ on eBay. It's a good reference book...

I hope it helped!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

satyr

User avatar

Newbie
Newbie

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Mon Dec 20, 2010 9:39 pm

Re: Assembly

thanks a ton :) this surely helps

one more thing, please advice a little more about the topics Exploit development and Malware analysis.

Considering my background in Pentesting, what might be a good option career wise. I like both but im confused about choosing both considering the learning curve and time which i would have to dedicate for learning both at the same time.


Thanks,
Satyr
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Dec 21, 2010 8:14 am

Re: Assembly

I am not an expert in either Exploit development or Malware analysis. I wrote 5 or 6 exploits and never did Malware analysis. The only things I know is Malware analysis is probably the hardest thing in computer science, after writing your own OS! So get very, very good at assembly, exploit development and understand viruses, worms, backdoors etc very well before even starting on this route. Again, I know close to nothing about this field, but that's what I will do (notice: I didn't say "would do" but "will do"  ;))

So start with Exploit development. Again, Offensive Security has a nice introduction to exploit development in their PWB course. They go further in the topic with their CTP course.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Tue Dec 21, 2010 1:02 pm

Re: Assembly

Exploit development and Malware analysis are quiet different topics and each requires its own steep learning curve. At advanced levels both requires to have a good knowledge in reverse engineering and os internals. There are several overlapping topics and few topics like Packers, protectors, anti-reversing techniques are discussed only in malware analysis. In my opinion, its better to start with the exploit development.

I would suggest you to start with the first link in previous post on x86 disassembly. Its packed with a lot of examples and is very newbie friendly. Then move on to reading PVE buffer overflow tutorials. Beware of PVE tutorials, if you dont know the role of function epilogue and function prologue and still did a stack overflow, you have not yet understood it. When you read ret to libc , ROP should be obvious to you, if not, you have not understood it. But that sort of understanding and ability to visualize the stack can be attained only if you have strong hold on the basics. So start with x86 disassembly or atleast read on different calling conventions before jumping into Aleph one's post.

Once you are done with pve's tutorials and comfortable with the debugger,  try heap spraying, heap feng shui(requires knowledge in OS internals) and then move onto reverse engineering following lena's tutorials. Again the basics are important, you should know the PE file format, memory management. This is based on my experience and hope this works for you.
Last edited by dante on Tue Dec 21, 2010 8:33 pm, edited 1 time in total.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Dec 21, 2010 1:20 pm

Re: Assembly

Other assembly videos:

Assembly Language Primer for Windows 1 & 2
http://www.securitytube.net/Security-Ba ... -List.aspx
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

satyr

User avatar

Newbie
Newbie

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Tue Dec 21, 2010 6:46 pm

Re: Assembly

wow ... thanks a ton dante  and H1t M0nk3y  ...that is good piece of information :)

guess i have my hands full now .... ill follow these suggestions...

@dante - currently wht are you doing in exploit development

@H1t M0nk3y - plz let me know if u fix up on a course ... even ill lookout for good courses and inform u in case i go ahead with some
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Dec 21, 2010 8:32 pm

Re: Assembly

dante wrote:Packers, protectors, anti-reversing techniques are discussed only in exploit development. In my opinion, its better to start with the exploit development.


Whoa nelly slow down. Packers and anti-reversing is exposed and highly effective in malware analysis. Not "only" exploit development. To be honest, "packers" are usually used for covertness when someone doesn't want another visibly seeing what they're doing. Most shellcode exploits are fully visible across the board.

For example, when in Canvas, Core or Metasploit, I can open, modify and save exploits in ALL applications across the board. If they were packed and or encrypted and THEN packed, there would be an issue of trust within the security community and companies buying applications like Canvas, Core and Metasploit Pro.

Granted there is a LOT more overlap, I actually recommend the reverse, learn MALWARE analysis before exploitation. Even if you DO start learning exploitation, unless you plan on doing something sketchy, there is usually NO NEED to pack anything - again unless you plan on doing something sketchy.

By understanding malware analysis, from a professional level, you're liable to make more headway in the industry. This can be confirmed by visiting employment websites like Dice, Monster, etc., do a quick search for say "malware analyst" versus "exploit developer." You CAN make some serious cash with sites like say Zero Day Initiative, iDefense, etc., but the likelihood of you gaining a foothold in a comfortable solidly grounded company like say BT, Raytheon, etc., is low.

Exploit Development = good for bookoo bucks selling exploits ... Many companies won't care that you can exploit someone elses stuff

Malware Analysis - companies care that you can analyze (incident response, forensics, CERT/SERT/PSIRT) what is causing chaos on their network.

Malware analysis is a lot more simplified than wanting to yank your hair out over say DEP and ASLR. In a MA environment, you're usually going to create your labs, infect yourself, analyze the post and pre states of the machine that is now infected. What did the malware do, how did it do it, what did it affect, where did it try to connect, HOW did it try to connect, how did it try to bypass protections.

In an exploit development scenario, you're trying to disassemble/decompile thousands of lines of code looking for something that triggers an anomaly. WHAT can you do with that anomaly. That's fine and dandy. Now that you did it on ONE machine, replicate it across the board.

For those who've seen my mushroomcloud exploit, this was a classic clusterfsck of epic proportions. (Replication). I spent who knows how many hours going back and forth on machine to machine to machine trying to get it right across the board. I had others (thanks phenolit if you stumble upon here) who helped me iron out the kinks... At the end of the day, it turned out to be an NDIS driver issue via way of TREND MICRO causing VMWare to implode. Bottom line, anyone who DIDN'T use Trend Micro weren't affected by MushroomCloud. Those who did, sayanora. So from the exploit development side, how much do you think a company would find an exploit like this to be worth? How much total time did I spend on the exploit, analysis (pre and post mortem)? 3 months. This included time spent with VMWare engineers on the phone, time spent with friends, coworkers and other security pros on conference calls and email, time spent trying to get Trend Micro to understand it all.

End of the day? If I *tried* to even shop it around on say ZDI, iDefense, or others, it would be pointless. It's not replicable outside of unique instances. This is a nightmare in the windows exploitation development world. And THAT is where the money is, in Windows exploitation. Linux, BSD, Solaris, tends to be more for "bragging rights." If you think for a moment any one of those mentioned would even care financially about the potential damage from you 'sploit' think again. Whereas MS is used by millions of business, they're liable to be more visible hence the need for them to respond quickly.

Now I've had my share of exploit development and analysis of malware and or viruses throughout the years. From my POV, malware analysis is where the CAREER is at. Exploit Development is where bragging rights are... It is also where headaches and gray hair is made.

Anyway my two cents
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Tue Dec 21, 2010 8:55 pm

Re: Assembly

thanks for pointing out sil... i edited it ...sorry satyr... i meant malware analysis and i really wanted someone to prove me wrong. I dont think packers/protectors are involved in exploit development anywhere except may be in writing shellcodes(encoding, polymorphic)...

I dont know what nelly is(Life; Unmanly, effeminate) ? ;) ..

P.S: Wanted to say this for a long time. Big fan of your long posts sil.  I read ALL your previous posts before even joining the forum and one of the reasons I am still trying to contribute to this forum is because of guys like you taking time to write such awesome posts.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Dec 22, 2010 8:42 am

Re: Assembly

I was enjoying a nice coffee this morning in a quiet house reading another "sil novel" :D

More than the long posts, I enjoy hearing a real expert talking about an interesting subject! I to, try to help others when I can, but I lack the experience sil has!!

Exploit Development is where bragging rights are... It is also where headaches and gray hair is made.


Sil, what do you mean by "headaches and gray hair is made"? Are you refering to long fuzzing hours before finding something?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Dec 22, 2010 11:08 am

Re: Assembly

While Assembly skills are highly valuable for malware analysis, don't discount the value of dynamic analysis. Good dynamic analysis requires almost no coding skills. Being able to execute a piece of malware in a sandboxed environment and using tools to analyze the behavior that is occurring on the box is extremely helpful. It won't be enough to write an AV signature, but for most folks doing this kind of work its enough to understand how the malware was delivered, what controls it exploited and how, what actions it took once it infected the machine and the impact to the organization, how it propagates (may not be the same vector as the initial infection - also need to make sure you aren't serving up malware to another organization), how to remove it in a way that does not compromise critical operations, how to prevent it from occurring again as well as determine any additional resources needed for the incident.

This is a huge amount of value that can be derived with very little to no code knowledge. Obviously parsing memory dumps and all kinds of other extremely technical activities can be extremely beneficial here but they aren't necessary to provide a decent analysis in many cases.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

satyr

User avatar

Newbie
Newbie

Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Wed Dec 22, 2010 1:19 pm

Re: Assembly

if i was an android taking all this information through a cord at the back of my head ... i guess i would have exploded.

im in awe reading what sil has posted ... all that experience ... hours behind the monitor and industry knowledge shows up in posts like these ... hats off to u :)

again I thank all the members here who have responded to basic newbie questions ... your modesty is inspirational .. thank you guys ... im sure i will pick up a lot of things from here ..thanks to all of u :)
Next

Return to Programming

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software