My presentation at REcon 2013 – Inside EMET 4.0

This year I presented “Inside EMET 4.0” at REcon Montreal. Since I was heavily involved in EMET from 3.5 TP through 4.0, I was in a position to explain its internals.

The presentation explains how the mitigations work and how they are implemented.

One of the main motivations for this presentation is to share back with the security community and to help developers write EMET-compatible code.

Please download the slides from here

Posted in Programming, Security

My presentation at REcon 2012 Montreal

This year was my first time at REcon. Most of the talks were pretty genuine; I also have to mention that Montreal is an awesome city :)

My talk this year described how to build a tailored operating system that runs under an emulator (be it Bochs, qemu, VMWare, …) for the purpose of debugging malware, shellcode or any other code snippet.

An existing emulator is leveraged instead of building one from scratch, which would be time-consuming and error-prone.

Later, I describe how to write a program that constructs a custom disk image containing a tailored operating system to run a specific piece of code or malware.

The following design aspects were covered:

  • disk structure: file system design and file format structure
  • booting process: page table setup, GDT/IDT setup and exception dispatching
  • the host: the role played by the host
  • host/guest interaction: communication method used to exchange information between the host and the guest
  • OS environment: system structures and the memory layout of the main program and its dependencies
  • API emulation: customization of APIs using scripts (Python, …) or native code (asm or C code)
  • debugging: debugging facilities using Bochs’ built-in debugger
  • use cases: malware and shellcode debugging

The slides can be downloaded from here.

Special thanks to the organizers Hugo Fortier and David Mirza.

Posted in IDA Pro, RE

PyHiew 0.3.0 with process memory editing

PyHiew 0.3.0 has been released with fsPlus integration. It is now possible to edit process memory directly from Hiew.

How to edit process memory with Hiew

- Press F11 to load Hiew's HEM (external module) list
- Select PyHiew and then the fsPlus script

[screenshot: select_fsPlus]

- After successful activation you should see this:

[screenshot: activated_fsPlus]

This step is required only once.

- Now press F9 to show the file list (you may want to press Alt-F4 to refresh the file list):

[screenshot: fileselect_fsPlus]

Processes and files are listed alongside each other. Processes appear with the following name format: {ProcessName.extension}.pid|{PID}, where the process name and PID are replaced with the actual process name and ID. Now you're ready to edit the process in question: just press ENTER to select the "file"!

[screenshot: textview_fsPlus]

The first few pages (from virtual address 0 upwards) are not mapped in any process, so fsPlus provides "virtual" contents to Hiew there: it constructs a "special" PE file header describing all the loaded modules, followed by some textual information:

[screenshot: textinfo_fsPlus]

Pressing ENTER (to switch to Hex view), then F8 and then F6 (to view the PE sections) reveals all the loaded modules:

[screenshot: sections_fsPlus]

You may press ENTER to jump to any section in memory. In the following screenshot the view crosses from one page into the next: the first page is not mapped, so fsPlus returns "BAD!" wherever it cannot read memory, while the following page contains the actual process memory bytes:

[screenshot: procmem_fsPlus]

It is possible to copy blocks (for example, to copy sections out of an unpacked program), edit the process (by pressing F3) and save the changes, or perform most of the file I/O operations you would do on a normal file.
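Why a single Hiew view can straddle a readable page and a "BAD!" page, shown here as an added Python model; this is not fsPlus's code. Where fsPlus would call ReadProcessMemory page by page, the model reads from a constructed dictionary of pages (a page missing from the dictionary plays the role of a failed read), and the module listing it serves in the never-mapped low pages stands in for the synthetic PE header fsPlus builds. The names ProcessView, module_info_page and build_sample_view are this example's own.

```python
PAGE_SIZE = 0x1000      # granularity at which reads are attempted
BAD_FILL = b"BAD!"      # filler handed back for a page that cannot be read


class ProcessView:
    """File-style view over a process address space.

    `mapped` holds readable pages as {page_base: bytes(PAGE_SIZE)} and stands
    in for per-page ReadProcessMemory calls (constructed sample data; a page
    absent from the dict plays a failed call).  `virtual` holds pages the tool
    synthesises in front of the process, the way fsPlus places a module
    description in the low pages that no process maps.
    """

    def __init__(self, mapped, virtual=None):
        self.mapped = mapped
        self.virtual = virtual or {}

    def read_page(self, base):
        """One page or None; synthesised pages shadow real ones."""
        if base in self.virtual:
            return self.virtual[base]
        return self.mapped.get(base)

    def read(self, addr, size):
        """Return exactly `size` bytes from `addr`, never fewer.

        The request is split at page boundaries so that an unreadable page in
        the middle yields filler instead of failing the whole read, which is
        what lets a hex viewer scroll straight across a hole.
        """
        out = bytearray()
        cur, end = addr, addr + size
        while cur < end:
            base = cur & ~(PAGE_SIZE - 1)
            off = cur - base
            n = min(end - cur, PAGE_SIZE - off)
            page = self.read_page(base)
            if page is None:
                page = BAD_FILL * (PAGE_SIZE // len(BAD_FILL))
            out += page[off:off + n]
            cur += n
        return bytes(out)


def module_info_page(modules):
    """Render a module list as the text served from the synthetic low page."""
    lines = [b"Loaded modules (constructed sample):"]
    for base, name in modules:
        lines.append(b"%08X %s" % (base, name))
    return (b"\n".join(lines) + b"\n").ljust(PAGE_SIZE, b"\0")


def build_sample_view():
    """Two readable pages with an unreadable page between them (constructed)."""
    modules = [(0x00400000, b"sample.exe"), (0x7C800000, b"kernel32.dll")]
    mapped = {
        0x00401000: bytes([0x90]) * PAGE_SIZE,   # readable
        # 0x00402000 deliberately missing: unreadable page
        0x00403000: bytes([0xCC]) * PAGE_SIZE,   # readable
    }
    return ProcessView(mapped, virtual={0x0: module_info_page(modules)})
```

A read of 16 bytes starting 8 bytes before the hole comes back as eight 0x90 bytes followed by "BAD!BAD!", which is exactly the page-crossing view in the screenshot; the filler is phase-locked to the page so that an unaligned read still shows where the hole starts.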

It is possible to configure fsPlus so that a folder of your choice contains the process list (instead of the listing appearing in the current directory). For this, edit the "fsPlus.ini" file:

; Specify the process hook path. The folder must *EXIST* (but need not be empty) and have a trailing backslash
; For example, it can be "C:\_processes\" or simply the current directory: ".\"

[ProcessAsFile]
ProcessDir=.\

If another folder is specified, then when you press F9 to show the file list in Hiew, make sure you navigate to that folder in order to get the process list.

That’s it! If you have questions let me know.

Download the PyHiew 0.3.0 package and get started! :)

Posted in Programming, Python

PyHiew and PEiD

Many times I find myself viewing a file with Hiew and at the same time wondering what kind of packer was applied to it. Normally I would run PEiD in parallel and check the packer signatures there.

For this reason, I created a small PyHiew script that detects the packer directly from Hiew, using text files in the same format as PEiD's signature database.

A PEiD signature file is essentially an INI file with the packer name as the section name and two keys: the signature key containing the byte pattern (where ?? stands for a wildcard byte) and the ep_only key (which the PEiD.py script ignores). Example:

[Packer Name]
signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21
ep_only = true

In order to run the script you need the latest PyHiew (PyHiew 0.2.1a) and a copy of UserDb.TXT (it used to be available at http://research.pandasecurity.com/blogs/images/userdb.txt):

  • Unpack the PyHiew archive into Hiew's folder
  • Copy "UserDb.txt" to %hiew%\PyHiew
  • Now open a PE file with Hiew
    • Switch to Hex view (press ENTER)
    • Press F8 to show the header info
    • Press F5 to jump to the entry point
  • Now press F11 to load the HEM plugins
    • Select PyHiew
    • Select the PEiD script

Please note that you can configure PEiD.py to use any signature database or databases of your choice. Simply edit the script and adjust the following lines:

# Add more PEiD signatures to this list
PEID_DATABASES      = ['UserDB.TXT']

When PEiD.py parses the signature files it generates a cache file (peid-db.cache) so that subsequent scans start faster. Delete the cache file if you edit your signature files (it will be regenerated).

And here is PyHiew's PEiD in action:

[screenshot: PyHiew's PEiD]

The depth value indicates how many bytes had been scanned when the pattern matched, i.e. the offset of the match relative to where the scan started. If there is more than one match, the output window displays the remaining matches.
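How such a signature file is parsed and matched, as an added Python example that is not the PEiD.py script shipped with PyHiew: a hand-rolled parser for the UserDb layout (configparser chokes on real UserDb.TXT files because of duplicate section names and stray characters), a matcher that honours ?? wildcards and single-nibble ? masks, and a scanner that reports the depth of each match. The signature database and the file bytes below are constructed samples, and the honor_ep_only switch goes beyond the PEiD.py behaviour described above, which ignores ep_only.

```python
import re

# Constructed sample database in the UserDb.TXT layout (not the real file):
# one [section] per packer, a `signature` of hex bytes where `??` (or a
# single `?` nibble) is a wildcard, and an `ep_only` flag.
SAMPLE_DB = """
; comment lines and blank lines are skipped
[UPX-like stub (constructed sample)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[DOS-style stub (constructed sample)]
signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21
ep_only = false

[Deeper EP-only marker (constructed sample)]
signature = B4 51 CD 21
ep_only = true
"""

_SECTION = re.compile(r"^\[(.+)\]$")


def compile_pattern(text):
    """Turn '60 BE ?? 8?' into [(value, mask), ...]; '?' nibbles mask to 0."""
    pattern = []
    for tok in text.split():
        if len(tok) != 2:
            raise ValueError("bad signature byte: %r" % tok)
        value = int(tok.replace("?", "0"), 16)
        mask = int("".join("0" if c == "?" else "F" for c in tok), 16)
        pattern.append((value, mask))
    return pattern


def parse_peid_db(text):
    """Parse a PEiD-style signature file into [(name, pattern, ep_only)]."""
    sigs = []
    name, sig, ep_only = None, None, True

    def flush():
        if name is None or sig is None:
            return
        try:
            sigs.append((name, compile_pattern(sig), ep_only))
        except ValueError:
            pass            # skip a malformed entry rather than abort the whole DB

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            flush()
            name, sig, ep_only = m.group(1), None, True
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            sig = value
        elif key == "ep_only":
            ep_only = value.lower() == "true"
    flush()
    return sigs


def match_at(data, pattern, pos):
    """True if every (value, mask) pair matches data starting at pos."""
    if pos + len(pattern) > len(data):
        return False
    return all(data[pos + i] & mask == value
               for i, (value, mask) in enumerate(pattern))


def scan(data, sigs, start=0, max_depth=None, honor_ep_only=False):
    """Scan forward from `start` (the entry point in the Hiew workflow).

    Returns [(name, depth)] sorted by depth, where depth is how many bytes
    past `start` the first match of that signature sits.  With
    honor_ep_only=True an ep_only signature counts only at depth 0.
    """
    limit = len(data) if max_depth is None else min(len(data), start + max_depth)
    hits = []
    for name, pattern, ep_only in sigs:
        positions = [start] if (honor_ep_only and ep_only) else range(start, limit)
        for pos in positions:
            if match_at(data, pattern, pos):
                hits.append((name, pos - start))
                break
    hits.sort(key=lambda h: h[1])
    return hits


# Constructed sample "file": padding, a UPX-like entry point at 0x100 and a
# DOS-style stub 0x20 bytes further on.
SAMPLE_DATA = (
    b"\x00" * 0x100
    + bytes.fromhex("60BE112233448DBE556677885783CDFF")
    + b"\x00" * 0x10
    + bytes.fromhex("B44DCD21E80102FDE80304B451CD21")
    + b"\x00" * 0x40
)
```

The scanner is deliberately the naive O(signatures × bytes) loop so the matching rule stays visible; against a full UserDb.TXT and a large binary you would bucket signatures by their first fully-specified byte and walk the buffer once, and you would cap max_depth rather than scanning to end of file.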

Posted in Programming

PyHiew: Transferring names between IDA Pro and Hiew

Last week I updated PyHiew to version 0.2.0, which adds the ability to manage names in Hiew (add local/global names and comments).

In this blog post I demonstrate how to use these facilities to transfer names between IDA Pro and Hiew.

Here’s a summary of the script logic:

  • A PyHiew script acts as a server
  • It displays an information dialog, sets up a server socket and then waits for connections
  • An IDA Pro Python script acts as a client and sends the names from IDA to Hiew
  • Hiew receives the names and populates them
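The exchange summarised above, as an added Python example that is not PyHiew's own IDA-Names-Server/Client scripts. The wire format is an assumption for illustration, since the post does not show PyHiew's actual protocol: each message is a JSON object behind a 4-byte little-endian length prefix, the client opens with a hello that the server answers with ready, name records follow, and a done message closes the session and carries back the count. The Hiew side validates every record before keeping it and binds to loopback only, because anything able to reach the listening port can push names into the session; NameServer, send_names, transfer and SAMPLE_NAMES are this example's names, and the records are constructed.

```python
import json
import socket
import struct
import threading

# Loopback only: whoever can connect to this port can inject names into the
# Hiew session, so a helper like this must never listen on 0.0.0.0.
HOST = "127.0.0.1"
PROTO_VERSION = 1          # assumed handshake version, not PyHiew's


def _send_msg(sock, obj):
    """Frame one JSON record behind a 4-byte little-endian length prefix."""
    payload = json.dumps(obj).encode("utf-8")
    sock.sendall(struct.pack("<I", len(payload)) + payload)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _recv_msg(sock, max_len=1 << 20):
    """Read one framed record; the cap stops a bad peer forcing a huge allocation."""
    (length,) = struct.unpack("<I", _recv_exact(sock, 4))
    if length > max_len:
        raise ValueError("message too large: %d" % length)
    return json.loads(_recv_exact(sock, length).decode("utf-8"))


def valid_record(rec):
    """Keep only a well-formed record: non-negative int address, short
    non-empty name, boolean local flag.  Anything else is dropped."""
    if not isinstance(rec, dict):
        return False
    ea, name, local = rec.get("ea"), rec.get("name"), rec.get("local")
    return (type(ea) is int and ea >= 0
            and isinstance(name, str) and 0 < len(name) < 256
            and isinstance(local, bool))


class NameServer:
    """The Hiew side: listen once, collect records, report how many were kept."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind((HOST, 0))          # ephemeral port on loopback
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.names = {}

    def serve_one(self):
        conn, _ = self.sock.accept()
        try:
            with conn:
                hello = _recv_msg(conn)
                if not (isinstance(hello, dict) and hello.get("type") == "hello"
                        and hello.get("proto") == PROTO_VERSION):
                    _send_msg(conn, {"type": "error", "reason": "bad hello"})
                    return
                _send_msg(conn, {"type": "ready"})
                while True:
                    msg = _recv_msg(conn)
                    if not isinstance(msg, dict) or msg.get("type") == "done":
                        break
                    if msg.get("type") == "name" and valid_record(msg):
                        # The real script would apply the name in Hiew here.
                        self.names[msg["ea"]] = (msg["name"], msg["local"])
                _send_msg(conn, {"type": "done", "count": len(self.names)})
        finally:
            self.sock.close()


def send_names(port, records):
    """The IDA side: handshake, stream the records, return the server's count."""
    with socket.create_connection((HOST, port), timeout=5) as s:
        _send_msg(s, {"type": "hello", "proto": PROTO_VERSION})
        reply = _recv_msg(s)
        if reply.get("type") != "ready":
            raise RuntimeError("server refused: %r" % reply)
        for rec in records:
            _send_msg(s, dict(rec, type="name"))
        _send_msg(s, {"type": "done"})
        return _recv_msg(s)["count"]


def transfer(records):
    """Run both ends in one process (server in a thread); returns (count, names)."""
    server = NameServer()
    t = threading.Thread(target=server.serve_one)
    t.start()
    try:
        count = send_names(server.port, records)
    finally:
        t.join()
    return count, server.names


# Constructed sample records standing in for IDA's names; two are malformed.
SAMPLE_NAMES = [
    {"ea": 0x401000, "name": "start", "local": False},
    {"ea": 0x401020, "name": "loc_401020", "local": True},
    {"ea": -1, "name": "bogus", "local": False},        # negative address: dropped
    {"ea": 0x401040, "name": "", "local": False},        # empty name: dropped
]
```

transfer(SAMPLE_NAMES) returns a count of 2: the two malformed records are silently dropped on the receiving side rather than trusted because they came from "IDA", which is the right default for anything that accepts data over a socket, even a loopback one.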

Using the script

Load the IDA client script (pyhiew\3rd\IDA-Names-Client.py) from the PyHiew package:

[screenshot: names-sel-script]

A message box will appear; do not close it until you have proceeded with Hiew:

[screenshot: names-ida-wait]

Now run Hiew, open the desired file and press F11 to load the HEM modules.
Select PyHiew and then the IDA-Names-Server script.
The script displays a message window like this:

[screenshot: names-wait]

Depending on what you want to transfer, press one of the function keys.

After selecting an option, Hiew displays a wait box. Now switch back to IDA and press OK to connect to Hiew and start the name transfer.

If the operation succeeds, the name count is displayed:

[screenshot: names-after-copy]

In Hiew (Hex/Asm view) you may press F12 to display the names window:

[screenshot: names-transferred]

That's it! This script ships with PyHiew 0.2.1.

Posted in IDA Pro, Python

Introducing PyHiew

PyHiew (an open source project) is a Hiew external module (HEM) that lets users write Python scripts that interface with Hiew.

It wraps most of the functionality present in the HEM SDK, allowing users to access Hiew programmatically and do things like:

  • Create windows
  • Create menus
  • Show messages
  • Get input from user
  • File I/O: Read, Write, Find
  • etc…

For example, here is a “Hello world” script:

import hiew

hiew.Message("Hi", "Hello world!")

[screenshot: hello_world]

To demonstrate how it works, let us download the pre-compiled package and install it:

  • Unzip the package to %HIEW%
  • Verify that the %HIEW%\pyhiew folder exists
  • Make sure that Python 2.7 is installed
  • Run hiew32 against an input file
  • Press F11 to open Hiew's external modules browser

[screenshot: hem_list]

If other HEMs are installed they will be listed too.

Pressing ENTER to select "Python Hiew" takes you to PyHiew's script browser:

[screenshot: cliptext_hem]

What you see is the list of PyHiew scripts (in %HIEW%\pyhiew) that come with the package:

  • ClipText: copies the Hiew selection to the clipboard in various formats (C source, Pascal, text, …)
  • Decompress: decompresses a gzip-compatible stream from inside Hiew
  • hello: the hello world script
  • test_pyshell: a simple script that lets you execute Python statements

Let us now play with ClipText by making a block selection in Hiew and pressing F11 -> PyHiew -> ClipText:

[screenshot: cliptext_menu_c]

We select "Copy as C array" and press ENTER:

[screenshot: cliptext_copied_c]

To verify that it works, let us open a text editor and paste from the clipboard:

[screenshot: cliptext_out_c]

It works! :)

Let us now run the Decompress script, first loading a PDF file that has some streams with the FlateDecode filter:

[screenshot: decompress1_select_stream]

We select the stream manually (we would not have to if we wrote a small script that detected the boundaries for us) and press F11 -> PyHiew -> Decompress:

[screenshot: decompress1_outfile]

The script asks for an output file name; afterwards we can open that file and verify that decompression went okay:

[screenshot: decompress1_out]

Neat, huh?! :)

If you're curious, here's the Decompress.py source code:

[screenshot: decompress_src]
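The boundary detection mentioned above, as an added example that is not PyHiew's Decompress.py (whose source the post shows only as a screenshot): a stand-alone Python 3 script that locates FlateDecode streams in a PDF buffer, taking the data length from a direct /Length when the stream dictionary has one and falling back to the endstream keyword otherwise (an indirect "/Length n 0 R" cannot be resolved without parsing the object table), and inflates each stream with a decompressobj so that a truncated or damaged stream still yields whatever data it has rather than nothing. The PDF buffer is a constructed sample; wiring the functions to a Hiew selection through the hiew module is not shown.

```python
import re
import zlib

# A stream dictionary, the `stream` keyword and its EOL.  The negative
# lookahead keeps the lazy `.*?` from running across an `endobj` into the
# next object's dictionary when an earlier object has no stream.
HEADER_RE = re.compile(
    rb"<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream(?:\r\n|\n)", re.DOTALL)
# A direct /Length only; an indirect one (`/Length 6 0 R`) must not match.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def _strip_one_eol(data):
    """Drop the single EOL a PDF writer puts between the data and `endstream`."""
    if data.endswith(b"\r\n"):
        return data[:-2]
    if data.endswith(b"\n"):
        return data[:-1]
    return data


def find_flate_streams(buf):
    """Yield (data_offset, raw_bytes) for each FlateDecode stream in `buf`.

    The boundary comes from the direct /Length when it is present and really
    lands on `endstream`; otherwise from the `endstream` keyword itself.
    """
    pos = 0
    while True:
        m = HEADER_RE.search(buf, pos)
        if m is None:
            return
        start = m.end()
        lm = LENGTH_RE.search(m.group("dict"))
        end = start + int(lm.group(1)) if lm else -1
        if end < 0 or not buf[end:end + 11].lstrip(b"\r\n").startswith(b"endstream"):
            end = buf.find(b"endstream", start)
            if end < 0:
                return
            raw = _strip_one_eol(buf[start:end])
        else:
            raw = buf[start:end]
        pos = end                       # skip the binary data before searching again
        if b"/FlateDecode" in m.group("dict"):
            yield start, raw


def inflate(raw):
    """Inflate one FlateDecode stream, tolerating truncation.

    Returns (data, complete): complete is False when the zlib stream ended
    early (missing tail or checksum), which is common in damaged or
    deliberately truncated documents; corrupt input yields (b"", False).
    """
    d = zlib.decompressobj()
    try:
        out = d.decompress(raw) + d.flush()
    except zlib.error:
        return b"", False
    return out, d.eof


def extract_flate_streams(buf):
    """Return [(data_offset, inflated_bytes, complete)] for the whole buffer."""
    return [(off, *inflate(raw)) for off, raw in find_flate_streams(buf)]


def build_sample_pdf():
    """Constructed minimal PDF-like buffer: one stream with a direct /Length
    and one with an indirect /Length, which exercises the endstream fallback."""
    page = zlib.compress(b"BT /F1 12 Tf 72 720 Td (Hello from a FlateDecode stream) Tj ET")
    js = zlib.compress(b"app.alert('constructed sample');")
    return (
        b"%PDF-1.4\n"
        + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        + b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(page)
        + page + b"\nendstream\nendobj\n"
        + b"5 0 obj\n<< /Filter /FlateDecode /Length 6 0 R >>\nstream\r\n"
        + js + b"\r\nendstream\nendobj\n"
        + b"6 0 obj\n%d\nendobj\n" % len(js)
        + b"%%EOF\n"
    )
```

The /Length value is checked against the position of endstream before it is trusted, because a malformed or hostile document can carry a /Length that points anywhere; when it does not line up, the keyword wins. The one ambiguity the keyword fallback cannot resolve is a stream whose compressed bytes happen to end in an EOL character, which is precisely why the PDF format requires /Length in the first place.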

That’s it for now. Make sure you refer to the “doc” folder if you want to write your own scripts.

A discussion group has been created to share useful scripts and address technical problems.

Last but not least, for those who do not know, you can have process editing facilities in Hiew simply by using my old utility Hiew+ (which still works with the latest versions of Hiew). Get it from http://lgwm.org/projects/hiewplus/.

Stay tuned!
Elias

Posted in Programming, Python