[unisog] Decompiling virus binaries

John Sage jsage at finchhaven.com
Tue Jul 22 21:54:51 GMT 2003


Jeff:

On Mon, Jul 21, 2003 at 11:54:09AM -0400, Jeff Bollinger wrote:
> We received what we believed to be a recent/(new to us) virus
> attachment, and short of running `strings` against the binary, what
> other methods/tools have y'all used to determine the contents of a virus
> binary?  I guess what I'm really asking is, do you know of any good
> de-compilers (hopefully for x86 Linux, GCC 3) that would be useful in
> this instance, or can I use an existing compiler to break the virus down
> to its source code?

Try objdump:

[jsage at sparky /storage/virii] $ ls -la fixb.exe
-rw-rw-r--    1 jsage    jsage       17920 Jul  4 13:01 fixb.exe

[jsage at sparky /storage/virii] $ objdump -x fixb.exe
 
fixb.exe:     file format efi-app-ia32
fixb.exe
architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x00401000
 
Characteristics 0x10f
        relocations stripped
        executable
        line numbers stripped
        symbols stripped
        32 bit words
 
Time/Date               Mon Jun 30 11:39:03 2003
 
ImageBase               00400000
SectionAlignment        00001000
FileAlignment           00000200
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00007000
SizeOfHeaders           00000400
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010
 
The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00002038 0000003c Import Directory [parts of .idata]
Entry 2 00000000 00000000 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00002000 00000038 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 Reserved
Entry f 00000000 00000000 Reserved
 
There is an import table in .rdata at 0x402038
 
The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00002038       00002088 00000000 00000000 0000211c 00002014
 
        DLL Name: kernel32.dll
        vma:  Hint/Ord Member-Name Bound-To
        20ee      660  WinExec
        2110      703  lstrlenA
        20d6      354  GetWindowsDirectoryA
        20c8      128  ExitProcess
        20ba       48  CreateFileA
        2104      693  lstrcatA
        20f8      670  WriteFile
        20ac       26  CloseHandle
 
 0000204c       00002074 00000000 00000000 0000216c 00002000
 
        DLL Name: advapi32.dll
        vma:  Hint/Ord Member-Name Bound-To
        2148      388  RegCreateKeyExA
        213a      384  RegCloseKey
        212a      243  GetUserNameA
        215a      430  RegSetValueExA
 
 00002060       00000000 00000000 00000000 00000000 00000000
 
Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00000400  00401000  00401000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rdata        00000200  00402000  00402000  00000800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00003c00  00403000  00403000  00000a00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
SYMBOL TABLE:
no symbols
 
 

[jsage at sparky /storage/virii] $ objdump -d fixb.exe |less

fixb.exe:     file format efi-app-ia32
 
Disassembly of section .text:
 
00401000 <.text>:
  401000:       68 ff 00 00 00          push   $0xff
  401005:       68 42 6d 40 00          push   $0x406d42
  40100a:       e8 d3 01 00 00          call   0x4011e2
  40100f:       68 00 30 40 00          push   $0x403000
  401014:       68 42 6d 40 00          push   $0x406d42
  401019:       e8 d6 01 00 00          call   0x4011f4
  40101e:       6a 00                   push   $0x0
  401020:       6a 20                   push   $0x20
  401022:       6a 02                   push   $0x2
  401024:       6a 00                   push   $0x0
  401026:       6a 02                   push   $0x2
  401028:       68 00 00 00 40          push   $0x40000000
  40102d:       68 42 6d 40 00          push   $0x406d42
  401032:       e8 9f 01 00 00          call   0x4011d6
  401037:       a3 3b 6c 40 00          mov    %eax,0x406c3b
  40103c:       6a 00                   push   $0x0
  40103e:       68 45 6e 40 00          push   $0x406e45
  401043:       68 00 2a 00 00          push   $0x2a00
  401048:       68 aa 30 40 00          push   $0x4030aa
  40104d:       ff 35 3b 6c 40 00       pushl  0x406c3b
  401053:       e8 96 01 00 00          call   0x4011ee
  401058:       ff 35 3b 6c 40 00       pushl  0x406c3b
  40105e:       e8 6d 01 00 00          call   0x4011d0
  401063:       68 45 6e 40 00          push   $0x406e45
  401068:       68 41 6e 40 00          push   $0x406e41
  40106d:       6a 00                   push   $0x0
  40106f:       68 3f 00 0f 00          push   $0xf003f
<snip>



- John
-- 
"Obviously, we do not want to leave zombies around."
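As an added example (not part of John's post or the list archive): a small Python triage helper that reads the `DLL Name:` and import rows of `objdump -x` output like the listing above and groups the imported APIs into capability buckets, so an analyst can see at a glance that a sample imports file-write, registry-write and process-execution APIs together. The bucket definitions are my own assumption and are a prompt for closer (sandboxed) inspection, not a verdict.

```python
import re
# Constructed sample input: import-table lines from the `objdump -x fixb.exe` output
# quoted in John's post, trimmed to the entries the heuristic below cares about.
SAMPLE = """\
        DLL Name: kernel32.dll
        vma:  Hint/Ord Member-Name Bound-To
        20ee      660  WinExec
        20d6      354  GetWindowsDirectoryA
        20ba       48  CreateFileA
        20f8      670  WriteFile
        20ac       26  CloseHandle

 0000204c       00002074 00000000 00000000 0000216c 00002000
        DLL Name: advapi32.dll
        2148      388  RegCreateKeyExA
        212a      243  GetUserNameA
        215a      430  RegSetValueExA
"""

# Assumed triage groupings (mine, not from the post). A sample whose imports cover
# several buckets at once deserves a closer look in a sandbox; it is not proof of malice.
CAPABILITIES = {
    "execute": {"WinExec", "CreateProcessA", "ShellExecuteA"},
    "drop-file": {"CreateFileA", "WriteFile", "GetWindowsDirectoryA"},
    "registry-persist": {"RegCreateKeyExA", "RegSetValueExA"},
}

DLL_RE = re.compile(r"^\s*DLL Name:\s*(\S+)")
# vma (hex), Hint/Ord (decimal), Member-Name; all-hex descriptor rows and the
# "vma:" header line do not match because the third field must start with a letter.
ENTRY_RE = re.compile(r"^\s*[0-9a-fA-F]+\s+\d+\s+([A-Za-z_]\w*)")

def parse_imports(text):
    """Return {dll_name: [imported function, ...]} in the order objdump printed them."""
    imports, current = {}, None
    for line in text.splitlines():
        m = DLL_RE.match(line)
        if m:
            current = m.group(1).lower()
            imports.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            imports[current].append(m.group(1))
    return imports

def flag_capabilities(imports):
    """Map each capability bucket to the sorted imported APIs that hit it (empty buckets dropped)."""
    names = {fn for fns in imports.values() for fn in fns}
    return {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items() if names & apis}
```

Pipe real output in with `objdump -x sample.exe | python3 triage.py` after swapping `SAMPLE` for `sys.stdin.read()`; the regexes ignore the header, section and descriptor rows objdump prints around the import list.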
