1 / 35

Investigating Hacker Tools

Investigating Hacker Tools. Outline. Preface How files are Compiled Static analysis of a hacker tool Dynamic analysis of a hacker tool. Outline. Preface How files are Compiled Static analysis of a hacker tool Dynamic analysis of a hacker tool. The Goals.

elma
Download Presentation

Investigating Hacker Tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Investigating Hacker Tools

  2. Outline • Preface • How files are Compiled • Static analysis of a hacker tool • Dynamic analysis of a hacker tool

  3. Outline • Preface • How files are Compiled • Static analysis of a hacker tool • Dynamic analysis of a hacker tool

  4. The Goals • Prevent similar attacks in the future • Assess an attacker’s skill or threat level • Determine the extent of a compromise • Determine if any damage was done • Determine the number and type of intruders • Prepare yourself for successful subject interview if you catch the attacker • Determine the attacker’s objectives and goals

  5. Outline • Preface • How files are Compiled • Static analysis of a hacker tool • Dynamic analysis of a hacker tool

  6. Statically Linked Programs • A statically linked executable file contains all the code necessary to successfully run the application • Don’t have any dependencies

  7. Dynamically Linked Programs • Shared libraries • Contain commonly used functions and routines • Reduce the size of the executable file • Conserve system memory • Update the shared libraries without the change of the original programs

  8. Static Program vs. Dynamic Program Dynamically Compiled Program Shared Libraries Statically Compiled Program Printf Stub to Reference other Memory Location Dynamic Program Printf Function Contained Within the Program’s Object Code Static Program System Memory

  9. Programs Compiled with Debug Options • With debug options • Include a lot of information about the program and its source code

  10. The comparison of the file size The file size

  11. The stripped programs • Strip is a function that discards all symbols from the object code to make a file much smaller and perhaps more optimal for execution The smaller file size The command line

  12. Programs Packed with UPX (Ultimate Packer for eXecutables) • An effective compression tool for executable files • A hacker can obscure their illicit programs from signature-based IDS • A review of the ASCII-formatted strings within the rogue code will show whether UPX was used to compress the executable http://upx.sourceforge.net

  13. An example of UPX

  14. An example of Symbol Extraction (1/2) Debugging information is included, use $nm –al zapdebug $nm –a zapdynamic Symbol type Symbol value

  15. An example of Symbol Extraction (2/2) • Symbol type • Lowercase • A local variable • Uppercase • A global variable $man nm

  16. Outline • Preface • How files are Compiled • Static analysis of a hacker tool • Dynamic analysis of a hacker tool

  17. What and the step you should follow • Static analysis is tool analysis performed without actually executing the rogue code • The general approach to static analysis involves the following steps • Determine the type of file you are examining • Review the ASCII and Unicode strings contained within the binary file • Perform online research to determine if the tool is publicly available on computer security or hacker sites • Perform source code review if you either have the source code or believe you have identified the source code via online research

  18. Determine the Type of File The command The magic file

  19. Review the ASCII and Unicode Strings • $strings –a filename • $hexedit • Allow you to see Unicode and ASCII strings within a file at the same time • Look for the following items • The name if the source code files before the application was compiled • The exact compiler used to create the file • The “help” strings in the tool • The error messages that the program displays • The value of static variable

  20. Performing Online Research and Source Code Review • It’s very helpful to find the same tool • Two occasion • The attacker leaves the source code on the system • Find the identical program from another source with the proper source code

  21. Outline • Preface • How files are Compiled • Static analysis of a hacker tool • Dynamic analysis of a hacker tool

  22. What and the task you should do • Dynamic analysis of a tool takes place when you execute rogue code and interpret its interaction with the host operating system • Methodology must includes the following tasks • Monitor the time/date stamps to determine what files a tool affects • Run the program to intercept its system calls • Perform network monitoring to determine if any network traffic is generated • Monitor how Windows-based executables interact with the Registry

  23. Set up your test environment • You need to invest the time to set up the proper test environment • VMware • Make sure that the test system is not connected to the Internet • Beacon packet • Phone home • Or your can execute it on a closed network

  24. Intercept the system call • User applications use system calls to request the kernel • System trace ($strace) • Wiretap between a program and the operating system Execute the rouge program The output file

  25. The example_1 of strace

  26. The example_2 of strace (1/3)

  27. The example_2 of strace (2/3)

  28. The example_2 of strace (3/3)

  29. Conducting Analysis Beyond strace • Debugging • Decompiling • Linux Assembly web site • http://linuxassembly.org • Tool Interface Standard’s and Manuals on the Mr. Dobbs Microprocessor Resources web site • http://x86.ddj.com/intel.doc/tools.htm • objdump • nm • gdb

  30. Dynamic Analysis on a Windows System • filemon • Provide a wiretap between running processes and the file system. • regmon • Tap a process’s interaction with the Windows Registry • listdlls • Show all of the DLLs needed by a process • fport • Determine what port the rouge program opens • flist • Determine if a process changes its process name after execution

  31. filemon

  32. regmon

  33. listdlls

  34. fport

  35. pslist

More Related