Reverse Engineering

Tools that assist with reverse engineering applications (including modifying them)

SiRA

1. Enable network proxy
2. Snapshot file system
3. Install app
4. Decrypt app
5. Snapshot file system
6. Binary analysis:
   a. PIE enabled?
   b. Stack smashing protection enabled?
   c. Reference counting enabled?
   d. Class-dump or class-dump-z
   e. XML processors installed?
   f. Jailbreak detection?
      i. (if yes, disable)
7. Runtime analysis:
   a. Use the app and record data
   b. Certificate enforcement
      i. if yes, bypass (import cert, hook cert functions)
   c. Snapshot file system
   d. Analyze snapshot diffs
      i. Locate storage of sensitive data
         1. Was it stored securely?
      ii. Protocol handlers installed?
   e. Locate transmission of sensitive data
      i. Was it transmitted securely?
      ii. Privacy analysis
         1. Did the app transmit Contacts?
         2. Did the app transmit Calendar?
         3. Did the app transmit Location?
         4. Did the app store a location log?
            a. What was the granularity of the location?
         5. Did the app transmit UDID?
   f. Abuse the app and record data
      i. If protocol handlers are in use, can they be abused?
      ii. UIWebView in use?
         1. Attempt XSS
            a. Attempt to exploit the objc bridge
      iii. XML in use?
         1. Attempt local XML attacks
      iv. Attempt buffer overflows
      v. Attempt format string attacks
      vi. Attempt local file traversal
      vii. Attempt local SQLi
      viii. Logic flaw abuse
      ix. (If in scope: server side analysis)
   g. Snapshot file system
   h. Analyze snapshot diffs
   i. As findings are discovered, repeat any steps in 7 as needed

SiRA is able to automate or semi-automate many of the steps involved in an application
assessment. SiRA includes some assistance for all 7 of the major methodology steps outlined
above. Not all automatable substeps are currently implemented, but work is ongoing. In
addition, SiRA provides a convenient single location for a variety of manual and semi-automated
functions. Finally, SiRA can automate your automation by providing a step-by-step guided

shellnoob

shellnoob is a toolkit to help you write shellcode.

Features:

* convert shellcode between different formats and sources. Formats currently supported: asm, bin, hex, obj, exe, C, python, ruby, pretty, safeasm, completec, shellstorm. (All details in the "Formats description" section.)
* interactive asm-to-opcode conversion (and vice versa) mode. This is useful when you cannot use specific bytes in the shellcode and you want to figure out whether a specific assembly instruction will cause problems.
* support for both AT&T and Intel syntax. Check the --intel switch.
* support for 32 and 64 bits (when playing on an x86_64 machine). Check the --64 switch.
* resolve syscall numbers, constants, and error numbers (now implemented for real!).
* portable and easily deployable (it only relies on gcc/as/objdump and python). And it is just one self-contained Python script!
* in-place development: you run ShellNoob directly on the target architecture!
* built-in support for Linux/x86, Linux/x86_64, Linux/ARM, FreeBSD/x86, FreeBSD/x86_64.
* "*prepend breakpoint*" option. Check the -c switch.
* read from stdin / write to stdout support (use "-" as filename).
* uber cheap debugging: check the --to-strace and --to-gdb options!
* use ShellNoob as a Python module in your scripts! Check the "ShellNoob as a library" section.
* verbose mode shows the low-level steps of the conversion: useful to debug / understand / learn!
* extra plugins: binary patching made easy with the --file-patch, --vm-patch, --fork-nopper options! (all details below)

LordPE

LordPE is a tool, aimed at system programmers among others, that can edit and view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate them, analyze them, and more.
Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

I personally use this tool along with XVI32 and OllyDbg to add code caves into the PE file so I can manually pack and XOR malicious code into the PE file.

PowerSploit

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:

CodeExecution
Execute code on a target machine.

Invoke-DllInjection
Injects a DLL into the process ID of your choosing.

Invoke-ReflectivePEInjection
Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process, or reflectively injects a DLL into a remote process.

Invoke-Shellcode
Injects shellcode into the process ID of your choosing or within PowerShell locally.

Invoke-ShellcodeMSIL
Execute shellcode within the context of the running PowerShell process without making any Win32 function calls.

Watch-BlueScreen
Cause a blue screen to occur (Windows 7 and below).

ScriptModification
Modify and/or prepare scripts for execution on a compromised machine.

Out-EncodedCommand
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

Out-CompressedDll
Compresses, Base-64 encodes, and outputs generated code to load a managed DLL in memory.

Out-EncryptedScript
Encrypts text files/scripts.

Remove-Comments
Strips comments and extra whitespace from a script.

Persistence
Add persistence capabilities to a PowerShell script.

New-UserPersistenceOptions
Configure user-level persistence options for the Add-Persistence function.

New-ElevatedPersistenceOptions
Configure elevated persistence options for the Add-Persistence function.

Add-Persistence
Add persistence capabilities to a script.

PETools
Parse/manipulate Windows portable executables.

Get-PEHeader
An in-memory and on-disk PE parsing utility.

Get-ObjDump
Displays information about one or more Windows object files.

Get-LibSymbols
Displays symbolic information from Windows lib files.

Get-DllLoadPath

BinNavi

BinNavi is a binary code reverse engineering tool that was built to assist vulnerability researchers who look for vulnerabilities in disassembled code.
With BinNavi you can analyze disassembled x86, ARM, PowerPC, and MIPS code using the powerful built-in static code analysis techniques. In cases where static code analysis is not enough, you can use the built-in debuggers to get a live view on the program you are analyzing.

Syser

Syser Debugger is designed for the Windows NT family on the x86 platform. It is a kernel debugger with a full graphical interface that supports both assembly-level and source-level debugging.

STrace

strace is a system call tracer, i.e. a debugging tool that prints a trace of all the system calls made by another process/program.

LTrace

ltrace intercepts and records the dynamic library calls made by an executed process and the signals received by that process. It can also intercept and print the system calls executed by the program.

NM

The nm command is used to list the symbols from the target program. By using nm, we can learn the local and library functions and also the global variables used. nm cannot work on a program that has been stripped using the 'strip' command. Below is a link on usage for reverse engineering on Linux.

http://www.thegeekstuff.com/2012/03/linux-nm-command/

Strings

This is a tool built into Unix-based systems that prints the sequences of printable characters in files or programs. It is used for information gathering while reverse engineering a file. Below I have supplied a link to a man page for the command along with usage of the tool.

http://www.thegeekstuff.com/2010/11/strings-command-examples/
http://unixhelp.ed.ac.uk/CGI/man-cgi?strings
