No Symbols When Reversing? No Problem: Bring Your Own

Presented at DEF CON 32 (2024), Aug. 9, 2024, 11 a.m. (20 minutes).

We all know the feeling: you open an unknown file in your favorite analysis tool and are greeted with hundreds or thousands of unknown functions, none of which match your existing function signatures or any of your helper scripts. This makes the analysis painfully slow and tedious. Sometimes it also means that the required analysis time exceeds the available time, and another file is reversed instead. When dealing with malware, that is an undesirable outcome, as it creates a blind spot from a blue team's perspective. The goal of this talk is to share a tried and tested method for dealing with thousands of unknown functions in a given file, significantly decreasing the time spent on analysis. The running example is the Golang-based qBit family, but the method applies to any kind of binary. While this talk focuses on Ghidra, given its free and open-source nature, the approach is equally possible with other industry-standard tools. The focus is on scripts, as well as the creation and usage of FunctionID and BSim databases. By combining these, you can create your own symbols and bring them anywhere you go, for any language of choice. The symbols are portable, and an aggregated collection of them scales well across any number of analysts. As such, this methodology works well for individual researchers, but when scaled to a team of researchers, the outcome is greater than the sum of its parts. This talk uses (malicious) Golang binaries as examples and provides a large dataset of symbols for this language. The scripts, as well as the FunctionID and BSim databases mentioned in this talk, will all be made publicly available at the time of the talk.
References, in no particular order:

- Automate .fidb generation with headless Ghidra: [link](https://blog.threatrack.de/2019/09/20/ghidra-fid-generator/)
- Understanding static and dynamic compilation and linking: [link](https://www.youtube.com/watch?v=fGnbGX88z3Y)
- How symbols work: [link](https://www.youtube.com/watch?v=iBQo962Sx0g)
- BSim answers from the Ghidra team: [link](https://github.com/NationalSecurityAgency/ghidra/issues/6098)
- Feeding Gophers to Ghidra (a blog I wrote for my employer about my research into Golang internals): [link](https://www.trellix.com/blogs/research/feeding-gophers-to-ghidra/)
- A blog I wrote summarising my Golang reversing journey for my employer: [link](https://www.trellix.com/blogs/research/feeding-gophers-to-ghidra/)
- The open-source scripts on GitHub: [link](https://github.com/advanced-threat-research/GhidraScripts)
- A talk I gave about the Golang internals at HackInTheBox Amsterdam 2023: [link](https://www.youtube.com/watch?v=wsNfHqZfTfE)
- Ghidra's FunctionID codebase: [link](https://github.com/NationalSecurityAgency/ghidra/tree/master/Ghidra/Features/FunctionID)
- Hex-Rays' IDA Pro F.L.I.R.T. explained: [link](https://hex-rays.com/products/ida/tech/flirt/in_depth/)
- BSim's GhidraDoc explanation and tutorial: [link](https://github.com/NationalSecurityAgency/ghidra/blob/master/GhidraDocs/GhidraClass/BSim/README.md)

Presenters:

  • Max "Libra" Kersten
    Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting. In 2019, Max graduated cum laude with a bachelor's in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a malware analyst at Trellix, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max spoke at international conferences, such as DEFCON, Black Hat (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he gave guest lectures and workshops for DEFCON, Botconf, several universities, and private entities.