Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this module, we'll learn more about packers. We'll demonstrate the visual changes in malware code when a packer has been applied versus when none has, and we'll use Cantor Dust to display those visual changes.

Video Transcription

00:04
So I'm going to show you a little demo of the difference we can see in the code.
00:12
So over on the left, here we have the original bot binary from
00:17
the illusion bot that we downloaded from the GitHub page,
00:23
and I'm going to copy it over on the right side. And over here I've downloaded this program called Cantor Dust,
00:32
made by a researcher who works in the national labs, and he has talked at Black Hat, where he releases tools, actually. Really, really good. But he said he'd release
00:44
more than just this demo, and he never did. I don't know what his deal is, but it makes really pretty pictures and allows us to quickly see what's going on, so
00:56
we can take our original binary, our bot, we can drag it over here, and we can say OK, so this thing,
01:04
you can view it in different coordinate systems.
01:11
it's electrical.
01:12
It definitely has some patterns. Some lines in it that you can see.
01:17
It definitely has
01:22
some data, like right over here
01:25
in the corner,
01:26
you can see the smaller cubes,
01:30
and that is ASCII; those are the strings that we typically see.
01:36
And over on the left
01:38
we can see
01:40
these two columns of green,
01:44
and that's all fine and good.
01:48
And it gives us some kind of clear
01:52
idea of the type of data that's in there.
01:56
It's basically showing us the bytes.
02:00
So
02:01
we have our original bot binary here,
02:05
I'm gonna make a copy of it.
02:08
I'm going to pull up a command prompt,
02:13
CMD
02:15
it's in this directory,
02:19
and I'm going to download
02:22
a program, UPX. Like I said, it's
02:25
one of the oldest packers,
02:28
most commonly used.
02:30
I'm just downloading the one for Windows here.
02:35
And I've put the program right here.
02:37
So I'm going to type
02:39
UPX.
02:42
Yeah,
02:43
and I'm going to pack
02:46
the bot binary copy.
02:50
So it does its little banner, and then it says it edited this file. It compressed the size by 41%,
02:57
so that's nearly half of the size it was before.
03:00
Just rename this file to
03:05
packed.
03:09
Run Cantor Dust again.
03:13
So this was our original
03:15
bot binary,
03:16
and this is our packed version.
03:19
You can see there's really no
03:22
structure to it.
03:24
It's a lot of randomness. There is really nothing there that we can point to and say, Oh, I can see that there's some structure to this file, that there tends to be a cluster of bytes that are very similar over here.
03:38
Um,
03:38
You know, we can't really make much of it. It's because it's compressed. It's high entropy
03:46
also.
03:49
I'll show this in the future.
03:51
But if we run strings on our original binary,
03:54
I can see
03:57
that there are plenty: the user agents, the obfuscated strings, the paths or encoded paths, you know, the function calls. And if we
04:08
run the same strings command on
04:11
the packed binary,
04:13
we see that there are hardly any.
04:16
There's a few functions that it needs to resolve the other functions dynamically.
04:25
There's probably a reference to UPX in there somewhere.
04:30
Yeah
04:31
UPX!, UPX0, UPX1, UPX2. These are actually the names of the sections,
04:39
but
04:40
Well, we'll take a look at that in a bit.
04:43
And just for a test
04:46
we can
04:47
look at the hashes now. SHA-1,
04:56
SHA-1,
04:58
SHA-256,
05:00
and MD5,
05:01
and they are indeed different.
05:04
All it takes is one bit to be flipped
05:08
to generate a new hash, or to derive a new hash.
05:13
Visual reverse engineering might
05:15
take hold in the future,
05:17
but
05:20
I don't see it happening just yet. The tools aren't quite there, but
05:26
I definitely recommend this talk.
05:28
Even if he didn't really release the tool that he said he was going to, it's still pretty inspiring to see what's possible
05:34
with just visually inspecting
05:38
binaries.
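The demo above compares an original and a UPX-packed binary by eye, by strings, and by hash. The following Python script is an added example (not part of the course or of Cantor Dust, and not UPX's own code) that automates the same three checks on any file: Shannon entropy of the bytes, a `strings`-style extraction, and a walk of the PE section table looking for the UPX0/UPX1/UPX2 section names (plus the "UPX!" marker UPX writes into the file). The two inputs are constructed, PE-shaped byte strings built inline so the script runs offline; they are not loadable executables and their section layout, strings and sizes are assumptions for illustration only.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names UPX gives the packed image; "UPX!" is a marker string, not a section.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table; raises ValueError if not PE-shaped."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # start of COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0") for i in range(num_sections)]


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX section names or the UPX! marker anywhere in the file."""
    return bool(UPX_SECTION_NAMES & set(pe_section_names(data))) or UPX_MAGIC in data


def triage(data: bytes) -> dict:
    """The three checks from the demo, plus a hash so two files can be told apart."""
    return {
        "entropy": round(shannon_entropy(data), 2),
        "strings": len(printable_strings(data)),
        "sections": pe_section_names(data),
        "upx": looks_upx_packed(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# --- constructed sample inputs (assumptions; not real malware, not loadable PEs) ---

def build_fake_pe(section_names: list, body: bytes = b"") -> bytes:
    """Minimal PE-shaped bytes: DOS stub, PE signature, COFF header, section table, body."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, timestamp/symbols zeroed, SizeOfOptionalHeader=0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + table + body


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter stream) standing in for compressed code."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


UNPACKED = build_fake_pe(
    [b".text", b".rdata", b".data"],
    body=b"Mozilla/5.0 (Windows NT 6.1)\0" + b"http://c2.example.invalid/gate.php\0"
    + b"InternetOpenA\0" * 8 + b"\0" * 2048,
)
PACKED = build_fake_pe(
    [b"UPX0", b"UPX1", b".rsrc"],
    body=UPX_MAGIC + pseudo_random_bytes(4096) + b"LoadLibraryA\0GetProcAddress\0",
)

if __name__ == "__main__":
    for label, blob in (("original", UNPACKED), ("packed", PACKED)):
        print(label, triage(blob))
```

Two caveats a practitioner will hit on real samples: high-entropy data still contains short accidental printable runs, so raise `min_len` (as `strings -n` does) before judging that a packed file has "hardly any" strings; and the section-name check is only a UPX heuristic, since anyone can rename sections, so entropy and the missing import table remain the more general signals.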

Up Next

Intro to Malware Analysis and Reverse Engineering

In this course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor