Nsec 2015

The document discusses object oriented code reversing challenges like virtual methods and templates. It then discusses reversing object oriented malware like Flamer and Sednit. Finally, it introduces HexRaysCodeXplorer as a tool that can be used to analyze object oriented code.

Object Oriented Code RE with HexRaysCodeXplorer
Eugene Rodionov (@vxradius), Alex Matrosov (@matrosov)
Agenda
* Object Oriented Code Reversing Challenges
-- virtual methods
-- templates

* Reversing Object Oriented Malware
-- Flamer
-- Sednit

* HexRaysCodeXplorer in use
Modern C++ Malware for Targeted Attacks
Why is reversing C++ code a hard problem?
Virtual Methods & Templates
Virtual Methods

    #include <tchar.h>   // _tmain/_TCHAR are MSVC-specific

    // Non-virtual call: the compiler knows the target of cat->eat() statically.
    class Cat {
    private:
        int _weight;
    public:
        Cat(int weight) : _weight(weight) {}
        int eat(int food) {
            return _weight += food;
        }
    };

    int _tmain(int argc, _TCHAR* argv[])
    {
        Cat* cat = new Cat(130);
        int newWeight = cat->eat(20);
    }

vs

    // Virtual call: the target of cat->eat() is resolved at run time through
    // the vftable of the object behind the Animal pointer.
    class Animal {
    protected:
        int _weight;
    public:
        Animal(int weight) : _weight(weight) {}
        virtual int eat(int food) = 0;
    };

    class Cat : public Animal {   // public inheritance, so an Animal* may point to a Cat
    public:
        Cat(int weight) : Animal(weight) {}
        virtual int eat(int food) {
            return _weight += food;
        }
    };

    int _tmain(int argc, _TCHAR* argv[])
    {
        Animal* cat = new Cat(130);
        int newWeight = cat->eat(20);
    }
Virtual Function Tables
Figure: layout of a Class A object and its virtual function table. The object starts with vfPtr, followed by the attributes attr_1 and attr_2. vfPtr points to A::vfTable, whose slots hold A::a1(), A::a2() and A::a3(). The meta entry of A::vfTable points to the RTTI Object Locator (signature, pTypeDescriptor, pClassDescriptor).
Virtual Function Tables
* lead to indirect method calls
-- difficult to analyze statically

* initialized in constructors
-- need to track back object creation
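The two bullets above, worked through as an added example that is not from the slides: it records the vfPtr value inside each constructor (two writes to the same field for one object) and performs a virtual call the way the decompiler shows it, as an indirect call through table slot 0. Animal, Cat, Dog and the helper names are constructed; the layout assumptions (vfPtr at offset 0, first declared virtual method in slot 0, `this` passed as the first argument) hold for GCC, Clang and MSVC on x64 but are not guaranteed by the language.

```cpp
typedef void* const* VfTable;                 // a vftable: an array of code pointers
static VfTable vftable_of(const void* obj) {  // read the vfPtr stored at offset 0 (ABI assumption)
    return *static_cast<VfTable const*>(obj);
}
// Record which table the vfPtr pointed at inside each constructor body.
static VfTable g_table_in_animal_ctor = nullptr;
static VfTable g_table_in_cat_ctor = nullptr;

class Animal {
protected:
    int _weight;
public:
    Animal(int weight) : _weight(weight) { g_table_in_animal_ctor = vftable_of(this); }
    virtual int eat(int food) = 0;            // slot 0 of every Animal-derived vftable
};
class Cat : public Animal {
public:
    Cat(int weight) : Animal(weight) { g_table_in_cat_ctor = vftable_of(this); }
    int eat(int food) override { return _weight += food; }
};
class Dog : public Animal {
public:
    Dog(int weight) : Animal(weight) {}
    int eat(int food) override { return _weight += 2 * food; }
};

// The base constructor installs Animal's table, then Cat's constructor overwrites
// the same field with Cat's table: the object creation site must be tracked back.
bool vfptr_is_rewritten_by_derived_ctor() {
    Cat cat(130);
    return g_table_in_animal_ctor && g_table_in_animal_ctor != g_table_in_cat_ctor &&
           vftable_of(&cat) == g_table_in_cat_ctor;
}

// What a decompiler shows for a->eat(food): load vfPtr, load slot 0, call it.
// Assumes `this` is passed as the first argument (true for x64 GCC/Clang/MSVC).
int eat_via_slot0(Animal* a, int food) {
    typedef int (*EatFn)(Animal*, int);
    EatFn fn = reinterpret_cast<EatFn>(vftable_of(a)[0]);
    return fn(a, food);
}

// One call site, two targets: the static code alone does not say which one runs.
int same_call_site_two_targets() {
    Cat cat(130);
    Dog dog(100);
    return eat_via_slot0(&cat, 20) * 1000 + eat_via_slot0(&dog, 20);  // 150140
}
```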
C++ Templates
* extra code to analyze
-- another way to create polymorphic types
std::vector<int> std::vector<char>
std::vector<std::string> std::vector<custom_type>

* problematic to recognize standard library code (FLIRT)
-- playing with compiler optimization options
C++ Code Reconstruction Problems
* Object identification
-- type reconstruction

* Class layout reconstruction
-- Identify constructors/destructors
-- Identify class members
-- Local/global type reconstruction
-- Associate object with exact method calls

* RTTI reconstruction
-- vftable reconstruction
-- Associate vftable object with exact object
-- class hierarchy reconstruction
Reversing Object Oriented Malware
Practical Approaches: REconstructing Flamer Framework
REconstructing Flamer Framework
Figure: reconstructed Flamer framework. Vector<Consumer>: Mobile Consumer, Cmd Consumer, Lua Consumer, Media Consumer, Share Supplier, LSS Sender. Vector<Command Executor>: DB_Query, ClanCmd, FileCollect, Driller, GetConfig, IDLER, CmdExec, Sniffer, Munch, FileFinder, Euphoria, Frog, Beetlejuice. Also Vector<Task> and Vector<DelayedTasks>.

http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
Identifying Used Types
* Smart pointers

* Strings

* Vectors to maintain objects

* Custom data types:
-- tasks
-- triggers
-- etc.
Data Types Being Used: Smart pointers
struct SMART_PTR
{
void *pObject; // pointer to the object
int *RefNo; // reference counter
};
Data Types Being Used: Vectors
struct VECTOR
{
void *vTable; // pointer to the virtual table
int NumberOfItems; // self-explanatory
int MaxSize; // self-explanatory
void *vector; // pointer to buffer with elements
};

* Used for handling objects:
-- tasks
-- triggers
Data Types Being Used: Strings
struct USTRING_STRUCT
{
void *vTable; // pointer to the table
int RefNo; // reference counter
int Initialized;
wchar_t *UnicodeBuffer; // pointer to unicode string
char *AsciiBuffer; // pointer to ASCII string
int AsciiLength; // length of the ASCII string
int Reserved;
int Length; // Length of unicode string
int LengthMax; // Size of UnicodeBuffer
};
Approaching Flamer
* Type reconstruction:
-- Identify Object Constructors
-- Reconstruct Object Attributes

* Control Flow Graph Reconstruction:
-- Reconstruct Object Methods
Identifying Object Constructors
REconstructing Object’s Attributes
REconstructing Object’s Methods
Reversing Object Oriented Malware
Practical Approaches: REconstructing XAgent Framework
XAgent Framework
Figure: XAgent framework. AgentKernel (with Cryptor, DNameNode and Storage Controller); Agent Modules, Vector<IAgentModule>: AgentKernel Module, FileSystem Module, Remote KeyLogger Module, Process Retranslator Module; Communication Channels, Vector<IAgentChannel>: Local Channel, WinHttp.

http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
Object Interconnection: IAgentModule

    struct IAgentModule {
        LPVOID receiveMessage;
        LPVOID sendMessage;
        LPVOID getModuleId;
        LPVOID setModuleId;
        LPVOID executeModule;
    };

Figure: IAgentModule is implemented by AgentKernel, FileSystem Module, Remote Keylogger Module and Process Retranslator Module.
Exploring RTTI*
* recover type names

* reconstruct class hierarchy

* identify object virtual function tables

* IDA ClassInformer plugin


XAgent: LocalDataStorage

Figure: LocalDataStorage backed by a Registry reader/writer and a File reader/writer.
XAgent: Cryptor

Figure: Cryptor scheme: salt, encrypted message (4 bytes), key, RC4, plain text.
XAgent: IReservedApi
XAgent: Identifying Used Types

* Strings: std::string

* Containers to maintain objects:
-- std::vector
-- std::list
HexRaysCodeXplorer
HexRaysCodeXplorer since 2013
* CodeXplorer v1.0 released at REcon’2013

* First third-party plugin for the Hex-Rays Decompiler

* v1.0 supports IDA v6.4 and Decompiler for x86 v1.8
HexRaysCodeXplorer Features
* Hex-Rays decompiler plugin (x86/x64)

* The plugin was designed to facilitate static analysis of:
-- object oriented code
-- position independent code

* The plugin allows you to:
-- partially reconstruct object types
-- navigate through decompiled virtual methods
Hex-Rays Decompiler Plugin SDK
* At the heart of the decompiler lies ctree structure:
-- syntax tree structure
-- consists of citem_t objects
-- there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK
* Type citem_t is a base class for:
-- cexpr_t – expression type
-- cinsn_t – statement type
(Figure: citem_t with its two derived types cexpr_t and cinsn_t)

* Expressions have attached type information

* Statements include:
-- block, if, for, while, do, switch, return, goto, asm

* Hex-Rays provides iterators for traversing the citem_t objects within the ctree structure:
-- ctree_visitor_t, ctree_parentee_t
DEMO time :)
HexRaysCodeXplorer: Gapz Position Independent Code
HexRaysCodeXplorer: Virtual Methods

IDA’s ‘Local Types’ is used to represent the object type
HexRaysCodeXplorer: Virtual Methods
* The Hex-Rays decompiler plugin is used to navigate through the virtual methods
HexRaysCodeXplorer: Object Type REconstruction

* Hex-Rays’s ctree structure may be used to partially reconstruct the object type

* Input:
-- pointer to the object instance
-- object initialization routine entry point

* Output:
-- C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction
* citem_t objects:
-- memptr, idx, memref
-- call, ptr, asg
HexRaysCodeXplorer: Object Type REconstruction
// reference of DWORD at offset 12 in buffer a1
*(DWORD *)(a1 + 12) = 0xEFCDAB89;
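A miniature of the reconstruction described in the slides above, added here as an illustration; it is not CodeXplorer’s own code. A stand-in for cexpr_t that supports only the ptr/asg/add/var/num ops is walked the way a ctree_visitor_t walks the real tree, every access based on the object pointer is gathered by offset and width, and a C structure with gap fillers is emitted. The sample init routine is constructed from the slide’s `*(DWORD *)(a1 + 12) = 0xEFCDAB89;` plus invented stores; the names `a1`, `a2` and `vftable_A` are assumptions.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>
// Stand-in for cexpr_t; op names follow the Hex-Rays SDK (subset: no memptr/idx/memref).
enum Op { cot_asg, cot_ptr, cot_add, cot_var, cot_num };
struct Expr { Op op; int ptrsize = 0; std::string var; std::int64_t num = 0; std::shared_ptr<Expr> x, y; };
using E = std::shared_ptr<Expr>;
static E mk(Op op, E x = nullptr, E y = nullptr) { E e = std::make_shared<Expr>(); e->op = op; e->x = x; e->y = y; return e; }
static E var(const std::string& n) { E e = mk(cot_var); e->var = n; return e; }
static E num(std::int64_t v) { E e = mk(cot_num); e->num = v; return e; }
static E ptr(E a, int size) { E e = mk(cot_ptr, a); e->ptrsize = size; return e; }  // *(T *)a with sizeof(T) == size
static E add(E a, E b) { return mk(cot_add, a, b); }
static E asg(E lhs, E rhs) { return mk(cot_asg, lhs, rhs); }

// Offset of `*(T *)(obj + k)` or `*(T *)obj` relative to obj; -1 when the access is not based on obj.
static std::int64_t field_offset(const Expr& a, const std::string& obj) {  // a = operand of the deref
    if (a.op == cot_var && a.var == obj) return 0;
    if (a.op == cot_add && a.x->op == cot_var && a.x->var == obj && a.y->op == cot_num) return a.y->num;
    return -1;
}

// Like ctree_visitor_t::visit_expr: walk every expression and record accesses through obj.
static void collect(const E& e, const std::string& obj, std::map<std::int64_t, int>& fields) {
    if (!e) return;
    std::int64_t off = e->op == cot_ptr ? field_offset(*e->x, obj) : -1;
    if (off >= 0 && e->ptrsize > fields[off]) fields[off] = e->ptrsize;   // widest access wins
    collect(e->x, obj, fields); collect(e->y, obj, fields);
}

// Emit the C-structure-like view of obj; bytes no statement touched become gap_N fillers.
std::string reconstruct_type(const std::vector<E>& init_routine, const std::string& obj) {
    std::map<std::int64_t, int> fields;
    for (const E& stmt : init_routine) collect(stmt, obj, fields);
    std::string out = "struct obj_" + obj + " {\n";
    std::int64_t cur = 0;
    for (const auto& f : fields) {
        if (f.first > cur) out += "  char gap_" + std::to_string(cur) + "[" + std::to_string(f.first - cur) + "];\n";
        const char* t = f.second == 1 ? "BYTE" : f.second == 2 ? "WORD" : f.second == 4 ? "DWORD" : "QWORD";
        out += "  " + std::string(t) + " field_" + std::to_string(f.first) + ";\n";
        if (f.first + f.second > cur) cur = f.first + f.second;
    }
    return out + "};\n";
}

std::vector<E> sample_init_routine() {           // constructed sample, not real decompiler output
    return { asg(ptr(var("a1"), 4), var("vftable_A")),              // *(DWORD *)a1 = vftable
             asg(ptr(add(var("a1"), num(12)), 4), num(0xEFCDAB89)),  // the slide's statement
             asg(ptr(add(var("a1"), num(16)), 1), num(0)),           // *(BYTE *)(a1 + 16) = 0
             asg(ptr(add(var("a2"), num(8)), 4), num(1)) };          // other pointer: ignored
}
```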
HexRaysCodeXplorer: v1.7 [NSEC Edition]

Automatic virtual table identification + Type reconstruction
HexRaysCodeXplorer: v1.7 [NSEC Edition]

* Automatic virtual table identification

* Support for IDA Pro x64

* Bugfixes
DEMO time :)
HexRaysCodeXplorer: Next plans
* Switch to IdaPython (why Python?)

* Further research & development:
-- find cross-references to object attributes
-- handling nested structures
-- code similarity based on data flow analysis
Thank you for your attention!

http://REhints.com

@Rehints

https://github.com/REhints/HexRaysCodeXplorer