This document discusses tools and techniques for analyzing hackers' tools through static and dynamic analysis. Static analysis involves determining the file type, reviewing strings, performing online research, and reviewing source code if available. Dynamic analysis involves executing the tool in a sandboxed environment and monitoring system calls, file system activity, registry activity, and network traffic to observe the tool's behavior and interactions. A variety of Unix and Windows tools are recommended for tracing activity at different levels, including strace, Filemon, and Regmon. The goal of analysis is to understand the tool's functions and determine how it was used.
2. Acknowledgments
Material is sourced from:
Incident Response & Computer Forensics, Second Edition
Authors: Chris Prosise, Kevin Mandia
Publisher: McGraw-Hill/Osborne (New York, Chicago, San Francisco, Lisbon, London, Madrid, Mexico City, Milan, New Delhi, San Juan, Seoul, Singapore, Sydney, Toronto)
Israel Umana - Investigating Hackers' tools
3. THE GOALS OF TOOL ANALYSIS
Prevent similar attacks in the future
Assess an attacker's skill or threat level
Determine the extent of a compromise
Determine if any damage was done
Determine the number and type of intruders
Prepare yourself for a successful subject interview if you catch the attacker
Determine the attacker's objectives and goals (specific targeting versus target of opportunity)
6. File Analysis
On a Unix system, change to the directory of the suspicious file and issue the command:
[root@conan zap]# ls -al Z
This displays the file attributes and permissions. Sample output:
-rwxr--r-- 1 root root 7423 Feb 4 02:00 Z
7. File Analysis (contd)
[root@conan zap]# file Z
This command identifies the file type and shows how the file was compiled and linked. Here is a sample output:
Z: ELF 32-bit LSB executable, Intel 80386, version 1 (Linux), statically linked, stripped
8. File Analysis (contd)
[root@conan zap]# strings -a Z
The strings output shows whether the file has been packed with UPX. Sample output:
--Excerpt--
Linux
$Info: This file is packed with the UPX executable packer http://upx.sf.net$
$
$Id: UPX 1.24 Copyright (C) 1996-202 the UPX Team. All Rights Reserved. $
UWVSQR
11. STATIC ANALYSIS OF A HACKER TOOL
Static analysis is tool analysis performed without actually executing the rogue code.
It involves the following steps:
1. Determine the type of file
2. Review the ASCII and Unicode strings
3. Perform online research
4. Perform source code review
12. Determining the Type of File
Common file types include:
Windows 95/98/NT/2000/XP executable or dynamically linked library (DLL)
Linux a.out/elf/script
Solaris a.out/elf/script
DOS 32-bit COFF
DOS 16-bit .com file
DOS 16-bit executable
Atari ST/TT
13. Using the Unix File Command
The standard command for determining a file type on Unix systems is file.
[root@conan zap]# file *
14. Using the Windows Exetype Command
The Windows equivalent of the file command is the NT Resource Kit tool exetype.
It recognizes fewer file types than the file command.
15. Reviewing the ASCII and Unicode Strings
Basic static analysis of object code involves examining the ASCII-formatted strings of the binary file.
The strings command has the following syntax:
strings -a filename
This command line will display all ASCII strings contained in the object code that are four characters or longer.
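As an added example (not from the slides or from the book they draw on), the Python below does in code what the file and strings steps of slides 7, 8, 13 and 15 do by hand: it reads the ELF header fields that file(1) reports, pulls every printable ASCII run of four bytes or more the way strings -a does, and flags the UPX banner. The sample bytes are constructed here and are not a real binary.

```python
import struct

# Constructed sample (not a real binary): a minimal ELF32 header followed by the
# kind of strings a UPX-packed build carries. Built only to exercise the code below.
SAMPLE = (
    b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8      # e_ident: ELFCLASS32, LSB, version 1
    + struct.pack("<HHII", 2, 3, 1, 0x08048000)         # e_type=EXEC, e_machine=386, e_version, e_entry
    + b"\x00" * 24                                      # remainder of the 52-byte header
    + b"ab\x00Linux\x00"                                # "ab" is too short to count as a string
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net$\x00"
    + b"UWVSQR\x00"
)

ELF_CLASS = {1: "32-bit", 2: "64-bit"}
ELF_DATA = {1: "LSB", 2: "MSB"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
ELF_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def identify(data):
    """Minimal stand-in for file(1): describe an ELF header, otherwise report 'data'."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return "data"
    cls = ELF_CLASS.get(data[4], "unknown class")
    order = ELF_DATA.get(data[5], "unknown byte order")
    endian = "<" if data[5] == 1 else ">"          # e_ident[EI_DATA] fixes the byte order
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return "ELF %s %s %s, %s" % (cls, order, ELF_TYPE.get(e_type, "type %d" % e_type),
                                 ELF_MACHINE.get(e_machine, "machine %d" % e_machine))

def strings(data, min_len=4):
    """Like strings -a: every run of printable ASCII at least min_len bytes long."""
    found, run = [], bytearray()
    for b in data + b"\x00":                       # the trailing NUL flushes the last run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

def upx_markers(data):
    """Strings that betray UPX packing: the $Info:/$Id: banners and the UPX! tag."""
    return [s for s in strings(data) if "UPX" in s]
```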
16. Hex Editors
When all analysis fails, the hex editor is our friend. However,
when performing static tool analysis, the hex editor is only
slightly better than the strings command. It allows you to see
Unicode and ASCII strings within a file at the same time.
17. Performing Online Research
Perform online research to determine if the tool is publicly available on computer security or hacker sites. Compare any online tools identified with the tool you are analyzing.
If the tool is not publicly available, then you will need to decompile the file to analyze its functions.
18. Performing Source Code Review
With the source code available to you for review, you will be capable of determining exactly what a rogue program does.
Performing source code review requires working knowledge of the programming language used to create the tool. Most popular exploits and tools are written in ANSI C and Microsoft Visual Basic scripting, so you should become familiar with these formats.
19. DYNAMIC ANALYSIS OF A HACKER TOOL
In dynamic analysis, you execute rogue code and interpret its interaction with the host operating system.
This can be dangerous on your forensic workstation.
Our methodology includes the following tasks:
Monitor the time/date stamps to determine what files a tool affects.
Run the program to intercept its system calls.
Perform network monitoring to determine if any network traffic is generated.
Monitor how Windows-based executables interact with the Registry.
20. Creating the Sandbox Environment
Get the operating system and architecture necessary to execute the object code properly.
Install VMware on your test system.
Turn on the Nonpersistent write option in the configuration settings.
Make sure that the test system is not connected to the Internet.
Execute rogue code only on a closed network.
21. Dynamic Analysis on a Unix System
Most applications execute in a memory area defined as user space and are prohibited from accessing computer hardware and resources directly.
User applications access these resources by requesting the kernel to perform the operations on their behalf.
The user application makes these requests to the kernel via system calls.
22. Using Strace
Unix has a tool that traces the use of system calls by an executed process.
The strace command displays information about file access, network access, memory access, and many other system calls that a file makes when it is executed.
[root@conan zap]# strace -o strace.out ./zapdynamic
This command line will store the interaction between the zap program and the operating system in a file called strace.out.
24. Examining Strace Output
Look out for the following system calls:
The execve call, which starts the program.
The brk system calls are used to allocate memory for the process.
The mmap calls map a portion of a file into memory.
The fstat call obtains information about the file that is referenced by the file descriptor.
The close system calls are used to release a file descriptor when the process no longer needs the file or socket referenced.
25. Using Shortcuts with Strace
Search the strace output file for open, read, write, unlink, lstat, socket, and close system calls.
A shortcut is to use the option -e trace=file.
To display all interactions with a network device, use the option -e trace=network.
More combinations are available in the man page for strace.
Save a copy of all the data transferred with the -e write=set option, where set lists the file descriptors to dump.
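The manual search described on slides 24 and 25 can be scripted. The Python below, an added example that is not from the slides or the book, parses strace -o output, resolves file descriptors back to the paths they were opened on so that writes can be attributed, and separates file activity, failed calls and network calls the way -e trace=file and -e trace=network would. The trace text is constructed for the example (the path, fd numbers and the 192.0.2.10 documentation address are made up); it is not a real capture of the zap tool.

```python
import re

# Constructed strace -o output in the style of a log-cleaner run (not a real capture).
STRACE_OUT = r"""execve("./zapdynamic", ["./zapdynamic"], [/* 20 vars */]) = 0
brk(0)                                  = 0x804a000
open("/var/log/wtmp", O_RDWR)           = 3
fstat64(3, {st_mode=S_IFREG|0664, st_size=76800, ...}) = 0
read(3, "\7\0\0\0\0\0\0\0"..., 384)     = 384
write(3, "\0\0\0\0\0\0\0\0"..., 384)    = 384
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
unlink("/var/log/lastlog")              = -1 EACCES (Permission denied)
exit_group(0)                           = ?
"""
# One strace line: optional pid/timestamp prefix, then call(args) = retval [errno text]
LINE_RE = re.compile(r"^(?:\d+\s+)?(?:[\d.:]+\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)(?P<err>.*)$")
NET_CALLS = {"socket", "connect", "bind", "listen", "accept", "sendto", "recvfrom", "send", "recv"}

def first_string(args):
    """First double-quoted argument, which for open/unlink/stat is the path."""
    m = re.search(r'"([^"]*)"', args)
    return m.group(1) if m else None

def triage(output):
    """Summarise file and network activity in strace output, with fds resolved to paths."""
    fds = {}                                    # open fd -> path, so writes can be attributed
    report = {"opened": [], "written": {}, "unlinked": [], "errors": [], "network": []}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        call, args, ret, err = m.group("call", "args", "ret", "err")
        fd = args.split(",")[0].strip()         # first argument; an fd for read/write/close
        path = first_string(args)
        if call in ("open", "openat") and ret.isdigit():
            fds[ret] = path
            report["opened"].append(path)
        elif call == "write" and fd in fds:
            report["written"][fds[fd]] = report["written"].get(fds[fd], 0) + int(ret)
        elif call == "close":
            fds.pop(fd, None)
        elif call == "unlink":                  # attempted even if it failed; see "errors"
            report["unlinked"].append(path)
        elif call in NET_CALLS:
            report["network"].append("%s(%s)" % (call, args))
        if ret == "-1":
            report["errors"].append((call, path, err.strip()))
    return report
```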
26. Conducting Analysis Beyond Strace
The strace utility cannot do everything.
With strace, you cannot determine what the process is doing once it reads, writes, or receives values from the system calls.
You need to resort to techniques such as debugging and decompiling.
The debugger will allow you to step through every action a program takes during its execution.
27. Recompile the GNU Binutils Package
The binutils package is installed on most versions of Linux.
It is built to recognize a small number of object file types.
Tools in the precompiled binutils package may build, view, disassemble, and otherwise alter a handful of Linux native executable files.
Recompile the package with ./configure --enable-targets=all so that its tools recognize other object file formats.
28. Dynamic Analysis on a Windows System
You execute the rogue code and use utilities to watch how the rogue process interacts with the file system, the Registry, application programming interfaces (APIs), and the operating system.
For dynamic tool analysis of Windows applications, we use Filemon, Regmon, ListDLLs, Fport, and PsList.
Filemon, Regmon, ListDLLs, and PsList are available at:
http://www.sysinternals.com
29. Using Filemon
The Filemon utility (from the Sysinternals web site) provides a wiretap between running processes and the file system.
It intercepts all access and queries a process makes to the file system.
You can determine all of the files the program reads, writes to, and accesses to perform its unknown activity.
31. Using Regmon
Regmon taps a process's interaction with the Windows Registry.
Some programs query, enumerate, and close more than 950 Registry keys upon execution.
Regmon allows you to enter filters to focus your analysis on relevant entries.
It provides immediate access to the Registry Editor (regedit).
It provides a simple interface to monitor which programs write startup entries in the Registry and which programs query the network hardware in order to generate or receive network traffic.
33. Using ListDLLs
ListDLLs is available in the NT/2000 Resource Kit.
It shows all of the DLLs needed by a process.
It enumerates the full pathnames of the DLLs loaded by the process.
ListDLLs is helpful for detecting applications that have been modified (injected) with extra functionality.
Viewing which DLLs the program is using may allow you to detect if the application is interacting with the network services at an API level or if it is attempting to bypass them.
It works only on programs that are currently running.
34. Using Fport and PsList
Fport and PsList are critical tools for dynamic analysis on a Windows system.
Fport should be used prior to and after executing a rogue process to determine if the rogue process opened any network sockets.
PsList is useful to determine if a process changes its process name after execution.
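The before/after Fport comparison above is easy to get wrong by eye on a busy host, so here is an added example (not from the slides or the book) that diffs two Fport-style listings in Python and also checks whether a listener that borrows a system process name is actually loaded from the system directory. Both snapshots are constructed for the example and are not real Fport captures; the list of system process names is an assumption.

```python
import re

# Constructed Fport-style snapshots (not real captures). The real tool prints a
# banner and then "Pid Process Port Proto Path" rows; the layout below follows that.
BEFORE = r"""FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
392   svchost       ->   135   TCP   C:\WINNT\system32\svchost.exe
8     System        ->   139   TCP
8     System        ->   445   TCP
392   svchost       ->   135   UDP   C:\WINNT\system32\svchost.exe
"""
# After the suspect tool ran: one extra listener whose name mimics a system binary.
AFTER = BEFORE + r"1204  svchost       ->   31337 TCP   C:\temp\svchost.exe" + "\n"

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

def parse_fport(text):
    """Map (port, proto) -> (pid, process, path); banner and header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            table[(int(port), proto)] = (int(pid), proc, path)
    return table

def new_listeners(before_text, after_text):
    """Sockets present in the 'after' snapshot that the 'before' snapshot lacked."""
    before, after = parse_fport(before_text), parse_fport(after_text)
    return {k: v for k, v in after.items() if k not in before}

# Names a rogue process commonly borrows; this list is an assumption for the example.
SYSTEM_NAMES = {"svchost", "lsass", "winlogon", "services", "csrss", "spoolsv"}

def suspicious_paths(table, system_dir=r"C:\WINNT\system32"):
    """Rows using a system process name but loaded from outside the system directory."""
    return [row for row in table.values()
            if row[1].lower() in SYSTEM_NAMES and row[2]
            and not row[2].lower().startswith(system_dir.lower())]
```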
37. Conducting Further Analysis on Windows
The tools described in this chapter provide the first level of analysis.
More comprehensive techniques are available.
Decompiling and debugging are the next steps, using IDA Pro (an interactive disassembler) and SoftICE (a source-level debugger).
They can be obtained at:
IDA Pro: http://www.datarescue.com
SoftICE: http://www.compuware.com/products/devpartner/softice