Reverse Engineering and Dynamic Analysis
CIO and CISO Mukul Gupta Explains the Process, Tools and Sandboxing
The Reverse Engineering Process
Engineers can only build strategies to limit a program's harmful impacts if they understand its complexities. A reverse engineer - sometimes called a "reverser" - uses a number of approaches to figure out how a program propagates through a system and what it's supposed to do.
Disassembling - and in certain circumstances, decompiling - a computer program is part of the reverse engineering process. In this procedure, binary instructions are converted to code mnemonics or higher-level structures, allowing engineers to study what the program does and how it affects other systems.
As a consequence, the reverser learns which vulnerabilities the software was designed to exploit. For example, when WannaCry ransomware was reverse-engineered, attempts to follow its spread led to the discovery of the "kill switch" - a finding that proved important in stopping the malware's propagation.
Reverse engineers can extract signals that show:
- When a program was created - although malware writers are known to leave fictitious trails;
- What embedded resources it may use;
- Encryption keys, and other file, header and metadata components.
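Two of the signals listed above, the build timestamp and the embedded strings, can be pulled from a Windows executable with nothing more than the standard library. The following is an added example written for this page, not code from the author or from any of the tools named below; it assumes the standard PE/COFF header layout (e_lfanew at offset 0x3C, TimeDateStamp eight bytes after the "PE\0\0" signature) and builds a constructed, minimal PE header to run against. The plausibility check reflects the point made in the first bullet: a compile time that falls after the sample was first seen is a fictitious trail, not a fact.

```python
import re
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF header layout (assumed standard; not taken from the article).
E_LFANEW_OFFSET = 0x3C       # DOS header field pointing at the "PE\0\0" signature
COFF_TIMESTAMP_OFFSET = 8    # TimeDateStamp sits 8 bytes after the signature


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (ts,) = struct.unpack_from("<I", data, pe_off + COFF_TIMESTAMP_OFFSET)
    return ts


def pe_timestamp_iso(data: bytes) -> str:
    """Human-readable UTC form of the compile timestamp."""
    return datetime.fromtimestamp(pe_timestamp(data), tz=timezone.utc).isoformat()


def timestamp_plausible(ts: int, first_seen: int) -> bool:
    """A compile time later than the moment the sample was first seen in the wild,
    or earlier than the PE format itself, is a forged stamp rather than evidence."""
    earliest = int(datetime(1993, 1, 1, tzinfo=timezone.utc).timestamp())
    return earliest <= ts <= first_seen


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs: the usual first look at embedded resources and config."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_sample_pe() -> bytes:
    """Constructed minimal PE header for demonstration only; not a real binary."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    # Machine=IMAGE_FILE_MACHINE_I386, NumberOfSections=1, TimeDateStamp=1500000000
    struct.pack_into("<HHI", buf, 0x84, 0x14C, 1, 1_500_000_000)
    marker = b"http://example.invalid/config\0"   # constructed embedded string
    buf[0xC0:0xC0 + len(marker)] = marker
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("compiled:", pe_timestamp_iso(sample))
    print("plausible:", timestamp_plausible(pe_timestamp(sample), first_seen=1_600_000_000))
    print("strings:", extract_strings(sample))
```

On a real sample, replace build_sample_pe() with the file's bytes and pass the first-seen time from your own telemetry or a reputation service; the timestamp is only as trustworthy as that comparison lets it be.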
Reverse Engineering Tools
The most common tools used in reverse engineering are IDA Pro, Apktool and OllyDbg.
IDA Pro is one of the most capable and most widely used reverse engineering tools. It's an interactive disassembler with an integrated command language, or IDC, that can handle a variety of executable formats for different processors and operating systems. IDA Pro also comes with a plethora of plug-ins that further extend the disassembler's capabilities.
Apktool can decode resources to a near-original state and reproduce them after a few tweaks. It enables step-by-step debugging of smali code and makes app development easier thanks to its project-like file structure and the way it automates some repetitive operations, such as APK generation.
OllyDbg - named after its creator, Oleh Yuschuk - is an x86 debugger that focuses on binary code analysis, which comes in handy when source code isn't accessible. It locates routines from object files and libraries and identifies registers, procedures, API calls, switches, tables, constants and strings.
Case Study of Apktool
By using Apktool with a sample Android application package, or apk, we can decode the application's files, such as AndroidManifest.xml and strings.xml, in order to change the application's permissions.
Let's assume that we already have a sample apk payload available, and that it is Netflix.apk.
Step 1: Introduction to Apktool
Here we look at the usage of apktool with the help of apktool -h. You can also use man apktool to see all the flags that can be used alongside apktool to streamline the debugging process.
Step 2: Use flag 'd'
The 'd' flag decodes the application. You need to decode the application apk to extract the necessary files; this is also called reverse-engineering the apk file.
Step 3: Decoded Application Files
The output location contains the decoded demo payload application, created in-house and named Netflix.apk, with the common files AndroidManifest.xml and, under the res folder, strings.xml.
The AndroidManifest.xml file is used to enable or disable permission access for the application. It also includes the application's integrated icon and name settings.
The strings.xml file holds the application's name string. The default is: main_activity.
Step 4: Open AndroidManifest.xml File
You can open the file with any available file editor. Here, we are using Pluma, the Parrot OS default file editor, and adding the icon integration string.
Step 5: Add 3 Files
Under the res folder, add three folders with icons at the following resolutions:
- drawable-hdpi-v4: 72x72 pixels
- drawable-ldpi-v4: 33x33 pixels
- drawable-mdpi-v4: 48x48 pixels
This adds or replaces the application's icon with the images you supply.
Step 6: Run Binding Command
Run the binding command to integrate the new icon from the folder location.
This creates a new dist folder containing the rebuilt apk, which now carries the desired icon.
Step 7: Desired Icon Appears
The desired icon will appear in the Android package installer.
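Once the apk has been decoded (Step 2) and before it is rebuilt (Step 6), the decoded tree is plain XML and image files, which makes it easy to audit rather than only to modify. The example below is added for this page and is not the author's workflow or part of Apktool; it assumes the usual layout of an "apktool d" output directory (AndroidManifest.xml at the top, res/values/strings.xml, and the density folders named in Step 5, drawable-ldpi-v4, drawable-mdpi-v4 and drawable-hdpi-v4) and constructs a small stand-in tree so it runs offline. It lists every requested permission, flags the ones in a small subset of Android's "dangerous" group, resolves the @string/ app label the way Step 3 describes, and reports which icon density folders are missing, the check you would want before and after Step 5.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Density folders assumed to be present after the icon step; names are the standard ones.
ICON_DIRS = ("drawable-ldpi-v4", "drawable-mdpi-v4", "drawable-hdpi-v4")
# Small subset of Android's "dangerous" permission group, enough to highlight
# entries that deserve a second look during review.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
}


def _android(attr):
    """Qualified attribute name for the android: namespace used in the manifest."""
    return "{%s}%s" % (ANDROID_NS, attr)


def list_permissions(manifest):
    return [el.get(_android("name")) for el in manifest.iter("uses-permission")]


def app_label(root, manifest):
    """Resolve android:label, following an @string/ reference into res/values/strings.xml."""
    label = manifest.find("application").get(_android("label"), "")
    if not label.startswith("@string/"):
        return label
    strings = ET.parse(os.path.join(root, "res", "values", "strings.xml")).getroot()
    for s in strings.iter("string"):
        if s.get("name") == label[len("@string/"):]:
            return s.text
    return label


def missing_icon_dirs(root, manifest):
    """Density folders that do not contain the launcher icon named in the manifest."""
    icon = manifest.find("application").get(_android("icon"), "")
    name = icon.split("/")[-1] + ".png"
    return [d for d in ICON_DIRS if not os.path.exists(os.path.join(root, "res", d, name))]


def audit(root):
    manifest = ET.parse(os.path.join(root, "AndroidManifest.xml")).getroot()
    perms = list_permissions(manifest)
    return {
        "package": manifest.get("package"),
        "label": app_label(root, manifest),
        "permissions": perms,
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "missing_icon_dirs": missing_icon_dirs(root, manifest),
    }


def build_sample_tree():
    """Constructed stand-in for an 'apktool d' output directory; not a real application."""
    root = tempfile.mkdtemp(prefix="decoded_apk_")
    with open(os.path.join(root, "AndroidManifest.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n'
                '<manifest xmlns:android="%s" package="com.example.sample">\n'
                '  <uses-permission android:name="android.permission.INTERNET"/>\n'
                '  <uses-permission android:name="android.permission.READ_SMS"/>\n'
                '  <application android:icon="@drawable/ic_launcher" android:label="@string/app_name">\n'
                '    <activity android:name=".MainActivity"/>\n'
                '  </application>\n</manifest>\n' % ANDROID_NS)
    os.makedirs(os.path.join(root, "res", "values"))
    with open(os.path.join(root, "res", "values", "strings.xml"), "w", encoding="utf-8") as f:
        f.write('<resources>\n  <string name="app_name">Sample</string>\n</resources>\n')
    # Only two of the three density folders get an icon, so the audit has something to report.
    for d in ("drawable-mdpi-v4", "drawable-hdpi-v4"):
        os.makedirs(os.path.join(root, "res", d))
        with open(os.path.join(root, "res", d, "ic_launcher.png"), "wb") as f:
            f.write(b"\x89PNG placeholder")   # constructed, not a valid image
    return root


if __name__ == "__main__":
    for key, value in audit(build_sample_tree()).items():
        print("%-18s %s" % (key, value))
```

Point audit() at a real decoded directory to compare the manifest of a rebuilt package against the original; any permission that appears only in the rebuilt one is exactly what a reviewer of a repackaged apk needs to see.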
Dynamic Analysis and Sandboxes
All the above strategies involve dynamic analysis of an application, which means testing the application while the software is running. You can disassemble, debug or rearrange the software to gain the information required to hack or exploit the application, or to find out what bugs the application contains. You can also use Wireshark, a network protocol analyzer, when you want to capture and inspect packets.
There are benefits to using a sandbox for dynamic analysis, but there are some disadvantages as well. Sandbox-evading malware is a concern.
Many of the more powerful malicious programs employ evasion tactics to identify that they are executing in a sandbox, and they stop showing their true, harmful nature once a sandbox is detected.
To avoid detection and outwit sandboxes, advanced malware programs use a number of evasion strategies, including:
- Postponing risky actions;
- Acting only when a user is present;
- Concealing malicious code in locations where it will not be noticed.
Some of the malware families that evade sandboxes are Locky ransomware and the RogueRobin and KeRanger Trojans. You can read about them here.
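The three evasion strategies listed above leave traces in a sandbox's own API log even when the payload never runs, so an analyst can flag a "clean" run that was really an evaded one. The following is an added example for this page, not code from the author or from any sandbox product; it assumes a simple constructed trace format ("<seconds> <api> [key=value ...]") and constructed sample lines, and implements three heuristics: total Sleep time beyond a threshold (postponing risky actions), repeated probes of cursor position or last-input time (acting only when a user is present), and the absence of any file, process, registry or network activity before the run ended.

```python
import re

# Constructed trace in the shape "<seconds> <api> [key=value ...]"; not output of any real sandbox.
SAMPLE_TRACE = """\
0.000 GetSystemInfo
0.010 GetCursorPos
0.510 GetCursorPos
1.010 GetCursorPos
1.020 Sleep ms=300000
301.020 GetLastInputInfo
301.030 Sleep ms=300000
"""

# APIs commonly used to check whether a human is at the keyboard.
PRESENCE_PROBES = {"GetCursorPos", "GetLastInputInfo", "GetForegroundWindow"}
# APIs whose appearance would show the sample actually did something observable.
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "CreateProcessW", "connect",
                "RegSetValueExW", "CryptEncrypt"}

LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<api>\w+)(?P<rest>.*)$")


def parse_trace(text):
    """Parse trace lines into (seconds, api, {arg: value}) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        events.append((float(m.group("t")), m.group("api"), args))
    return events


def evasion_findings(events, max_sleep_ms=60_000, probe_threshold=3):
    """Return the evasion indicators present in a parsed trace, in a fixed order."""
    findings = []
    total_sleep = sum(int(a.get("ms", 0)) for _, api, a in events if api == "Sleep")
    if total_sleep >= max_sleep_ms:
        findings.append("long-delay")
    probes = sum(1 for _, api, _ in events if api in PRESENCE_PROBES)
    if probes >= probe_threshold:
        findings.append("user-presence-probe")
    if not any(api in PAYLOAD_APIS for _, api, _ in events):
        findings.append("no-payload-observed")
    return findings


# What the analyst should change before re-running the sample.
RECOMMENDATIONS = {
    "long-delay": "extend the run time or accelerate Sleep calls",
    "user-presence-probe": "enable mouse/keyboard activity simulation",
    "no-payload-observed": "treat the run as inconclusive, not as clean",
}


def recommendations(findings):
    return [RECOMMENDATIONS[f] for f in findings]


if __name__ == "__main__":
    found = evasion_findings(parse_trace(SAMPLE_TRACE))
    for f, r in zip(found, recommendations(found)):
        print("%-22s -> %s" % (f, r))
```

The thresholds are deliberate inputs rather than constants: a sandbox with a two-minute timeout should set max_sleep_ms to a fraction of that, and a trace with no payload APIs at all is the strongest single reason to re-run with a longer clock and simulated input instead of closing the case.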
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Mukul Gupta is the CIO and CISO at ATCS Pvt. Ltd., India. He has over 15 years of experience working in the quality and security domain.