Archive for the ‘BinCrowd’ Category

Recovering UML diagrams from binaries using RTTI – Inheritance as partially ordered sets

2011-01-21

Wow, it’s been a while since we last blogged. Ok, time to kick off 2011 🙂

A lot of excellent stuff has been written about Microsoft’s RTTI format — from the ISS presentations a few years back to igorsk’s excellent OpenRCE articles. In the meantime, RTTI information has “spread” in real-world binaries as most projects are now built on compilers that default-enable RTTI information. This means that for vulnerability development, it is rare to not have RTTI information nowadays; most C++ applications come with full RTTI info.

So what does this mean for the reverse engineer ? Simply speaking, a lot — the above-mentioned articles already describe how a lot of information about the inheritance hierarchy can be parsed out of the binary structures generated by Visual C++ — and there are some pretty generic scripts to do so, too.

This blog article is about a slightly different question:

How can we recover full UML-style inheritance diagrams from executables by parsing the RTTI information ?

To answer the question, let’s review what the Visual C++ RTTI information provides us with:

  1. The ability to locate all vftables for classes in the executable
  2. The mangled names of all classes in the executable
  3. For each class, the list of classes that this class can be legitimately upcast to (e.g. the set of classes “above” this class in the inheritance diagram)
  4. The offsets of the vftables in the relevant classes

This is a good amount of information. Of specific interest is (3) — the list of classes that are “above” the class in question in the inheritance diagram. Coming from a mathy/CSy background, it becomes obvious quickly that (3) gives us a “partial order”: For two given classes A and B, either A ≤ B holds (e.g. A is inherits from B), or the two classes are incomparable (e.g. they are not part of the same inheritance hierarchy). This relationship is transitive (if A inherits from B, and B inherits from C, A also inherits from C) and antisymmetric (if A inherits from B and B inherits from A, A = B). This means that we are talking about a partially ordered set (POSet)

Now, why is this useful ? Aside from the amusing notion that “oh, hey, inheritance relationships are POSets“, it also provides us with a simple and clear path to generate readable and pretty diagrams: We simply calculate the inheritance relation from the binary and then create a Hasse Diagram from it — in essence by removing all transitive edges. The result of this is a pretty graph of all classes in an executable, their names, and their inheritance hierarchy. It’s almost like generating documentation from code 🙂

Anyhow, below are the results of the example run on AcroForm.API, the forms plugin to Acrobat Reader:

The full inheritance diagram of all classes in AcroForm

 

A more interactive (and fully zoomable) version of this diagram can also be viewed by clicking here.

For those of you that would like to generate their own diagrams, you will need the following tools:

Enjoy ! 🙂

Las Vegas & the zynamics team

2010-07-14

Along with RECon, the single most important date in the reverse engineering / security research community is the annual Blackhat/DefCon event in Las Vegas. Most of our industry is there in one form or the other, and aside from the conference talks, parties and award ceremonies, there’s also a good amount of technical discussions (in bars or elsewhere) that takes place.

This year, a good number of researchers/developers from the zynamics Team will be present in Las Vegas — alphabetically, the list is:

  1. Ero Carrera
  2. Thomas Dullien/Halvar Flake
  3. Vincenzo Iozzo
  4. Tim Kornau

So, if you wish meet any of the team to discuss reverse engineering, our technologies, our research, or the performance of the Spanish or German football team at the last world cup, do not hesitate to drop an email to info@zynamics.com — Vegas is always chaotic, and scheduling a meeting will minimize stress for everyone that is involved.

Specifically, the following topics are specifically worth meeting over:

  1. Chat with Ero over our unpacking engine (just presented at RECon) — and how it fits into the larger scheme of things (e.g. VxClass)
  2. Meet with Tim or Vincenzo to discuss automated gadget-finding for ROP, or anything involving the ARM/REIL translations
  3. Meet with Thomas/Halvar to discuss VxClass, automated malware clustering, automated generation of “smart” malware signatures etc.

Aside from this, if you are interested in …

  • … boosting your reverse engineering performance by porting symbols from FOSS software into your closed-source disassemblies (BinDiff)
  • … becoming faster at finding bugs by leveraging differential debugging, the REIL intermediate language and static analysis frameworks (BinNavi)
  • … enhancing team-based reverse engineering by pooling accumulated knowledge and sharing information (BinCrowd)
  • … automatically correlating and clustering malware and forensically obtained memory dumps, and automatically deriving detection mechanisms (VxClass)
  • … analyzing malicious PDF files including the embedded JavaScript code (PDF Dissector)

then do not hesitate to drop us mail — we’ll gladly show/explain what our tools/technologies can do.

See you there !

BinCrowd server can now be licensed

2010-06-04

After a long beta phase with our public BinCrowd community server, we are now releasing the BinCrowd server itself. If you are interested in having your own BinCrowd server to exchange reverse engineered information in your team or organization please contact info@zynamics.com.

See the official product website or the BinCrowd manual for more details about BinCrowd and the BinCrowd server.

The BinCrowd community server will remain free to use for everyone.

Product updates: BinCrowd, PDF Tool, MSDN parser

2010-05-11

Hi everyone,

we have a few interesting updates for three of our products:

BinCrowd (Collaborative reverse engineering tool; more info here)

The login bug that plagued early testers of our free BinCrowd community server should be fixed now. If you had problems logging in to your account in the past, please try again now. Note that clicking on the confirmation link in the original confirmation email was buggy too. It is possible that your account was deleted automatically because it was not confirmed within 7 days. In that case just make a new account.

We have also improved the speed of file comparisons in the web interface a lot. Even large files like Adobe Reader’s acrord32.dll are now compared to all files in the database in just a few seconds.This is absolutely amazing if you want to compare your file to different versions of the same file, for example to figure out what changed.

Another improvement was made to the BinCrowd IDA Pro plugin which you can get from the zynamics GitHub account. It can now handle the upload of larger files more gracefully. Previous versions tended to crash when giants files (roughly >50K functions) were uploaded.

PDF Tool (Malware PDF analysis tool; more info here)

Our malware PDF analysis tool without a name still has no name. However, we would like to release the first version of it really soon and that’s why we need a name. If you know a name for the tool, please let us know through comments to this post. If we name the tool after your suggestion you will get a free life-long single-user license of the PDF tool.

MSDN Parser (IDA Pro plugin for importing MSDN documentation, more info here)

Thanks to Navtej Singh, Mario Vilas, and others it was possible to improve the IDA Pro plugin that imports MSDN information into IDA Pro. Parsing of the MSDN documentation was improved and function argument names/descriptions are now copied from MSDN into IDB files. That means you now have full documentation about the function arguments of Windows API functions in your IDB files.

At zynamics, we like good offense …

2010-05-07

… and therefore we are happy to have sponsored Shawn Dean so he could go to the Wajutsu Keishukai Grappling Tournament in Tokyo – which HE WON.  We are happy to have had to opportunity to sponsor him and even happier to see him succeed.

Also, it is great to see BinNavi-embroidered shorts on the winner 😛

Watch it yourself here:

Shawn Dean receives honors

  • http://www.youtube.com/watch?v=KiVNO-MguWE
  • http://www.youtube.com/watch?v=lF1YJwpccA0
  • http://www.youtube.com/watch?v=xWFdNnYGP5k
  • http://www.youtube.com/watch?v=eKIYmdIRlGc
  • Shawn Dean in action

    ShaREing is Caring – Announcing the free BinCrowd community server

    2010-03-25

    Hi everyone,

    today at CanSecWest Thomas and I gave a talk where we announced the BinCrowd community server which zynamics makes available to the reverse engineering community for free. BinCrowd is a collaborative reverse engineering tool that can be used by reverse engineers to keep a repository of reverse engineered information and share this information with friends and colleagues.

    The core technology behind BinCrowd is basically a huge database of function information which can be accessed using BinDiff-style algorithms. This allows you to efficiently store information about disassembled functions in a database and to use that database to compare functions from different binary files.

    Imagine you are a reverse engineer hunting for new vulnerabilities. Here is what BinCrowd can do for you:

    • You can use BinCrowd to look up whether anybody else in the BinCrowd community has analyzed a particular file before. If the file is already in the database, you can download reverse engineering information like function descriptions or argument names from the database. Due to the fuzzy matching algorithms behind BinCrowd even different versions of the target file are considered.
    • BinCrowd tells you what static libraries are used by the file. If BinCrowd determines that your file is linked against an open-source library you can start reading the original source code instead of the disassembled code.
    • BinCrowd tells you what version of a library is used. If BinCrowd tells you that a vulnerable version of zlib is used in your file, you can go down that path during your audit.
    • You can reverse the lookup process too. If you have a vulnerable function you can ask BinCrowd in what other files this function is used. This will potentially give you many more vulnerable programs without any effort.

    Or maybe you are a malware analysis specialist. Your workflow probably differs from that of a vulnerability researcher. Nevertheless, BinCrowd is very useful for you too.

    • You can use BinCrowd as a repository of malware information. If you have identified and documented a certain rootkit hiding technology you can import information from your earlier analysis to new pieces of malware that use the same code.
    • You can use BinCrowd to share information with colleagues from your malware analysis team and even with people from outside your team.
    • If you are working on a team where information flow is restricted by clearance levels you can use BinCrowd as a central information repository. BinCrowd access roles will take care that people with a lower clearance can not download information entered into the system by people with a higher clearance.

    There are potentially many more uses for BinCrowd since we are only at the beginning of a long road of creating a repository for reverse engineered information. If you are interested on joining us on that road you can sign up to the community server for free at http://bincrowd.zynamics.com.

    To use BinCrowd you only need

    Happy shaREing and caring!

    Finally, here are the slides Thomas and I used for our talk.