Assembler and Disassembler Programs

		Chapter 12 - Malware Code Analysis Honeypots for Windows by Roger A. Grimes Apress 2005

Choosing a disassembler program actually involves two choices:

• Choose a good assembly program, along with a good set of companion tools. In order to become a good disassembler, you need to be a good assembly language programmer. This means using a first-class assembly program, called an assembler.

• Choose a good disassembler. One that decodes the most important parts of a program automatically is worth its weight in gold.

Assemblers

You tried out Microsoft’s Debug.exe program earlier in this chapter. It is a very crude assembler for 8-bit and 16-bit applications. It works and does the job, but it is probably a programmer’s last choice for an assembler. More than two dozen assemblers are available.

MASM

Microsoft’s free Macro Assembler (MASM) is a popular choice used by many beginning and advanced programmers for the Windows platform. It’s been around for almost as long as Microsoft has been around. You can download it at http://www.masm32.com, which is the official MASM32 web page and also has plenty of Win32 programming references. Some say there are more powerful and faster assemblers, but MASM has a great feature set, and you can’t beat the price. As an added benefit, there is probably more documentation available on the Internet regarding the use of MASM than any other assembler, although much of it refers to the older DOS environments.

MASM comes with nearly every tool you’ll need to become a successful assembly programmer. It even includes a disassembler, although there are some better tools (as you’ll see in the upcoming section on disassemblers). The only possible drawback is that it is specifically built for the Windows and MS-DOS environments, but that isn’t a negative for most readers of this book.

As an example, Figure 12-4 shows a malicious file, called Netlog1.exe, found on a recent Windows 95 honeypot. The name alone was a little suspicious, because it isn’t an official Microsoft file. Searching for ASCII text with Strings.exe (http://www.sysinternals.com/ntw2k/source/misc.shtml#strings) revealed strings such as Victim+is+online, spawned, and the tHing 1.6 server. Googling on the text strings quickly showed the file is associated with the backdoor Thing Trojan (http://vil.nai.com/vil/content/v_10542.htm). Its small 8KB size is used after the initial exploit as a backdoor tool to keep access and to copy more tools.

Figure 12-4: Strings.exe revealing text strings in a malicious file

Figure 12-5 shows the file disassembled by MASM. First, I looked for the APIs used. In this instance, I saw Wsock.dll and Kernel32.dll. The appearance of Wsock.dll tells me the file is trying to use network connectivity, and seeing Kernel32.dll tells me the file is manipulating the Windows OS. In particular, the Kernel32 routines used include opening files, writing files, going into a sleep mode, and enumerating the process ID. All of this is suspicious activity.

Figure 12-5: MASM disassembly of the Thing Trojan showing called Windows APIs

Figure 12-6 is a sampling of the assembly language contained within the trojan. Like most executable programs, the trojan is full of MOV, POP, and JMP instructions. Although not revealed in this figure, the disassembly later showed the file’s true intent, which, of course, is why I disassembled it in the first place.

Figure 12-6: Sampling of MASM disassembly of the Thing Trojan

Other Assemblers

The following are some other assemblers:

• Open Watcom Assembler: This is a free assembler, available from http://www.openwatcom.com. It is MASM-compatible, but with a smaller list of features. It has been ported to support several OSs other than Windows, including DOS, OS/2, Linux, and even Novell’s NetWare. Open Watcom doesn’t have the tremendous support that MASM does, but its free parent suite includes C++ and Fortran compilers for wider language support.

• High Level Assembler (HLA): This assembler was created as a learning tool to teach programmers with experience in higher-level languages the traditionally harder assembly language. You can download HLA, documentation, and support tools from Webster’s HLA support page (http://webster.cs.ucr.edu/AsmTools/HLA/index.html). HLA went from being a teaching tool for one college to a serious programming tool used by thousands within a few years. It enjoys widespread support on the Windows and Linux platforms. New assembly language programmers should consider using HLA.

• A86/A386: This is another great assembler with a disassembler, available from http://eji.com/a86. It isn’t free, but the cost of $80 buys you an excellent programming tool. A86 was the assembler I learned with over a decade ago, and its roots still show. It appears to be a little less feature-rich than its competitors. Its supporters praise the product’s leanness.

• Small Is Beautiful (SIB): You can’t get any leaner than Steve Gibson’s assembly language starter kit (http://www.grc.com/smgassembly.htm). Coming in at a whopping 20KB, including the source and compiled program file, SIB has probably got all its small-size competition beat. Steve created a tool anyone can use to create Win32 applications. Knowing Steve and his expertise, the program is bound to pack a lot of bang for the buck, especially considering that it is free.

Most popular assemblers are at least somewhat compatible with each other, often supporting MASM as the official gold standard. You can usually move programs written in one assembler to another, but there can be translation issues.

See Webster’s web page on assembler language tools (http://webster.cs.ucr.edu/AsmTools/index.html) for more information about assembler products.

Disassemblers

For the honeypot administrator, choosing a disassembler is even more important than choosing an assembler. A disassembler unassembles the compiled executable into assembly language statements. A good disassembler will show the logic between various sections of code, comment on code, pull out the visible ASCII strings, and separate the program between the instructions and stored data (often a disassembler’s most confounding task).

IDA Pro

Hands down, the most popular disassembler for tracing malware is DataRescue’s $399 IDA Pro (http://www.datarescue.com). It has a fantastic GUI and feature set, and it supports most Windows executable types, including EXE, NE, and PE files. It automatically detects the data and code portions of a program. It will auto-comment code, show graphical relationships between code jumps, document local variables, and automatically recognize the standard library functions generated by popular C compilers. The purchase cost includes a year of free e-mail support and updates. Its feature set and popularity have resulted in a broad community to support questions, active plug-in development, and training classes.

Figure 12-7 shows IDA Pro disassembling Netlog1.exe (renamed Netlog1.vir to prevent accidental execution). When Netlog1.vir was loaded, even though the file’s extension was renamed, IDA Pro recognized it as aWindows PE file. I confirmed its findings, and it disassembled the file among multiple windows. I was able to see the disassembled code in text, hexadecimal, and instruction form. It had a separate window for text strings, much more thorough than what Strings.exe revealed. This is because IDA Pro can pull out ASCII strings that might be missed by a pure string-search program. It revealed all the APIs used, functions used, and whether the functions were internal or external. It even commented the code. For example, Figure 12-7 shows IDA Pro decoding assembly language commands to routines that are opening a network connection, receiving data, and converting IP addresses.

Figure 12-7: IDA Pro disassembling Netlog1.exe instructions

Figure 12-8 shows my favorite IDA Pro feature: source code jump logic. Perhaps the longest part of disassembly analysis, besides separating program and data areas (which IDA Pro has already done), is following the program’s logic. IDA Pro creates beautiful logic diagrams, branching section from section, which can be printed and analyzed. I used to spend hours developing program logic, and transfer the logic to taped together sheets of paper with penciled-in arrows going up and down the page like some sort of geek banner. Now, I can click the Print button. The vendor and end-user community have built dozens of plug-ins (including a UPX plug-in) to make disassembling easier. IDA Pro is so easy to use, it’s almost like cheating.

Figure 12-8: An IDA Pro logic diagram

PE Explorer

Another great disassembler commercial alternative is PE Explorer (http://www.pe-explorer.com), which sells for $129. Like IDA Pro (but with fewer features), it is very Windows-friendly and easy to navigate. It extracts APIs, shows dependencies, pulls out code sections, and disassembles compiled programs into commented code dumps.

Figure 12-9 shows PE Explorer disassembling Netlog1.exe (renamed Netlog1.vir). As you can see, it offers a thorough look at the PE file structure and all of the resources in the file, and tells you just about every little detail you could possibly want to know about a PE file.

Figure 12-9: PE Explorer disassembing Netlog1.exe

PE Explorer can handle a variety of different PE file types: EXE, DLL, SYS, MSSTYLES, OCX, SCR, and more. My favorite feature is its ability to automatically unpack UPX files with the optional plug-in. (UPX is a popular packer for compressing executables.)

Free Disassemblers

If you are looking for free alternatives, consider Microsoft’s MASM (discussed earlier in this chapter), Ollydbg, or Borg. Although none of these can match IDA Pro, they offer more than basic disassembler functionality.

OllyDbg (http://home.t-online.de/home/Ollydbg) is a good alternative, which although classified as shareware for copyright reasons, remains free. OllyDbg is a debugger, not a disassembler, but it contains a lot of the same functionality. It has an intuitive interface, full Unicode support, and context-sensitive help. It traces registers, recognizes procedures, reveals API calls, lists strings, and dynamically traces stacks. Least of all, it fits on a floppy. Its author is working on a 2.0 version that should contain even more functionality.

Borg (http://www.caesum.com) can decompile PE, DOS, and binary files in either 16-bit or 32-bit mode. Figure 12-10 shows it decompiling the Netlog1.exe (renamed Netlog1.vir) Thing Trojan. Borg lists machine instructions, shows strings, and reveals APIs and routines. It doesn’t comment code as do the more intelligent decompilers, and it’s not as smart at determining data versus program code sections. Borg does have a unique decrypt feature. If you suspect you are viewing code with a simple encryption scheme (such as XOR, XADD, ADD, SUB, or simple substitution), you can mark a block of text, and then decrypt it using the selected algorithm. Although most legitimate programs and malicious code are obscured using nontrivial encryption, many malware programs still use one of the simpler methods.

Figure 12-10: Borg disassembling Netlog1.exe

The Decompilation Wiki site (http://catamaran.labs.cs.uu.nl/twiki/pt/bin/view/Transform/DeCompilation) contains many useful links related to decompilation, including ahistory. Also, you can find a list of disassemblers at http://www.itee.uq.edu.au/~csmweb/decompilation/disasm.html.

Text Editors

Along with assembly and disassembly tools, most programmers pick a favorite text editor. Although the Windows default text editor, Notepad.exe, is free, serious programmers often want a more intelligent text editor. TextPad (http://www.textpad.com) and EditPlus (http://www.editplus.com) are excellent choices.