Advanced IDA Pro: Signature File Creation


Recently, while examining an x86 exe file in IDA Pro, I found that it was statically linked and contained a large number of OpenSSL library functions. I searched the Internet for a matching signature file, but no library function signature existed for this version of OpenSSL, so I made one myself.

1. Experimental Environment

Operating system: Windows 10

Programming environment: VS 2015, ActivePerl 5.26.3 Build 2603

Disassembler: IDA Pro 7.0

2. Making Signatures

Creating and applying a signature file takes 4 steps: (1) obtain the static library files; (2) generate pattern files from the static libraries; (3) generate the signature file from the pattern files; (4) apply the signature file. The steps are shown in Figure 1.

Figure 1 Steps to create and apply signature files

2.1 Build compilation environment

First, install VS2015 and Perl in a virtual machine. If Perl reports its version as shown in Figure 2 after installation, the installation succeeded.

Figure 2 Testing if perl is installed successfully

2.2 Compile library files

First, identify what has to be rebuilt. The exe contains the string 'AES part of OpenSSL 1.0.2h 3 May 2016', which fixes the OpenSSL version at 1.0.2h, and the string 'openssl-dist-1.0.2h-vs2015', which indicates it was compiled with VS2015. Matching both the source version and the compiler matters: FLIRT patterns are built from machine code, so a library built from different sources or with a different compiler produces different bytes and fewer matches.

(1) Unpack the downloaded openssl-1.0.2h.tar.gz source code (download address: https://www.openssl.org/source/old/1.0.2/).

(2) Open the 'VS2015 Developer Command Prompt' command line tool from the start menu and switch to the OpenSSL source code directory.

(3) Run the command 'perl Configure VC-WIN32 no-shared no-asm --prefix=C:\Users\user\Desktop\download\x86_build_out' in the command line; the result is shown in Figure 3.

Figure 3 Execute perl command

The parameters are explained as follows.

Configure is the configuration script shipped in the OpenSSL source tree; it is required.

VC-WIN32 selects the x86 build; VC-WIN64A selects the x64 build, and debug-VC-WIN32 a debug x86 build. A target is required, and it should match the target binary (here a release x86 build).

no-shared builds static .lib files; shared would build DLLs (libeay32.dll, ssleay32.dll) instead. Since pcf generates patterns from the object code inside static libraries, no-shared is the option we want.

no-asm uses the portable C implementations instead of the hand-written assembly ones, so NASM does not need to be installed. Note that the C and assembly versions of a routine compile to different machine code; if the target binary was built with assembly enabled, those routines will not match a no-asm library.

--prefix is the directory into which the build results are installed.

(4) Run ms\do_ms in the command line, as shown in Figure 4.

Figure 4 Execute do_ms

Then run nmake -f ms\nt.mak to compile OpenSSL, which takes a long time. When it finishes, the build output is in the out32 subdirectory of the source tree.

Run nmake -f ms\nt.mak test to check that the build from the previous step has no problems.

Run nmake -f ms\nt.mak install to copy the build results into the --prefix folder, as shown in Figure 5.

Figure 5 Compilation results folder

There are two library files under the lib folder: libeay32.lib (11.8MB, the crypto library) and ssleay32.lib (1.96MB, the SSL/TLS library).

2.3 Generate signature file

(1) Use the pcf tool from the FLAIR toolkit for IDA Pro 7.0 ('flair70.zip') to create a pattern file (.pat) from the static library. Generate the pattern file with the command pcf libeay32.lib libeay32.pat, as shown in Figure 6.

Figure 6 Generate libeay32.pat file

(2) Generate the sig file with the command sigmake libeay32.pat libeay32.sig, as shown in Figure 6. The output reports 116 conflicting functions (functions whose pattern bytes, CRC and length are identical, so FLIRT cannot tell them apart) and writes libeay32.exc in the current directory; libeay32.exc lists all the conflicting functions.

The .exc file begins with a 4-line comment header that sigmake refuses to read until it is deleted. There are 2 ways to resolve the conflicts. The first is to delete only those first 4 lines, so that sigmake excludes all the listed conflicting functions. The second is to add a '+' in front of the function name you believe is correct for each conflicting group, and then delete the first 4 lines, as shown below.

Save the edited .exc file and run sigmake again to generate libeay32.sig, as shown in Figure 7.

Figure 7 Generating sig file

The same steps can be used to generate the signature file for ssleay32.lib.

2.4 Applying Signatures

Copy the two generated signature files (libeay32.sig, ssleay32.sig) to the IDA Pro signature folder (default directory X:\Program Files\IDA 7.0\sig\pc), press the hotkey Shift+F5 to open the IDA Pro Signatures window, then right-click and choose the 'Apply new signature...' menu item to apply them, as shown in Figure 8.

Figure 8 Result of applying the signature files

As shown in Figure 8, the libeay32 signature matches 2441 library functions, and the ssleay32 signature matches 664 library functions, among which the vcseh signature is the signature file automatically loaded by IDA Pro.

If there are multiple lib files, generating a sig file for each one is cumbersome. sigmake also accepts several pattern files and writes a single signature file, the last argument being the output: sigmake libeay32.pat ssleay32.pat openSSL_102h.sig, as shown in Figure 9.

Figure 9 Merging to Generate Signature File

3. Checking Conflicting Functions

Open the ssleay32.exc file and you can see the following content, in which the _SSL_CTX_sessions function and the _SSL_get_wbio function are two conflicting functions.

Extract ssleay32.lib with 7-Zip, load ssl_lib.obj into IDA Pro, and the _SSL_CTX_sessions and _SSL_get_wbio functions appear as shown in Figures 10 and 11 respectively. The machine code of both functions is 8B4424048B4010C3, i.e. mov eax, [esp+4]; mov eax, [eax+10h]; ret: each is a getter that returns the 4-byte field at offset 0x10 of the object passed as its first argument (an SSL_CTX and an SSL respectively). Since their bytes are identical, the two functions conflict and the signature cannot choose a name for that code.

Figure 10 _SSL_CTX_sessions function

Figure 11 _SSL_get_wbio function

IDA Pro's signature recognition technology is called FLIRT (Fast Library Identification and Recognition Technology). It records, for every function in a library, the first 32 bytes of its machine code (with bytes that the linker patches, such as relocated addresses, marked as variable), a CRC16 of the bytes that follow, the function's total length and the names it references, and uses these to identify library functions in the target file quickly, making the disassembly more readable. Two functions that agree on all of these fields, as above, are indistinguishable to FLIRT. The details of FLIRT can be found in reference [1].
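The following Python script is an added example for Sections 2.3 and 3; it is not the article's own code and is not part of IDA Pro or FLAIR. It parses the fields of a .pat file that FLIRT actually matches on, reports names that share all of them (which is what sigmake lists in the .exc file), and applies the '+' selection and header deletion to a .exc file. The .pat and .exc contents are constructed samples in the layouts pcf and sigmake write (an assumption about the formats, noted in the code), using the two conflicting functions discussed above.

```python
"""Why FLIRT signatures collide and how to resolve the .exc file.

Added example, not the article's code and not part of IDA Pro or FLAIR.
Assumed formats: the .pat layout pcf writes (32 leading bytes as 64 hex
characters, '..' for a variable byte, dots padding functions shorter than
32 bytes; then CRC length, CRC16 and total function length in hex; then
':offset name' for each public name) and the .exc layout sigmake writes
(a ';' comment header followed by one line per colliding function).
"""
import re
from collections import defaultdict

# Constructed sample .pat: two 8-byte getters with identical machine code
# (mov eax,[esp+4]; mov eax,[eax+10h]; ret) and one unrelated function.
SAMPLE_PAT = "\n".join([
    "8B4424048B4010C3" + "." * 48 + " 00 0000 0008 :0000 _SSL_CTX_sessions",
    "8B4424048B4010C3" + "." * 48 + " 00 0000 0008 :0000 _SSL_get_wbio",
    "558BEC83EC08568B7508" + "." * 44 + " 0A 1F2C 0040 :0000 _SSL_set_bio",
    "---",
]) + "\n"

# Constructed sample .exc in sigmake's layout for the two colliding functions.
SAMPLE_EXC = """\
;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module
; add '-' if you are not sure about the selection
; do nothing if you want to exclude all modules

_SSL_CTX_sessions                               00 0000 8B4424048B4010C3
_SSL_get_wbio                                   00 0000 8B4424048B4010C3
"""

_PAT_LINE = re.compile(
    r"^(?P<pattern>[0-9A-Fa-f.]{64})\s+(?P<crc_len>[0-9A-Fa-f]{2})\s+"
    r"(?P<crc>[0-9A-Fa-f]{4})\s+(?P<length>[0-9A-Fa-f]{4,})\s+(?P<rest>.*)$"
)
# ':offset name' is a public name the function defines; '^offset name' would
# be a referenced name and is deliberately not matched here.
_PUBLIC_NAME = re.compile(r":[0-9A-Fa-f]+@?\s+(\S+)")


def parse_pat(text):
    """Parse .pat lines into records; the '---' line terminates the file."""
    records = []
    for line in text.splitlines():
        if line.strip() == "---":
            break
        m = _PAT_LINE.match(line)
        if not m:
            continue  # blank or unexpected line
        records.append({
            "pattern": m.group("pattern").upper(),
            "crc_len": int(m.group("crc_len"), 16),
            "crc": int(m.group("crc"), 16),
            "length": int(m.group("length"), 16),
            "names": _PUBLIC_NAME.findall(m.group("rest")),
        })
    return records


def find_collisions(records):
    """Group public names whose (pattern, CRC length, CRC16, length) agree.
    These fields are all FLIRT has to tell functions apart, so a group with
    more than one distinct name is what sigmake reports in the .exc file."""
    groups = defaultdict(list)
    for r in records:
        key = (r["pattern"], r["crc_len"], r["crc"], r["length"])
        groups[key].extend(r["names"])
    return {k: v for k, v in groups.items() if len(set(v)) > 1}


def resolve_exc(exc_text, keep):
    """The article's second method: delete sigmake's comment header and put
    '+' in front of the functions the signature should name. Unmarked
    functions are excluded, so an empty 'keep' gives the first method."""
    out = []
    for line in exc_text.splitlines():
        if line.startswith(";") or (not out and not line.strip()):
            continue  # header comment, or blank line before the first entry
        name = line.split(None, 1)[0] if line.strip() else ""
        out.append("+" + line if name in keep else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, names in find_collisions(parse_pat(SAMPLE_PAT)).items():
        print("collision: %s... crc16=%04X len=%d -> %s"
              % (key[0][:16], key[2], key[3], ", ".join(names)))
    print(resolve_exc(SAMPLE_EXC, {"_SSL_get_wbio"}), end="")
```

Run against a real libeay32.pat or ssleay32.pat from pcf, the collision report should agree with the function list sigmake writes to the .exc file; the resolved text is what you save back before running sigmake a second time.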

4. Related Resources

Here are two repositories that collect signature files.

https://github.com/push0ebp/sig-database

https://github.com/Maktm/FLIRTDB

idb2pat.py is a Python script written by FireEye's FLARE (FireEye Labs Advanced Reverse Engineering) team. It converts an IDB database into a pattern file (.pat), which can then be converted into a signature file (.sig) with sigmake. It is useful when one binary has already been analyzed and its key functions manually named: when analyzing another, similar binary, the script lets you migrate those function names quickly. Note that the script does not support Chinese directory names when saving the pattern file. https://github.com/fireeye/flare-ida

5. Summary

Creating a high-quality signature file can greatly accelerate reverse engineering. Many factors must match the target binary when building the library: the source code version, the compiler type and version, the optimization options and whether it is a release or debug build. If signature matching is poor, try different compilation parameters.

References

[1] IDA F.L.I.R.T. Technology: In-Depth, https://www.hex-rays.com/products/ida/tech/flirt/in_depth/

[2] The IDA Pro Book

[3] Compile OpenSSL using VS2015, https://blog.csdn.net/traceme2011/article/details/90606018

[4] Compile OpenSSL under Windows, https://blog.csdn.net/liang19890820/article/details/51658574

[5] FLARE IDA Pro Script Series: Generating FLAIR function patterns using IDAPython, https://www.fireeye.com/blog/threat-research/2015/01/flare_ida_pro_script.html

*Author of this article: dolphin. Please credit FreeBuf.COM as the source when reprinting.
