
Covert Debugging: Circumventing Software Armoring

These are the presentation materials we presented at Blackhat USA 2007 and Defcon 15. Thanks to everyone who came to the talks.

Abstract

Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this paper we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.

Full Paper
Presentation
SAFFRON ACTUALLY EXECUTES THE MALWARE -- BEWARE
Saffron for Intel PIN

Read more for the release notes for Saffron DI.

Release Notes for Saffron-DI

Saffron Dynamic Instrumentation Code
Version 0.1a
Released 8/2/2007 at Blackhat USA 2007

DOWNLOAD PIN

http://rogue.colorado.edu/pin/

This was tested with PIN 2.1-12211 on Windows XP SP2 and Vista, both in 32-bit mode.

I recommend getting the Visual Studio-targeted release of PIN, as I've had good
luck with it. Once you have installed it, put this file into the "SimpleExamples"
directory. Next, edit the Nmakefile and add saffron-di.dll to the COMMON_TOOLS variable. It should read like this:

COMMON_TOOLS= dcache.dll edgcnt.dll pinatrace.dll trace.dll icount.dll opcodemix.dll \
              malloctrace.dll calltrace.dll jumpmix.dll toprtn.dll catmix.dll regmix.dll \
              ldstmix.dll saffron-di.dll

BUILD PIN

In Visual Studio go to Build->Build Solution. Everything should build correctly.

USAGE

Change to the SimpleExamples directory inside of the pin folder. Have the executable
you are interested in ready to run. To run Saffron, execute this command:

C:\pin-2.1...\SimpleExamples>..\bin\pin.exe -t saffron-di -- yourexehere.exe

Saffron will then deposit dumped versions of the executable into the directory. Inspect
each one until you find the one that yields the most information. A good choice tends
to be the last one.

A log will be written to saffron-di.out in the SimpleExamples directory; it contains some
(possibly) useful information.

Caveats:

  • 32-bit only! This could be ported to IA-32e and Itanium
  • The dumped executables probably will not run, they are meant for analysis only
  • The entry point in each of the dumps is a guess based on the current value of EIP at the time of the dump
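
The abstract names the two mechanisms (dynamic instrumentation and a page-fault-assisted debugger) and the last caveat says the entry point in each dump is a guess taken from EIP at dump time. The following Python model is an added example, not Saffron's code or any code from the paper: it shows the written-then-executed heuristic that dynamic unpackers of this family rely on (record every memory write; when the instruction pointer lands in a page written earlier in the run, dump and record EIP as the candidate original entry point). The page granularity, the decision to start a fresh cycle after each dump, and the trace it replays are all assumptions constructed for illustration; the jump target 0x0100739d is borrowed from the saffron-di.out excerpt further down the page.

```python
"""
Toy model of the written-then-executed heuristic behind dynamic unpackers.

Added example, not Saffron's code. It assumes a page-granular tracker that
records every memory write and reports the first time the instruction pointer
enters a page written since the last dump; the EIP it records is only a guess
at the original entry point, exactly as the release-note caveat says.
"""
from dataclasses import dataclass

PAGE_SIZE = 0x1000


@dataclass(frozen=True)
class Event:
    kind: str   # "write" (data stored at addr) or "exec" (instruction fetched at addr)
    addr: int


@dataclass(frozen=True)
class DumpTrigger:
    number: int   # dump sequence number, like the numbered files Saffron deposits
    eip: int      # instruction pointer when the dump was taken (the guessed OEP)
    page: int     # page that was written and then executed


class WriteThenExecuteTracker:
    """Dumps when execution enters a page written since the last dump.
    Clearing the written set after each dump (an assumption of this model) is
    what makes a multi-stage unpacker yield several dumps, the last being the
    most unpacked one, which matches the advice to prefer the last dump."""

    def __init__(self):
        self.written_pages = set()
        self.triggers = []

    def on_write(self, addr):
        self.written_pages.add(addr // PAGE_SIZE)

    def on_exec(self, eip):
        page = eip // PAGE_SIZE
        if page not in self.written_pages:
            return None
        trigger = DumpTrigger(number=len(self.triggers) + 1, eip=eip, page=page)
        self.triggers.append(trigger)
        self.written_pages.clear()   # a fresh write-then-execute cycle starts here
        return trigger

    def run(self, trace):
        for ev in trace:
            if ev.kind == "write":
                self.on_write(ev.addr)
            elif ev.kind == "exec":
                self.on_exec(ev.addr)
            else:
                raise ValueError(f"unknown event kind {ev.kind!r}")
        return self.triggers


def oep_candidates(trace):
    """EIP values at which dumps would be taken; the last is the best guess."""
    return [t.eip for t in WriteThenExecuteTracker().run(trace)]


def constructed_trace():
    """Two-stage unpacking modelled on a UPX-style layout (constructed, not
    captured): a stub in the second section decompresses code into the first
    section and jumps to 0x0100739d; a second stage then patches one page and
    runs it. All addresses are illustrative."""
    stub = 0x01011000
    trace = [Event("exec", stub + i) for i in range(0, 0x40, 4)]          # stub runs, nothing written yet
    trace += [Event("write", 0x01001000 + o) for o in range(0, 0x10000, 0x100)]  # fill the code section
    trace += [Event("exec", stub + 0x40), Event("exec", 0x0100739D)]      # jump into written code -> dump 1
    trace += [Event("exec", 0x0100739D + 5), Event("write", 0x01009000)]  # stage 2 writes one page
    trace += [Event("exec", 0x01009010)]                                   # and executes it -> dump 2
    trace += [Event("exec", 0x0100739D + 9)]                               # old code again: no new dump
    return trace


if __name__ == "__main__":
    for t in WriteThenExecuteTracker().run(constructed_trace()):
        print(f"dump {t.number}: EIP 0x{t.eip:08x} (page 0x{t.page * PAGE_SIZE:08x})")
```

Running the script prints two dump points; the second is the better guess, which is why the instructions above suggest looking at the last dump first. A real implementation sits on an instruction-level instrumentation API or page-table bits rather than a Python list, but the decision logic is the same.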

    Thanks to Lorie Liebrock, Valsmith, Ty Bodell, and Houdini for their help

    nice work dudes.

    three questions left:

    1. when is saffron ring0/ring3 code released?
    2. when will it be integrated into the oc engine?
    3. what happens to the dumped code? is an auto IAT-rebuilder planned?

    great questions

    1.) we are discussing the right way to do it, hit us up on the irc for details
    2.) as soon as we can, we are still in vegas hehe
    3.) yes, we are working on iat rebuilder, just ran out of time for vegas. the rest of the dump looks like any other dump you would get from like ollydump or lordpe, just no iat yet.

    thanks for your support and help, we really appreciate it!

    makefile for saffron-di.cpp

    It doesn't appear that saffron-di.cpp is included in any of the makefiles after I compiled pintools. What should the makefile for saffron-di.cpp look like and where in the top level makefile should I place it?

    Fixed

    It should be all fixed now. You have to add the saffron-di entry into the Nmakefile. Thanks for pointing that out.

    very nice

    thought it looked like any other generic unpacker, but the page fault handler was a pretty unique way to go...can't wait for the driver release.

    You guys are awesome. Much respect and love from the Queen :)

    Question

    Hi.

    I just tried Saffron and I am a bit confused. I packed notepad.exe with an official release of UPX and then told saffron to dump the executable.

    Should Saffron have dumped something, or is it normal that the dumped files have the same file size as the compressed notepad.exe?

    I do not know what to think, I was expecting something else.

    Regards.

    P.S. Saffron executes the program to dump. That should be noted because someone may try to dump a malware without knowing it will be executed.

    Was the file unpacked? This might be normal depending on how you packed it. It should reflect the size of the image that the PE file requested on startup.

    You are correct that the file is executed.

    Deception with Saffron

    Hi.

    notepad.exe was not unpacked.

    Original file size for notepad.exe is 70,144 bytes. Compressed file size is 48,128 bytes.

    Used UPX version is 2.02w.

    Command line for compression was: UPX -9 notepad.exe

    After running Saffron four files are generated. All them are 48,128 bytes long. None of them is an unpacked file of notepad.exe.

    I think you have enough information to look at the problem.

    Regards,

    VirusBuster

    I just ran the same program with upx, and I got the four files. All of them were unpacked. I'm not sure what the problem you're seeing is.

    Could you post saffron-di.dll somewhere?

    Maybe my version was not compiled properly, but it's strange because files are being dumped. :-?

    Regards.

    Have you looked inside of the dumped files to see what they look like? Can you compare between the packed, and unpacked versions?

    I'll try and post a saffron-di.dll later.

    Danny

    Problems posting it?

    It's qualifying exam time. I'll post after that. :)

    Ok, thank you.

    What day do you finish exams? It's just so I don't have to keep checking every day.

    Maybe this output made by Saffron will help to understand what's going wrong when it dumps notepad.exe:

    Debugging notepad.exe
    ImageBase 0x00000000 Halting EIP Addr: 0x0100739d (Diff: 0x100739d) ImageSize 0
    Name: UPX0 VirtualSize: 65536 VirtualAddress: 0x00001000 SizeOfRawData: 65536 PointerToRawData: 0x00000400 Characteristics e0000080
    Name: UPX1 VirtualSize: 20480 VirtualAddress: 0x00011000 SizeOfRawData: 20480 PointerToRawData: 0x00000400 Characteristics e0000040
    Name: .rsrc VirtualSize: 32768 VirtualAddress: 0x00016000 SizeOfRawData: 32768 PointerToRawData: 0x00004a00 Characteristics c0000040
    Dumping 48128 bytes from 0x2210048
    Dumped 48128 bytes
    ImageBase 0x00000000 Halting EIP Addr: 0x0100739d (Diff: 0x100739d) ImageSize 0
    Name: UPX0 VirtualSize: 65536 VirtualAddress: 0x00001000 SizeOfRawData: 65536 PointerToRawData: 0x00000400 Characteristics e0000080
    Name: UPX1 VirtualSize: 20480 VirtualAddress: 0x00011000 SizeOfRawData: 20480 PointerToRawData: 0x00000400 Characteristics e0000040
    Name: .rsrc VirtualSize: 32768 VirtualAddress: 0x00016000 SizeOfRawData: 32768 PointerToRawData: 0x00004a00 Characteristics c0000040
    Dumping 48128 bytes from 0x2340048
    Dumped 48128 bytes
    ImageBase 0x00000000 Halting EIP Addr: 0x0100739f (Diff: 0x100739f) ImageSize 0
    Name: UPX0 VirtualSize: 65536 VirtualAddress: 0x00001000 SizeOfRawData: 65536 PointerToRawData: 0x00000400 Characteristics e0000080
    Name: UPX1 VirtualSize: 20480 VirtualAddress: 0x00011000 SizeOfRawData: 20480 PointerToRawData: 0x00000400 Characteristics e0000040
    Name: .rsrc VirtualSize: 32768 VirtualAddress: 0x00016000 SizeOfRawData: 32768 PointerToRawData: 0x00004a00 Characteristics c0000040
    Dumping 48128 bytes from 0x2470048
    Dumped 48128 bytes
    ImageBase 0x00000000 Halting EIP Addr: 0x0100739f (Diff: 0x100739f) ImageSize 0
    Name: UPX0 VirtualSize: 65536 VirtualAddress: 0x00001000 SizeOfRawData: 65536 PointerToRawData: 0x00000400 Characteristics e0000080
    Name: UPX1 VirtualSize: 20480 VirtualAddress: 0x00011000 SizeOfRawData: 20480 PointerToRawData: 0x00000400 Characteristics e0000040
    Name: .rsrc VirtualSize: 32768 VirtualAddress: 0x00016000 SizeOfRawData: 32768 PointerToRawData: 0x00004a00 Characteristics c0000040
    Dumping 48128 bytes from 0x25a0048
    Dumped 48128 bytes
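
The symptom in the log above (ImageBase 0x00000000, ImageSize 0, and every dump exactly the packed file's 48,128 bytes) and the earlier reply that a dump "should reflect the size of the image that the PE file requested on startup" can both be checked mechanically. The following Python script is an added example, not part of Saffron or of this thread: it parses a dumped PE32's headers and section table, computes the image size the section table implies, and reports whether the dump's ImageBase is zero and whether its length covers that image or leaves sections cut off. The section names, sizes and addresses are copied from the log above; the two sample dumps it builds in memory are constructed (the entry RVA 0x739d and the 0x01000000 base of the healthy sample are assumptions), so it runs without a real dump.

```python
"""
Check a dumped PE32 the way the thread does by hand: is ImageBase zero, and
does the file length cover the image the section table describes?

Added example, not Saffron's code. The sample files are constructed in memory
from the section values in the saffron-di.out excerpt above.
"""
import struct
from dataclasses import dataclass

PE32_MAGIC = 0x10B


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


@dataclass
class DumpReport:
    image_base: int
    entry_rva: int
    header_size_of_image: int      # SizeOfImage as stored in the optional header
    computed_size_of_image: int    # what the section table implies
    dump_length: int
    image_base_zero: bool
    covers_image: bool             # dump is at least as long as the implied image
    truncated_sections: list       # sections whose raw data runs past end of file


def build_pe32(image_base, entry_rva, size_of_image, sections, total_length):
    """Assemble minimal PE32 headers plus a section table, zero-padded to
    total_length. Constructed for this example; it models a dump, not a program."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
                      PE32_MAGIC, 0, 0,
                      0, 0, 0, entry_rva, 0, 0, image_base, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, size_of_image, 0x400, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", 0, 0) * 16                 # 16 empty data directories
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"), s.virtual_size,
                    s.virtual_address, s.raw_size, s.raw_pointer, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    return (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(total_length, b"\0")


def parse_pe(data):
    """Return (image_base, entry_rva, section_align, size_of_image, sections) of a PE32."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled (Saffron-DI is 32-bit only)")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base, section_align = struct.unpack_from("<II", data, opt_off + 28)
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]
    sections, off = [], opt_off + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr, chars))
        off += 40
    return image_base, entry_rva, section_align, size_of_image, sections


def assess_dump(data):
    image_base, entry_rva, section_align, size_of_image, sections = parse_pe(data)
    section_align = section_align or 0x1000
    computed = max(align_up(s.virtual_address + max(s.virtual_size, s.raw_size), section_align)
                   for s in sections)
    truncated = [s.name for s in sections if s.raw_pointer + s.raw_size > len(data)]
    return DumpReport(image_base, entry_rva, size_of_image, computed, len(data),
                      image_base == 0, len(data) >= computed, truncated)


LOG_SECTIONS = [  # values copied from the saffron-di.out excerpt above
    Section("UPX0", 65536, 0x1000, 65536, 0x400, 0xE0000080),
    Section("UPX1", 20480, 0x11000, 20480, 0x400, 0xE0000040),
    Section(".rsrc", 32768, 0x16000, 32768, 0x4A00, 0xC0000040),
]
# Models the failing case in the thread: ImageBase 0, ImageSize 0, 48128-byte file.
FAILED_DUMP = build_pe32(0, 0x739D, 0, LOG_SECTIONS, 48128)
# Constructed healthy counterpart: real base, SizeOfImage filled in, raw offsets
# equal to RVAs (memory layout), and a file as long as the whole image.
MEMORY_SECTIONS = [Section(s.name, s.virtual_size, s.virtual_address, s.virtual_size,
                           s.virtual_address, s.characteristics) for s in LOG_SECTIONS]
GOOD_DUMP = build_pe32(0x01000000, 0x739D, 0x1E000, MEMORY_SECTIONS, 0x1E000)

if __name__ == "__main__":
    for label, blob in (("failed", FAILED_DUMP), ("good", GOOD_DUMP)):
        print(label, assess_dump(blob))
```

For the failing sample the report flags a zero ImageBase, an implied image of 0x1E000 bytes against a 48,128-byte file, and two sections (UPX0 and .rsrc) whose raw data would lie past the end of the file, which is the quickest way to tell a file-sized dump from a memory-image dump before opening it in a disassembler. Point `assess_dump` at `open(path, "rb").read()` to run it on a real dump.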

    That image base is wrong, it should not be 0x00000000. Could you install Windbg and try again?

    So the installation instructions are incomplete in some way. Something is missing.

    Probably somewhat-123 was able to get Saffron working because he installed Microsoft's SDK.

    Ok, I'll try installing WinDbg and will try again.

    Saffron not dumping anything

    Hi again.

    I just tried Saffron with a real armored malware and results are not good. Here you can read about them:

    MD5 of malware is f65aae48919d03af93123ba46eeb9e15

    Kaspersky finds on it:

    c:\test\F65AAE48919D03AF93123BA46EEB9E15.EXE/135gz.exe Infected Backdoor.Win32.Hupigon.fez
    c:\test\F65AAE48919D03AF93123BA46EEB9E15.EXE/cc.exe Infected Backdoor.Win32.Delf.aow

    I ran Saffron and the malware got executed, but PIN did not return from execution. Control+Break was necessary to return to the prompt.

    When I checked for dumped executables, nothing had been created.

    What is the problem? Why is Saffron unable to operate as announced? Is it because Saffron is still in an early stage of development?

    Thanks in advance for the explanation.

    Regards,

    VirusBuster

    P.S. Did anyone else try Saffron? Why aren't there more people posting the results of their tests?

    Saffron problems

    It's possible that the packer is doing stuff that would thwart the dynamic instrumentation version of Saffron. I searched for that MD5 and we do not have it in our collection. Can you upload it? Also what was it packed with?

    It's packed with Orien.

    First I would like to get Saffron running fine on my system.

    Could anyone else repeat the procedure on his/her computer to verify whether Saffron dumps notepad.exe fine there?

    Maybe it dumps fine on dannyquist's computer because he is the developer of the tool and he has some required library I don't, or something like that. :-?

    Regards.

    VirusBuster ??

    As in 29A member, and virus collector?

    That's right.

    ...Installed VS Studio 2005 Express,
    and one of Microsoft's available SDKs...
    sorry, can't remember which one right now ;-)
    Downloaded pin v.2.2-13635,
    edited makefiles per Danny Quist's instructions,
    opened solution, and everything went smoothly...

    As for the practical unpacking part,
    it pretty much unpacked every crap that I fed it...
    my only "complaint", if I could say it this way,
    it would be better if it was mentioned in the first place
    that the process is not performed "statically"...
    but then again, it was easy to guess that...
    I mean, a universal static unpacker probably exists
    only in our wildest dreams, he-he...
    Excellent work guys once again,
    and thanks for sharing with the community...

    Could you upload saffron-di.dll somewhere, please?

    That way anyone can test Saffron without having to download and install Visual Studio and compile the tool.

    Thanks in advance.

    Dynamic Unpacking

    I've modified this entry to make sure to state that this executes the code. Thanks for the comments I'm glad it worked for you.

    Cannot get it to work

    I compiled the tool as described and everything went fine. I copied an executable into the folder and ran it with the command line. It does not run the executable; it just exits without any error. It creates the .out file, and in it it only says debugging ...exe

    What can be wrong?

    My guess is that we are not compiling saffron-di.dll correctly for some reason.

    I'm waiting for dannyquist or sowhat-x123 to upload the dll somewhere, so we just need to run it with PIN and then nothing can be wrong.

    Let's wait for them to post the dll.

    Also, the PIN download section says:

    "Windows users must separately download the 6.6.7.5 version of debughlp.dll from Microsoft and copy it to the Bin directory."

    It was not easy for me to find that dll, and I'd say I got the right one. It would be helpful if dannyquist or someone posted the required dll and made it easily available for everybody.

    ...guys, don't want to sound stubborn or something...
    I also get upset when I try to build stuff,
    and no matter how hard I try messing around with makefiles,
    compiler options etc, I still don't get it to build as it should:
    it's something that happens to anyone on occasion.
    But please, understand that, while under other circumstances
    I would be more than happy to provide a pre-compiled dll,
    in this specific occasion, there are quite a few reasons I can't do this...
    1) It's not, say, a random GPL project
    where some end-users have run into troubles... it states clearly:
    "It is free for non-commercial and educational use only. No other use is permitted without express written permission from Offensive Computing, LLC"
    And I'm nothing more than a random end-user as well...
    and obviously, I don't have permission to redistribute precompiled binaries...
    2) Even if the licence permitted it, who am I to trust, for...
    it's the nature of the tool itself that forbids something like that...
    there's a pretty obvious reason why it was released only as src...
    3) Having said the above, if it's that urgent,
    personally, for most common samples/"daily" crap,
    I find PEiD's generic unpacker to be working just fine...
    otherwise, there are more generic unpackers out there,
    e.g. search for RL!dePacker or VMUnpacker from DSWLab etc,
    at least until Danny Quist decides to release a .dll file as well..
    4) debughlp.dll 6.6.7.5 certainly comes with the previous WinDbg version...
    http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.6.07.5.exe
    But I guess it will also work with the latest version,
    unless, say, MS decided to "break" stuff around again... ;-)

    Thanks for your comments.

    I have already tried all the unpackers you mentioned. I'm not really impressed with any of them. For example, VMUnpacker was very promising, but in the end it was not so good in my opinion.

    About the nature of the tool... since it executes the malware, it's necessary to use it in a controlled environment, so it doesn't forbid something like that as you say. ;-)))

    http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.6.07.5.exe

    I just downloaded and installed it.

    debughlp.dll doesn't exist. The most similar file name is dbghelp.dll. Is it the correct file?

    If it is... should it be renamed to debughlp.dll and stored under that name in the \BIN folder of the PIN tools, or is it OK to keep the dbghelp.dll file name?

    What's the file name you have in the \BIN folder?

    Okay. This is weird

    I am running the tool on a clean file (tasklist.exe).

    The command line is:

    In the SimpleExamples directory:

    ..\Bin\pin.exe -t saffron-di -- tasklist.exe

    tasklist.exe executes and prints out the running tasks. saffron-di.out is created and it has "Debugging tasklist.exe" in it. No other file is created.

    I have dbghlp.dll version 6.6.7.5 in the Bin folder where pin.exe is located.

    When I ran any other tool that comes with pin, they all ran fine. Either saffron-di is broken, or I am missing some step. Is anyone else having similar problems? If so, did you solve it? How? What was the issue?

    Let's figure this out. I was at danny's talk at Defcon 15 and this tool looked awesome. If only I can run it, it will be great :)

    Sorry for being late...

    ...in my reply, I've been quite busy the latest days:
    managed to do a bit of testing on a couple of different systems though,
    and it seems there's something going wrong...
    unfortunately, I wasn't able to spot the reason:
    under some systems it seems to work great,
    under other systems it gives the aforementioned failed results.
    Compiled two versions, one with the older Server 2003 SP1 SDK,
    the second with the more recent Server 2003 R2 SDK...
    but this doesn't seem to really affect it, also,
    there weren't any, say, "heavy" kernel hooking drivers running
    that would possibly conflict with its operation or similar...
    As a wild guess,
    maybe this behavior has something to do with pin itself?...

    Could you be more specific about what you mean by "failed results", please?

    P.S. dannyquist: Do you see why I'm paranoid about sowhat-123?

    We talked at 7:00pm and he posted that he did more tests and found something is wrong at:

    sowhat-x123 on Mon, 2007-08-27 20:12

    just a few minutes after we finished talking!

    What an incredible coincidence! Really!!!

    Yeah,well...

    ...don't think that I've run through lots of tests,
    ain't got that much time unfortunately...
    or even more, the required knowledge to be honest ;-)
    Checked 4 different builds... debug/release,
    either 2003 SP1 sdk or 2003 R2 sdk...
    and tested them on UPX, NsPack and also with Orien
    (because it was mentioned previously).
    Systems were an older XP SP1 and also two XP SP2 boxes
    (ain't got access to Vista):
    upx -> not fully unpacked, almost the same filesize,
    imagebase was... 00s as mentioned previously,
    but... the binary's internal strings got revealed.
    With NsPack/Orien, dumps only listed the section names.

    On the very first XP SP2 box though it runs just fine,
    no hassle at all... that's why I assumed that the problem
    probably has to do with pin itself... or Windows itself ;-)

    But once again, at least until this is fully solved...
    snaker's PEiD unpacker, RL!dePacker and VMUnpacker,
    they're all really great generic unpackers...
    I mean, your reply made me quite curious...
    what kind of weird/"hardcore" packers did you feed them
    that they couldn't handle?
    Secondly, why not just use in the meanwhile
    the traditional way of process dumping,
    or run one of the numerous Olly scripts?