Software Engineering Team Fall 2019
Ghidra: Analyzing Wannacry VIP Poster Topic Spring 2020
Final poster presentation (UH account required to view)
Chris' Results (UH account required to view)
4/30/20
Completed PowerPoint (see top page link)
YINGFEI: Good job on the crackme video. Next we may want to try some fancy tricks with Wannacry.
Revising Chris' Results
4/23/20
Currently editing a video for Ghidra CrackMe.
There is a Mac executable called "program" under the files.
I have provided the script I came up with for the video, called "crackme_script".
4/6/20
Some light on tasksche.exe and the other files embedded in it.
https://medium.com/@nikhilh20/malware-analysis-wannacry-b0d35f1b2033
https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf
WannaCry zip available at: https://www.ghidra.ninja/posts/03-wannacry-1/ (.exe file)
The killswitch:
Podcast interview with David Fearne
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
4/2/20
Dropper (tasksche.exe)
What is a dropper?
https://resources.infosecinstitute.com/malware-spotlight-droppers
https://www.pandasecurity.com/mediacenter/src/uploads/2017/05/1705-Informe_WannaCry-v160-en.pd
https://threatvector.cylance.com/en_us/home/threat-spotlight-wannacry-ransomware.html
https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
https://www.2-remove-virus.com/what-is-tasksche-exe/
Looking at how droppers work in another ransomware family
https://www.vmray.com/cyber-security-blog/undetected-jscript-dropper-executes-sage-ransomware/
How does ransomware spread?
Drive-by downloads (a general ransomware delivery vector; note that WannaCry itself spread across networks through the SMBv1 EternalBlue exploit, patched by MS17-010, rather than by drive-by download)
https://www.rsa.com/content/dam/en/case-study/asoc-drive-by-download.pdf
3/24/20
Understanding how ransomware works (added to the VIP Poster Topic Page)
https://www.exabeam.com/wp-content/uploads/2017/07/Exabeam_Ransomware_Threat_Report_Final.pdf
Added documentation in the VIP Poster Page
3/5/2020
YINGFEI: Excellent starting tutorial.
1. How to Install Ghidra on Windows, stryker2k2, https://www.youtube.com/watch?v=IL60yGDbRGw
2. Reversing CrackMe with Ghidra (Part 1), https://www.youtube.com/watch?v=6p5Qviusskk
3. Reversing CrackMe with Ghidra (Part 2), https://www.youtube.com/watch?v=Eu9YC1Jq1Do
4. Crackme00-09 at GitHub, https://github.com/Maijin/Workshop2015/tree/master/IOLI-crackme
2/13/2020
Sample application (ransomware):
1/30/2020
History of Ghidra (Black Hat 2019)
Ghidra Ninja (Videos on using Ghidra)
10/08/2019
Ghidra Tutorial from SFSCon (file 1, file 2)
VM is at https://drive.google.com/open?id=1bXXtAfc1uEid2PA9MttY9uK-BQHKywFS
Windows PowerShell 'Get-FileHash' https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-6
10/01/19
CodeBreaker Challenge resources on 2019 https://codebreaker.ltsnet.net/resources
Read the two files here.
Files for the 2019 challenge
9/24/2019 Update info
new crackme tutorial
======================================
9/13/2019
1. Download Ghidra at https://ghidra-sre.org/
Install on Windows https://www.youtube.com/watch?v=IL60yGDbRGw
Install on Linux https://www.youtube.com/watch?v=OJlKtRgC68U
Read the docs on GitHub
2. Read the Ghidra doc in GhidraClass/Beginner.
This is a short clean intro for Mac. https://www.youtube.com/watch?v=fTGTnrgjuGA
https://github.com/NationalSecurityAgency/ghidra/tree/master/GhidraDocs/GhidraClass/Beginner
NSA CodeBreaker link https://codebreaker.ltsnet.net/resources
3. Get familiar with x86 assembly.
x86 Assembly Guide: http://www.cs.virginia.edu/~evans/cs216/guides/x86.html
Debugging C and C++ programs with gdb (and ddd) http://www.cs.swarthmore.edu/~newhall/unixhelp/howto_gdb.html
Smashing The Stack For Fun And Profit http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
4. First go over the intro video and figure out the basic configuration.
Task 1. Build a simple C program (helloworld.c) and see how much of the binary the decompiler can recover. Then make it a little more complicated and try again, for example with a recursive call or a more complex call graph (indirect calls through function pointers, mutual recursion).
Task 2. Use scripting (Ghidra scripts, written in Java or Python and run from the Script Manager) to analyze a program.
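For Task 1, here is an added example program (not from the course page, the tutorial videos, or Ghidra's own material) that puts several call-graph shapes into one binary: direct recursion, mutual recursion, an indirect call through a function-pointer table, and a crackme-style serial check built on top of them. Function names, the serial "GHIDRA" and the hashing scheme are chosen for this example only.

```c
/*
 * task1_callgraph.c: added example for Task 1 (not from the course page or
 * from Ghidra's own material). Function names, the "GHIDRA" serial and the
 * hashing scheme are chosen for this example only.
 *
 * Build twice and compare what Ghidra's decompiler recovers from each:
 *   gcc -O0 -g -o task1_O0 task1_callgraph.c     (symbols, no optimization)
 *   gcc -O2 -s -o task1_O2 task1_callgraph.c     (optimized, stripped)
 * Import each binary into Ghidra, run auto-analysis, and compare the
 * decompiled functions and the Function Call Graph window with this source.
 */
#include <stdio.h>
#include <string.h>

/* Direct recursion. At -O2 the compiler may turn this into a loop, so the
 * decompiled output no longer looks like a recursive call. */
unsigned long factorial(unsigned int n)
{
    if (n <= 1)
        return 1UL;
    return (unsigned long)n * factorial(n - 1);
}

/* Mutual recursion: a cycle in the call graph (is_even -> is_odd -> is_even). */
int is_odd(unsigned int n);

int is_even(unsigned int n)
{
    return n == 0 ? 1 : is_odd(n - 1);
}

int is_odd(unsigned int n)
{
    return n == 0 ? 0 : is_even(n - 1);
}

/* Indirect calls through a function-pointer table. The decompiler shows a
 * call through a pointer rather than a named callee, so the static call graph
 * has no edge from dispatch() to op_add/op_xor/op_mul. */
typedef int (*op_fn)(int, int);

static int op_add(int a, int b) { return a + b; }
static int op_xor(int a, int b) { return a ^ b; }
static int op_mul(int a, int b) { return a * b; }

static const op_fn OPS[] = { op_add, op_xor, op_mul };

int dispatch(unsigned int which, int a, int b)
{
    if (which >= sizeof(OPS) / sizeof(OPS[0]))
        return -1;                  /* bounds check: out-of-range selector */
    return OPS[which](a, b);
}

/* A crackme-style check built from the pieces above. The accepted serial is
 * never stored as a string: the check alternates add and xor over the bytes
 * and compares the result with a constant, so recovering it means reading
 * the decompiled loop rather than running `strings` on the binary. */
int check_serial(const char *serial)
{
    size_t len = strlen(serial);
    if (len != 6 || !is_even((unsigned int)len))
        return 0;

    unsigned int h = 0;
    for (size_t i = 0; i < len; i++)
        h = (unsigned int)dispatch((unsigned int)(i % 2), (int)h,
                                   (unsigned char)serial[i]);

    /* 47 (0x2f) is what the loop produces for the serial "GHIDRA". */
    return h == 47;
}

int main(int argc, char **argv)
{
    const char *serial = argc > 1 ? argv[1] : "GHIDRA";

    printf("factorial(5)          = %lu\n", factorial(5));
    printf("is_even(10)           = %d\n", is_even(10));
    printf("dispatch(1,0xff,0x0f) = 0x%x\n", dispatch(1, 0xff, 0x0f));
    printf("check_serial(\"%s\")  = %s\n", serial,
           check_serial(serial) ? "OK" : "BAD");
    return check_serial(serial) ? 0 : 1;
}
```

Run `./task1_O0 GHIDRA` to confirm the serial is accepted, then compare the two builds in Ghidra: in the -O0 build every function appears with its name and the loop in check_serial decompiles almost line for line; in the stripped -O2 build expect renamed FUN_ symbols, factorial possibly rewritten as a loop, the small op_ helpers inlined, and the constant table call in dispatch possibly replaced by a switch, which is exactly the kind of difference Task 1 asks you to observe.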
**** Please add a Google Drive page/doc to your weekly progress notes.
Chris' Notes Jonah's Notes Jetro's Notes
*** Set Up C/C++ compiler in Eclipse https://www.youtube.com/watch?v=AhCLgRVcKMg
*** Find WinMain() for Windows exe files https://www.youtube.com/watch?v=Sv8yu12y5zM at 1:52