Expert Insights with CyberEdBoard

Application Security, DevSecOps, Next-Generation Technologies & Secure Development

Reverse Engineering and Dynamic Analysis

CIO and CISO Mukul Gupta Explains the Process, Tools and Sandboxing
Mukul Gupta, CIO and CISO, ATCS Pvt. Ltd., India, and executive member of the CyberEdBoard

The Reverse Engineering Process

Engineers can only build strategies to limit a program's harmful impact if they understand its inner workings. A reverse engineer - sometimes called a "reverser" - uses a number of approaches to figure out how a program propagates through a system and what it is designed to do.


Disassembling - and in certain circumstances, decompiling - a computer program is part of the reverse engineering process. In this procedure, binary instructions are converted to assembly mnemonics or higher-level language structures, allowing engineers to study what the program does and how it affects other systems.

As a consequence, the reverser learns which vulnerabilities the software was built to exploit. For example, when the WannaCry ransomware was reverse-engineered, attempts to trace its spread led to the discovery of its "kill switch" - a finding that proved important in stopping the malware's propagation.

Reverse engineers can extract signals that show:

  • When a program was created - although malware writers are known to leave fictitious trails;
  • What embedded resources it may use;
  • Encryption keys, and other file, header and metadata components.
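As an added illustration (not part of the original article), the following Python script shows how two of these signals are pulled out of a binary: the compile timestamp stored in a Windows PE header and the printable strings embedded in the file, sorted into a few rough categories. The sample blob is constructed inline and contains only the header fields the parser reads; the string categories are assumed heuristics, not a standard.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample: a minimal PE-like blob with an MZ stub, an e_lfanew
# pointer at offset 0x3C, the "PE\0\0" signature and a COFF header whose
# TimeDateStamp is set to a known value, followed by a few embedded strings.
# It is not a real executable; only the fields the parser reads are present.
def build_sample() -> bytes:
    timestamp = 1495000000  # 2017-05-17T05:46:40Z (constructed value)
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew: PE header at 0x80
    stub = b"This program cannot be run in DOS mode.\0"
    padding = b"\0" * (0x80 - len(dos_header) - len(stub))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 0xE0, 0x102)
    body = (b"\0\0kernel32.dll\0\0http://example.invalid/update\0\0"
            b"AES_KEY=0123456789abcdef\0")
    return bytes(dos_header) + stub + padding + b"PE\0\0" + coff + body


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # TimeDateStamp sits 4 bytes into the COFF header, which follows the signature
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def printable_strings(data: bytes, min_len: int = 6):
    """Equivalent of the Unix 'strings' tool for ASCII runs of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Group extracted strings into the signal categories above (assumed heuristics)."""
    strings = printable_strings(data)
    return {
        "compile_time": pe_timestamp(data),
        "urls": [s for s in strings if "://" in s],
        "libraries": [s for s in strings if s.lower().endswith(".dll")],
        "key_like": [s for s in strings if re.search(r"(?i)key\s*=", s)],
    }


if __name__ == "__main__":
    for name, value in triage(build_sample()).items():
        print(f"{name}: {value}")
```

The timestamp is written by the linker and is fully under the author's control, which is exactly the "fictitious trail" the list warns about; treat it as a lead to corroborate against other evidence (file system timestamps, certificate dates, first-seen dates) rather than a fact.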

Reverse Engineering Tools

The most common tools used in reverse engineering are IDA Pro, Apktool and OllyDbg.

IDA Pro

IDA Pro is one of the best-known and most widely used reverse engineering tools. It is an interactive disassembler with an integrated command language, IDC, that can handle a variety of executable formats for different processors and operating systems. IDA Pro also comes with a plethora of plug-ins that further extend the disassembler's capabilities.

Apktool

Apktool can decode an APK's resources to a near-original state and rebuild them after modifications. It enables step-by-step debugging of smali code and makes working on an app easier thanks to its project-like file structure and the way it automates repetitive operations, such as APK generation.

OllyDbg

OllyDbg - named after its creator, Oleh Yuschuk - is an x86 debugger that focuses on binary code analysis, which comes in handy when source code isn't available. It locates routines from object files and libraries and identifies registers, procedures, API calls, switches, tables, constants and strings.

Case Study of Apktool

By using Apktool with a sample Android application package, or APK, we can decode the application's files, such as AndroidManifest.xml and strings.xml, in order to change the application's permissions.

Let's assume that we already have a sample APK payload available, named Netflix.apk.

Step 1: Introduction to Apktool

Here we look at apktool's usage text with apktool -h. You can also use man apktool to see all the flags that can be used with apktool to streamline the process.

apktool -h (Source: Mukul Gupta)

Step 2: Use flag 'd'

Flag 'd' tells apktool to decode the application. You need to decode the APK to extract the files you want to inspect or modify. This is also called reverse-engineering the APK file.

apktool d /home/user/Netflix.apk (Source: Mukul Gupta)

Step 3: Decoded Application Files

The output directory contains the disassembled demo payload application, created in-house and named Netflix.apk, with the familiar AndroidManifest.xml file and the strings.xml file under the res folder.

The AndroidManifest.xml file is used to enable or disable permission access for the application. It also holds the application's integrated icon and name settings.

The strings.xml file holds the application's name string. The default here is main_activity.

android:icon="@mipmap/main_activity" (Source: Mukul Gupta)

Step 4: Open AndroidManifest.xml File

You can open the file with any available text editor. Here, we are using Pluma, the Parrot OS default text editor, and adding the icon integration string.

android:icon="@drawable/Appname" (Source: Mukul Gupta)

Step 5: Add 3 Files

Under the res folder, add three folders, each holding the icon image at the matching resolution:

  • drawable-hdpi-v4: 72x72 pixels
  • drawable-ldpi-v4: 33x33 pixels
  • drawable-mdpi-v4: 48x48 pixels

This replaces the application's icon with the images you supplied.

Source: Mukul Gupta

Step 6: Run the Build Command

Run apktool's build command, flag 'b', on the decoded folder to integrate the new icon and rebuild the package.

apktool b /location/Appname (Source: Mukul Gupta)

This creates a new dist folder containing the rebuilt APK, which now carries the desired icon.

Source: Mukul Gupta

Step 7: Desired Icon Appears

The desired icon will appear in the Android package installer.

Source: Mukul Gupta
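The manifest edits in Steps 3 to 6 can be scripted, and, more usefully from a defender's side, checked: an APK that has been decoded, modified and rebuilt with apktool ends up with a manifest that differs from the publisher's original. The Python example below is added here and is not part of the original article or of Apktool; it runs on constructed manifests shaped like apktool's decoded AndroidManifest.xml (the package name, permissions and resource names are made up) and shows both the icon change from Step 4 and a comparison that flags added permissions or a changed icon.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)

# Constructed manifest shaped like apktool's decoded AndroidManifest.xml.
# Package name, permissions and resource names are made up for the illustration.
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:icon="@mipmap/main_activity" android:label="@string/app_name">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# The same app after someone decoded it, added a permission, swapped the icon
# and rebuilt it (constructed; what a repackaged copy might look like).
REPACKAGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:icon="@drawable/Appname" android:label="@string/app_name">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def q(attr: str) -> str:
    """ElementTree's qualified form of an android:attr attribute name."""
    return "{%s}%s" % (ANDROID_NS, attr)


def parse_manifest(xml_text: str) -> dict:
    """Pull out the fields Steps 3 and 4 touch: package, permissions and icon."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    app = root.find("application")
    return {
        "package": root.get("package"),
        "permissions": sorted(p.get(q("name")) for p in root.findall("uses-permission")),
        "icon": app.get(q("icon")) if app is not None else None,
    }


def set_icon(xml_text: str, new_icon: str) -> str:
    """Scripted version of the Step 4 edit: point android:icon at a new resource."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    root.find("application").set(q("icon"), new_icon)
    return ET.tostring(root, encoding="unicode")


def diff_manifests(original_xml: str, candidate_xml: str) -> dict:
    """Defender's check: what changed between the publisher's manifest and a suspect one?"""
    a, b = parse_manifest(original_xml), parse_manifest(candidate_xml)
    return {
        "package_changed": a["package"] != b["package"],
        "icon_changed": a["icon"] != b["icon"],
        "added_permissions": sorted(set(b["permissions"]) - set(a["permissions"])),
        "removed_permissions": sorted(set(a["permissions"]) - set(b["permissions"])),
    }


if __name__ == "__main__":
    print(diff_manifests(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST))
```

Note that apktool b produces an unsigned APK, so a rebuilt package has to be re-signed before it installs; its signing certificate will therefore never match the publisher's. Checking the signer is the first test for a repackaged app, and a manifest comparison like the one above tells you what was changed once the mismatch is found.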

Dynamic Analysis and Sandboxes

All the above strategies involve dynamic analysis of an application, which means examining an application while it is running. You can disassemble, debug or rearrange the software to gain the information required to hack or exploit the application, or to find out what bugs it contains. You can also use Wireshark, a network protocol analyzer, when you want to capture and inspect the packets the application sends and receives.

There are benefits to using a sandbox for dynamic analysis, but there are some disadvantages as well. Sandbox-evading malware is a concern.

Many of the more powerful malicious programs employ evasion tactics to detect that they are executing in a sandbox, and they stop showing their true, harmful behavior once a sandbox is discovered.

To avoid detection and outwit sandboxes, advanced malware programs use a number of evasion strategies, including:

  • Postponing risky actions;
  • Acting only when a user is present;
  • Concealing malicious code in locations where it will not be noticed.

Some malware families known to evade sandboxes are Locky ransomware and the RogueRobin and KeRanger ransomware Trojans.
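To make the evasion strategies concrete from the analyst's side, here is an added Python example (not from the original article or from any sandbox product) that scans a constructed API-call trace, in a simplified line format modelled on what sandbox reports contain, for the first two strategies - long requested sleeps and repeated checks for a live user - plus the tell-tale early exit without any payload activity. The API names, thresholds and trace lines are all assumptions made for the illustration.

```python
import re

# Constructed sandbox API trace (not from a real sandbox or sample). One call per
# line: "<seconds since start> <api>(<args>)". Real reports carry far more detail;
# this shape is an assumption for the illustration.
EVASIVE_TRACE = """\
0.10 GetTickCount()
0.11 Sleep(ms=300000)
0.12 GetCursorPos()
0.13 GetCursorPos()
0.14 GetCursorPos()
0.15 GetCursorPos()
0.16 GetCursorPos()
0.20 GetSystemMetrics(index=SM_CMONITORS)
0.25 ExitProcess(code=0)
"""

# A trace from a sample that simply did its job (constructed).
BENIGN_TRACE = """\
0.10 CreateFileW(path=C:\\Users\\analyst\\report.docx)
0.30 WriteFile(bytes=4096)
0.40 ExitProcess(code=0)
"""

LINE_RE = re.compile(r"^(?P<t>\d+\.\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)$")

# Assumed API groupings for the heuristics below.
USER_PRESENCE_APIS = {"GetCursorPos", "GetLastInputInfo", "GetForegroundWindow"}
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW",
                "InternetOpenW", "connect"}


def parse_trace(text: str):
    """Return (time, api, args) tuples; malformed lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((float(m["t"]), m["api"], m["args"]))
    return calls


def evasion_indicators(text: str, max_sleep_ms: int = 60_000,
                       poll_threshold: int = 3, min_runtime_s: float = 10.0):
    """Flag behaviour matching the evasion strategies above (thresholds are assumptions)."""
    calls = parse_trace(text)
    findings = []

    # 1. Postponing risky actions: total Sleep requested exceeds the sandbox budget.
    requested_ms = sum(int(args.split("=", 1)[1])
                       for _, api, args in calls
                       if api == "Sleep" and args.startswith("ms="))
    if requested_ms > max_sleep_ms:
        findings.append(f"postponed execution: {requested_ms} ms of Sleep requested")

    # 2. Acting only when a user is present: repeated polling of input state.
    polls = sum(1 for _, api, _ in calls if api in USER_PRESENCE_APIS)
    if polls >= poll_threshold:
        findings.append(f"user-presence check: {polls} input/cursor queries")

    # 3. Gave up: exited quickly without any file, registry, network or process activity.
    did_payload = any(api in PAYLOAD_APIS for _, api, _ in calls)
    exited = any(api == "ExitProcess" for _, api, _ in calls)
    runtime = calls[-1][0] - calls[0][0] if calls else 0.0
    if exited and not did_payload and runtime < min_runtime_s:
        findings.append(f"early exit after {runtime:.2f}s with no payload activity")

    return findings


if __name__ == "__main__":
    for label, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(label, evasion_indicators(trace) or ["no indicators"])
```

When a run produces findings like these, the absence of malicious activity is itself the signal: re-run the sample with a longer timeout, clock acceleration and simulated user input, and do not let a quiet sandbox report clear a file on its own.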



Mukul Gupta is the CIO and CISO at ATCS Pvt. Ltd., India. He has over 15 years of experience working in the quality and security domain.


