An Intro to Binary Ninja (Free) for Malware Analysis

Captions
Code analysis is an essential part of the malware analysis process, and thankfully you have options when it comes to choosing a reverse engineering platform that fits your needs. But if you've been performing malware analysis for a while like me, you tend to pick one of these products and stick with it for years, because that becomes the world you know well. Vector 35 recently released a free version of their Binary Ninja product, and that got my attention. So the question is, should you consider giving Binary Ninja a try? Well, let's take a look.

Now, Binary Ninja has been around for years, but the new free version makes many of the benefits of Binary Ninja accessible to anyone without a time restriction. The free version does understandably have some limitations, for example in terms of the available architectures and API and plugin access, but it still includes both disassembly and decompilation for several popular architectures, making this a very useful product. Today I want to cover the basics of performing malware analysis with this new version of Binary Ninja. I recently participated in a stream with Steve Sims where I introduced how to reverse engineer malware with Ghidra using a WannaCry sample. I'll include a link to that discussion in the description, but in case anyone is interested in a comparison, I thought I would use that same sample here today.

So here on my desktop I have a ransomware DLL. This DLL is actually decrypted in memory during execution and includes the core ransomware encryption functionality. There are several ways to load a sample into Binary Ninja, which I have already installed here in my VM, but the easiest is to simply drag the file of interest to the Binary Ninja shortcut on my desktop. So I'll go ahead and drag this file to Binary Ninja. You have to click Start here to proceed, and after clicking Start it will automatically begin processing the file. The status bar on the bottom left keeps you updated about its progress, but in the time it took me to actually say all of that, the bar has disappeared because the file is done processing. Now, during the editing process I do sometimes speed up the video, but what you just saw was the loading process in actual time, and it was actually pretty fast.

With only one click, the default load options seem to do a fine job of processing this file, but you can modify those options within the settings. One way to modify load options is to go over here to File and then Open with Options. When you choose that, you can then choose a binary of interest, so let's say I'm just going to choose WannaCry one more time here. There it is, and press Open. Now the settings automatically pop up, and you'll see here that you have a variety of load options you can now browse through and choose from. But since we are sticking with the defaults for now, I'll go ahead and close this window and maximize the primary interface to Binary Ninja.

Now let's take a look at the overall window here. As you can see, it's a pretty clean interface. Our file is open in a tab right here, so if we wanted to open additional files we could click on this plus sign here, giving us an opportunity to open additional binaries as well. But I'll go ahead and close this tab and return to the main view. In addition to the views that we are currently seeing, which I'll discuss further, you'll also see a variety of buttons around the sides: here on the left, on the bottom left, on the bottom right, and on the top right. These buttons are basically positioned to activate a sidebar panel around that location. So this first one here on the top left controls this Symbols window, which is visible by default and includes all of the symbols Binary Ninja identified within this program. If you want to hide it, you can just click this button one more time and the Symbols view will disappear. And again, all buttons activate a view around their location within the window, so for example if I go to the bottom left here, it'll activate a view here on the bottom; if I go to the bottom right and click this magnifying glass, it'll activate a view here; and on the top right, if I click on this X right here, it'll activate a Variables view here on the top right. I've got to say, I like the button placement, because over time with any platform you get used to where certain content is located, and if the button to activate that content is near the location where you expect that content to be, it just makes it a lot easier to remember what that button actually does, versus having like 30 buttons horizontally across the top of the window.

So let's begin taking a closer look at this main view we have here. At the top you'll see that there are three dropdowns, 1, 2, 3, all of which help to drive this primary view right here. With this first dropdown we can choose from PE or Raw. If I choose Raw, you'll see this is a view similar to what you would find in a hex editor, so for now we'll just keep it at PE. The second dropdown has many more options; I'll kind of be jumping around within these options to cover the basics. Right now we are on Linear, which shows us the code, and we'll touch on what kind of code this is shortly. If we begin from the top, we first have the Byte Overview. This is basically a representation of the byte values where each byte gets a character. It includes the ASCII representation of a byte if there is one, but if the byte value is zero there is basically an empty space here. It's an interesting view because it allows you to get a feel for the structure of a file and look for any patterns at a high level. And since we're actually discussing patterns, I'll mention that on the right-hand side here we have a Feature Map, which visually represents aspects of the binary. The different colors represent different categories of information, including code, strings, and data; the documentation includes more detail on what each color represents. Also, you can move within this space horizontally and vertically, so if for example I click in this blue area here, which represents code, and then I start clicking around here on the left-hand side, you'll see that there is both a vertical and a horizontal line that tells you exactly where within this visual representation we currently are. For now, I'm actually going to go ahead and hide this feature just to give me a little more screen real estate, and I can do that by right-clicking and going to Hide Feature Map.

So I'll go ahead and return to the second dropdown now and choose probably the most important view for malware analysis, which is the Triage Summary. As the name indicates, it provides a pretty good overview of the file, including various hashes and header information, and as I scroll down you see references to the imported libraries and the imported functions, followed by sections and strings. You can see that the imports, the exports, and the strings are all searchable within this view. And if you want to dig into strings some more, since this is kind of a small view here, you can go back to this second dropdown and choose Strings, and now you have an entire window dedicated to strings that you can begin searching through. And no matter what view you're looking at, say for example that I'm in the Byte Overview, if you suddenly think of a string that you want to search for, you can always go to the bottom right here and click on the quotes button, and this pops up a window that you can also use to begin searching for strings.

Okay, but let's go ahead and head back to our Triage view. Pivoting by imports or strings is a popular way to jump to interesting locations within the code, so let's use this Triage view as an opportunity to demo how we can begin code analysis with Binary Ninja. Now, in the stream I referenced earlier where I introduced code analysis with Ghidra, I pivoted into code based on the CreateMutex API, so let's do that here as well. Under Imports I can search for CreateMutex, and you'll see we have one hit here, which I can single-click on, and you'll see that clicking on that API populates this view on the left, which represents cross references. Now, I'm primarily interested in where this API is called in the code, so let's focus on code references, which are located here on the bottom. I'll go ahead and choose the first one with a single click, and when I mouse over it after having done that single click, you'll see that I get a preview of what the code actually looks like where this call to CreateMutexA is actually made. If I go ahead and double-click now on this selection, it takes me to the location of the code where we are seeing the CreateMutexA call executed. Right now we're in the High Level IL view, which I'll discuss a bit later; for now I'll go to a more familiar view, perhaps, which under this third pulldown is Disassembly, and there we have that call to CreateMutexA. By the way, if I scroll up or down here you'll see references to a series of nine zeros, and if I scroll down you'll see nine zeros here as well. These are bytes that don't actually contribute to the executable code, and I actually think it's a really nice choice to just show these bytes horizontally. I know Ghidra would tend to show these vertically, because when you're performing code analysis, vertical screen real estate is quite precious since you are scrolling through code, so I think that's a really good choice.

Now if I want to view the graph view, I can hit the space bar, and you see this is now a Graph view. What you'll also notice is on the top, this second pulldown has populated now with the word Graph, so that is an alternative way to arrive at the graph view in addition to just hitting the spacebar. When I'm in the graph view, one of the buttons here on the left becomes relevant, this one right here called Mini Graph. This provides an overview of the layout of this function, and this gray box right here can kind of be moved around to navigate over this larger view on the right-hand side. I really like Binary Ninja's graph view. I honestly found the graph view in Ghidra kind of unappealing, so I kind of stopped using it, but this is definitely more enjoyable to browse. And of course, if you want to zoom in and out you can just use your mouse to do that, which is helpful and easy to do. By the way, this theme you're seeing, the color scheme that you are currently looking at on my screen, is the default theme, but there are others available, including a ton of community themes at Vector 35's GitHub repo, so I'll include a link to that in the description in case you want to change it up.

Okay, so I've shown the disassembly; we saw this graph view versus the more traditional text view, but there are actually several other representations of the code that you can access using this third dropdown. You'll see that there are references, for example, to Pseudo C, which is what you might be expecting at a bare minimum based on using Ghidra or IDA Pro. So let me go ahead and choose this option here, and if I want to go back and forth between the disassembly and this Pseudo C view right here, I can hit Tab and do that quite easily. Now, you might want to see both of those views at once, right? You might want to see the disassembly while also taking a look at the Pseudo C output; that's probably what you do with IDA Pro or with Ghidra. So let me quickly show you how to do that. Here on the top right you'll see a button right here, and if I mouse over it, it says Split View. If I click on this, it will create another view here on the right-hand side, so for example I could choose to show the disassembly here on the left-hand side and then on the right-hand side show the Pseudo C. And if I scroll around here on one of these sides or the other and start clicking, you'll see that by default these views do in fact remain in sync. I could even add another view here on the right-hand side, maybe towards the bottom right, by going to this button, which has now changed a little bit to indicate that the next view, if I click on this button, is actually going to be on the bottom. So I know this is getting a little bit crazy here on the screen, but in case you are using a very large monitor, which many people in this field are, you could for example choose, let's see, the Triage Summary here, and now I have access to the Triage Summary, the Pseudo C code, and the disassembly here on the left-hand side. So lots of options here in terms of what views you can look at simultaneously.

Now, going back to the original reference to CreateMutexA and looking at the Pseudo C output, one detail I want to mention is, notice when it checks the return of GetLastError here to see if the mutex exists, you can see the symbolic constant it's checking against, which is ERROR_ALREADY_EXISTS. Some of the other frameworks include the hexadecimal value it would check against but not the text representation of the symbolic constant, at least by default, which makes this quite a bit easier to read.

So besides the disassembly and Pseudo C, we do have other options here in this third dropdown. You'll see references to Low, Medium, and High Level ILs. IL stands for Intermediate Language, and these ILs are basically different representations of the code that range from looking like assembly to something more readable, like the pseudocode that we're looking at right now. So as you go from low to medium to high, the code generally gets more and more readable. Any RE framework like Ghidra or IDA that includes a decompiler has some sort of intermediate language, but Binary Ninja exposes these, and there is something to be gained from each. Now, the only intermediate language available in the free version we're using here today is the High Level IL, which is similar to Pseudo C but actually has some nice advantages over the Pseudo C representation. For example, you can see the name of the argument as described in the Microsoft documentation and the actual value being passed; that's not in the Pseudo C output because it's not part of C syntax, but Binary Ninja does have that information, and it's here in the High Level IL. So there's actually a case to be made for using the High Level IL rather than the Pseudo C output when using Binary Ninja, and that's something I'm really warming up to as I spend more time with this framework.

As you're probably noticing, the developers at Vector 35 really focus on UI design and optimizing ease of use. If you ever listen to one of their streams, they really nerd out on interface elements, which I think is awesome, because reducing the friction associated with accessing features and organizing them appropriately really does make it easier to reverse engineer a program, and frankly more enjoyable. On that note, I do want to mention that key bindings have their own menu option here under Edit, Key Bindings, and here you can create hot keys for just about anything. In addition to configuring any key bindings you like, you can also take advantage of the built-in command palette via Cmd or Ctrl+P. So if I go ahead and do Cmd+P, here is the command palette, and you can use this to really access any view or functionality within Binary Ninja. So if remembering hotkeys is a pain for you, you can just type here what you want to do, like, hey, I want that Feature Map back that we looked at earlier. I could go around digging through the menus trying to find it, or I could just type "feature map", and there we go, I've got an option to show it. Hit Enter, and we have our Feature Map back here on the right-hand side.

And just to cover some miscellaneous features you'd expect from any RE platform: if I for example want to insert a comment, I can do so by hitting the semicolon key here and typing "this is a comment" followed by Enter, and there it inserts a comment. Similarly, in the disassembly you'll see the comment is at the right location, this time at the end of the line. If you want to rename an argument or a variable, or maybe even this function, you can just click on it right here and hit N on the keyboard, and this gives you an opportunity to name this function; then press Enter, and now you have your new function name. If you need to edit the properties of a function, you can use the context menu by right-clicking on that function and then choosing Edit Function Properties, and here you can make a variety of changes, such as, for example, updating the calling convention.

Let's talk about types. You can access types by hitting this T here on the top left, and this brings up all of the user and the system types, as well as those associated with the libraries that are imported by this executable. Let's say we want to change a type. We'll go ahead and jump to some code here as an example. In order to jump to an address you can hit G for go, and the address I'll jump to here is 10010DB; then I'll hit Accept or Enter, and it's now jumped to that location based on that address. We'll go ahead and actually use the High Level IL here to get some exposure to this view. Now, if I scroll up to the top here, notice this variable var_54 associated with lpProcessInformation, which sounds pretty official. If I actually scroll down to see where lpProcessInformation is referenced, and I actually just scroll to the right here, I'll see that it's the last argument actually passed to CreateProcessA. Upon looking up CreateProcessA on microsoft.com, I'll find that the final argument is a pointer to a PROCESS_INFORMATION structure that contains information about the new process. But if I scroll back up here to var_54 and take a look at the type for var_54, it says HANDLE, not PROCESS_INFORMATION. Well, to help Binary Ninja out and change the type of var_54, I can highlight it, as I've done already, right-click and go to Change Type, or just hit Y on my keyboard. I'll then go ahead and type PROCESS_INFORMATION, there we go, choose this first one and click Accept, and now that we've confirmed the correct type, whenever var_54 is referenced it actually includes the correct member as well. So you'll see references to hThread here, dwProcessId, as well as dwThreadId.

Well, let's say that you wanted to now create a structure. I think I saw a structure in a function that referenced the "test data" string, so I'm going to bring up the Strings view here and search for "test data". I see my reference here to "test data", and looking at the cross references here on the bottom left, I'm just going to go to the first one by double-clicking on it, and then we have the "test data" string right here. Now let me go ahead and deactivate this Strings view, and you'll see that with many of these references to arg1 we are dereferencing offsets from the address within arg1, so it's possible that we're dealing with a structure here, although I don't recall exactly what this is. So if you wanted to define these references as part of a structure, what we could do is click on arg1 and hit S on the keyboard, and then even really without adding any members here, I could just click Create, and you can see that the representation has already changed. Now, if you want to work on this structure further, we could go to the user types here on the top left. I can click on struct1, which is the default name that Binary Ninja gave this struct, and then I can start actually working on the structure down here. One neat option is that I can right-click in this space now and choose Create All Members for Structure, or I could just hit S again. Let me go ahead and make some space by getting rid of this Mini Graph for now, but you'll see that it went ahead and automatically created some members. It's got some unknown bytes here that we could continue to work on, but it filled in some members, which is a good start. So this is how you would begin creating a structure, and then of course you might choose to tweak it beyond this process. And once you have that structure in place and you're comfortable with whatever members you are able to identify, you could also click on struct1 right here, and in the cross references you'll see it now shows you all of the references to that structure, so you could then go to each of these references to continue understanding how that structure is actually used, which is pretty nice.

One of the major limitations with the free version of Binary Ninja is no plugin or API access, so while Binary Ninja does have an impressive and easy-to-use Python API, you can't use it with the free version. You also can't use any plugins. Nonetheless, I do want to mention their plugin ecosystem: they have a bunch of official plugins on GitHub, and there are a ton of community plugins that seemed pretty cool too, and I do like that there is just one place to go to find the vast majority of plugins rather than scouring the internet. And the paid version of Binary Ninja has a plugin manager that makes installing these very easy. So comparing sticker prices for a moment, Binary Ninja obviously costs more than free, but it's like one-third the cost of IDA Pro, or even less depending upon what you buy. So if the drawbacks of Ghidra are too much for you and the price of IDA Pro and its decompilers are also too much for you, this strikes a really nice balance. I also love that the documentation actually includes guides for migrating from IDA or Ghidra, just to prepare you for what's similar and what's different. So I hope you enjoyed this video introducing Binary Ninja for malware analysis. Be sure to check out my other videos for more malware analysis content, and I'll see you next time.
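The Triage Summary and import-pivot workflow described in the video, as an added example that is not part of the original transcript and is not Binary Ninja's own code. This standard-library Python script builds a constructed, minimal PE32 DLL (a fake sample, not the WannaCry DLL; the names KERNEL32.dll, CreateMutexA, GetLastError and the "test data" string are chosen only to mirror what the video pivots on) and then produces the same kinds of data the Triage Summary shows: file hashes, header fields, sections, imported DLLs and functions, printable strings, and, for each imported function, the code locations that call through its IAT slot, which is the "code references" pivot from CreateMutexA. It handles PE32 only and the call-site scan looks only for the 32-bit `call dword ptr [imm32]` form; both are assumptions of the example.

```python
import hashlib
import re
import struct

# Layout of the constructed demo DLL (an assumption of this example, not a real sample).
IMAGE_BASE, TEXT_RVA, RDATA_RVA = 0x10000000, 0x1000, 0x2000


def _put(buf, off, blob):
    buf[off:off + len(blob)] = blob


def build_sample_dll():
    """Assemble a tiny PE32 DLL: .text calls CreateMutexA through the IAT,
    .rdata holds the import tables plus a 'test data' string."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(224)                                          # PE32 optional header, zero-filled
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic: PE32
    struct.pack_into("<I", opt, 16, TEXT_RVA)                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, RDATA_RVA, 40)              # DataDirectory[1]: import table

    def section(name, rva, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, raw_ptr, 0, 0, 0, 0, flags)

    headers = dos + coff + bytes(opt)
    headers += section(b".text", TEXT_RVA, 0x200, 0x60000020)     # code | execute | read
    headers += section(b".rdata", RDATA_RVA, 0x400, 0x40000040)   # initialized data | read
    headers = headers.ljust(0x200, b"\0")

    text = bytearray(0x200)
    iat_create_mutex = IMAGE_BASE + RDATA_RVA + 0x50              # VA of the first IAT slot
    # push ebp; mov ebp, esp; call dword ptr [iat_create_mutex]; ret
    _put(text, 0, b"\x55\x8b\xec\xff\x15" + struct.pack("<I", iat_create_mutex) + b"\xc3")

    rdata = bytearray(0x200)  # the all-zero descriptor at 0x14 terminates the import list
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    _put(rdata, 0x00, struct.pack("<IIIII", RDATA_RVA + 0x40, 0, 0, RDATA_RVA + 0x60, RDATA_RVA + 0x50))
    thunks = struct.pack("<III", RDATA_RVA + 0x70, RDATA_RVA + 0x80, 0)
    _put(rdata, 0x40, thunks)                                     # import name table
    _put(rdata, 0x50, thunks)                                     # import address table
    _put(rdata, 0x60, b"KERNEL32.dll\0")
    _put(rdata, 0x70, b"\0\0CreateMutexA\0")                      # IMAGE_IMPORT_BY_NAME: hint + name
    _put(rdata, 0x80, b"\0\0GetLastError\0")
    _put(rdata, 0x90, b"test data\0")
    return bytes(headers + text + rdata)


def _rva_to_off(sections, rva):
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return rva - s["rva"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x maps to no section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def _parse_imports(data, sections, import_rva, image_base):
    """Walk the import descriptors; return {dll: [func, ...]} and {func: IAT slot VA}."""
    imports, iat = {}, {}
    off = _rva_to_off(sections, import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                         # null descriptor ends the list
            break
        dll, names = _cstr(data, _rva_to_off(sections, name_rva)), []
        thunk = _rva_to_off(sections, oft or ft)                  # some packers zero OriginalFirstThunk
        for i in range(4096):                                     # cap protects against an unterminated table
            entry, = struct.unpack_from("<I", data, thunk + 4 * i)
            if entry == 0:
                break
            name = ("ordinal#%d" % (entry & 0xFFFF) if entry & 0x80000000
                    else _cstr(data, _rva_to_off(sections, entry) + 2))   # skip the 2-byte hint
            names.append(name)
            iat[name] = image_base + ft + 4 * i
        imports[dll] = names
        off += 20
    return imports, iat


def _find_call_sites(data, sections, iat):
    """Scan executable sections for 'call dword ptr [slot]' (FF 15 imm32) per imported function."""
    sites = {name: [] for name in iat}
    for s in sections:
        if not s["flags"] & 0x20000000:                           # IMAGE_SCN_MEM_EXECUTE
            continue
        blob = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        for name, slot in iat.items():
            for m in re.finditer(re.escape(b"\xff\x15" + struct.pack("<I", slot)), blob):
                sites[name].append(s["rva"] + m.start())
    return sites


def triage(data):
    """Return what a triage summary shows: hashes, header, sections, imports, call sites, strings."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    import_rva, = struct.unpack_from("<I", data, opt + 104)       # DataDirectory[1].VirtualAddress
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "rva": rva, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    imports, iat = _parse_imports(data, sections, import_rva, image_base) if import_rva else ({}, {})
    return {
        "hashes": {a: getattr(hashlib, a)(data).hexdigest() for a in ("md5", "sha1", "sha256")},
        "machine": machine, "is_dll": bool(chars & 0x2000), "image_base": image_base,
        "entry_point": entry, "sections": sections, "imports": imports,
        "call_sites": _find_call_sites(data, sections, iat),
        "strings": [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{4,}", data)],
    }


if __name__ == "__main__":
    report = triage(build_sample_dll())
    print(report["hashes"]["sha256"], report["imports"], report["call_sites"], report["strings"])
```

Running it prints the hashes, `{'KERNEL32.dll': ['CreateMutexA', 'GetLastError']}`, and a call site for CreateMutexA at RVA 0x1003 (image offset 3 in .text), which is the same pivot the video performs from the Imports list to the code reference. On a real sample, replace `build_sample_dll()` with the file's bytes; the RVA-to-offset mapping and the null-descriptor and zero-thunk terminators are the parts that commonly break on packed or deliberately malformed malware, which is why the thunk walk is capped.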
Info
Channel: Anuj Soni
Views: 2,666
Id: -RaOeooSmug
Length: 20min 3sec (1203 seconds)
Published: Tue Mar 19 2024