Unobfuscated malware can still be overwhelming to analyze. Even accomplished reverse engineers may feel hand-wavey about STL and COM code. Take for example Gophe, a spambot associated with Dyre campaigns and Trickbot C2, which weighs in around 2.6 MB with a 10 KB WinMain, three embedded binaries, copious STL template-generated code, and multiple flavors of atypical COM usage. COM is 27 years old, and plugins are starting to materialize to automate its analysis, but Gophe presents a strong case for understanding COM directly and applying that knowledge to decompilation instead of assembly listings. Meanwhile, C++ reversing is well-covered, but the literature is largely orthogonal to STL code. In this talk, Michael Bailey of FireEye’s FLARE Team will share how to tame STL code with knowledge of a few key structures and how to investigate COM usage that doesn’t conform to the norm. This will include a guided tour of a Gophe sample to focus on tactics for effective STL and COM reversing by enriching decompilation in Hex-Rays. We’ll examine what Gophe is doing with Outlook.Application, Microsoft’s Messaging API (MAPI), and one other COM interface that it uses to hide from view. This reverse engineering case study is all ham and no spam, so bring your appetite!
Author Name: BSides Huntsville
Author Description:
BSides Huntsville is the conference for those that work (or would like to work) in the trenches of cybersecurity. This is the opportunity for you to engage in fierce discussions about the next big ideas or the worst product you’ve ever seen in a friendly and informal setting.