Launch a second instance of
pestudio and open puttycomp.exe.
Notice these items, as shown below:
Make sure that the top line in the left pane is selected
in both windows, as shown below.
The hash values shown in the right pane are different, because the disk files are different. Note: in recent versions of pestudio, the hash value is shown at the bottom left.
indicators shows the number of suspicious features in each file. These are false positives since this is a harmless program, not malware.
virustotal may show false positives too: one engine falsely regards putty itself as malicious.
Sections in PuTTY
In the pestudio window examining putty.exe,
in the left pane, click sections.
In the right pane, notice these items,
as shown below:
There are the four typical sections: .text, .rdata, .data, and .rsrc.
Comparing the "raw-size" (size on disk) and "virtual-size" (size in memory) values, they are almost equal for each section. The difference is that the raw-size is rounded up to the nearest 4K block size.
Permissions: notice that the .text section is executable and the .data section is writable. The other sections have no permissions. This is the normal situation. No program should ever allow write and execute permissions on the same memory segment, as a basic security principle.
entry-point: This is where execution starts. It's an address in the .text section, where it should be.
Note: in recent versions of pestudio, the entry point is on the lower right.
entropy: The .text section has entropy 6.7, which is typical for assembly code which varies a lot, but is not completely random. The other sections have lower entropy, especially the .data and .rsrc sections which contain large unused sections filled with zeroes, as we will see below.
Sections in PuTTYcomp
In the pestudio window examining puttycomp.exe,
in the left pane, click sections.
In the right pane, notice these items,
as shown below:
There are only three sections: UPX0, UPX1, and .rsrc. The absence of a .text section is very strange, since that section should have the executable code.
The UPX0 section has a "raw-size" of zero and a large "virtual-size"--this section does not exist on the disk, and will be dynamically filled when the program runs.
The permissions are very strange, every section is writable and most of them are also executable. These permissions clearly do not enforce any security barriers.
entry-point: It's bold and red to indicate that it is suspicious--it's in the UPX1 section, which is not normal at all. Note: in recent versions of pestudio, the entry point is on the lower right, and is not in a red color.
entropy: The UPX0 section has no data, so no entropy. The UPX1 section has an entry near 8 (total randomness) because this data has been compressed. The .rsrc section has a normal entropy value for data storage.
Imports in PuTTY
In the pestudio window examining putty.exe,
in the left pane, click imports.
In the right pane, scroll through the list,
as shown below,
to get a feeling for the many API calls
used by even a very simple Windows application.
Some of them are blacklisted, and some even have
MITRE techniques listed, showing how they are
used by attackers.
Imports in PuTTYcomp
In the pestudio window examining puttymod.exe,
in the left pane, click imports.
In the right pane,
the list is very short,
as shown below,
because the
unpacker does only one simple job.
Get the Malware Samples
If you don't already have them,
download the malware samples from:
Unzip the g_ollydump221b.zip file.
Move the OllyDump.dll file into the
same folder as the OllyDbg executable,
as shown below.
Examining PuTTY and PuTTYcomp with OllyDbg
In OllyDbg, open putty.exe.
Launch a second instance of
OllyDbg.
In OllyDbg, open puttycomp.exe.
A "Compressed code?" box pops up.
Click No.
Note these features, as shown below:
putty.exe shows code starting at address
004550F0 (Your address may be different)
putty.exe starts with a PUSH 60 command
puttycomp.exe shows code starting at address
004860E0 (A different address than putty.exe)
puttycomp.exe starts with a PUSHAD command
Memory Maps
In both OllyDbg windows, click
View, Memory.
Olly shows the memory map.
Find the putty sections.
Note these features,
as shown below.
Both programs are loaded at a base
address of 400000, which is
a common address for 32-bit Windows
programs.
putty has the usual .text, .rdata, .data, and .rsrc sections.
puttymod has only three sections: UPX0, UPX1, and .rsrc.
Dumping Sections
In the OllyDbg windows showing putty,
right-click the .text line and click
Dump.
In the OllyDbg windows showing puttycomp,
right-click the UPX0 line and click
Dump.
As shown below, putty's .text
section contains machine code instructions,
but the UPX0 section is filled with
zeroes.
Notice how large this section is: it goes
from 00401000 to 00448FFF.
In the OllyDbg windows showing putty,
right-click the .data line and click
Dump.
In the OllyDbg windows showing puttycomp,
right-click the UPX1 line and click
Dump.
As shown below, putty's .data
section contains a few values, but
it's mostly zeroes.
The UPX0 section contains compressed
data. Olly has tried to interpret it
as assembly code, but it's nonsense,
as shown below. From the entropy value
we saw earlier, we know this data is
almost totally random.
Viewing the Unpacking Stub
In the OllyDbg window examining
puttycomp.exe,
in the top left pane,
you see code starting with the
PUSHAD instruction/
Scroll down in this pane to see
the unpacking code and find where it ends.
The last instruction is
JMP puttycom.004550F0
as shown below.
This JMP jumps into the UPX0 memory
section, which contained only
zeroes when we dumped it.
The unpacker must put code there
before this JMP, or the program would crash.
Click on the JMP instruction.
Press the F2 key to put a breakpoint
there, as shown below.
Running the Unpacking Code
Press the F9 key to run the program.
The program runs to the breakpoint.
Press the F7 key to
execute one more instruction.
The program proceeds to the
PUSH 60 instruction,
as shown below.
This code contains the instructions
for the real, unpacked,
putty text section.
OllyDbg only disassembles the first
few instructions, because it thinks
this is a data section, but the actual
bytes match the unpacked putty code.
Building an Executable from Memory
We have now unpacked the code,
so it can run in OllyDbg. But to create
an EXE file, we need to
gather the pieces together and
rebuild the PE header, including the
import table which was destroyed
by UPX.
For simple cases, we can use the automated
tool OllyDump to do that.
Using OllyDump
In the OllyDbg window examining
puttycomp.exe,
from the menu bar,
click Plugins,
OllyDump,
"Dump debugged process".
An OllyDump box pops up,
showing the sections of code,
the Entry Point, and the
method it will use to rebuild
the import table,
as shown below.
Check to see that the Start Address
plus the Modify address matches
the address you see in the upper
left pane of OllyDbg. In this case,
it does, because the file loaded
at the expected address of 400000.
Accept the default options and
click the Dump
button.
Save the file as puttydumped.exe.
Examining the Dumped File in pestudio
Open pestudio and examine puttydumped.exe.
The imports section is now largely
restored, although the process is not
perfect,
as shown below--the original putty had
312 imports but OllyDump only restored
277 of them.
PMA 121.2: Entry Point (10 pts)
Examine the sections of puttydumped.exe.
Find its entry-point. That's
the flag,
covered by a green box in the image below.
Note: in recent versions of pestudio, the entry point is on the lower right.
PMA 121.3: Strings (15 pts)
Unpack the Lab18-01.exe sample.
Examine the strings of the unpacked file
and find the URL.
That's
the flag,
covered by a green box in the image below.
