\documentclass{beamer}
\usepackage[utf8]{inputenc}

\usetheme{default}
\setbeamertemplate{navigation symbols}{}
\author{Gérard Wagener}
\date{October 18, 2007}
\title{Analyzing heavily protected P2P voice over IP software}
\begin{document}
\begin{frame}
%\maketitle
\begin{center}
\scalebox{1.2}{
	{	\color{blue}
			Analyzing heavily protected P2P voice over IP software
	}
}
\end{center}

\vspace{0.1cm}

\begin{center}
Gérard Wagener
\end{center}

\vspace{0.1cm}
\begin{center}
October 18, 2007
\end{center}

\normalsize
\begin{center}
	\includegraphics[scale=0.4]{./graphs/Hl2007banner.png}
\end{center}
\end{frame}

\begin{frame}
\frametitle{Introduction}
\begin{itemize}
	\item Such software does not like disassemblers.
	\item And it does not like debuggers such as SoftICE.
	\item Messages are encrypted, \dots
	\item Such software gathers hardware information\footnote{\url{http://www.pagetable.com/?p=27}}, e.g.\ a BIOS scan, and does not like virtual machines \dots
	\item Many such obscure rumors exist \dots
	\item We want to:
	\begin{itemize}
		\item Check these statements.
		\item Understand such clients.
		\item Show how the internals of such software can be revealed.
	\end{itemize}
		\item One example of a P2P client for VoIP is \alert{Skype}.
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Analysis concept}
\begin{itemize}
\item Analysis problems:
	\begin{itemize}
		\item SoftICE, gdb and objdump do not work.
		\item Use \alert{wine} to start the software.
		\item If it works, patch wine to discover internals \dots
	\end{itemize}
\item Solution
	\begin{itemize}
		\item Download voice over IP software.
		\item Download the wine source from \url{http://www.wine-hq.com}
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Installation problems}
	
\begin{itemize}
	\item Software crashes during installation.
	\item Configure wine as Windows~98\footnote{Recommendations} $\to$ still crashes.
	\item Solution: use wine 0.9.22 (an old version).
\end{itemize}
	\begin{center}
		\includegraphics[scale=0.2]{graphs/instfail.png}
	\end{center}
\end{frame}

\begin{frame}
	Ok it boots :-)
	\begin{center}
		\includegraphics[scale=0.2]{./graphs/login.png}
	\end{center}
\end{frame}

\begin{frame}
\frametitle{Analyzing debug messages of wine}
	\begin{itemize}
		\item Looking at the executed function calls:
		\begin{itemize}
			\item \texttt{export WINEDEBUG=trace+relay}
			\item \texttt{wine Skype.exe 2>\&1 | tee relay.trace}
		\end{itemize}
		\item Examine network information
			\begin{itemize}
				\item \texttt{export WINEDEBUG=trace+winsock}
				\item \texttt{wine Skype.exe 2>\&1 | tee winsock.trace}
			\end{itemize}
		\item Some observations:
			\begin{itemize}
				\item Skype created 142 sockets!
			\end{itemize}
	\end{itemize}

	\begin{block}{Output}
	 {\ttfamily
		0009:Call kernel32.CreateFileW(0056abb8 L"\textbackslash\textbackslash.\textbackslash NTICE",0,0,0,3,0,0) ret=0056ac17

		trace:winsock:WS\_bind socket 0248, ptr 0x21e030 \{ family 2, address 127.0.0.1
	}
	\end{block}
		
	
\end{frame}

\begin{frame}
\frametitle{Analyzing Skype with the tool fiw}
\begin{block}{Advantage}
\begin{itemize}
	\item Block execution.
	\item Inspect memory, disassemble, read or write $\dots$
\end{itemize}
\end{block}

\begin{example}[Check whether function return values are checked]
\begin{center}
\includegraphics[scale=0.2]{./graphs/fiw.png}
\end{center}
\end{example}
\end{frame}


\begin{frame}
\frametitle{Injecting data into the p2p software}
\begin{itemize}
	\item Via network.
	\item Via files, temp files, config files, \dots
	\item Via Windows events! (i.e.\ the Skype API)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Having fun with Windows events $\dots$}
\includegraphics[scale=0.3]{./graphs/skype_screen_shot.png}
\end{frame}

\begin{frame}
\frametitle{Having fun with Windows events $\dots$}

\begin{itemize}
	\item How it works! (w32)
	\begin{itemize}
		\item Enumerate all windows on the desktop: \texttt{EnumWindows}.
		\item Map them to processes: \texttt{GetWindowThreadProcessId}.
		\item Open the processes: \texttt{OpenProcess}.
		\item Get the process \alert{name}: \texttt{GetModuleBaseName}.
		\item \alert{If} our client is found, examine its handles.
		\item Get the window class info \& name.
	\end{itemize}
	Ready to start \alert{fuzzing} the handles.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Having fun with Windows events $\dots$}
Discovering the handles of the application that should be analyzed.
\includegraphics[scale=0.3]{./graphs/sp1.png}
\end{frame}

\begin{frame}
\frametitle{Having fun with Windows events $\dots$}
Sending the events $\dots$
\includegraphics[scale=0.3]{./graphs/et2.png}
\end{frame}

\end{document}
