Michael Bailey is a Manager in the FLARE Offensive Task Force (OTF) at FireEye, and an alumnus of the Mandiant Red Team. Michael has a background leading teams to research and develop Linux and Windows kernel capabilities, machine learning applications, custom instrumentation, and cryptographic applications. Michael holds a Bachelor of Science in Computer Engineering from Milwaukee School of Engineering. He most enjoys building custom debuggers to aid in malware analysis, and spinning Drum & Bass music very, very loudly.
Abstract: Unobfuscated malware can still be overwhelming to analyze. Even accomplished reverse engineers may feel hand-wavey about STL and COM code. Take for example Gophe, a spambot associated with Dyre campaigns and Trickbot C2, which weighs in around 2.6 MB with a 10 KB WinMain, three embedded binaries, copious STL template-generated code, and multiple flavors of atypical COM usage. COM is 27 years old, and plugins are starting to materialize to automate its analysis, but Gophe presents a strong case for understanding COM directly and applying that knowledge to decompilation instead of assembly listings. Meanwhile, C++ reversing is well-covered, but the literature is largely orthogonal to STL code. In this talk, Michael Bailey of FireEye's FLARE Team will share how to tame STL code with knowledge of a few key structures and how to investigate COM usage that doesn't conform to the norm. This will include a guided tour of a Gophe sample to focus on tactics for effective STL and COM reversing by enriching decompilation in Hex-Rays. We'll examine what Gophe is doing with Outlook.Application, Microsoft's Messaging API (MAPI), and one other COM interface that it uses to hide from view. This reverse engineering case study is all ham and no spam, so bring your appetite!