Executable encryption for Pocket PC and SmartPhone devices

Nicolas Brulez, Websense Security Labs

  Technical stream: Thursday 6 October 2005, 12:00 - 12:40.


Nowadays, mobile devices are popular and attacks targeting them are starting to surface. Cabir for Symbian OS or WinDust for Pocket PC are good examples. It is relatively easy to analyse them because they don't use encryption techniques. A natural evolution would be self-decrypting binaries, like we have on Windows for PC or Linux.

I suspected Pocket PC/SmartPhone executables would be encryptable because they use the same file format, which is the ‘Portable Executable’ format. My research has been done with IDA and the MS EVC++ 4 debugger, as well as the code I have written in the past for PE file encryption on x86-based computers. The paper presents the modifications and various 'hacks' needed to get the binaries to run. Assumptions carried over from Windows for PC are sometimes false, and research has been done in order to obtain working self-decrypting programs.

As a result, we obtain working executables that cannot be disassembled directly because they are encrypted. There are not a lot of powerful tools to debug Windows CE programs, which makes it even harder. The encrypted EXE also evades anti-virus detection. Pocket PC/SmartPhone devices could therefore be targeted by PE encrypted malware, like we currently see on Windows for PC. A lot of techniques can be used to defeat analysis. My paper describes those techniques and should be seen as a proof of concept.

