Two weeks ago, Kaspersky Lab asked the community to help determine the programming language in which the Duqu Trojan was written. Discovered in October 2011, it still baffled experts.
Kaspersky Lab first turned to reverse-engineering experts, but they could not help. It was clear that the language was definitely not C++, not Objective-C, not Java, not Python, not Ada, not Lua, and not any of the roughly 30 other programming languages they tested. After several months of unsuccessful analysis, the only remaining assumption was that the key fragment of the malware had been written in some unknown language.
Thanks to the community's help, however, the puzzle was solved after all.
[Figure: Constructor function for a linked list class]
[Figure: Destructor function for a linked list class]
Kaspersky Lab specialists received over 200 comments and over 60 letters suggesting various languages and frameworks. With help from the Reddit forums and from independent developers, it was finally possible to establish that the authors of Duqu used the compiler shipped with Microsoft Visual Studio.
After several experiments with different versions of MSVC and compilation options, Kaspersky Lab's specialist Igor Soumenkov managed to reproduce the source of the constructor function from the first screenshot and to obtain from it binary code matching what was found in Duqu.
Here is the manually recovered code for this function in C.
“When the above C code is compiled with the compiler shipped with MSVC 2008 using the /O1 (size optimization) and /Ob1 (expand only __inline functions) options, the machine code coincides with the original code of this function in Duqu,” writes Igor Soumenkov. He also tries to analyze why the unknown authors of Duqu chose OO C instead of C++, and suggests two possible reasons: 1) broad portability and 2) distrust of C++ compilers. “This is typical of developers with many years of experience who started with assembler and then gradually moved to C. When C++ appeared, many refused to use it because of implicit memory management and intricate constructs that caused implicit code execution (constructors, operators, etc.). Both reasons clearly indicate that the framework code was written by ‘old school’ developers with years of experience.”
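The page shows the recovered Duqu code only as screenshots, so the following is an added illustration (written for this article, not the recovered code) of what "object-oriented C" looks like: a linked-list "class" with explicit constructor and destructor functions, plus a function-pointer table standing in for a C++ vtable, which is an assumed detail of the idiom rather than something the text states.

```c
#include <stdlib.h>
struct ListNode { struct ListNode *next; void *data; };
struct List;
struct ListVtbl {                   /* method table: the OO-C stand-in for a C++ vtable */
    int  (*push)(struct List *self, void *data);
    void (*clear)(struct List *self);
};
struct List {
    const struct ListVtbl *vtbl;    /* first field, where a C++ compiler puts the vptr */
    struct ListNode *head;
    size_t count;
};
static int list_push(struct List *self, void *data) {
    struct ListNode *n = malloc(sizeof *n);
    if (n == NULL) return 0;
    n->data = data;
    n->next = self->head;           /* prepend in O(1) */
    self->head = n;
    self->count++;
    return 1;
}
static void list_clear(struct List *self) {
    struct ListNode *n = self->head, *next;
    for (; n != NULL; n = next) { next = n->next; free(n); }
    self->head = NULL;
    self->count = 0;
}
static const struct ListVtbl list_vtbl = { list_push, list_clear };
/* Constructor: initialise caller-provided storage; "this" is the explicit self. */
struct List *list_ctor(struct List *self) {
    self->vtbl = &list_vtbl;
    self->head = NULL; self->count = 0;
    return self;
}
/* Destructor: free the owned nodes; the object's own storage belongs to the caller. */
void list_dtor(struct List *self) {
    self->vtbl->clear(self);
    self->vtbl = NULL;
}
/* Construct, push three items through the method table, destroy; returns 3 on success. */
size_t list_demo(void) {
    struct List l;
    int items[3] = {1, 2, 3}, i;
    list_ctor(&l);
    for (i = 0; i < 3; i++) l.vtbl->push(&l, &items[i]);
    if (l.count != 3) return 0;
    list_dtor(&l);
    return l.head == NULL ? 3 : 0;
}
```

Compiled with size optimisation, each method call through `vtbl` becomes an indirect call, which is the kind of pattern that made the Duqu code look like an unfamiliar language to analysts expecting ordinary C.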