HBGary Responder™ User’s Guide
1
REcon
REcon is the dynamic analysis system for Responder PRO. It allows you to record a program's
behavior and graph it along with data samples. You will find a copy of REcon.exe in the "REcon"
folder in the directory where Responder is installed. The "Collecting a Malware Sample" and
"Viewing Tracks" topics will give you information on how to use REcon and import the data it
outputs into Responder.
Collecting a Malware Sample
The recommended way to trace a malware sample with REcon is in conjunction with VMWare.
VMWare allows you to run the malware in a quarantined environment. Also, REcon interferes
with the operation of the computer, therefore using VMWare is required so you don't interfere
with your host machine. Finally, since Responder can import .vmem files, it is very easy to
import a VMWare snapshot file in conjunction with the REcon log file.
The recommended process for using REcon to record a program's behavior is as follows:
Step 1:
Set up a virtual machine to be used as quarantined "sandbox" that you will use to run the
program and record its behavior. Make sure you take a snapshot of the virtual machine in the
state right before you use REcon so that you can revert back to a clean virtual machine for more
REcon use.
NOTE: If you are using REcon to analyze malware it is a good idea to disable all networking on
your virtual machine so that there is no chance of the malware finding its way onto your host
machine via the network.
Step 2:
Copy REcon.exe and the program you wish to trace to your VM. Optionally, you can also copy
dbgview.exe (Which can be downloaded from Microsoft) to your VM as well.
Step 3:
Open REcon.exe and select the options you want to use. These options are explained in more
detail in the REcon Settings topic. Once you have the options that you wish to use selected,
press the "Start" button to begin capturing program execution information.
Step 4:
Use the "Launch New" button in REcon to launch the program you wish to gather information
for. This will execute that program and begin tracing it.
NOTE: Tracing a program with REcon may slow it down quite a bit.
Step 5:
Run your test program for however long you like. Your test program will execute as normal
(albeit much slower), so if it has a GUI feel free to interact with it as much as you want. You can
also set markers at different points during execution by can entering text into the Markers field
and clicking the button to add the marker.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
2
Step 6:
Use VMware's snapshot capabilities to take a snapshot of the VM once you are satisfied with
the test program run.
NOTE: Taking the snapshot before you stop REcon ensures that all of the program information
will be in the memory snapshot. Malware has a tendency to delete itself so you may not get all
of the program information if you take the snapshot after stopping REcon.
After taking a snapshot of the VM, click the "Stop" button to stop capturing program information.
After you click "Stop" there will be a file in your C:\ directory called "REcon.fbj", this is the file
that you will need to copy to your analysis machine and import in conjunction with the .vmem
memory snapshot that you have just created.
Step 7:
Import the .vmem file that you created in the snapshot process into Responder Professional
Edition. After the memory image has been imported go to the "Working Canvas" and use the
"Journal Tracks" tab to import the .fbj file.
The following pages will provide you with more information about the REcon GUI.
VMware Workstation Window
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
3
Using VMWare products such as VMWare Workstation is the recommended way to capture
REcon data. You must copy the REcon.exe utility into the virtual machine before you can use it.
REcon should be started before running any malware samples. Once REcon is running, you
can launch a malware sample and record its behavior.
VMWare
VMWare workstation is running and a VM has already been installed. The commerical version
of VMWare workstation allows memory snapshots to be taken. The resulting .vmem files can
be imported into Responder.
Virtual Machine
This virtual machine is a standard Windows XP OS, an easy target for most malware programs.
The configuration must be single processor for REcon to work properly.
REcon Tool
The REcon utility has been copied into the VM. REcon.exe is launched before the malware
program is executed.
Malware to test
The malware to test is also copied into the VM. Be careful not to execute malware samples on
your host machine or network by accident. A common practice is to keep them zipped and
rename the file extension to something other than .EXE until you are ready to launch it.
DbgView (optional)
DbgView is an optional tool that can be downloaded from Microsoft. The REcon device driver
will print useful information that can be observed in realtime with DbgView. Be sure to enable
kernel-messages to see this output.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
Networking ON/OFF (optional)
It is usually a good idea to disable networking before you launch the malware program. You
can right click here and turn networking on or off.
Using REcon
Launch REcon.exe first. REcon will allow you to attach to or launch a program for tracing.
REcon will create a special log file called an 'FBJ' which is placed in the root of the C: drive.
Once recording is complete, you can retrieve this FBJ file and import it into Responder PRO.
REcon
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
4
HBGary Responder™ User’s Guide
This is the REcon user interface. You can launch programs, attach to programs, and make
settings from here.
Process List
This is the list of currently running processes on the system. You can select a process and
trace it. You can also launch a process and trace it from startup.
Refresh Process List
Use this button to refresh the process list.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
5
HBGary Responder™ User’s Guide
6
Start REcon
You must press this button to start / stop REcon. You have to start REcon before any tracing
can occur.
Stop REcon
You can exit REcon at any time. All tracing will stop.
Kernel Messages
If you are using DbgView, be sure to enable kernel messages.
Debug Messages
All debug messages print to this screen.
Launching Malware
The best way to trace a malware program is to launch it from REcon using the "Launch New..."
button. This will trace the malware from startup and capture all behavior.
Launch Malware
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
Use this button to select a program to launch and trace.
Choose Malware EXE
When you launch a new program, you can browse to and select the program to execute.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
7
HBGary Responder™ User’s Guide
8
Malware being traced
Once tracing has started, the target program will likely appear in the process list. The tracing
will introduce overhead on the process, so it may execute slower than expected.
malware process
The malware program being traced.
Malware trace starting
If you are using DbgView, helpful debugging messages will indicate behavior on the system. In
this case, the malware program was detected as executing and it has been added into the trace
log.
Child process being traced
The malware program launched a second, child process. REcon automatically detects this and
starts tracing the child process as well.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
9
Results file
When tracing is complete, you should stop REcon. This will flush the FBJ file to disk. This file
will contain all your traced data.
FBJ file
The FBJ file is named 'flypaper2.fbj' by default. You can drag and drop this file out of the VM if
you have VMWare Tools installed.
samplepoints file
The samplepoints.ini file can be customized to set specific tracepoints. If you know what
specific API calls you want to log, you can add them here.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
10
REcon settings
REcon offers advanced settings. These control how programs will be traced, and also if some
behavior will be blocked.
REcon settings
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
11
Use this tab to make settings.
Behavior Blocking
REcon will block programs from exiting, and also prevent TCP/IP communication using the
standard windows stack. In addition, threads are not allowed to exit, and memory is never
freed.
Trace settings
By default, REcon will trace any new process that is launched while REcon is running.
Optionally you can also trace any new threads that are created, even if they are in a process
that is not currently traced. "Trace Only New Behavior" causes REcon to log a control flow
location only the first time it is executed - this can be used in conjunction with markers to isolate
the code specific to each program behavior. "Step Over System Calls" will prevent REcon from
logging the control flow within commonly used system libraries, this saves space in the FBJ log
and usually this data is not required for the analysis.
Trace Mode
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
12
Branch trace logs an event whenever a branch is taken. This is the default mode.
Viewing Tracks
Tracks are the way data is organized in a dynamic analysis. Use tracks wisely to quickly isolate
behaviors.
Track and Canvas
The track control renders the currently imported FBJ file. The track control is used in
conjunction with the canvas. The currently selected region on the track will be rendered on the
canvas.
Working Canvas
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
13
The working canvas will show any nodes that are selected on the track control.
Track Control
The track control illustrates the data held in the FBJ file. The data is organized into a timeline.
The data is also organized into tracks. Tracks can be viewed by process and thread, or by
sample group. The user can add additional tracks by modifying the samplepoints.ini file.
Samples Window (click to expand)
Once a region is selected on the track, the data samples for this selection are shown in the
samples window. If you select a node on the graph, the samples window is update to show only
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
14
the samples for that one location.
Basic Track Control
The track control has many features. From the track control you can carve out specific
behaviors and graph just those selected regions.
Open REcon log (.fbj file)
Use this button to load an FBJ file.
WARNING! This will clear any nodes that you currently have on the graph. If you are currently
using the graphing canvas make sure you save your graph BEFORE you import an FBJ file if
you would like to use this graph at a later time.
Track Zoom
Depending on the size of the FBJ, the track may be longer than the visible screen. To move the
track, you can hold down space while hovering over it and drag right or left. You can also use
the zoom in / zoom out.
Track Search
Use this button to search all the data samples on the entire track. This is highly useful. The
results will be sent to the samples window.
Play Pause Stop
You can replay the behavior for the selected region by using these controls.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
Individual track
Each individual track has a color and can be toggled on/off.
Selected region
Select a region to view it on the graph and also see the samples taken during this period.
Data on track
Colored bars indicate that behavior was recorded at this point in time.
Track Grouping
Track Group setting
You can view tracks by process and thread, or by sample group. This will modify the way
samples are organized on the tracks.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
15
HBGary Responder™ User’s Guide
16
Track grouped by Process and Thread
When in Process & Threads mode, each track represents a single thread that was executing.
Each track represents a unique process and thread ID
Each thread is given its own track
Track grouped by Sample Group
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
17
When in samplegroup mode, each track represents one of the behavior groups defined in the
samplepoints.ini file.
Each sample group is given its own track
The samplegroups are controlled by the samplepoints.ini file
Color coding
The color of each track is reflected on the graph. You can quickly find the nodes that belong to
a given track by using color.
Red node on process track
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.
HBGary Responder™ User’s Guide
18
The red node shown here belongs to the process track of the same color.
Tan nodes on UNGROUPED track
The tan nodes are part of the UNGROUPED track, which are general control flow events that
are not part of the samplepoints.ini file
Green nodes on FILE track
This green node is part of the FILE track.
Toggle the visbility of a track
Use this icon to toggle visibility of a track.
Change the color of a track
Use this icon to change the color of a track.
Copyright © 2003 - 2008, HBGary, Inc. All rights reserved.