How to drive a malware analyst crazy
Michael Boman, Malware Research Institute
About me
4th year speaking at 44CON
- 2012: Malware as a hobby [P]
- 2013: Controlling a PC using Arduino [WS]
- 2014: Malware analysis as a big data problem [P]
- 2015: Malware anti-reversing [P], Indicators of Compromise [WS]
Malware Researcher, Founder Malware Research Institute
6 kids, one more on the way…
Malware Research Lab, 2012
Malware Research Lab, 2015
Disclaimer
These are the techniques I've come across trying to keep malware researchers out of the game, or just to waste a heck of a lot of time doing quite silly things. This is not a complete list of techniques.
The techniques discussed are aimed at an x86/win32 environment.
Technique #1: Breakpoints
- INT 3
- Memory Breakpoints
- Hardware Breakpoints
How INT 3 breakpoints work
The example code is the SizeOfImage anti-dump snippet: walk PEB -> Ldr -> InLoadOrderModuleList to our own LDR_DATA_TABLE_ENTRY and overwrite its SizeOfImage. The analyst wants to break on the second instruction.

Before the breakpoint is set:
mov eax, fs:[0x30]                    // PEB
mov eax, [eax + 0x0c]                 // PEB->Ldr                       <- break here
mov eax, [eax + 0x0c]                 // Ldr->InLoadOrderModuleList.Flink (first entry = our image)
mov dword ptr [eax + 0x20], NewSize   // LDR_DATA_TABLE_ENTRY->SizeOfImage

After the debugger sets the breakpoint: the first byte of the instruction is overwritten with 0xCC (INT 3) and the original byte is saved by the debugger. The remaining bytes of the instruction no longer disassemble correctly:
mov eax, fs:[0x30]
int 3 [garbage]                       // <- 0xCC written over the first opcode byte
mov eax, [eax + 0x0c]
mov dword ptr [eax + 0x20], NewSize

When the INT 3 fires, the debugger restores the original byte and rewinds EIP by one so that the real instruction executes:
mov eax, fs:[0x30]
mov eax, [eax + 0x0c]                 // <- restored by debugger
mov eax, [eax + 0x0c]
mov dword ptr [eax + 0x20], NewSize

The 0xCC byte is physically present in the process' memory for as long as the breakpoint is armed, so code that scans or checksums its own bytes will see it.
Memory Breakpoints
Debuggers implement memory (on-access) breakpoints by marking the page PAGE_GUARD. When the page is touched, STATUS_GUARD_PAGE_VIOLATION is raised; without a debugger it is handled by the program, with a debugger such as OllyDbg it is treated as the debugger's own breakpoint and consumed.

Detection:
1. Allocate memory as a buffer
2. Fill the buffer with RET (0xC3) instructions
3. Mark the buffer PAGE_GUARD (VirtualProtect)
4. PUSH a potential return address onto the stack
5. JMP to the buffer
If debugger: the guard-page exception is swallowed, RET executes and control lands on the potential return address -> debugger detected.
Else: the STATUS_GUARD_PAGE_VIOLATION exception occurs and reaches the program's own handler -> no debugger.
Hardware breakpoints
Hardware breakpoints are implemented by Intel in the processor and are controlled through the debug registers DR0 - DR7:
- DR0 - DR3: 32-bit linear addresses of up to four breakpoints
- DR4, DR5: obsolete aliases for DR6 and DR7
- DR6: debug status (which breakpoint fired)
- DR7: debug control (enable bits, length and type (execute / write / read-write) of each breakpoint)
Nothing is written into the code, so byte scans and checksums do not see them; the only trace is in the thread's CONTEXT.
Technique #1: Breakpoints - how to get around them
INT 3: look for code that scans memory for 0xCC (INT 3) and/or 0xCD 0x03 (INT imm8 with imm8 = 3), or that checksums its own code.
Memory Breakpoints: look for memory allocations or protection changes with the PAGE_GUARD flag set.
Hardware Breakpoints: the debug registers can be read with the Win32 GetThreadContext / SetThreadContext API (CONTEXT_DEBUG_REGISTERS) or, more stealthily, from the CONTEXT record a Structured Exception Handler receives after a deliberate exception; watch for code that inspects Dr0 - Dr3 there.
Technique #2: Timing
- RDTSC (Read Time-Stamp Counter)
- Win32 timing functions: GetTickCount, timeGetTime, QueryPerformanceCounter, [...]
Technique #2: Timing - how to get around them
RDTSC: make RDTSC a privileged instruction (set CR4.TSD in the guest, or have the hypervisor trap it) so that executing it from user mode faults and the value handed back can be intercepted and modified.
Win32 timing functions: use DLL injection to overload the function with one that lies nicely in our favour.
Please remember to lie consistently to all timing methods: a check that compares RDTSC against GetTickCount or QueryPerformanceCounter will notice when only one of them has been slowed down.
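The consistency point is easiest to see with numbers. The following Python is an added example (not from the deck) that models both sides: the debuggee's timing checks (a plain threshold check and a cross-check between RDTSC, GetTickCount and QueryPerformanceCounter) and an analyst-side clock that serves all three APIs from one virtual cycle counter so that the lie stays consistent. The 3 GHz TSC and 10 MHz QPC frequencies, the thresholds and the sample deltas are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Frequencies assumed for the worked example (not from the deck): a 3 GHz TSC and
# the 10 MHz QueryPerformanceFrequency that modern Windows reports.
TSC_HZ = 3_000_000_000
QPC_HZ = 10_000_000


@dataclass(frozen=True)
class TimingSample:
    """Deltas measured around one protected code region, one per timing source."""
    tsc_cycles: int   # RDTSC delta
    tick_ms: int      # GetTickCount / timeGetTime delta, milliseconds
    qpc_ticks: int    # QueryPerformanceCounter delta
    tsc_hz: int = TSC_HZ
    qpc_hz: int = QPC_HZ


def implied_ms(sample: TimingSample) -> dict[str, float]:
    """Express every source's delta in milliseconds so they can be compared."""
    return {
        "rdtsc": sample.tsc_cycles * 1000.0 / sample.tsc_hz,
        "tick": float(sample.tick_ms),
        "qpc": sample.qpc_ticks * 1000.0 / sample.qpc_hz,
    }


def single_source_check(sample: TimingSample, threshold_ms: float = 50.0) -> bool:
    """The check malware usually ships: any one source over the threshold == debugged."""
    return any(ms > threshold_ms for ms in implied_ms(sample).values())


def cross_check(sample: TimingSample, tolerance_ms: float = 20.0) -> bool:
    """True when the sources disagree, i.e. only some of them were lied to."""
    ms = implied_ms(sample).values()
    return max(ms) - min(ms) > tolerance_ms


class ConsistentFakeClock:
    """Analyst-side model: every timing API is derived from one virtual cycle
    counter, so the three sources always agree with each other."""

    def __init__(self, tsc_hz: int = TSC_HZ, qpc_hz: int = QPC_HZ) -> None:
        self.tsc_hz = tsc_hz
        self.qpc_hz = qpc_hz
        self.cycles = 0

    def advance(self, cycles: int) -> None:
        """Charge the debuggee only for the work it did, not for our single-stepping."""
        self.cycles += cycles

    def rdtsc(self) -> int:
        return self.cycles

    def get_tick_count(self) -> int:
        return self.cycles * 1000 // self.tsc_hz

    def query_performance_counter(self) -> int:
        return self.cycles * self.qpc_hz // self.tsc_hz


def sample_region(clock: ConsistentFakeClock, work_cycles: int) -> TimingSample:
    """Take the three readings before and after a region costing work_cycles."""
    before = (clock.rdtsc(), clock.get_tick_count(), clock.query_performance_counter())
    clock.advance(work_cycles)
    after = (clock.rdtsc(), clock.get_tick_count(), clock.query_performance_counter())
    return TimingSample(after[0] - before[0], after[1] - before[1], after[2] - before[2],
                        clock.tsc_hz, clock.qpc_hz)


# A sloppy lie (constructed values): GetTickCount and QPC were hooked to report
# about 1 ms, but RDTSC still shows the two seconds spent single-stepping.
SLOPPY_LIE = TimingSample(tsc_cycles=6_000_000_000, tick_ms=1, qpc_ticks=10_000)


if __name__ == "__main__":
    print("sloppy lie -> threshold:", single_source_check(SLOPPY_LIE),
          "cross-check:", cross_check(SLOPPY_LIE))
    good = sample_region(ConsistentFakeClock(), work_cycles=3_000_000)
    print("consistent -> threshold:", single_source_check(good),
          "cross-check:", cross_check(good))
```

The sloppy lie passes a GetTickCount-only check but fails both the RDTSC threshold and the cross-check; readings taken through ConsistentFakeClock pass both, because every API is computed from the same cycle count.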
Technique #3: Windows Internals
- ProcessDebugFlags
- Debug Object Handle
- Thread Hiding
- BlockInput
- OutputDebugString
ProcessDebugFlags
Pass the undocumented information class ProcessDebugFlags (0x1f) to NtQueryInformationProcess().
With this class, NtQueryInformationProcess returns the inverse of EPROCESS->NoDebugInherit, i.e. the returned DWORD is 0 while the process is being debugged.
FALSE == debugger present
Debug Object Handle
Windows XP or later: when a process is debugged, the kernel creates a Debug Object for it. Its handle can be queried with NtQueryInformationProcess and the ProcessDebugObjectHandle (0x1e) class; a non-NULL handle means a debugger is attached.
Originates in the kernel -> hard to hide from user mode.
Thread Hiding
Windows 2000 and later: the ThreadHideFromDebugger (0x11) class passed to NtSetInformationThread prevents debuggers from receiving events from any thread it has been called on.
These events include breakpoints (and single-step exceptions), and the exit of the program if it is called on the main thread of the application, so the debugger simply loses sight of that thread.
BlockInput
BlockInput() blocks keyboard and mouse input events from reaching any application, the analyst's debugger included.
Only the thread that called BlockInput can call it again to remove the block. Not really anti-RE, but it can mess with you.
OutputDebugString
Call OutputDebugString() and then GetLastError(): without a debugger the call fails and sets an error code (set a known value with SetLastError() first so the result is unambiguous). No error == debugger present.
Caveat: reliable on Windows XP and earlier; on Vista and later OutputDebugString no longer reports an error without a debugger, so do not rely on this check alone.
Technique #3: Windows Internals - how to get around them
ProcessDebugFlags: watch NtQueryInformationProcess() calls for the [undocumented] ProcessDebugFlags (0x1f) class; hook NtQueryInformationProcess() and lie about the ProcessDebugFlags value (return a non-zero DWORD).
Debug Object Handle: hook NtQueryInformationProcess() and remove any link to the debug object (answer as if no debug port were set).
Thread Hiding: remove any ThreadHideFromDebugger class passed into NtSetInformationThread.
BlockInput: hook it to a no-op.
OutputDebugString: hook it to always return an error.
Technique #4: Process Exploitation
- Open Process
- Parent Process
- Self-Debugging
- UnhandledExceptionFilter
- NtQueryObject
Open Process
A debugger runs with SeDebugPrivilege enabled and does not properly reset the privileges of the process it starts, so the debuggee inherits them. Try to open a privileged process like csrss.exe with OpenProcess(); if it succeeds we are running under a debugger (or at least with SeDebugPrivilege).
Parent Process
Check whether GetParentProcessId() and GetExplorerPIDbyShellWindow() return the same PID (the parent PID comes from NtQueryInformationProcess / ProcessBasicInformation, explorer's PID from GetShellWindow() + GetWindowThreadProcessId()), or whichever parent you expect your malware to be executed from. A debugger as the parent gives it away.
Self-Debugging
The parent spawns a child that attaches to and debugs the parent.
A process can only have one debugger at a time, so this prevents the analyst's debugger from attaching to the parent.
Child (debugger) <-> Parent (debuggee)
UnhandledExceptionFilter
UnhandledExceptionFilter is the exception handler that is called when no other handler in the process has handled the exception. If a debugger is attached, the exception goes to the debugger instead and the filter is never reached.
When utilizing this technique (SetUnhandledExceptionFilter plus a deliberate exception), the process will exit under a debugger instead of resuming execution from the filter, which is fine for anti-RE purposes.
Order in which user-mode handlers are offered an exception:
Vectored Exception Handlers -> SEH chain -> UnhandledExceptionFilter
NtQueryObject
NtQueryObject() called with the ObjectAllTypesInformation class returns a list of every object type on the host system together with how many objects of each type currently exist, including DebugObjects.
The list can be traversed to locate the DebugObject type; a non-zero object count means a debugger is running somewhere on the host. It does not prove that this process is the one being debugged, but it is enough reason to refuse to run.
Technique #4: Process Exploitation - how to get around them
- Open Process: make sure the debugger drops SeDebugPrivilege before starting the debuggee
- Parent Process: fake GetParentProcessId() (return explorer's PID)
- Self-Debugging: clear DebugPort in the parent's EPROCESS (kernel patch) so your own debugger can attach
- UnhandledExceptionFilter: make sure the debugger does "the right thing" and passes the exception on to the process
- NtQueryObject: intercept and filter (report zero DebugObjects)
Technique #5: Anti-dumping
- Nanomites
- Stolen Bytes (Stolen Code)
- SizeOfImage
- Virtual Machines
- Guard Pages
- Removing the PE Header
Nanomites
Replace conditional jump (Jxx) instructions with INT 3 breakpoints and store the original jumps in an encrypted table.
Use self-debugging: the debugger process catches each INT 3, looks it up in the table and substitutes the correct jump (decrypting it on the fly), so the control flow never exists in the debuggee's memory and a dump has no jumps in it.
Put some stray INT 3 that are not in the table into the execution flow and you have made a real mess.
Stolen Bytes (Stolen Code)
Code bytes of the original program are copied out and stored encrypted somewhere inside the packer's code.
The original (copied) code is replaced with a jump into a dynamically allocated buffer holding the decrypted bytes, which then jumps back into the original flow. A dump of the image is missing exactly those bytes.
SizeOfImage
Modifying PE -> IMAGE_OPTIONAL_HEADER -> SizeOfImage (on disk, or at runtime in the module's LDR_DATA_TABLE_ENTRY as in the INT 3 example above) can cause problems for dumping tools that were not developed to handle it: they trust the field and dump too little, or fail outright on a huge value.
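As an added example (not from the deck), the following Python parses a PE32 header the way a dumping tool should: it recomputes SizeOfImage from the section table and compares it with the declared value, so a tampered header can be spotted and repaired before the image is dumped. It also shows what a dump whose PE header has been removed looks like to the parser: nothing to parse at all. The minimal PE32 image it builds is constructed for the example, and the parser only handles PE32 (x86), matching the deck's scope.

```python
import struct

PE32_MAGIC = 0x10B
OPTIONAL_HEADER_SIZE = 0xE0      # PE32 optional header incl. 16 data directories
SECTION_HEADER_SIZE = 40


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def parse_pe32(image: bytes) -> dict:
    """Parse just enough of a PE32 image (file or dump) to reason about SizeOfImage."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature: PE header missing or wiped")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 (x86) images are handled here")
    section_align, file_align = struct.unpack_from("<II", image, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"section_align": section_align, "file_align": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def expected_size_of_image(pe: dict) -> int:
    """What the loader really maps: end of the last section rounded up to
    SectionAlignment. VirtualSize wins; a zero VirtualSize falls back to SizeOfRawData."""
    end = pe["size_of_headers"]
    for s in pe["sections"]:
        end = max(end, s["vaddr"] + (s["vsize"] or s["rawsize"]))
    return align_up(end, pe["section_align"])


def check_size_of_image(image: bytes) -> tuple[int, int, str]:
    """Return (declared, expected, verdict) so a dumper can fix the header before use."""
    pe = parse_pe32(image)
    declared, expected = pe["size_of_image"], expected_size_of_image(pe)
    if declared == expected:
        verdict = "ok"
    elif declared < expected:
        verdict = "too small: a naive dump would truncate the image"
    else:
        verdict = "too large: a naive dump would read past the mapped image"
    return declared, expected, verdict


def build_test_pe32(size_of_image: int) -> bytes:
    """Constructed minimal PE32 (headers and section table only) for this example."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [(b".text", 0x800, 0x1000, 0x800, 0x400, 0x60000020),
                (b".data", 0x400, 0x2000, 0x200, 0xC00, 0xC0000040)]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    image = dos + b"PE\0\0" + coff + bytes(opt) + table
    return image + bytes(0x400 - len(image))                 # pad to SizeOfHeaders


if __name__ == "__main__":
    for soi in (0x3000, 0x1000, 0x10000000):
        print(hex(soi), check_size_of_image(build_test_pe32(soi)))
```

For the constructed image the section table ends at RVA 0x2400, so the only honest SizeOfImage is 0x3000; 0x1000 and 0x10000000 are the two ways the field gets abused. A dumper should write the recomputed value back into the header (and, for a live process, into the LDR_DATA_TABLE_ENTRY) before reading the image out.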
Virtual Machines (think JVM, not VBox)
Protectors like Themida and VMProtect already use virtual machines in their protection schemes: the original x86 code is translated into a custom bytecode that is run by an interpreter embedded in the binary.
Themida uses a technology that creates a unique virtual machine for every protected executable, which prevents the use of a generic attack against its virtualization protection.
Many protection schemes also implement junk code instructions.
Guard Pages
Discussed earlier. They can also be used for an on-demand decryption/decompression system: mark all pages that are not immediately needed as guard pages; when one is accessed an EXCEPTION_GUARD_PAGE exception is raised and the handler decrypts or decompresses the additional data, either from file or from memory, before resuming. A dump taken at any point contains only the pages touched so far.
Removing the PE Header
Removes the executable's PE header from memory at runtime (the running code does not need it, only the loader does).
A dumped image would be missing important information such as the RVAs (Relative Virtual Addresses) of important tables (Reloc, Import, Export etc.), the entry point, and the other fields the Windows loader needs when loading an image.
Technique #6: Exploiting IA-32 Instructions
- Interrupt 2D
- Stack Segment
- Instruction Prefixes
Interrupt 2D
INT 2D is the kernel debug service interrupt (used by DbgPrint and friends) and can be used as a debugger detection method. When executed from user mode:
No debugger present -> an exception is raised and the program's own handler runs
Debugger present -> no exception reaches the program; the debugger handles it (and, depending on the debugger, one byte after the INT 2D is skipped)
Debugger specific
Stack Segment
Manipulating the stack segment with push ss / pop ss causes the debugger to execute an instruction without the analyst seeing it: the processor inhibits interrupts and the single-step trap for one instruction after a write to SS.
In the following code, when single-stepping through it with any debugger, the mov eax, 9 line will execute, but the debugger will never stop on it; the next single-step trap arrives at xor edx, edx.
push ss
pop ss
mov eax, 9     // executes, but is never shown as the current instruction
xor edx, edx   // this is where the debugger stops next
Instruction Prefixes
Takes advantage of the way debuggers handle instruction prefixes.
When stepping over this code in OllyDbg or in Visual Studio 2008, we reach the first __emit and are immediately taken to the end of the __try block: the debugger skips over the prefixes and handles the INT 1 (ICEBP, 0xF1) itself, so the __except block never runs and the function returns true.
When running this code without a debugger, the single-step exception raised by INT 1 is delivered to the process, SEH catches it, the __except block returns false and the program continues along.
inline bool IsDbgPresentPrefixCheck()
{
    __try
    {
        __asm __emit 0xF3 // REP prefix; 0xF3 0x64 disassembles as PREFIX REP:
        __asm __emit 0x64 // FS segment override prefix
        __asm __emit 0xF1 // one-byte INT 1 (ICEBP), raises a single-step exception
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return false;     // the exception reached us: no debugger
    }
    return true;          // the exception was swallowed by a debugger
}
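Several of the tricks in Techniques #1, #2 and #6 have fixed byte encodings (INT 2D, RDTSC, push ss / pop ss, the F3 64 F1 prefix sequence, the fs:[0x30] PEB read and the cmp ..., 0xCC self-scan), which makes a first static triage pass cheap. The following Python scanner is an added example, not code from the deck: it reports the offsets of these byte sequences in a file, or in the constructed sample snippet embedded below. The signature list and the sample bytes are mine; as raw byte matches they will produce false positives inside data, so each hit needs confirmation in a disassembler.

```python
import re
from dataclasses import dataclass

# Raw-byte signatures for the anti-debugging instruction sequences discussed in
# Techniques #1, #2 and #6 (32-bit x86). They are plain byte regexes, so a hit inside
# data (strings, tables, immediates) is possible; confirm every hit in a disassembler.
ANTI_DEBUG_PATTERNS: dict[str, bytes] = {
    "int 3, long form (CD 03)":              rb"\xCD\x03",
    "int 2D (kernel debug service)":         rb"\xCD\x2D",
    "rdtsc":                                 rb"\x0F\x31",
    "push ss / pop ss":                      rb"\x16\x17",
    "rep fs prefix before icebp (F3 64 F1)": rb"\xF3\x64\xF1",
    # mov eax, fs:[30h] (64 A1 30 00 00 00) or mov r32, fs:[30h] (8B /r with
    # mod=00 rm=101 disp32): the PEB, home of BeingDebugged and NtGlobalFlag
    "PEB access via fs:[0x30]":
        rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00",
    # code that scans itself for software breakpoints
    "cmp byte ptr [r32], 0CCh":              rb"\x80[\x38-\x3F]\xCC",
    "cmp al, 0CCh":                          rb"\x3C\xCC",
}


@dataclass(frozen=True)
class Hit:
    offset: int
    name: str
    raw: bytes


def scan(code: bytes) -> list[Hit]:
    """Return every signature hit in offset order; overlapping hits are all reported."""
    hits = [Hit(m.start(), name, m.group(0))
            for name, pattern in ANTI_DEBUG_PATTERNS.items()
            for m in re.finditer(pattern, code)]
    return sorted(hits, key=lambda h: (h.offset, h.name))


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per technique, which is what belongs in a triage report."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.name] = counts.get(h.name, 0) + 1
    return counts


# Constructed x86 snippet stitching together several of the deck's tricks.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"            # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"   # mov eax, fs:[30h]        ; PEB
    "8A 40 02"            # mov al, [eax+2]          ; PEB.BeingDebugged
    "84 C0"               # test al, al
    "0F 31"               # rdtsc
    "8B D8"               # mov ebx, eax
    "16 17"               # push ss; pop ss
    "B8 09 00 00 00"      # mov eax, 9               ; executes unseen when single-stepped
    "33 D2"               # xor edx, edx
    "CD 2D"               # int 2Dh
    "90"                  # nop
    "80 38 CC"            # cmp byte ptr [eax], 0CCh ; self-scan for INT 3
    "C3"                  # ret
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CODE
    for h in scan(data):
        print(f"{h.offset:08x}  {h.raw.hex(' '):<24} {h.name}")
    print(summarize(scan(data)))
```

Run it with a file path to scan a sample, or without arguments to scan the embedded snippet, which yields five hits (PEB read, rdtsc, push ss / pop ss, int 2D, and the cmp [eax], 0CCh self-scan). A single 0xCC is deliberately not a signature: it is far too common as an immediate or padding byte; look for the comparison against 0xCC instead.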
Technique #7: VM Detection
VM artefacts: hardware, drivers, OS version / serial number, add-ons (guest tools), WMI calls
Interactivity: is the computer being used? Click on invisible or very small buttons no human could see (a sandbox that clicks everything gives itself away)
Technique #7: VM Detection - how to get around them
- Hardware: clone a real system's configuration
- Drivers: don't use VM-specific drivers
- OS version / serial number: use "real" serial numbers
- Add-ons: never install the VM guest tools
- WMI calls: patch the hypervisor, use real hardware
- Is the computer being used? Fake interactivity
- Invisible or very small buttons: make sure your fake interactivity is plausible (don't click what a human could not see)
Debugger specific techniques
OllyDBG: FindWindow (window class / title), OutputDebugString exploit (format string bug in OllyDbg 1.10)
WinDBG: FindWindow
Cuckoo Sandbox: check if the API is hooked
Debugger specific techniques - how to get around them
OllyDBG: FindWindow - hijack the function call or modify the OllyDBG binary (window class names); OutputDebugString exploit - run a patched version
WinDBG: FindWindow - hijack the function call or modify the WinDBG binary
Cuckoo Sandbox: check if hooked - run unhooked, or patch the hook-check function
Other Techniques
- Junk Code
- Native Code Permutations
Unfortunately there are no quick-fixes for these techniques
Announcement / Riddle
Announcement
Public VXCage server available at vxcage.malwareresearch.institute (http, soon https)
Feel free to apply for a personal account, free of charge:
TO: [email protected]
SUBJECT: VXCage Access
BODY:
- Who you are: name, twitter handle (if any, for cyberstalking), other contact info
- Why you want access
- Proposed username for the system (the password will be generated for you)
Please contact me at the above address for raw access to the archive
VXCage API: Quick intro
REST with JSON output
/malware/add - upload sample
/malware/get/<sha256> - download sample
/malware/find - search sample based on hash, date, tag
/tags/list - list tags
Docs & source code at https://github.com/mboman/vxcage
Thank you
Michael Boman (@mboman)
[email protected] (soon also [email protected])
Malware repository: vxcage.malwareresearch.institute
Malware blog: blog.malwareresearch.institute