44con london 2015 - how to drive a malware analyst crazy

How to drive a malware analyst crazyMICHAEL BOMAN, MALWARE RESEARCH INSTITUTE

About me

4th year speaking at 44CON- 2012: Malware as a hobby [P]- 2013: Controlling a PC using Arduino [WS]- 2014: Malware analysis as a big data problem [P]- 2015: Malware anti-reversing [P], Indicators of Compromise [WS]

Malware Researcher, Founder Malware Research Institute

6 kids, one more on the way…

Malware Research Lab, 2012

Malware Research Lab, 2015

Disclaimer

These are the techniques I’ve come across trying to keep malware researchers out of the game Or just waste a heck of a lot time doing quite silly things… Not a complete list of techniques

The techniques discussed are aimed towards a x86/win32 environment

Technique #1: Breakpoints

INT 3h Memory Breakpoints Hardware Breakpoints

How INT3 breakpoints work

mov eax, fs:[0x30]

mov eax, [eax + 0x0c] // <- Break here

mov eax, [eax + 0x0c]

mov dword ptr [eax + 0x20], NewSize

How INT3 breakpoints work

mov eax, fs:[0x30]

int 3h [garbage] // <- EP

mov eax, [eax + 0x0c]

mov dword ptr [eax + 0x20], NewSize

How INT3 breakpoints work

mov eax, fs:[0x30]

mov eax, [eax + 0x0c] // <- restored by debugger

mov eax, [eax + 0x0c]

mov dword ptr [eax + 0x20], NewSize

Memory Breakpoints

Allocate memory, mark PAGE_GUARD

When accessed STATUS_GUEARD_PAGE_VIOLATION is raised, handled by program

Allocate memory as bufferFill buffer with RET instructionMark buffer with PAGE_GUARDPUSH potential return address to stackJMP to bufferIf debugger:

RET will jump back to potential return addresselse:

STATUS_GUARD_PAGE_VIOLATOIN exception occur

Hardware breakpoints

Hardware breakpoints are a technology implemented by Intel in their processor architecture, and are controlled by the use of

Special registers DR0 - DR7 DR0 - DR3 - 32 bit registers for the breakpoint address DR4, DR5 - obsolete synonyms for DR6 and DR7 DR6 – Debug status DR7 – Debug control

Technique #1: Breakpoints

INT 3h Look for code that scans memory for 0xCC [INT3] and/or 0xCD 0x03 [INT

(immediate) 3] Memory Breakpoints

Look for memory allocations with PAGE_GUARD flag set Hardware Breakpoints

Win32 GetThreadContext and SetThreadContext Structured Exception Handling

Technique #2: Timing

RDTSC (ReaD TimeStampClock) Win32 Timing Functions

GetTickCount timeGetTime QueryPerformanceCounter […]

Technique #2: Timing

RDTSC (ReaD TimeStampClock) Mark RDTSC as a elevated instruction (can then be intercepted and modified)

Win32 Timing Functions Use DLL-injection to overload the function with one that lies nicely in our

favour

Please remember to lie consistently to all timing methods.

Technique #3: Windows Internals

ProcessDebugFlags Debug Object Handle Thread Hiding BlockInput OutputDebugString

ProcessDebugFlags

Pass undocumented class ProcessDebugFlags (0x1f) to the NtQueryProcessInformation() function.

When NtQueryProcessInformation is called with the ProcessDebugFlags class, returns the inverse of EPROCESS -> NoDebugInherit

FALSE == Debugger present

Debug Object Handle

Windows XP or later When debugged a Debug Object created Can be queried using NtQueryInformationProcess

Originating from kernel -> hard to hide

Thread Hiding

Windows 2000 and later HideThreadFromDebugger class, passed into NtSetInformationThread, The class prevents debuggers from receiving events from any thread

that has had NtSetInformationThread with the HideThreadFromDebugger class called on it.

These events include breakpoints, and the exiting of the program if it is called on the main thread of an application.

BlockInput

BlockInput() blocks mouse and keyboard messages from reaching the desired application

Only the thread that called BlockInput can call it to remove the block Not really Anti-RE, but can mess with you

OutputDebugString

Call OutputDebugString() GetLastError() No error == debugger present

Technique #3: Windows Internals

ProcessDebugFlags Check NtQueryProcessInformation() calls for [undocumented] ProcessDebugFlags (0x1f) object Hook NtQueryProcessInformation(), lie about the ProcessDebugFlags value

Debug Object Handle Hook NtQueryInformationProcess(), remove any links to debug objects

Thread Hiding Remove any HideThreadFromDebugger class passed into NtSetInformationThread

BlockInput Hook it to a NO-OP

OutputDebugString Hook it to always return error

Technique #4: Process Exploitation

Open Process Parent Process Self-Debugging UnhandledExceptionFilter NtQueryObject

Open Process

Debugger not properly resets process privileges Open privileged process like csrss.exe If succeed we are running under a debugger

Parent Process

Check if GetParentProcessId() and GetExplorerPIDbyShellWindow()) is the same Or however you are expecting your malware to be executed

Self-Debugging

Parent spawns child who debugs the parent

Prevents debugger to attach to parent

Child

Parent

UnhandledExceptionFilter

UnhandledExceptionFilter is the exception handler that is called when there are no other handlers to handle the exception.

When utilizing this technique, the process will exit instead of resuming execution which is fine for Anti-RE purposes.

UnhandledExceptionFilter

SEH Chain

Vectored Exception Handlers

NtQueryObject

NtQueryObject() called with ObjectAllTypesInformation class, returns information about the host system and the current process including DebugObjects in the environment.

ObjectAllTypesInformation can be traversed to locate DebugObjects

Technique #4: Process Exploitation

Open Process – Make sure debugger drops SeDebugPrivilege Parent Process – Fake GetParentProcessId() Self-Debugging - Set PsGetProcessId()->EPROCESS->DebugPort to 0 UnhandledExceptionFilter – Make sure the debugger do “the right thing” NtQueryObject – Intercept and filter

Technique #5: Anti-dumping

Nanomites Stolen Bytes (Stolen Code) SizeOfImage Virtual Machines Guard Pages Removing the PE Header

Nanomites

Replace JUMP (Jxx) instructions with INT 3h breakpoints Store original JUMP (Jxx) instruction in an encrypted table Use self-debugging, debugger process will substitute the INT 3h code

with the correct JUMP instruction depending on encryption algorithm. Put some stray INT 3h in the execution flow and you have made a real

mess

Stolen Bytes (Stolen Code)

Code or bytes from the original process protected by the packer are copied and encrypted somewhere inside the packing code

The original (copied) code is replaced with jumps to a dynamic allocated buffer for the decrypted bytes and then jumps back to the original flow

SizeOfImage

Modifying PE -> IMAGE_OPTION_HEADER -> SizeOfImage can cause problems for tools that weren't developed to handle this problem.

Virtual Machines (think JVM, not VBox)

Protectors like Themida and VMProtect already use virtual machines in their protection schemes.

Themida uses a technology that creates a unique virtual machine for every protected executable

Prevents the use of a generic attack against its virtualization protection Many protection schemes implement junk code instructions

Guard Pages

Discussed earlier Can be used for an on-demand decryption/decompression system Mark all pages that were not immediately needed as guard pages When accessed, an EXCEPTION_GUARD_PAGE exception will be raised Additional data can be decrypted or decompressed either from file or

memory.

Removing the PE Header

Removes an executable's portable executable from memory at runtime A dumped image would be missing important information such as the

RVA (Relative Virtual Address) of important tables (Reloc, Import, Export etc..), the entry point, and other information that the Windows loader needs to utilize when loading an image

Technique #5: Anti-dumping

Nanomites Stolen Bytes (Stolen Code) SizeOfImage Virtual Machines Guard Pages Removing the PE Header

Technique #6: Exploiting IA-32 Instructions

Interrupt 2D Stack Segment Instruction Prefixes

Interrupt 2D

INT 2D instruction can be used as a debugger detection method When executed

No Debugger Present -> Exception Debugger Present -> No Exception

Debugger specific

Stack Segment

Manipulate stack segment using push ss and pop ss cause the debugger to execute instructions unwillingly

In the following code, when stepping over the code with any debugger, the mov eax, 9 line will execute, but will not be stepped on by the debugger.

push ss

pop ss

mov eax, 9 // This line executes but is stepped over

xor edx, edx // This is where the debugger will step to

Instruction Prefixes

Takes advantage of the way debuggers handle instruction prefixes.

When stepping over this code in OllyDBG or in Visual Studio 2008, we will reach the first emit and immediately be taken to the end of the __try block. What happens is that the debugger essentially skips over the prefix and handles the INT 1.

When running this code without a debugger, there will be an exception that SEH will catch and the program will continue along.

inline bool IsDbgPresentPrefixCheck()

{

__try

{

__asm __emit 0xF3 // 0xF3 0x64 disassembles as PREFIX REP:

__asm __emit 0x64

__asm __emit 0xF1 // One byte INT 1

}

__except(EXCEPTION_EXECUTE_HANDLER)

{

return false;

}

return true;

}

Technique #6: Exploiting IA-32 Instructions

Interrupt 2D Stack Segment Instruction Prefixes

Technique #7: VM Detection

VM Artefacts Hardware Drivers OS version / serial number Add-ons WMI calls

Interactivity Is the computer being used? Click on invisible or very small buttons no human could see

Technique #7: VM Detection

VM Artefacts Hardware – Clone real system configuration Drivers – Don’t use VM-specific drivers OS version / serial number – Use ”real” serial numbers Add-ons – Never install VM Guest tools WMI calls – Patch hypervisor, use real hardware

Interactivity Is the computer being used? – Fake interactivity Click on invisible or very small buttons no human could see – Make sure your fake

interactivity is plausible

Debugger specific techniques

OllyDBG FindWindow OutputDebugString Exploit

WinDBG FindWindow

Cuckoo Sandbox Check if hooked

Debugger specific techniques

OllyDBG FindWindow – Hijack function call or modify OllyDBG binary OutputDebugString Exploit – Run patched version

WinDBG FindWindow – Hijack function call or modify WinDBG binary

Cuckoo Sandbox Check if hooked – Run unhooked, patch the hook-check function

Other Techniques

Junk Code Native Code Permutations

Other Techniques

Junk Code Native Code Permutations

Unfortunately there are no quick-fixes for these techniques

AnnouncementRiddle

Announcement

Public VXCage-server Available at vxcage.malwareresearch.institute (http, soon https)

Feel free to apply for a personal account, free of charge: TO: michael@michaelboman.org SUBJECT: VXCage Access BODY:

Who you are: name, twitter handle (if any, for cyberstalking), other contact info Why you want access Proposed username for the system (the password will be generated for you)

Please contact me at the above address for raw access to the archive

VXCage API: Quick intro

REST with JSON output /malware/add – upload sample /malware/get/<sha256> - download sample /malware/find – search sample based on hash, date, tag /tags/list – list tags

Docs & Source code at https://github.com/mboman/vxcage

Thank you

Michael Boman (@mboman) michael@michaelboman.org (soon also

michael.boman@malwareresearch.institute) Malware repository: vxcage.malwareresearch.institute Malware blog: blog.malwareresearch.institute