Win32/Flamer: Reverse Engineering and Framework Reconstruction
Aleksandr Matrosov
Eugene Rodionov
Outline of the Presentation
- Typical malware vs. Stuxnet/Flame: what's the difference?
- Flamer code reconstruction problems:
  - C++ code reconstruction
  - Library code identification
- Flamer framework overview
- Object oriented code reconstruction
- Relationship Stuxnet/Duqu/Flamer
Typical Malware vs. Stuxnet/Flamer
What’s the Difference?

| Typical malware | Stuxnet/Flame |
|---|---|
| Different motivation, budget … | Different motivation, budget … |
| Use 1-days for distribution | Use 0-days for distribution |
| Anti-stealth for bypassing AV | Anti-stealth for bypassing all security software |
| Stealth timing: months | Stealth timing: years |
| Developed in C, or in C++ written in C style | Tons of C++ code with OOP |
| Simple architecture for plugins | Industrial OO framework platform |
| Traditional ways of obfuscation: packers, polymorphic code, VM-based protection, … | Other ways of code obfuscation: tons of embedded static code, specific compilers/options, object oriented wrappers for typical OS utilities |
Stuxnet/Duqu/Flamer/Gauss Appearance
Code Complexity Growth (chart comparing Gauss, miniFlamer, Stuxnet, Duqu and Flamer)
C++ Code Reconstruction Problems
C++ Code Reconstruction Problems
- Object identification
- Type reconstruction
- Class layout reconstruction
- Identify constructors/destructors
- Identify class members
- Local/global type reconstruction
- Associate object with exact method calls
- RTTI reconstruction
- Vftable reconstruction
- Associate vftable object with exact object
- Class hierarchy reconstruction
C++ Code Reconstruction Problems
Diagram: an object of Class A contains vfPtr and has the virtual methods a1() and a2(). vfPtr points to A::vfTable, which holds a meta entry followed by the slots A::a1() and A::a2(). The meta entry points to the RTTI Object Locator, whose fields are signature, pTypeDescriptor and pClassDescriptor.
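The chain in the diagram (vftable meta slot → RTTI Complete Object Locator → type descriptor and class hierarchy descriptor) is the public MSVC x86 RTTI layout, and walking it is how an analyst recovers class names and base classes without symbols. The Python below is an added example, not code from the authors' slides; the memory image, its addresses and the classes A and B in it are constructed, and nothing in it is specific to Flamer.

```python
import struct

IMAGE_BASE = 0x00400000   # constructed base address of the sample image


def build_sample_image():
    """Constructed 32-bit memory image (not a Flamer dump): class B derives from class A."""
    mem = bytearray(0x100)
    va = lambda off: IMAGE_BASE + off                       # offset -> virtual address
    # TypeDescriptor: [pVFTable of type_info][spare][mangled name]
    struct.pack_into("<II", mem, 0x00, va(0xF0), 0); mem[0x08:0x10] = b".?AVA@@\0"
    struct.pack_into("<II", mem, 0x20, va(0xF0), 0); mem[0x28:0x30] = b".?AVB@@\0"
    # RTTIBaseClassDescriptor: [pTypeDescriptor][numContainedBases][mdisp][pdisp][vdisp][attributes]
    struct.pack_into("<IIiiiI", mem, 0x40, va(0x20), 1, 0, -1, 0, 0)   # B itself (contains A)
    struct.pack_into("<IIiiiI", mem, 0x60, va(0x00), 0, 0, -1, 0, 0)   # A, at displacement 0
    # RTTIBaseClassArray for B: the class itself first, then its bases
    struct.pack_into("<II", mem, 0x80, va(0x40), va(0x60))
    # RTTIClassHierarchyDescriptor: [signature][attributes][numBaseClasses][pBaseClassArray]
    struct.pack_into("<IIII", mem, 0x90, 0, 0, 2, va(0x80))
    # RTTICompleteObjectLocator: [signature][offset][cdOffset][pTypeDescriptor][pClassDescriptor]
    struct.pack_into("<IIIII", mem, 0xA0, 0, 0, 0, va(0x20), va(0x90))
    # B's vftable: the "meta" slot at vftable-4 points to the locator, then come the method slots
    struct.pack_into("<III", mem, 0xBC, va(0xA0), va(0x1000), va(0x1010))  # B::a1, B::a2 (fake)
    return bytes(mem)


VFTABLE_B = IMAGE_BASE + 0xC0   # address an analyst would find via "Vftable reconstruction"


def read_u32(mem, addr):
    return struct.unpack_from("<I", mem, addr - IMAGE_BASE)[0]


def read_cstr(mem, addr):
    off = addr - IMAGE_BASE
    return mem[off:mem.index(b"\0", off)].decode("ascii")


def demangle_type_name(mangled):
    """'.?AVB@@' -> 'class B'; '.?AUInner@Outer@@' -> 'struct Outer::Inner'."""
    if not mangled.startswith(".?A") or mangled[3] not in "VU":
        raise ValueError(f"not an MSVC type-descriptor name: {mangled!r}")
    kind = "class" if mangled[3] == "V" else "struct"
    scopes = mangled[4:].rstrip("@").split("@")      # innermost scope comes first
    return f"{kind} {'::'.join(reversed(scopes))}"


def class_from_vftable(mem, vftable_addr):
    """Walk vftable -> locator -> type/hierarchy descriptors, as the slide diagrams."""
    locator = read_u32(mem, vftable_addr - 4)
    signature, offset, _cd_offset, p_type_desc, p_class_desc = struct.unpack_from(
        "<5I", mem, locator - IMAGE_BASE)
    if signature != 0:
        raise ValueError("x86 locators carry signature 0; this is not a locator")
    name = demangle_type_name(read_cstr(mem, p_type_desc + 8))   # name follows two pointers
    _sig, attributes, num_bases, p_base_array = struct.unpack_from(
        "<4I", mem, p_class_desc - IMAGE_BASE)
    hierarchy = []
    for i in range(num_bases):
        p_bcd = read_u32(mem, p_base_array + 4 * i)
        bcd_type_desc, _contained, mdisp = struct.unpack_from("<IIi", mem, p_bcd - IMAGE_BASE)
        hierarchy.append((demangle_type_name(read_cstr(mem, bcd_type_desc + 8)), mdisp))
    return {"class": name, "offset_in_object": offset,
            "multiple_inheritance": bool(attributes & 1),   # CHD_MULTINH
            "hierarchy": hierarchy}


if __name__ == "__main__":
    info = class_from_vftable(build_sample_image(), VFTABLE_B)
    print(info["class"], "derives from", [n for n, _ in info["hierarchy"][1:]])
```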
Identify Smart Pointer Structure
Identify Exact Virtual Function Call in vtable
Identify Custom Type Operations
Identify Object Constructors
Library Code Identification Problems
Library Code Identification Problems
- Compiler optimization
- Wrappers for WinAPI calls
- Embedded library code
- Library version identification problem
- IDA signatures use syntax-based detection methods
- Recompiled libraries problem
- Compiler optimization problem
Object Oriented API Wrappers and Implicit Calls
Festi: OOP in kernel-mode
Main Festi functionality is stored in kernel mode
Diagram: in user mode, the Win32/Festi dropper installs the kernel-mode driver; in kernel mode, the Win32/Festi kernel-mode driver downloads the plugins (Win32/Festi Plugin 1, Plugin 2, … Plugin N).
Festi: Architecture
Diagram of the Win32/Festi components: C&C Protocol Parser, Network Socket, Plugin Manager, Memory Manager.
Festi: Plugin Interface
Diagram: an array of pointers to plugins; each plugin (Plugin 1, Plugin 2, Plugin 3, … Plugin N) exposes a struct PLUGIN_INTERFACE.
Festi: Plugins
Festi plugins are volatile modules in the kernel-mode address space:
- downloaded each time the bot is activated
- never stored on the hard drive
The plugins are capable of:
- sending spam – BotSpam.dll
- performing DDoS attacks – BotDoS.dll
- providing a proxy service – BotSocks.dll
Flamer Framework Overview
An overview of the Flamer Framework
The main types used in the Flamer Framework are:
- Command Executers – the objects exposing an interface that allows the malware to dispatch commands received from C&C servers
- Tasks – objects of this type represent tasks executed in separate threads, which constitute the backbone of the main module of Flamer
- Consumers – objects which are triggered on specific events (creation of a new module, insertion of removable media, etc.)
- Delayed Tasks – these objects represent tasks which are executed periodically with a certain delay
An overview of the Flamer Framework
Diagram of the framework's containers and the component objects they hold: Vector<Command Executor>, Vector<Task>, Vector<DelayedTasks> and Vector<Consumer>; the components shown are DB_Query, ClanCmd, IDLER, CmdExec, EuphoriaShare, Supplier, MobileConsumer, CmdConsumer, MunchSniffer, FileFinder, FileCollect, Driller, GetConfig, LSSSender, Frog, Beetlejuice, LuaConsumer and MediaConsumer.
Some of Flamer Framework Components

| Component | Purpose |
|---|---|
| Security | Identifying processes in the system corresponding to security software: antiviruses, HIPS, firewalls, system information utilities, etc. |
| Microbe | Leverages the voice recording capabilities of the system |
| Idler | Running tasks in the background |
| BeetleJuice | Utilizes the Bluetooth facilities of the system |
| Telemetry | Logging of all the events |
| Gator | Communicating with C&C servers |
Flamer SQLite Database Schema
Reconstructing Flamer Framework
Data Types Being Used
- Smart pointers
- Strings
- Vectors to maintain the objects
- Custom data types: wrappers, tasks, triggers, etc.
Data Types Being Used: Smart pointers

    typedef struct SMART_PTR
    {
        void *pObject;   // pointer to the managed object
        int  *RefNo;     // pointer to the shared reference counter
    } SMART_PTR;
Data Types Being Used: Strings

    struct USTRING_STRUCT
    {
        void    *vTable;        // pointer to the virtual function table
        int      RefNo;         // reference counter
        int      Initialized;
        wchar_t *UnicodeBuffer; // pointer to the Unicode string
        char    *AsciiBuffer;   // pointer to the ASCII string
        int      AsciiLength;   // length of the ASCII string
        int      Reserved;
        int      Length;        // length of the Unicode string
        int      LengthMax;     // size of UnicodeBuffer
    };
Data Types Being Used: Vectors

    struct VECTOR
    {
        void *vTable;        // pointer to the virtual function table
        int   NumberOfItems; // number of elements currently stored
        int   MaxSize;       // capacity of the element buffer
        void *vector;        // pointer to the buffer with elements
    };

Used to handle the objects: tasks, triggers, etc.
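As an added example (not the authors' code) of putting the three reconstructed layouts above to work, the Python below walks a VECTOR whose elements are SMART_PTRs to USTRING_STRUCT objects in a constructed 32-bit memory image, applying the consistency checks an analyst uses to reject false candidates (refcount, Initialized, Length against LengthMax, NumberOfItems against MaxSize). It assumes the vector stores SMART_PTR entries inline; the image, its addresses and the two sample strings (module names taken from the slides) are constructed.

```python
import struct

# Reconstructed 32-bit layouts from the slides, as struct formats
SMART_PTR = struct.Struct("<II")         # pObject, RefNo (pointer to the shared counter)
VECTOR    = struct.Struct("<IiiI")       # vTable, NumberOfItems, MaxSize, vector (element buffer)
USTRING   = struct.Struct("<IiiIIiiii")  # vTable, RefNo, Initialized, UnicodeBuffer, AsciiBuffer,
                                         # AsciiLength, Reserved, Length, LengthMax
IMAGE_BASE = 0x00600000                  # constructed base address of the sample image


def build_sample_image():
    """Constructed memory image (not a Flamer dump): a VECTOR of two SMART_PTRs to strings."""
    mem = bytearray(0x200)
    va = lambda off: IMAGE_BASE + off
    VECTOR.pack_into(mem, 0x00, va(0x1F0), 2, 4, va(0x10))         # 2 of 4 slots in use
    SMART_PTR.pack_into(mem, 0x10, va(0x40), va(0x30))             # -> "FileFinder", 2 owners
    SMART_PTR.pack_into(mem, 0x18, va(0x80), va(0x34))             # -> "Beetlejuice", 1 owner
    struct.pack_into("<ii", mem, 0x30, 2, 1)                       # the shared counters
    USTRING.pack_into(mem, 0x40, va(0x1F0), 1, 1, va(0xC0), 0, 0, 0, 10, 16)
    USTRING.pack_into(mem, 0x80, va(0x1F0), 1, 1, va(0xE0), va(0x100), 11, 0, 11, 16)
    mem[0xC0:0xC0 + 20] = "FileFinder".encode("utf-16-le")
    mem[0xE0:0xE0 + 22] = "Beetlejuice".encode("utf-16-le")
    mem[0x100:0x10B] = b"Beetlejuice"                              # ASCII copy kept alongside
    return bytes(mem)


VECTOR_ADDR = IMAGE_BASE   # the VECTOR sits at the start of the constructed image


def read_ustring(mem, addr):
    """Decode one USTRING_STRUCT, refusing objects whose fields contradict each other."""
    (_vt, refno, initialized, ubuf, abuf, alen,
     _reserved, length, length_max) = USTRING.unpack_from(mem, addr - IMAGE_BASE)
    if not initialized or refno <= 0 or not (0 <= length <= length_max) or alen < 0:
        raise ValueError(f"inconsistent USTRING_STRUCT at {addr:#010x}")
    off = ubuf - IMAGE_BASE
    text = mem[off:off + 2 * length].decode("utf-16-le") if ubuf else ""
    ascii_copy = None
    if abuf:
        ascii_copy = mem[abuf - IMAGE_BASE:abuf - IMAGE_BASE + alen].decode("ascii")
    return {"addr": addr, "refcount": refno, "unicode": text, "ascii": ascii_copy}


def walk_string_vector(mem, vec_addr):
    """Follow VECTOR -> inline SMART_PTR entries -> USTRING_STRUCT objects."""
    _vt, count, max_size, buf = VECTOR.unpack_from(mem, vec_addr - IMAGE_BASE)
    if not (0 <= count <= max_size):
        raise ValueError(f"inconsistent VECTOR at {vec_addr:#010x}")
    items = []
    for i in range(count):
        p_obj, p_ref = SMART_PTR.unpack_from(mem, buf - IMAGE_BASE + i * SMART_PTR.size)
        entry = read_ustring(mem, p_obj)
        entry["smart_ptr_refs"] = struct.unpack_from("<i", mem, p_ref - IMAGE_BASE)[0]
        items.append(entry)
    return items


if __name__ == "__main__":
    for item in walk_string_vector(build_sample_image(), VECTOR_ADDR):
        print(f"{item['addr']:#010x} refs={item['smart_ptr_refs']} {item['unicode']!r}")
```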
Using Hex-Rays Decompiler
- Identifying constructors/destructors: they usually follow memory allocation; the pointer to the object is passed in ecx (sometimes in other registers)
- Reconstructing object’s attributes: creating a custom type in “Local Types” for an object
- Analyzing object’s methods: creating a custom type in “Local Types” for a table of virtual routines
Reconstructing Object’s Attributes
Reconstructing Object’s Methods
DEMO
![Page 51: Win32/Flamer: Reverse Engineering and Framework …...An overview of the Flamer Framework The main types used in Flamer Framework are: Command Executers –the objects exposing interface](https://reader033.vdocument.in/reader033/viewer/2022042910/5f414566f90a3073e8651552/html5/thumbnails/51.jpg)
Relationship Stuxnet/Duqu/Gauss/Flamer
Source Code Base Differences
Exploit Implementations
Table of the exploits implemented in Stuxnet, Duqu, Flame and Gauss (the placement of each cell in its column is not recoverable from the extracted text):
- MS10-046 (LNK) (appears in three columns)
- MS10-061 (Print Spooler) (appears in two columns)
- MS08-067 (RPC) (appears in two columns)
- MS10-073 (Win32k.sys)
- MS10-092 (Task Scheduler)
- MS11-087 (Win32k.sys)
Exploit Implementations: Stuxnet & Duqu
- The payload is injected into processes from both the kernel-mode driver and the user-mode module
- Hooks: ZwMapViewOfSection, ZwCreateSection, ZwOpenFile, ZwClose, ZwQueryAttributesFile, ZwQuerySection
- Executes LoadLibraryW, passing as a parameter either KERNEL32.DLL.ASLR.XXXXXXXX or SHELL32.DLL.ASLR.XXXXXXXX
Injection mechanism: Flame
- The payload is injected into processes from the user-mode module
- The injection technique is based on: VirtualAllocEx, WriteProcessMemory / ReadProcessMemory, CreateRemoteThread / RtlCreateUserThread
- The injected module is disguised as shell32.dll
- Hooks the entry point of msvcrt.dll by modifying the PEB
Exploit Implementations: Gauss
- The payload is injected into processes from the user-mode module
Thank you for your attention!
Aleksandr Matrosov [email protected] @matrosov
Eugene Rodionov [email protected] @vxradius