Upload File

recommendation of perfect unpacking

40
Recommendation of Perfect Unpacking 2014/04/24 JPCERT/CC Analysis Center NAKATSURU You

Upload: others

Post on 18-Feb-2022

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Recommendation of Perfect Unpacking

Recommendation ofPerfect Unpacking

2014/04/24JPCERT/CC Analysis CenterNAKATSURU You

Page 2: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.1

Windows Malware Analysis

Data

Code

HeaderSurface• Properties• The Internet

Runtime• Execution &

monitoring

Static• Reading code

Analysis

Page 3: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.2

What Packing/Unpacking is"Pack" original code for compression/obfuscation

Data

Code

Header Header

Compresseddata

Unpack code

Pack

Exec(Unpack)

Page 4: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.3

Unpacking Tools

Unpacker

UPX, etc.

Debugger

OllyDbg

Immunity Debugger

IDA

IAT reconstructor

ImpREC

Hex editor

FileInsight

HxD

Page 5: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.4

CLASSIC UNPACKING

Page 6: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.5

What "Classic Unpacking" is

.header

Memory

UPX0

UPX1

.rsrc

.header

UPX1

.rsrc(Compressed

data)

UPX0

Empty section

.header

UPX1

.rsrc(Compressed

data)

Page 7: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.6

What "Classic Unpacking" is

.header

Memory

UPX0

UPX1

.rsrc

.header

UPX1

.rsrc(Compressed

data)

UPX0 UPX0(Original code)

.header

UPX1

.rsrc(Compressed

data)

Execute until Original Entry Point (OEP)

Page 8: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.7

What "Classic Unpacking" is

.header

Memory

UPX0

UPX1

.rsrc

.header

UPX1

.rsrc(Compressed

data)

UPX0

.header

UPX0

UPX1

.rsrc(Compressed

data)

.mackt

UPX0(Original code)

.header

UPX1

.rsrc(Compressed

data)

Memory dump & reconstruct PE file

Page 9: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.8

Classic Unpacking Flow

1. Execute unpack code•Find OEP

2. Dump as a PE file• reconstruct PE header, etc.

3. Reconstruct Import Address Table (IAT)

Page 10: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.9

Reconstructing IAT

extrn GetProcAddress:dwordextrn VirtualProtect:dwordextrn VirtualAlloc:dwordextrn VirtualFree:dwordextrn ExitProcess:dword

kernel32.dllGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess

PE File IAT on MemoryImport Directory

IAT

Page 11: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.10

Reconstructing IAT

extrn GetProcAddress:dwordextrn VirtualProtect:dwordextrn VirtualAlloc:dwordextrn VirtualFree:dwordextrn ExitProcess:dword

kernel32.dllGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess

extrn RegQueryValueExA:dwordextrn RegSetValueExA:dwordextrn RegEnumKeyA:dwordextrn RegEnumValueA:dwordextrn RegOpenKeyExA:dwordextrn RegDeleteKeyA:dwordextrn RegDeleteValueA:dwordextrn RegCloseKey:dwordextrn RegCreateKeyExA:dword

PE File IAT on Memory

Created by unpack code

IATIAT

Page 12: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.11

Reconstructing IAT

extrn GetProcAddress:dwordextrn VirtualProtect:dwordextrn VirtualAlloc:dwordextrn VirtualFree:dwordextrn ExitProcess:dword

kernel32.dllGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess

extrn RegQueryValueExA:dwordextrn RegSetValueExA:dwordextrn RegEnumKeyA:dwordextrn RegEnumValueA:dwordextrn RegOpenKeyExA:dwordextrn RegDeleteKeyA:dwordextrn RegDeleteValueA:dwordextrn RegCloseKey:dwordextrn RegCreateKeyExA:dword

PE File IAT on Memory

Can not import required APIs

IAT

Page 13: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.12

Reconstructing IAT

extrn GetProcAddress:dwordextrn VirtualProtect:dwordextrn VirtualAlloc:dwordextrn VirtualFree:dwordextrn ExitProcess:dword

kernel32.dllGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess

extrn RegQueryValueExA:dwordextrn RegSetValueExA:dwordextrn RegEnumKeyA:dwordextrn RegEnumValueA:dwordextrn RegOpenKeyExA:dwordextrn RegDeleteKeyA:dwordextrn RegDeleteValueA:dwordextrn RegCloseKey:dwordextrn RegCreateKeyExA:dword

RegQueryValueExARegSetValueExARegEnumKeyARegEnumValueARegOpenKeyExARegDeleteKeyARegDeleteValueARegCloseKeyRegCreateKeyExA

PE File IAT on Memory

IATIAT

Page 14: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.13

Classic UnpackingReconstruct PE file

Page 15: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.14

Classic UnpackingReconstruct PE file

Page 16: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.15

Classic UnpackingReconstruct IAT

Input OEP

Page 17: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.16

Classic UnpackingReconstruct IAT

Page 18: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.17

Classic Unpacking Issue

.header

.text

.data

.rsrc

.mackt

.header

.text

.data

.reloc

hash("Original") != hash("Unpacked")

.header

.data

.rsrc

.text

Page 19: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.18

Classic Unpacking Issue.header

.text

.data

.rsrc

.mackt

.header

.text

.data

.reloc

.header

.data

.rsrc

.text

.header

.data

.rsrc

.text

.header

.data

.rsrc

.text

.header

.text

.data

.rsrc

.mackt

.header

.text

.data

.rsrc

Page 20: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.19

PERFECT UNPACKING

Page 21: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.20

Concept

.header

.data

.rsrc

.text

.header

.text

.data

.reloc

hash("Original") == hash("Unpacked")

.header

.text

.data

.reloc

Page 22: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.21

Recent Packer

.header

Memory

.text

.data

.rsrc

.header

.data

.rsrc

.text.header

.data

.rsrc

.text

Page 23: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.22

Recent Packer

.header

Memory

.text

.data

.rsrc

.header

.data

.rsrc

.text

Unpack code

.header

.data

.rsrc

.text

Page 24: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.23

Recent Packer

.header

Memory

.text

.data

.rsrc

Original PE file

.header

.data

.rsrc

.text

Unpack code

.header

.data

.rsrc

.text

Page 25: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.24

Recent Packer

.header

Memory

.text

.data

.rsrc

Original PE file

.header

.data

.rsrc

.text

Unpack code

.header

.data

.reloc

.text.header

.data

.rsrc

.text

Overwrite own process / Inject into other process

Page 26: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.25

Recent Packer

.header

Memory

.text

.data

.rsrc

Original PE file

.header

.data

.rsrc

.text

Unpack code

.header

.data

.reloc

.text.header

.data

.rsrc

.text

.header

.text

.data

.reloc

Page 27: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.26

Perfect Unpacking Flow

1. Execute unpack code• Let unpack code unpack

original PE file

2. Dump memory section contains original PE file

3. Trim PE file

Page 28: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.27

1. Unpack Code ExecutionSet breakpoints on

•WriteProcessMemory•ZwWriteVirtualMemory•CreateProcessW•VirtualFree / RtlFreeHeap•etc.

Windows APIs

•Hardware breakpoint on "M"

PE header

Page 29: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.28

2. Dumping Memory SectionSearch "MZ" string

Ctrl + B

Page 30: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.29

2. Dumping Memory SectionSearch "MZ" string

Ctrl + B

Search next (Ctrl+L) until you can see PE header

Page 31: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.30

2. Dumping Memory SectionSearch "MZ" string

Ctrl + B

Search next (Ctrl+L) until you can see PE header

Page 32: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.31

2. Dumping Memory SectionSearch "MZ" string

Ctrl + B

Search next (Ctrl+L) until you can see PE header Raw address

Page 33: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.32

2. Dumping Memory SectionDump

Page 34: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.33

3. Trimming PE fileParse PE file using FileInsight

Page 35: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.34

Consideration

0. Limited availability•Depends on packer's implementation

1. Unpacking code execution•Debugger & VM detection• Breakpoint detection

3. Trimming PE file•Overlay data

•Data used by malware• e.g. ZeuS variants

• Digital signature

Page 36: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.35

Demo MovieGet same original file from different binaries using "Perfect Unpacking"

Page 37: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.36

CONCLUSION

Page 38: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.37

Summary

Classic unpacking issue•Unpacked file's hash value depends on

analyst/tools

Resent packer implementation•Packed malware contains original PE file

We have to perform"Perfect Unpacking"•Dump original PE file from virtual

memory

Page 39: Recommendation of Perfect Unpacking

Copyright©2014 JPCERT/CC All rights reserved.38

Recommended Unpacking Flow

Unpacker

Perfect Unpacking

Classic Unpacking

.header

.text

.data

.rsrc

.header

.text

.data

.reloc

Page 40: Recommendation of Perfect Unpacking

Thank you!

[email protected]://www.jpcert.or.jp

Incident [email protected]://www.jpcert.or.jp/form/

mailto:[email protected]
https://www.jpcert.or.jp/
mailto:[email protected]
https://www.jpcert.or.jp/form/

Unpacking GPS Standards

Unpacking - billiger.deimg.billiger.de/dynimg/tfJE4RyzzgFX90aFpmTDmHt4H9... · 2020-06-10 · Unpacking 1 Unpacking Thank you for buying the MSI® Z170A PC MATE motherboard.Check

Unpacking Decentralization

UNPACKING - BIC America

Unpacking Risk Shifting

Unpacking the Reasonable Accommodation Conversation ...forumworkplaceinclusion.org/wp-content/uploads/2017/12/Unpacking... · Unpacking the Reasonable Accommodation Conversation:

Unpacking quotes

KIDBOX: Unpacking Happiness

Unpacking Kiwi Picnic's

Unpacking Prayer

unpacking standards

Product Recommendation: RedSeal - Pratt and Lambert courtesy of Traditional Home. Product Recommendation: RedSeal® Offers the perfect combination of beauty, durability and value

Unpacking, Installation, and Customization Manual...2 NetShelter SX Networking Enclosure — Unpacking, Installation, and Customization Manual Unpacking the Enclosure Disclaimer American

Unpacking HB 5

Unpacking Unit 1

Human Interaction with Recommendation Systemsproceedings.mlr.press/v84/schmit18a/schmit18a.pdf · Human Interaction with Recommendation Systems sumptions are a perfect re ection of

[PPT]“Unpacking the Standards” - Griffin Middle Schoolgriffinmiddleschool.typepad.com/files/unpacking-the... · Web view“Unpacking the Standards” Last modified by install

4 Unpacking

T1 unpacking leadership

Unpacking the Suitcase

UNPACKING, ASSEMBLY, PREPARATION FOR USEmeijitechno.com/pdfs/emz_manual.pdf · NOMENCLATURE AND FUNCTION UNPACKING, ASSEMBLY, PREPARATION FOR USE Unpacking Assembly OPERATING PROCEDURES

Unpacking Synthetic Biology

“Unpacking the Standards” - Griffin Middle Schoolgriffinmiddleschool.typepad.com/files/unpacking-the... · PPT file · Web view2010-11-05 · “Unpacking the Standards”:Civil

Unpacking Standards.ppt

Unpacking LGC 1991

The ultimate guide to getting the perfect letter of recommendation

Bendavid unpacking archival_silences_guest_lecture_18022013

Standards & Unpacking

Funder Collaboration: Unpacking the toolkitwordpress.collaboratei.com/wp-content/uploads/...Unpacking-the-To… · FUNDER COLLABORATION: UNPACKING THE TOOLKIT 5 This report builds

Unpacking a poem

Unpacking The Question

Unpacking Transnational Citzenship

Unpacking and Installation

Unpacking the Standards

Unpacking Tripod Results