Copyright©2014 JPCERT/CC All rights reserved.1
Windows Malware Analysis
Analysis approaches
[Diagram: a PE file drawn as Header, Code, Data, with the three kinds of analysis applied to it]
• Surface analysis: properties, the Internet
• Runtime analysis: execution & monitoring
• Static analysis: reading code
What Packing/Unpacking is
"Pack" original code for compression/obfuscation.
[Diagram] Original file (Header, Code, Data) --Pack--> Packed file (Header, Compressed data, Unpack code) --Exec (Unpack)--> the original code is restored when the packed file runs.
Unpacking Tools
• Unpacker: UPX, etc.
• Debugger: OllyDbg, Immunity Debugger, IDA
• IAT reconstructor: ImpREC
• Hex editor: FileInsight, HxD
What "Classic Unpacking" is
[Diagram: a UPX-packed file, shown on disk and in memory, in three stages]
1. Packed file: .header, UPX1, .rsrc (compressed data). In memory the UPX0 section is an empty section, reserved for the original code.
2. Execute until the Original Entry Point (OEP): the unpack code in UPX1 fills UPX0 with the original code.
3. Memory dump & reconstruct PE file: the dumped file has .header, UPX0 (original code), UPX1, .rsrc (compressed data) and an added .mackt section (the import table rebuilt by ImpREC).
Classic Unpacking Flow
1. Execute unpack code
   • Find OEP
2. Dump as a PE file
   • Reconstruct PE header, etc.
3. Reconstruct Import Address Table (IAT)
Reconstructing IAT
[Diagram: the packed PE file's import directory beside the IATs present in memory]
• The packed file's import directory lists only what the unpack code itself needs, e.g. kernel32.dll: GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess (seen in IDA as extrn GetProcAddress:dword, extrn VirtualProtect:dword, ...).
• The unpack code then resolves the original program's imports and builds a second IAT in memory, e.g. RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA.
• A plain memory dump keeps only the original import directory, so the dumped file cannot import the required APIs.
• Reconstructing the IAT means adding an import directory that describes the second IAT (kernel32.dll and the Reg* functions above), so the dumped file loads again.
Classic Unpacking Issue
[Diagram] Original file: .header, .text, .data, .reloc. Classic dumps of the same sample differ from it and from each other, e.g. .header, .text, .data, .rsrc, .mackt versus .header, .data, .rsrc, .text.
hash("Original") != hash("Unpacked")
[Diagram] Every analyst and tool produces a differently laid-out dump, so the same sample unpacked several times yields several distinct files and the hash values cannot be compared.
Concept
[Diagram] Packed file (.header, .data, .rsrc, .text) → unpacked file (.header, .text, .data, .reloc) that is byte-for-byte the original.
hash("Original") == hash("Unpacked")
Recent Packer
[Diagram: a packed file on disk and in memory, in five stages]
1. The packed file (.header, .data, .rsrc, .text) is loaded into memory.
2. The unpack code runs.
3. It writes the complete original PE file (.header, .data, .reloc, .text) into memory as a file image, header included, rather than only the original code section.
4. Overwrite own process / inject into other process.
5. The original PE (.header, .text, .data, .reloc) is mapped and running.
Perfect Unpacking Flow
1. Execute unpack code
   • Let unpack code unpack original PE file
2. Dump memory section that contains original PE file
3. Trim PE file
1. Unpack Code Execution
Set breakpoints on Windows APIs:
• WriteProcessMemory
• ZwWriteVirtualMemory
• CreateProcessW
• VirtualFree / RtlFreeHeap
• etc.
Or set a hardware breakpoint on the "M" of the PE header (the "MZ" signature).
2. Dumping Memory Section
• Search for the "MZ" string (Ctrl + B)
• Search next (Ctrl + L) until you can see a PE header
• Note the raw address where the header starts
Consideration
0. Limited availability
   • Depends on packer's implementation
1. Unpacking code execution
   • Debugger & VM detection
   • Breakpoint detection
3. Trimming PE file
   • Overlay data
     • Data used by malware, e.g. ZeuS variants
     • Digital signature
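Steps 2 and 3 of the Perfect Unpacking flow (find the "MZ" whose header checks out, then trim the dumped region to the PE's raw size) as an added Python example; this is not JPCERT/CC's code. The dump, the decoy "MZ" and the two-section PE32 image are constructed inline, and the trim stops at the end of the last section, which is exactly where the overlay data and digital signature listed under Consideration would be cut off.

```python
import struct

def find_pe_images(dump: bytes):
    """Yield offsets of each 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    pos = dump.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # Sanity-check e_lfanew so a stray "MZ" in data is not mistaken for a header
            if 0x40 <= e_lfanew < 0x1000 and dump[sig:sig + 4] == b"PE\0\0":
                yield pos
        pos = dump.find(b"MZ", pos + 1)

def raw_image_size(dump: bytes, base: int) -> int:
    """On-disk size of the PE at `base`: the furthest end of any section's raw data."""
    coff = base + struct.unpack_from("<I", dump, base + 0x3C)[0] + 4
    num_sections = struct.unpack_from("<H", dump, coff + 2)[0]
    size_opt = struct.unpack_from("<H", dump, coff + 16)[0]
    sect = coff + 20 + size_opt                  # first IMAGE_SECTION_HEADER
    end = sect + 40 * num_sections               # never shorter than the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", dump, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def trim_pe(dump: bytes, base: int) -> bytes:
    """Cut the PE out of the dump; anything past the last section (overlay) is dropped."""
    return dump[base:base + raw_image_size(dump, base)]

def build_pe(sections):
    """Constructed minimal PE32 (x86) for the demo; sections are (PointerToRawData, SizeOfRawData)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", b".s%d" % i, size, 0x1000 * (i + 1),
                                size, ptr, 0, 0, 0, 0, 0x60000020)
                    for i, (ptr, size) in enumerate(sections))
    image = dos + b"PE\0\0" + coff + b"\0" * 0xE0 + hdrs
    return image.ljust(max(p + s for p, s in sections), b"\xCC")

# Constructed "memory dump": a decoy "MZ" with no PE header, the image, then unrelated memory.
PE_IMAGE = build_pe([(0x200, 0x200), (0x400, 0x100)])
DUMP = b"MZ" + b"A" * 0x60 + PE_IMAGE + b"<other heap data>" * 8

if __name__ == "__main__":
    for base in find_pe_images(DUMP):
        print(f"PE at dump offset {base:#x}, raw size {raw_image_size(DUMP, base):#x}")
```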
Demo Movie
Get the same original file from different binaries using "Perfect Unpacking".
Summary
• Classic unpacking issue
   • Unpacked file's hash value depends on analyst/tools
• Recent packer implementation
   • Packed malware contains the original PE file
• We have to perform "Perfect Unpacking"
   • Dump the original PE file from virtual memory
Recommended Unpacking Flow
[Flowchart] Unpacker → Perfect Unpacking → Classic Unpacking, in that order. Packed file (.header, .text, .data, .rsrc) → unpacked file (.header, .text, .data, .reloc).