
Monday, September 2, 2019

Virtual Memory Analysis: The overlooked part of Dynamic Analysis


When we talk about dynamic analysis of malware in a Windows environment, we look at file modifications, registry modifications, network communication and process creation, but I feel people overlook the virtual memory of the process. Most experienced researchers probably use it, but an amateur researcher may miss it, as it is rarely mentioned in blogs or tutorials. Please do not confuse this with memory forensics.

Before getting into the details, I would recommend that readers have a basic idea of virtual memory in Windows. I have explained some Windows internals concepts, including virtual memory, in chapter 2 of my book Preventing Ransomware.

To analyse virtual memory you can use:
1) Process Explorer from Sysinternals
2) Process Hacker

Process Explorer limits itself to displaying the strings of one specific region of memory (the main module only), whereas Process Hacker shows much more: memory blocks, the protection of each block, page states, loaded modules, etc. Process Hacker also shows strings from the entire user-space virtual memory, unlike Process Explorer.

To inspect memory strings in Process Explorer, double-click a process, go to the Strings tab and select the "Memory" radio button.


As I said, Process Explorer limits itself to strings. Still, from strings you can derive a lot, as we will see shortly.

To view memory with Process Hacker, double-click a process and go to the Memory tab.


The screenshot shows a page whose state is Commit and whose protection is RW (read/write). Don't assume these properties are of no use: they can be used to find injected code, memory allocated by APIs like VirtualAlloc, and so on. In this article I will focus on what we can derive from the strings available in memory.
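As an added example (not part of the original post), here is a small Python script that applies the page-state and protection rules just mentioned to a memory map: committed private memory that is executable, or image pages that are both writable and executable, are the regions a VirtualAlloc-based unpacker or an injector leaves behind. The region list is constructed by hand to stand in for what Process Hacker's Memory tab (or winappdbg's Process.get_memory_map()) reports; the constants are the real Win32 MEMORY_BASIC_INFORMATION values.

```python
# Added example: triage a process memory map for regions typical of unpacked
# or injected code. Win32 constants are the real MEMORY_BASIC_INFORMATION
# values; SAMPLE_MAP is a hand-constructed stand-in for a live memory map.

MEM_COMMIT   = 0x1000
MEM_RESERVE  = 0x2000
MEM_FREE     = 0x10000
MEM_PRIVATE  = 0x20000    # VirtualAlloc'ed memory, heaps, stacks
MEM_MAPPED   = 0x40000    # section objects, mapped data files
MEM_IMAGE    = 0x1000000  # mapped PE images (exe and dlls)

PAGE_NOACCESS          = 0x01
PAGE_READONLY          = 0x02
PAGE_READWRITE         = 0x04
PAGE_WRITECOPY         = 0x08
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

EXECUTE_BITS = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
WRITE_BITS = (PAGE_READWRITE | PAGE_WRITECOPY |
              PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


def is_executable(protect):
    return bool(protect & EXECUTE_BITS)


def is_writable(protect):
    return bool(protect & WRITE_BITS)


def triage_region(region):
    """Return a reason string if the region deserves a closer look, else None."""
    if region["State"] != MEM_COMMIT:
        return None                      # reserved/free pages hold no code
    protect = region["Protect"] & 0xFF   # drop PAGE_GUARD / PAGE_NOCACHE modifiers
    rtype = region["Type"]
    if rtype == MEM_PRIVATE and is_executable(protect):
        # Legitimate code lives in MEM_IMAGE; executable private memory is what
        # VirtualAlloc(..., PAGE_EXECUTE_READWRITE) for an unpacking stub or an
        # injected payload looks like.
        return "executable private memory (VirtualAlloc'ed code, unpacked or injected)"
    if rtype == MEM_IMAGE and is_executable(protect) and is_writable(protect):
        # The loader does not map a section RWX unless the PE asks for it;
        # VirtualProtect on .text is how in-place unpackers and patchers work.
        return "writable+executable page inside a mapped image (patched/unpacked in place)"
    if rtype == MEM_MAPPED and is_executable(protect):
        return "executable mapped section (section-object injection)"
    return None


def triage_memory_map(regions):
    """Walk a memory map and return (base, size, reason) for suspicious regions."""
    findings = []
    for region in regions:
        reason = triage_region(region)
        if reason:
            findings.append((region["BaseAddress"], region["RegionSize"], reason))
    return findings


# Constructed memory map: a small exe with a heap, a reserved block, an RWX
# buffer allocated by VirtualAlloc and one page of a dll made RWX by the malware.
SAMPLE_MAP = [
    {"BaseAddress": 0x00400000, "RegionSize": 0x1000,  "State": MEM_COMMIT,  "Protect": PAGE_READONLY,          "Type": MEM_IMAGE},
    {"BaseAddress": 0x00401000, "RegionSize": 0x5000,  "State": MEM_COMMIT,  "Protect": PAGE_EXECUTE_READ,      "Type": MEM_IMAGE},
    {"BaseAddress": 0x00406000, "RegionSize": 0x2000,  "State": MEM_COMMIT,  "Protect": PAGE_READWRITE,         "Type": MEM_IMAGE},
    {"BaseAddress": 0x00410000, "RegionSize": 0x4000,  "State": MEM_COMMIT,  "Protect": PAGE_READWRITE,         "Type": MEM_PRIVATE},
    {"BaseAddress": 0x00420000, "RegionSize": 0x10000, "State": MEM_RESERVE, "Protect": 0,                      "Type": MEM_PRIVATE},
    {"BaseAddress": 0x02000000, "RegionSize": 0x8000,  "State": MEM_COMMIT,  "Protect": PAGE_EXECUTE_READWRITE, "Type": MEM_PRIVATE},
    {"BaseAddress": 0x77001000, "RegionSize": 0x1000,  "State": MEM_COMMIT,  "Protect": PAGE_EXECUTE_READWRITE, "Type": MEM_IMAGE},
]

if __name__ == "__main__":
    for base, size, reason in triage_memory_map(SAMPLE_MAP):
        print("%#010x  %#8x  %s" % (base, size, reason))
```

The two regions it flags are exactly the ones you would click on in Process Hacker and dump: the RWX private block (the unpacked payload) and the RWX page inside an image (a hooked or patched module).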

You can view strings in Process Hacker by clicking the Strings button shown in the above image.



You can see many more strings in Process Hacker than in Process Explorer, along with the address of each string, which is useful while reverse engineering too. If you are analysing strings with Process Hacker you also need to decide which areas of memory to omit and which to look into, and apply some further filtering; otherwise you will have millions of strings to analyse. I am keeping the string filtering material restricted to my training.

Here are some of the things you can derive by looking at the strings in memory:
1) Was the malware file packed or not?
Compare the strings in the file with the strings in virtual memory. If you find useful strings in memory that are not in the file, the file is packed and unpacks itself in memory. You need a bit of practice to tell whether a string is important or not. I mention some important strings in the following points, but there are many more.

2) Was the malware armored or not?
Malware often does not execute completely if it detects a virtual machine or a security tool, or for other reasons, but you can still see relevant data in its memory.
Example:

This is a screenshot of the memory strings of a malware sample which did not execute completely; it seems to be looking for the presence of virtual machines, but at the same time I found other strings like a Run entry and URL patterns which helped me to conclude that it is malware, even though nothing conclusive was visible in dynamic analysis other than a process being created.

3) Command and control patterns, URLs, etc.


Even though the malware did not execute for me, I could see the following pattern. This pattern is likely used by the malware to send the victim's system information to the attacker's server.

4) Malware classification and naming
Sometimes you can see strings like malware names or author names. You can search for certain patterns and find that similar malware has been analysed in a blog or a sandbox report.
Here is one of my blogs on Kronos Ransomware. If you see strings like "data_before", "data_after", "data_inject", "data_end" (the markers of a web-inject configuration), it is more likely to be a banking malware.

It is important to mention that often you may not get the opportunity to view the strings, as the malware process may terminate quickly or the memory pages may be overwritten, but there is always a workaround for such problems. You can try my process stopper tool, even though it is not perfect. Other techniques include using a debugger efficiently, for example breaking on ExitProcess so the process stays alive after it has unpacked.

You can do a lot more by analysing memory. I stress memory analysis in my training "Malware Analysis made Easy Training" (the site is still under construction). Sometimes these techniques can eliminate the need to go through a complex reverse engineering process.



Wednesday, August 7, 2019

Static Analysis with Hiew

In my previous post I talked about using Far Manager to speed up malware analysis work, and about integrating Hiew (Hacker's View) into Far Manager.
With the arrival of tools like IDA Pro, Hiew is being forgotten, but it is still worth looking into. It is a lightweight tool with a hex editor, a PE (Portable Executable) parser, an x86 disassembler, a string viewer and some other notable features which help antivirus researchers do quick static analysis on a suspect file. I have been using it for years for writing AV signatures.

If you open a file in Hiew, it shows the content of the file in text mode. This mode is the same as opening the file in Notepad.


To know what you can do with Hiew, see the pane at the bottom.


F1 is for help.
F5 goes to a particular offset in the file.
F7 searches for a string.
F4 changes the mode.
Hiew has two modes other than text: Hex and Decode. You switch modes by pressing F4, selecting the mode with the arrow keys and pressing Enter.


Hiew has an embedded hex editor. To see the equivalent hex bytes you need to change the mode to Hex: press F4, use the arrow keys to go to Hex and press Enter. The third mode is Decode, which disassembles the bytes. You can also press Enter to cycle between the modes.


The first column is the file offset (for PE files this shows the virtual address by default; press Alt+F1 to see file offsets). The middle column is the hex bytes and the third column is the text.
To see the strings in a file in any mode, press Alt+F6. This eliminates the need for another string viewer tool like Strings from Sysinternals.


Blue strings are ASCII while red ones are Unicode. To see the offset of a string in the file, move the cursor to the string and press Enter.

You can see that the string "October " is at offset 0x00334DF0.


Let's look into the PE parser of Hiew. Open a 32-bit Windows executable in hex mode. By default the virtual address is shown instead of the file offset.


If you want to see file offsets, press Alt+F1.
Also notice what the bar at the bottom of Hiew now shows.

F4 changes the mode.
F5 goes to an address. To go to a file offset press F5 and type the offset; for a virtual address type a "." first and then the virtual address.
F6 stands for Reference. This is like the XRefs feature of IDA Pro or "Find references" in OllyDbg: it tells you where a particular piece of data or code is referenced.
F8 views the PE header.

Let me press F8 and see what happens.

The PE header pops up and the options at the bottom of the screen change as well.
F4 goes to the PE header in disassembly mode.
F5 goes to the entry point.
F6 displays the section headers.
F7 shows the import table.
F9 shows the exports if it is a DLL.
F10 shows the data directories.

To go to a section in the PE file, select it in the section table and press Enter. To go to the entry point, open the header (F8) and press F5; then press Enter to see the disassembly at the entry point.


Hiew has many more features. One can go through the help or play around by pressing different keys. Though the tool does not have too many features, it can still save researchers a lot of time.




Tuesday, July 30, 2019

Using Far Manager and Hiew duo in malware Analysis

I have been using the Far Manager and Hiew combo for a really long time while doing malware analysis. (Unfortunately I could not fix the formatting issues towards the end of the blog.)

Far Manager is not a malware analysis tool at all but an alternative to Windows Explorer. Still, it solves some basic problems in malware analysis, like sorting by size, seeing hidden files and viewing processes. Far Manager is a console alternative to Windows Explorer (explorer.exe) for browsing the file system. It speeds up your work, as you can browse the file system quicker than with the conventional Windows Explorer, and you can do a lot of things quickly with keyboard shortcuts. Don't worry about remembering the shortcuts; after some time they will be at your fingertips.

You can download Far Manager from https://farmanager.com/. Run it by extracting the archive and double-clicking Far.exe. By default Far Manager has two panes, left and right, so you can view two locations of your file system at a time. In the screenshot the left pane displays the contents of "C:\Program Files\7-Zip" and the right pane displays the contents of "D:\books\c-prog". You can browse the files in a directory with the up and down arrow keys; the cursor is the green bar.

At the bottom you can see 1 Help, 2 User Menu, 3 View, ... 5 Copy.
This means F5 is used for copy. To explore more options, press left Ctrl, right Ctrl, left Shift, right Shift or Alt and see how these options change.



If I press Ctrl, I see 12 Sort. Now let's press Ctrl+F12 and see what happens.

You can sort the files in the directory by size, extension, etc. Note: this is useful for analysts dealing with a huge set of files. Samples of the same malware family that are close to each other often have similar sizes; you can sort by size and cluster files of the same size.

The cursor is in the left pane, on the file "History.txt". To copy History.txt from "C:\Program Files\7-Zip" to "D:\books\c-prog" press F5. To move it press F6. See how quick a move is. Multiple files can be copied at the same time: to select a file press Shift+Down/Up arrow; the same keys deselect a selected file. To select all the files below the cursor press Shift+Right arrow, and for those above it Shift+Left arrow. You can then press F5 or F6 to start the copy or move.
To switch between the panes, i.e. to go from "C:\Program Files\7-Zip" to "D:\books\c-prog", press Tab. Use the up and down arrow keys to browse the files in the same directory.


Executables (7z.exe, Uninstall.exe) are shown in green text and directories ("lang") in white.
To open a file, move the cursor to it and press Enter: an exe will execute and a .txt file will open in Notepad. Hidden files are shown in light blue. This is often useful in malware analysis when the malware hides a dropped file with the Windows hidden attribute.



You can see more details of the files in the directory by pressing left Ctrl+3: the extension, file size and creation date/time.

We can also browse directories with keyboard shortcuts. To go into the "lang" directory, move the cursor to it with the up or down arrow keys and press Enter. To go to the parent directory press Ctrl+PgUp.

Searching files in a directory:
Press Alt plus the letters of the file name (wildcards can be used too).






Sorting files in a directory:
You can sort the files in a directory by pressing Ctrl+F12. This gives you the option to sort by size, extension, write time, etc. You can use this feature to cluster files of similar size.




Creating shortcuts to directories and accessing them:
You can save up to 10 directory shortcuts on the keys 0 to 9.
To create a shortcut for a directory on key 1, go to the directory and press Ctrl+Shift+1.
To jump to the shortcut saved on key 1, press right Ctrl+1. Similarly you can create shortcuts to 10 directories.

Adding tool shortcuts to Far Manager:
As malware researchers we need to run a lot of tools on samples, and you can add shortcuts for tools to Far Manager. I want to add Hiew (Hacker's View) to my Far Manager and open samples with it.
Before adding Hiew to Far, I downloaded Hiew from http://www.hiew.ru/ and extracted it to "D:\tools\hiew" on my system. I need to add Hiew32Demo.exe to Far Manager.

To open a file in Hiew from the command line, I need to type hiew32demo.exe file_full_path, where file_full_path is the parameter to hiew32demo.exe.

To add a command I need to press F2.
A window pops up over Far Manager which asks you to press Del, Ins, F4 or Alt+F4. You can try each of these keys. To add Hiew I press Ins.

After I press the Insert key I get a window like the one below.

Hotkey is the shortcut key; I have put h here. Label is just for your reference; I have entered hiew. In Commands I have put D:\tools\hiew\hiew32demo.exe "!.!". Here "!.!" means the selected file, which is the parameter to hiew32demo.exe.
To save the command, use the arrow keys to reach [Ok] in the menu and press Enter.
Now Hiew is added to my tools. To open a file in Hiew I can browse to the file, press F2 and then h.


Hiew will be continued in the next blog.

Tuesday, July 16, 2019

Simplifying Malware Analysis:


This article is meant for people who want to start a career in malware analysis. Malware analysis is a growing need in the cyber security industry with the increase in attacks involving malware. The article talks about how to approach malware analysis, but before that it is important to know how malware works. Here are the topics I will cover:
  1. Malware Components 
  2. Malware Analysis Steps

Malware Components
In order to understand malware better, I have broken it down into components. Below is a diagram of the various components.

I have broken malware down into the following components:
  1. Payload
  2. Packer
  3. Persistence 
  4. Armoring
  5. Stealth
  6. Communication
  7. Propagation
Fig: Malware Components
Payload is the mandatory component of malware, while the rest are optional.
  • Payload is the core component of the malware. The payload executes the final intention of the malware: it may steal credentials from browsers, steal banking credentials and so on. Malware should be classified or named based on its payload.
    • Password Stealer (PWS): steals passwords from browsers, FTP clients, etc.
    • Banking Malware: specially meant to steal banking credentials or perform a man-in-the-middle attack on banking sessions.
    • Ransomware: asks the victim to pay a ransom, usually by hijacking sensitive data or system resources.
    • Adware: displays unwanted advertisements to victims.
    • Point of Sale (POS) malware: steals credit card information from systems linked to POS devices.


Packer is an envelope over the payload. While reverse engineering malware you need to remove this envelope in order to see the actual payload or functionality of the malware. A packer compresses or encrypts the code, so it is hard to see the actual payload with static analysis (I will talk about static analysis later in the article; for now, consider static analysis here as viewing an executable in a hex editor). A packer is a program that takes an executable as input and produces a packed executable; the original and the packed executable look different when static analysis is done on them. A polymorphic packer takes one executable as input and creates multiple (possibly millions of) packed executables which look different from each other under static analysis. These executables are released in the wild through various channels like spam and exploit kits. They differ from each other under static analysis, but their behaviour (dynamic analysis) is the same. So if an antivirus engineer writes a static detection signature on a few of the packed executables, there is a good chance the signature will not detect all the executables created by the polymorphic packer. This is one of the methods by which malware evades static antivirus signatures.
Fig: Polymorphic Packer
Persistence:
Malware needs to stay on the system and survive reboots. A banking malware or a stealer needs to remain active even after a reboot. The techniques by which malware survives a reboot are called persistence mechanisms. Most malware exploits operating system features (autostart locations such as the registry Run keys) to persist.

Armoring:
Malware does not want to be analysed or detected, and security researchers try to break it. Armoring is what malware uses to protect itself. Anti-debugging, VM detection, sandbox detection and analysis tool detection are various armoring techniques employed by malware.

Stealth:
Malware needs to hide itself on the system so that the user does not suspect it. Stealth techniques range from simply setting the hidden attribute on a file to code injection techniques and rootkits. Often a rootkit is considered a type of malware, but I would say a rootkit is a technique to hide malware; the payload could be something like a banking trojan that wants to hide itself. Most rootkits alter the functionality of the APIs or the data structures used by the operating system. For example, the process list that Windows Task Manager displays ultimately comes from a doubly linked list in the kernel in which each node represents a process. Removing a node from that list hides the process. This rootkit technique is called DKOM (Direct Kernel Object Manipulation).

Communication:
Malware wants to communicate with the attacker through command and control (CnC) servers. The reason could be anything: uploading stolen data, receiving commands, etc.

Propagation:
Malware needs to spread across computers in a network or outside the network. Autorun worms used pen drives to spread from one machine to another. The infamous WannaCry used the EternalBlue exploit to propagate through the network. PE file infection (file infectors) is a spreading mechanism used by

Malware Analysis
Malware analysis is done in order to find out whether a program is malware and, if so, its impact on the system. It has three parts:
  1. Static
  2. Dynamic
  3. Reverse Engineering

Static Analysis:
Static analysis is done without executing the sample: the sample is opened in a static analysis tool to view its static properties.
It is hard to draw conclusions from static analysis alone, as malware may be obfuscated. Then why do we perform static analysis?
Static analysis forms the basis of dynamic analysis. Here is an example step: I get a sample and check its first few bytes in a hex editor. I see "MZ" at the start of the file, so I consider it a Windows executable. Then I check whether it is a 32-bit or a 64-bit executable. If it is 64-bit, I would use a 64-bit Windows OS for dynamic analysis.

Malware Analysis Steps
If I find that the file is a Microsoft Word document (.docx), I would need to install Microsoft Word on my analysis machine for further dynamic analysis.

Dynamic Analysis:
Dynamic analysis is performed in order to find the changes the malware makes to the system. The changes can include:
  • file modifications
  • configuration changes (e.g. the registry)
  • network communication
  • process changes: code injection, API hooks
  • mutexes created
  • system code modifications (kernel-level API hooks and data structure modifications)


Reverse Engineering:
Reverse engineering is performed when it is hard to conclude from dynamic analysis. Malware may not execute completely if it detects a virtual machine environment (armoring), so we won't get conclusive results from dynamic analysis. In this case reverse engineering is performed to locate the code that detects virtual machines and patch it so that the malware executes. Reverse engineering has many other purposes:

  • Finding out the algorithms used by malware
  • Writing better antivirus signatures
  • Finding out more secrets in the malware, like similarity with existing malware used in some attack

Malware Analysis Training:
All the topics are covered in detail in my training. Apart from this, malware detection is also included in the training. Contact me at abhijit.mohanta.15.08@gmail.com for training.

Friday, March 3, 2017

Unpacking Malware in minutes

Many tricks can be devised to unpack malware. This trick is applicable to malware that overwrites its image header while unpacking.
Sample used:
sha256: 320fe97d257b99edb4089daea01fce31a13eabaa850ccae9e8b7e59342cb31c7
md5: dca9106dc8556f9a15d7e18b4fad5d44
The sample is packed with the Armadillo packer. Let's check the PE header of the packed file. You can use tools like CFF Explorer, Hiew and many others.








Fig: PE header, entry point 0x1D16

Now load the file in OllyDbg.
Place a breakpoint on ExitProcess().
Press F9 to run. Allow the sample to execute until it hits ExitProcess so that it unpacks; the breakpoint keeps the unpacked image in memory instead of letting the process exit. You can check the memory strings in Process Explorer to see whether the sample has unpacked: you will see strings that were not visible in the file on disk.
















Fig: memory string in process Explorer

Now dump the header from memory. I have used Process Hacker for the purpose; other tools can also be used.








Fig: Process Hacker, dump header from memory

Now look at the entry point in the dumped header.








Fig: dumped header, EP 0x4C00

The image base of the process when loaded in Olly is 0x400000.
Restart OllyDbg and set a hardware breakpoint on execute at 0x404C00 (image base + RVA of the EP in the unpacked header: 0x400000 + 0x4C00).









Fig: ollydbg set hardware breakpoint on expected OEP

Now press F9 to run.
Bam! You land at the actual OEP. You can see meaningful code at that point.









Fig: OllyDbg breaks at OEP

Now you can dump the unpacked file and analyse it. OllyDumpEx is one of the best options for dumping; if you use it you need not fix the imports.
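As an added example (not the post's own code), here is a Python PE header reader that does what the steps above and the Hiew post do by hand: it reads the entry point RVA and image base (Hiew's F8 header view), tells PE32 from PE32+ (the 32-bit versus 64-bit check in the Simplifying Malware Analysis post), computes the entry point's virtual address (image base + RVA, the breakpoint address above) and translates an RVA to a file offset through the section table (Hiew's Alt+F1 switch). The PE it parses is constructed inside the script by build_sample_pe, not the Armadillo sample from the post; the values 0x1D16 and 0x4C00 are the entry points shown in the figures above, and the section layout is made up.

```python
# Added example: minimal PE header parser (PE32 and PE32+) with RVA -> file
# offset translation. build_sample_pe() constructs a toy PE for the demo;
# parse_pe() works on the raw bytes of any PE file or dumped header.
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def rva_to_offset(rva, sections):
    """Relative virtual address -> file offset (the Alt+F1 translation in Hiew)."""
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= rva < s["va"] + span:
            return rva - s["va"] + s["rawptr"]
    first_va = min(s["va"] for s in sections) if sections else 0
    if rva < first_va:
        return rva          # headers are mapped 1:1
    return None             # not backed by the file (e.g. .bss or unpacked data)


def parse_pe(blob):
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    is_64 = magic == 0x20B                       # PE32+ ; 0x10B is PE32
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    # ImageBase sits at +28 (4 bytes) in PE32 and at +24 (8 bytes) in PE32+
    image_base = (struct.unpack_from("<Q", blob, opt + 24)[0] if is_64
                  else struct.unpack_from("<I", blob, opt + 28)[0])
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "characteristics": chars})
    return {"machine": machine, "is_64": is_64, "image_base": image_base,
            "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
            "entry_file_offset": rva_to_offset(entry_rva, sections),
            "sections": sections}


def expected_oep(image_base, unpacked_entry_rva):
    """Where to put the hardware breakpoint: image base + EP RVA of the dumped header."""
    return image_base + unpacked_entry_rva


def build_sample_pe(entry_rva=0x1D16):
    """Constructed PE32 (i386, two sections), just enough header to exercise parse_pe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                       # FileAlignment
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    blob = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data
    return blob + b"\0" * (0x800 - len(blob))


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("PE32+" if pe["is_64"] else "PE32",
          "entry RVA %#x, VA %#x, file offset %#x"
          % (pe["entry_rva"], pe["entry_va"], pe["entry_file_offset"]))
    print("OEP breakpoint for unpacked EP 0x4C00: %#x" % expected_oep(pe["image_base"], 0x4C00))
```

Feed parse_pe the bytes of the header dumped from memory and it returns the unpacked entry point directly; note that rva_to_offset returns None for an RVA that no section on disk backs, which is exactly the situation with code that exists only after unpacking.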
Hope this helps .

Saturday, October 4, 2014

Dynamic Automatic Unpacking for RunPE,Process Hollowing Malware(winappdbg)

 

The code shows simple usage of winappdbg. The same can be implemented in other debuggers such as PyDbg.

Process Hollowing, RunPE and Process Forking are more or less different names for the same technique. In this method malware creates a process in suspended mode, injects a decrypted PE into the suspended process and then executes it.

There are lots of POCs for process hollowing on the internet.

One of the methods is as follows:

1)Process Created in Suspended mode

2)Call to GetThreadContext

3)Call VirtualAlloc and copy unpacked PE to it

4)Call WriteProcessMemory to write the decrypted PE to suspended process

5)Call SetThreadContext

6) Call to ResumeThread

My objective is to dump the unpacked PE from step 3 to disk, by catching the source buffer passed to WriteProcessMemory in step 4.

Following is the code. It is just crude code: I have not done any validation or error checking, and I have used some code available on the internet. Feel free to modify it.

NOTE: This won't work for all types of process hollowing (for instance when the buffer passed to WriteProcessMemory is not the base of an allocated region).

CODE:

# please pass the absolute path of the file to be unpacked
# 32-bit targets only: arguments are read as DWORDs from the stack (stdcall).
from __future__ import print_function
from winappdbg import Debug, EventHandler, Process

DUMP_PATH = "C:/unpacked.bin"


def process_read(pid, address, length):
    # Read `length` bytes of the target process memory starting at `address`.
    process = Process(pid)
    return process.read(address, length)


def action_WriteProcessMemoryW(event):
    # Runs when WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize,
    # lpNumberOfBytesWritten) is called. On x86 stdcall the stack holds
    # [0] return address, [1] hProcess, [2] lpBaseAddress, [3] lpBuffer, ...
    pid = event.get_pid()
    stack = event.get_thread().read_stack_dwords(6)
    bufferAddr = stack[3]  # lpBuffer: the source buffer holding the decrypted PE
    print("WriteProcessMemory source buffer: %#x" % bufferAddr)

    process = Process(pid)
    # Find the region whose base address is the source buffer (the block
    # allocated with VirtualAlloc in step 3) and dump the whole region.
    for mbi in process.get_memory_map():
        if mbi.BaseAddress == bufferAddr:
            print("dumping region base=%#x size=%#x" % (mbi.BaseAddress, mbi.RegionSize))
            data = process_read(pid, mbi.BaseAddress, mbi.RegionSize)
            with open(DUMP_PATH, "wb") as fo:   # binary mode: the dump is a PE image
                fo.write(data)
            break
    else:
        print("buffer %#x is not the base of a region; nothing dumped" % bufferAddr)


def action_CreateProcessW(event):
    # Breakpoint on CreateProcessW: log the call that creates the suspended
    # host process (step 1).
    print("CreateProcessW called in pid %d" % event.get_pid())


class MyEventHandler(EventHandler):

    def load_dll(self, event):
        module = event.get_module()
        # Once kernel32.dll is mapped, resolve the two APIs and hook them.
        if module.match_name("kernel32.dll"):
            pid = event.get_pid()
            addressCPW = module.resolve("CreateProcessW")
            addressWPM = module.resolve("WriteProcessMemory")
            # break_at: persistent breakpoint; stalk_at: one-shot breakpoint,
            # so only the first WriteProcessMemory call is dumped.
            event.debug.break_at(pid, addressCPW, action_CreateProcessW)
            event.debug.stalk_at(pid, addressWPM, action_WriteProcessMemoryW)


def simple_debugger(argv):
    # Instance a Debug object, passing it the MyEventHandler instance
    debug = Debug(MyEventHandler())
    try:
        debug.execv(argv)
        debug.loop()
    finally:
        # Stop the debugger
        debug.stop()


# When invoked from the command line, the first argument is the executable
# that needs to be unpacked (absolute path) and the remaining arguments are
# passed to the newly created process.
if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("usage: %s <absolute path to packed exe> [args...]" % sys.argv[0])
        sys.exit(1)
    simple_debugger(sys.argv[1:])