Fairytale
by Marion Marschalek, 23 December 2013

Transcript of Fairytale

The BIG Evil
A Malware Reverser's Fairytale
Marion Marschalek @pinkflawd
IKARUS Security Software
hack.lu 2013

Outline
Malware Fairytale
How The Story Began
My Favorite Piece Of Malware
Anti-Analysis
The Big Bad Wolf: MSVC++ SEH
Into The Unknown with C++
The Magic Multi-Threaded Labyrinth
Trolls & Junk & Obfuscation
Analysts' Headaches
Once upon a time...
An Asian, multi-threaded, non-polymorphic, file-infecting spy-bot.

Old-School File Infector
Picky selection, infection, re-infection.

Filter Function
stop! when Qihoo360 or Rising AV running
exclude! when process name contains
- netthief
- visual studio
- world of warcraft, ...
Now.. What does that mean?

Startup & Instance Management (flowchart)
START
File infected?
  yes: start original binary
    Malware running?
      yes: terminate happily
      no: start malware
  no: Malware running?
    no: start malware
    yes: New version?
      no: terminate happily
      yes: disinfect, start new malware
Summary of a Crash Course on the Depths of Win32 Structured Exception Handling
Long live Matt Pietrek!

The handler chain (figure): the TIB slot at FS:[0] holds an EXCEPTION_REGISTRATION*,
the head of a singly linked list of records that live on the stack.

EXCEPTION_REGISTRATION
  +0  Previous Pointer         (next EXCEPTION_REGISTRATION; 0xFFFFFFFF = End of List)
  +4  Callback Handler Pointer (except_handler)

TIB (FS:[0]) -> Exception Registration -> Exception Registration -> Exception Registration -> 0xFFFFFFFF (End of List)

except_handler (...)
{
    // Handler Code
}

Registering a handler (push the new record, link it in front of the old head):
push    offset _except_handler
mov     eax, large fs:0
push    eax
mov     large fs:0, esp

A handler gets the saved CONTEXT and may rewrite it before execution resumes:
CONTEXT.EIP = wonderland
EH-Registration for Reversers: Visual C++ Exception Handling
On top of SEH
Every function with EH state gets one dedicated, compiler-generated handler
These all call into _CxxFrameHandler
The FuncInfo data structure says what to do (unwind map, try-block map, catch handlers)
The handler defines where to continue
Back to my beloved Malware ...

Trolls, Junk & Obfuscation
Analysts' Headaches

Registration Sequence
Exception -> Compiler Generated Handler -> User Generated Handler -> New Entry Point
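The SEH chain and the registration sequence above, modeled in plain C++ as an added example (this is not code from the talk or from the malware). The FS:[0] slot becomes a global pointer and the dispatcher is a simplified imitation of the chain walk ntdll performs, so it runs on any platform; the record layout, the 0xFFFFFFFF end marker and the disposition names mirror Win32. The "wonderland" address 0x0040F000, the faulting Eip and the access-violation code used as the trigger are assumptions for the model.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Model of the Win32 SEH chain drawn on the slides: FS:[0] -> EXCEPTION_REGISTRATION
// -> ... -> 0xFFFFFFFF. Added example, not the talk's or the malware's code. The
// dispatcher imitates ntdll's chain walk in simplified form; names mirror Win32.

enum Disposition { ExceptionContinueExecution = 0, ExceptionContinueSearch = 1 };

struct Context { uint32_t Eip; };              // stands in for CONTEXT.Eip
struct ExceptionRecord { uint32_t code; };     // stands in for EXCEPTION_RECORD.ExceptionCode

struct ExceptionRegistration;
typedef Disposition (*Handler)(ExceptionRecord*, ExceptionRegistration*, Context*);

struct ExceptionRegistration {
    ExceptionRegistration* prev;   // offset 0: "Previous Pointer"
    Handler handler;               // offset 4: "Callback Handler Pointer"
};

static ExceptionRegistration* const END_OF_LIST =
    reinterpret_cast<ExceptionRegistration*>(uintptr_t(0xFFFFFFFFu));

static ExceptionRegistration* g_fs0 = END_OF_LIST;     // this thread's FS:[0]
static std::vector<std::string> g_trace;               // which handlers ran, in order

// push offset handler / mov eax, fs:0 / push eax / mov fs:0, esp
static void register_handler(ExceptionRegistration* frame, Handler h) {
    frame->handler = h;
    frame->prev = g_fs0;
    g_fs0 = frame;
}
// the matching epilogue: drop the frame and restore the previous link into FS:[0]
static void unregister_handler(ExceptionRegistration* frame) { g_fs0 = frame->prev; }

// Walk the chain from FS:[0] to 0xFFFFFFFF. The first handler that answers
// ExceptionContinueExecution wins and execution resumes at the (possibly
// rewritten) CONTEXT.Eip. Returns that Eip, or 0 when no handler took it.
static uint32_t dispatch_exception(uint32_t code, Context* ctx) {
    ExceptionRecord rec = {code};
    for (ExceptionRegistration* f = g_fs0; f != END_OF_LIST; f = f->prev)
        if (f->handler(&rec, f, ctx) == ExceptionContinueExecution) return ctx->Eip;
    return 0;
}

// Compiler-generated handler (think of the thunk into _CxxFrameHandler): the
// function's FuncInfo has no matching catch, so it lets the search continue.
static Disposition compiler_handler(ExceptionRecord*, ExceptionRegistration*, Context*) {
    g_trace.push_back("compiler_handler");
    return ExceptionContinueSearch;
}

// User-registered handler: the anti-analysis trick. It does not repair the fault,
// it rewrites CONTEXT.Eip so execution "resumes" at a new entry point.
static const uint32_t WONDERLAND = 0x0040F000u;        // assumed address for the model
static Disposition user_handler(ExceptionRecord* rec, ExceptionRegistration*, Context* ctx) {
    g_trace.push_back("user_handler");
    if (rec->code != 0xC0000005u) return ExceptionContinueSearch;  // only the deliberate AV
    ctx->Eip = WONDERLAND;
    return ExceptionContinueExecution;
}

// The slide's registration sequence: Exception -> Compiler Generated Handler ->
// User Generated Handler -> New Entry Point. The user frame sits deeper in the
// chain, so the compiler's frame is asked first and declines.
static uint32_t run_deliberate_exception(void) {
    g_trace.clear();
    ExceptionRegistration user_frame, compiler_frame;
    register_handler(&user_frame, user_handler);
    register_handler(&compiler_frame, compiler_handler);

    Context ctx = {0x00401000u};                                   // assumed faulting Eip
    uint32_t resume_at = dispatch_exception(0xC0000005u, &ctx);    // the deliberate access violation

    unregister_handler(&compiler_frame);
    unregister_handler(&user_frame);
    return resume_at;
}

int main(void) {
    uint32_t eip = run_deliberate_exception();
    for (const std::string& s : g_trace) std::printf("handler called: %s\n", s.c_str());
    std::printf("execution resumes at CONTEXT.EIP = 0x%08X\n", eip);
    Context ctx = {0x00401000u};
    std::printf("empty chain -> unhandled (0): %u\n", dispatch_exception(0xC0000005u, &ctx));
    return 0;
}
```

For the analyst the useful part is the walk order: whatever was linked in last is asked first, so a breakpoint on the user handler alone misses the compiler-generated frame that declined just before it, and the new entry point only shows up as the value written into the context, never as a direct branch.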
Opaque Predicates
1==2 (always false):
  true branch:  JUNK, KNUJ, JKNU, UKNJ, F*U (never executed)
  false branch: Program Code ... retn

Slightly Obfuscated Opaque Predicates
.text:0040F2E3 mov     [esp+7Ch+var_78], ecx
.text:0040F2ED lea     eax, [esp+7Ch+var_78]
.text:0040F2F1 lea     ecx, [esp+7Ch+var_78]
.text:0040F2F5 imul    eax, ecx
.text:0040F2F8 lea     edx, [esp+7Ch+var_78]
.text:0040F2FC lea     ecx, [esp+7Ch+var_78]
.text:0040F301 sub     edx, ecx
.text:0040F305 cmp     edx, eax
.text:0040F312 jnz     short loc_40F35A

Reading it: eax and ecx both hold the address p of the same stack slot, so eax = p*p and edx = p - p = 0. edx never equals eax, the jnz is always taken, and the fall-through code is junk. The one exception is arithmetic, not logic: p*p wraps to 0 when p is a multiple of 0x10000 (a 64 KiB aligned slot), which is why such predicates are better confirmed than assumed.
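An added example, not code from the talk: a small abstract evaluator in C++ that takes the listing above (embedded as constructed input) and decides the jnz without running the sample. It tracks only what the predicate needs, namely constants, "address of slot X" and "square of that address", and keeps the concrete 32-bit semantics of the sequence alongside so the 64 KiB alignment caveat can be checked. The instruction subset, the Val lattice and the verdict format are my own choices.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <regex>
#include <string>
#include <vector>

// Added example, not code from the talk: a small abstract evaluator for the few
// instructions in the slide's listing. A register holds one of four things:
// nothing known, a constant, the address of a named stack slot (value unknown,
// but the same slot always yields the same address), or the square of such an
// address. That is enough to decide the jnz before the sample ever runs.
struct Val {
    enum Kind { Unknown, Const, Addr, AddrSquared } kind;
    uint32_t c;         // Const: the value
    std::string slot;   // Addr / AddrSquared: the stack slot, e.g. "[esp+7Ch+var_78]"
};
static Val unknown()                  { return Val{Val::Unknown, 0, ""}; }
static Val konst(uint32_t v)          { return Val{Val::Const, v, ""}; }
static Val addr(const std::string& s) { return Val{Val::Addr, 0, s}; }

static std::string trim(const std::string& s) {
    size_t a = s.find_first_not_of(" \t"), b = s.find_last_not_of(" \t");
    return a == std::string::npos ? "" : s.substr(a, b - a + 1);
}

// Runs over IDA-style lines and returns a verdict for the first conditional jump.
static std::string analyze_listing(const std::vector<std::string>& lines) {
    std::map<std::string, Val> reg;
    int zf = -1;                                   // -1 unknown, 0 clear, 1 set
    std::regex insn("^\\.text:([0-9A-Fa-f]+)\\s+(\\w+)\\s*(.*)$");
    for (const std::string& line : lines) {
        std::smatch m;
        if (!std::regex_match(line, m, insn)) continue;
        std::string at = m[1].str(), op = m[2].str(), rest = m[3].str();
        size_t comma = rest.find(',');
        std::string dst = trim(rest.substr(0, comma));
        std::string src = comma == std::string::npos ? "" : trim(rest.substr(comma + 1));
        if (op == "lea") {
            reg[dst] = addr(src);                  // address of the slot: unknown but fixed
        } else if (op == "mov") {
            if (!dst.empty() && dst[0] == '[') continue;   // store: no register changes
            reg[dst] = reg.count(src) ? reg[src] : unknown();
        } else if (op == "imul" || op == "sub") {
            Val a = reg[dst], b = reg[src];
            bool same_slot = a.kind == Val::Addr && b.kind == Val::Addr && a.slot == b.slot;
            if (a.kind == Val::Const && b.kind == Val::Const)
                reg[dst] = konst(op == "sub" ? a.c - b.c : a.c * b.c);
            else if (same_slot && op == "sub")
                reg[dst] = konst(0);               // p - p == 0 for every p
            else if (same_slot)
                reg[dst] = Val{Val::AddrSquared, 0, a.slot};   // p * p
            else
                reg[dst] = unknown();
        } else if (op == "cmp") {
            Val a = reg[dst], b = reg[src];
            bool zero_vs_square = (a.kind == Val::Const && a.c == 0 && b.kind == Val::AddrSquared) ||
                                  (b.kind == Val::Const && b.c == 0 && a.kind == Val::AddrSquared);
            if (a.kind == Val::Const && b.kind == Val::Const) zf = (a.c == b.c);
            else if (zero_vs_square) zf = 0;       // assumes p*p does not wrap to 0 (see jnz_taken)
            else zf = -1;
        } else if (op == "jnz" || op == "jz") {
            if (dst.compare(0, 6, "short ") == 0) dst.erase(0, 6);
            if (zf < 0) return at + ": " + op + " depends on runtime values";
            bool taken = (op == "jnz") ? zf == 0 : zf == 1;
            return at + ": " + op + (taken ? " always taken -> " : " never taken, falls through past ") + dst;
        }
    }
    return "no conditional jump found";
}

// Concrete 32-bit semantics of the same sequence for one slot address p: true when
// the jnz is taken. p*p wraps to 0 exactly when p is a multiple of 0x10000, the one
// case the abstract rule above ignores.
static bool jnz_taken(uint32_t p) {
    uint32_t eax = p * p;      // imul eax, ecx
    uint32_t edx = p - p;      // sub  edx, ecx
    return edx != eax;         // cmp edx, eax ; jnz
}

// The listing from the slide, embedded as constructed input.
static const std::vector<std::string> kListing = {
    ".text:0040F2E3 mov     [esp+7Ch+var_78], ecx",
    ".text:0040F2ED lea     eax, [esp+7Ch+var_78]",
    ".text:0040F2F1 lea     ecx, [esp+7Ch+var_78]",
    ".text:0040F2F5 imul    eax, ecx",
    ".text:0040F2F8 lea     edx, [esp+7Ch+var_78]",
    ".text:0040F2FC lea     ecx, [esp+7Ch+var_78]",
    ".text:0040F301 sub     edx, ecx",
    ".text:0040F305 cmp     edx, eax",
    ".text:0040F312 jnz     short loc_40F35A",
};

int main(void) {
    std::printf("%s\n", analyze_listing(kListing).c_str());
    std::printf("p=0x0012FF00: jnz %s\n", jnz_taken(0x0012FF00u) ? "taken" : "not taken");
    std::printf("p=0x00130000: jnz %s (64 KiB aligned slot)\n", jnz_taken(0x00130000u) ? "taken" : "not taken");
    return 0;
}
```

The abstract pass is what an analyst wants as an IDA or Binary Ninja script: it marks the fall-through as dead without emulating anything. The concrete function is the sanity check that keeps it honest; the same sequence is only "opaque" because stack slots are practically never 64 KiB aligned.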
How To Get There
1. Realize there are multiple threads that you have to follow
2. Spot inter-thread communication & synchronization
3. Analyze function bodies with significant functionality
4. Work out what information is exchanged between threads and how one thread influences the other
C++
Multiple inheritance
Indirect calls
Binary overhead for "glue code"
Non-linear code
Little documentation for reversers
Special thanks to Igor Skochinsky & OpenRCE
class A
{
    int a1;
public:
    virtual int A_virt1();
    virtual int A_virt2();
    static void A_static1();
    void A_simple1();
};

class B
{
    int b1;
    int b2;
public:
    virtual int B_virt1();
    virtual int B_virt2();
};

class C: public A, public B
{
    int c1;
public:
    virtual int A_virt2();
    virtual int B_virt2();
};
Object and vftable layouts as MSVC reports them for a 32-bit build (vfptr = 4 bytes):

class A size(8):
  +---
 0 | {vfptr}
 4 | a1
  +---

class B size(12):
  +---
 0 | {vfptr}
 4 | b1
 8 | b2
  +---

class C size(24):
  +---
  | +--- (base class A)
 0 | | {vfptr}
 4 | | a1
  | +---
  | +--- (base class B)
 8 | | {vfptr}
12 | | b1
16 | | b2
  | +---
20 | c1
  +---

A's vftable:
 0 | &A::A_virt1
 4 | &A::A_virt2

B's vftable:
 0 | &B::B_virt1
 4 | &B::B_virt2

C's vftable for A:
 0 | &A::A_virt1
 4 | &C::A_virt2

C's vftable for B:
 0 | &B::B_virt1
 4 | &C::B_virt2
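The three classes above, compiled and probed at runtime as an added example (not code from the talk or the malware; the declarations follow Skochinsky's article, the member bodies and the constants they return are mine). Absolute offsets differ from the 32-bit MSVC picture above on a 64-bit GCC/Clang build, but the shape a reverser has to recognise is the same: one vfptr per polymorphic base, the B subobject at a nonzero offset inside C, and a "this" adjustment on every call through a B* that really points into a C. Reading the vfptr through a pointer cast is an ABI assumption shared by MSVC and the Itanium ABI, not portable C++.

```cpp
#include <cstddef>
#include <cstdio>

// Added example, not the talk's or the malware's code: the slide's three classes,
// compiled and probed. Absolute offsets differ from the 32-bit MSVC picture (a
// vfptr is 8 bytes on a 64-bit build, GCC/Clang follow the Itanium ABI), the
// structure does not: one vfptr per polymorphic base, B at a nonzero offset in C,
// and a "this" adjustment on every B-interface call that lands in a C method.

class A {
    int a1;
public:
    A() : a1(1) {}
    virtual int A_virt1() { return 10; }
    virtual int A_virt2() { return 20; }
    static void A_static1() {}
    void A_simple1() {}
};
class B {
    int b1, b2;
public:
    B() : b1(2), b2(3) {}
    virtual int B_virt1() { return 100; }
    virtual int B_virt2() { return 200; }
};
class C : public A, public B {
    int c1;
public:
    C() : c1(4) {}
    int A_virt2() override { return 20 + c1; }    // lands in "C's vftable for A"
    int B_virt2() override { return 200 + c1; }   // lands in "C's vftable for B"; reading c1
};                                                // only works once "this" is adjusted back to the C

// Offset the compiler adds when converting C* to B* (the "glue code" on the slide).
static size_t b_subobject_offset() {
    C c;
    return static_cast<size_t>(reinterpret_cast<char*>(static_cast<B*>(&c)) - reinterpret_cast<char*>(&c));
}
static size_t a_subobject_offset() {
    C c;
    return static_cast<size_t>(reinterpret_cast<char*>(static_cast<A*>(&c)) - reinterpret_cast<char*>(&c));
}

// The vfptr sits at the start of each polymorphic subobject (ABI assumption), so a
// C carries two different ones: C's vftable for A and C's vftable for B.
static bool c_has_two_vfptrs() {
    C c;
    void* vf_for_a = *reinterpret_cast<void**>(static_cast<A*>(&c));
    void* vf_for_b = *reinterpret_cast<void**>(static_cast<B*>(&c));
    return vf_for_a != vf_for_b;
}

// Indirect calls: the slot is chosen by the static type (B's second slot), the
// function that runs by the dynamic type (C::B_virt2 through C's vftable for B).
static int call_B_virt2(B* b) { return b->B_virt2(); }
static int call_A_virt2(A* a) { return a->A_virt2(); }

// What a reverser sees when the bot hands a C around as a B*: the pointer the
// callee receives is not the object's start, and the override still reads c1.
static int dispatch_c_as_b() { C c; return call_B_virt2(&c); }
static int dispatch_c_as_a() { C c; return call_A_virt2(&c); }
static int dispatch_plain_b() { B b; return call_B_virt2(&b); }

int main(void) {
    std::printf("sizeof(A)=%zu sizeof(B)=%zu sizeof(C)=%zu\n", sizeof(A), sizeof(B), sizeof(C));
    std::printf("A subobject at +%zu, B subobject at +%zu\n", a_subobject_offset(), b_subobject_offset());
    std::printf("two vfptrs in C: %s\n", c_has_two_vfptrs() ? "yes" : "no");
    std::printf("B* -> C::B_virt2 = %d, A* -> C::A_virt2 = %d, plain B::B_virt2 = %d\n",
                dispatch_c_as_b(), dispatch_c_as_a(), dispatch_plain_b());
    return 0;
}
```

Compile with -O0 and step through call_B_virt2 to see the "non-linear code" from the slide: the call goes through the second slot of whatever vftable the B* points at, and when the object is a C that slot holds an adjustor thunk that subtracts the B offset from this before jumping to C::B_virt2.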
Bot command dispatch: 23 commands, 23 cross references
Per command: memory allocation, instantiation (constructor, base class constructor), virtual function call
Command: move_file
DIY Links

Thomas Dullien's blog & the malware
http://addxorrol.blogspot.co.at

Igor Skochinsky
http://www.hexblog.com/wp-content/uploads/2012/06/Recon-2012-Skochinsky-Compiler-Internals.pdf
http://www.openrce.org/articles/full_view/21
http://www.openrce.org/articles/full_view/23

Matt Pietrek
http://www.microsoft.com/msj/0197/Exception/Exception.aspx

Mark Yason & Paul Sabanal
http://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf

Vishal Kochhar
http://www.codeproject.com/Articles/2126/How-a-C-compiler-implements-exception-handling?display=Print

Selvam
http://www.codeproject.com/Articles/7953/Thread-Synchronization-for-Beginners

Josh Haberman
http://blog.reverberate.org/2013/05/deep-wizardry-stack-unwinding.html

Ilfak Guilfanov
http://www.hexblog.com/?p=19
In Practice: Back To The Bot
Bot Internals In Small Pieces

me
Marion Marschalek
Malware Analyst
Reverse Engineering Hobbyist
Nut Cracker by Heart
Full-Contact Martial Artist
A Fairytale in 5 Acts
1. Oh.. Anti-Analysis!
2. Oh.. It's Multi-Threaded!
3. Oh.. It's a File-Infector!
4. Crap.. Timing Defense, C++, Virtual Function Calls, Junk Code, Headache
5. HOORAY.. Got to the Core Functionality!!
Anti-Analysis at a Glance
- Deliberate Exceptions
- Simulator Check
- Junk Code
- String Obfuscation
- Jump Table for APIs
- Timing Defense
- Multiple Threads
- Virtual Function Calls
Green Branch to rule them all!
Twitter @pinkflawd
Back To Business: C&C Command Switching
Fairy Tale's Happy Ending
Control: self_terminate, system_shutdown, shell_execute
Multimedia: gdi_capture_window, gdi_screenshot
File System: list_directory, copy_files, delete_files, rename_files
Disinfection: check_fingerprint
Happy Ending
Thank you,
Igor & OpenRCE!