DEFCON21 (Thorny Malware)

by Marion Marschalek, 28 July 2013


Transcript of DEFCON21 (Thorny Malware)

A Thorny Piece of Malware (And Me)

A Talk about Exception Handlers, VFTables, Multi-Threading and other Nastiness
Marion Marschalek @pinkflawd
IKARUS Security Software
DEFCON21

My Favorite Piece of Malware

Outline
- Malware Overview
- Fancy Fun Facts
- Anti-Analysis: Exceptions for Fun & Profit
- C++ or: Function Calls to Nirvana
- Thread Me to Hell
- Auto-Junk & Obfuscation
- Analysts' Headaches
What is it?
Fancy Fun Facts: an Asian, multi-threaded, non-polymorphic, file-infecting spy-bot.
Old-School File Infector: picky selection, infection, re-infection.

Filter Function:
- when Qihoo360 or Rising AV running: stop!
- when process name contains netthief, visual studio, world of warcraft, ...: exclude!

Now.. What does that mean?
Startup & Instance Management (flowchart):
START -> File infected?
  -> Start original binary -> Malware running? -> Terminate happily / Start malware
  -> Malware running? -> Start malware / New version? -> Disinfect, Terminate happily / Start new malware
Summary of a Crash Course on the Depths of Win32 Structured Exception Handling
Long live Matt Pietrek!

TIB (FS:[0]) holds an EXCEPTION_REGISTRATION*, the head of a linked list of registration records:
  Exception Registration: Callback Handler Pointer | Previous Pointer
  Exception Registration: Callback Handler Pointer | Previous Pointer
  Exception Registration: Callback Handler Pointer | Previous Pointer
  End of List: 0xFFFFFFFF
except_handler (...)
{
    // Handler Code
}

push offset _except_handler
mov eax, large fs:0
push eax
mov large fs:0, esp

CONTEXT.EIP = wonderland
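The registration sequence and the "CONTEXT.EIP = wonderland" redirection above can be modelled in a few dozen lines, which is how I like to explain the chain walk to newcomers. The following is an added example, not code from the talk or from the malware: it keeps a global pointer in place of the fs:[0] slot, a two-pointer record in place of EXCEPTION_REGISTRATION, and a struct with a function pointer in place of the real CONTEXT. The handler, dispatcher and entry-point names are mine; the disposition values 0 and 1 are the real EXCEPTION_DISPOSITION values for "continue execution" and "continue search".

```cpp
#include <cstdint>
#include <cstdio>

// Model of the SEH chain from the slides. The names and the fake CONTEXT are
// assumptions for this example; nothing here touches the real TIB or fs:[0].
using Continuation = int (*)();              // stands in for CONTEXT.EIP
struct Context { Continuation eip; };

// Real EXCEPTION_DISPOSITION values: 0 = continue execution, 1 = keep walking the chain
enum Disposition { ExceptionContinueExecution = 0, ExceptionContinueSearch = 1 };

struct ExceptionRegistration;
using Handler = Disposition (*)(Context*);

// The two-pointer record the registration sequence pushes onto the stack
struct ExceptionRegistration {
    ExceptionRegistration* prev;   // "Previous Pointer"
    Handler handler;               // "Callback Handler Pointer"
};

// End-of-list marker: 0xFFFFFFFF on 32-bit Windows; all-ones pointer so it builds on 64-bit too
static ExceptionRegistration* const kEndOfList =
    reinterpret_cast<ExceptionRegistration*>(~static_cast<uintptr_t>(0));

// Stand-in for the list head stored at fs:[0]
static ExceptionRegistration* g_fs0 = kEndOfList;

// push offset _except_handler / mov eax, fs:0 / push eax / mov fs:0, esp
void register_handler(ExceptionRegistration* reg, Handler h) {
    reg->handler = h;
    reg->prev = g_fs0;
    g_fs0 = reg;
}

// The matching teardown (mov eax, [esp] / mov fs:0, eax / add esp, 8 in real code)
void unregister_handler() {
    if (g_fs0 != kEndOfList) g_fs0 = g_fs0->prev;
}

// Dispatcher: walk the chain from fs:[0] toward the end-of-list marker. The first
// handler that answers ContinueExecution wins and control "resumes" at ctx.eip.
// Returns the continuation's result, or -1 if no handler claimed the exception.
int raise_exception(Context ctx) {
    for (ExceptionRegistration* r = g_fs0; r != kEndOfList; r = r->prev) {
        if (r->handler(&ctx) == ExceptionContinueExecution) return ctx.eip();
    }
    return -1;
}

int wonderland()  { return 42; }   // the "new entry point" the handler redirects to
int normal_path() { return 0;  }   // where execution would have resumed otherwise

// The trick from the slides: the handler overwrites CONTEXT.EIP, so the bytes after
// the faulting instruction are never executed and real flow continues elsewhere.
Disposition redirecting_handler(Context* ctx) {
    ctx->eip = wonderland;
    return ExceptionContinueExecution;
}

// A handler that declines, so the dispatcher moves on to the previous registration
Disposition passive_handler(Context*) { return ExceptionContinueSearch; }

// Register two frames (the inner one ends up first in the chain), raise, unwind both.
int run_with_chain() {
    ExceptionRegistration outer, inner;
    register_handler(&outer, redirecting_handler);
    register_handler(&inner, passive_handler);
    int resumed_at = raise_exception(Context{normal_path});
    unregister_handler();
    unregister_handler();
    return resumed_at;   // 42: execution went to wonderland, not normal_path
}

bool chain_is_empty() { return g_fs0 == kEndOfList; }

int main() {
    std::printf("resumed with result %d\n", run_with_chain());
    std::printf("chain empty after unwind: %s\n", chain_is_empty() ? "yes" : "no");
    return 0;
}
```

When tracing a real sample, the analogue of raise_exception is the kernel's dispatcher calling each handler in turn; the analyst's job is to find which registration record the malware's own handler sits in and what it writes into the CONTEXT before returning 0.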
EH-Registration for Reversers: Visual C++ Exception Handling
- Built on top of SEH
- Every function has one dedicated EH
- These call into _CxxFrameHandler
- The FuncInfo data structure says what to do
- The handler defines where to continue
Back to my beloved Malware ...
Anti-Analysis: Auto Junk Code (Analysts' Headaches)

Registration Sequence -> Exception -> Compiler Generated Handler -> User Generated Handler -> New Entry Point

Opaque Predicates (1==2):
  JUNK / KNUJ / JKNU / UKNJ / F*U
  Program Code
  .
  .
  .
  retn
Slightly Obfuscated Opaque Predicates:

.text:0040F2E3 mov  [esp+7Ch+var_78], ecx
.text:0040F2ED lea  eax, [esp+7Ch+var_78]
.text:0040F2F1 lea  ecx, [esp+7Ch+var_78]
.text:0040F2F5 imul eax, ecx
.text:0040F2F8 lea  edx, [esp+7Ch+var_78]
.text:0040F2FC lea  ecx, [esp+7Ch+var_78]
.text:0040F301 sub  edx, ecx
.text:0040F305 cmp  edx, eax
.text:0040F312 jnz  short loc_40F35A

Green Branch for President!
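To see why the jnz is the "green branch", it helps to write the register semantics down. The following is an added example, not code from the talk: it models the listing's 32-bit arithmetic on the address that lea loads (var_78 is IDA's name for the slot at [esp-0x78], so esp+7Ch+var_78 resolves to esp+4; that reading and the function names are my assumptions). It also scans a range of stack pointer values to show the one case where the predicate is not opaque: eax is zero only when the address squared is 0 mod 2^32, i.e. when the address is a multiple of 0x10000.

```cpp
#include <cstdint>
#include <cstdio>

// 32-bit register model of the listing (my reading of it, not code from the talk):
//   lea eax, [esp+4] ; lea ecx, [esp+4] ; imul eax, ecx   -> eax = p * p (low 32 bits)
//   lea edx, [esp+4] ; lea ecx, [esp+4] ; sub edx, ecx    -> edx = p - p = 0
//   cmp edx, eax ; jnz loc_40F35A
// Returns true when the jump is taken, i.e. when eax != 0.
bool opaque_jnz_taken(uint32_t p) {
    uint32_t eax = p * p;     // imul r32 keeps only the low 32 bits
    uint32_t edx = p - p;     // always 0
    return edx != eax;
}

// Resolve the operand the way IDA shows it: esp + 0x7C + var_78, with var_78 = -0x78
uint32_t stack_operand(uint32_t esp) { return esp + 0x7C - 0x78; }

// Count how many stack pointer values in [lo, hi), stepping by `step`, make the
// branch fall through. That happens only when esp+4 is a multiple of 0x10000, so the
// predicate is "opaque" for every realistic ESP but not for literally every value.
uint32_t count_fallthrough(uint32_t lo, uint32_t hi, uint32_t step) {
    uint32_t n = 0;
    for (uint32_t esp = lo; esp < hi; esp += step) {
        if (!opaque_jnz_taken(stack_operand(esp))) ++n;
    }
    return n;
}

int main() {
    // Constructed sample ESP value, typical of a 32-bit user-mode main thread stack
    uint32_t esp = 0x0012FF40;
    std::printf("esp=%08X -> jnz taken: %s\n", esp,
                opaque_jnz_taken(stack_operand(esp)) ? "yes" : "no");
    std::printf("fall-throughs for esp in [0011FFF0, 00130000): %u\n",
                count_fallthrough(0x0011FFF0, 0x00130000, 4));
    return 0;
}
```

The practical takeaway for the analyst is that the fall-through path after the jnz is dead code and can be patched out or ignored when following the real control flow.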
How To Get There
1. Realize there are multiple threads that you have to follow
2. Spot inter-thread communication & synchronization
3. Analyze function bodies with significant functionality
4. Bring down what information is exchanged between threads and how one thread influences the other
C++ (Analysts' Headaches):
- Multiple inheritance
- Indirect calls
- Binary overhead for "glue code"
- Non-linear code
- Little documentation for reversers
Special credits to Igor Skochinski & OpenRCE
class A
{
    int a1;
public:
    virtual int A_virt1();
    virtual int A_virt2();
    static void A_static1();
    void A_simple1();
};

class B
{
    int b1;
    int b2;
public:
    virtual int B_virt1();
    virtual int B_virt2();
};

class C: public A, public B
{
    int c1;
public:
    virtual int A_virt2();
    virtual int B_virt2();
};
class A size(8):
  +---
0 | {vfptr}
4 | a1
  +---

class B size(12):
  +---
0 | {vfptr}
4 | b1
8 | b2
  +---

class C size(24):
   +---
   | +--- (base class A)
 0 | | {vfptr}
 4 | | a1
   | +---
   | +--- (base class B)
 8 | | {vfptr}
12 | | b1
16 | | b2
   | +---
20 | c1
   +---

A's vftable:
0 | &A::A_virt1
4 | &A::A_virt2

B's vftable:
0 | &B::B_virt1
4 | &B::B_virt2

C's vftable for A:
0 | &A::A_virt1
4 | &C::A_virt2

C's vftable for B:
0 | &B::B_virt1
4 | &C::B_virt2
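The layout above can be checked against a compiler rather than taken on faith. The following is an added example, not code from the talk: it compiles the slide's A, B and C with trivial bodies (the return values are mine) and verifies the three facts a reverser relies on when following indirect calls through a multiply inherited object: a C* converted to a B* is adjusted by the size of the A subobject, the two vfptrs inside a C point at two different tables, and a call through the B interface lands in C::B_virt2 while B_virt1 still resolves to B's own code. The 8-byte adjustment in the slide is the 32-bit MSVC value; a 64-bit build shows 16.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// The classes from the slide; bodies and return values are assumptions added so the code links.
class A {
    int a1 = 1;
public:
    virtual int A_virt1() { return a1; }        // 1
    virtual int A_virt2() { return 10 + a1; }   // 11
    static void A_static1() {}
    void A_simple1() {}
};

class B {
    int b1 = 2;
    int b2 = 3;
public:
    virtual int B_virt1() { return b1; }        // 2
    virtual int B_virt2() { return b2; }        // 3
};

class C : public A, public B {
    int c1 = 4;
public:
    int A_virt2() override { return 100 + c1; } // 104, replaces slot 4 of C's table for A
    int B_virt2() override { return 200 + c1; } // 204, replaces slot 4 of C's table for B
};

// Read the pointer-sized word at the start of an object (its vfptr) via memcpy, no aliasing tricks
static uintptr_t vptr_at(const void* obj) {
    uintptr_t v;
    std::memcpy(&v, obj, sizeof v);
    return v;
}

// Offset of the B subobject inside a C: the "this adjustment" the compiler emits when a
// C* becomes a B*. 8 in the slide's 32-bit layout, 16 on a 64-bit build; always sizeof(A).
std::ptrdiff_t b_subobject_offset() {
    C c;
    return reinterpret_cast<char*>(static_cast<B*>(&c)) - reinterpret_cast<char*>(&c);
}

// C carries two vfptrs, one per base, and they point at different tables
// ("C's vftable for A" and "C's vftable for B").
bool has_two_distinct_vptrs() {
    C c;
    const void* a_part = static_cast<A*>(&c);
    const void* b_part = static_cast<B*>(&c);
    return a_part != b_part && vptr_at(a_part) != vptr_at(b_part);
}

// Indirect calls through base-class interfaces: the slot for B_virt2 in C's table-for-B
// holds C::B_virt2, while B_virt1 still resolves to B's own implementation.
int call_B_virt2(B* b) { return b->B_virt2(); }
int call_B_virt1(B* b) { return b->B_virt1(); }
int call_A_virt2(A* a) { return a->A_virt2(); }

int C_B_virt2_via_B() { C c; return call_B_virt2(&c); }   // 204
int C_B_virt1_via_B() { C c; return call_B_virt1(&c); }   // 2
int C_A_virt2_via_A() { C c; return call_A_virt2(&c); }   // 104
int plain_B_virt2()   { B b; return call_B_virt2(&b); }   // 3

int main() {
    std::printf("sizeof A/B/C: %zu/%zu/%zu\n", sizeof(A), sizeof(B), sizeof(C));
    std::printf("B subobject offset in C: %td\n", b_subobject_offset());
    std::printf("two distinct vfptrs in C: %s\n", has_two_distinct_vptrs() ? "yes" : "no");
    std::printf("C via B*: B_virt2=%d B_virt1=%d\n", C_B_virt2_via_B(), C_B_virt1_via_B());
    return 0;
}
```

In a disassembler the same facts show up as an `add ecx, 8` (or `lea`) before a call through the second vfptr, and as two separate vftables referenced from C's constructor, which is what makes the "glue code" overhead and the indirect calls from the slide before recognisable.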
23 commands, 23 cross references

Patterns to recognise in the binary:
- Memory Allocation
- Instantiation
- Constructor
- Base Class Constructor
- Virtual Function Call

Back To Business: C&C Command Switching
Command: move_file
DIY Links

Thomas Dullien's Blog & The Malware
http://addxorrol.blogspot.co.at

Igor Skochinski
http://www.hexblog.com/wp-content/uploads/2012/06/Recon-2012-Skochinsky-Compiler-Internals.pdf
http://www.openrce.org/articles/full_view/21
http://www.openrce.org/articles/full_view/23

Matt Pietrek
http://www.microsoft.com/msj/0197/Exception/Exception.aspx

Mark Yason & Paul Sabanal
http://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf

Vishal Kochhar
http://www.codeproject.com/Articles/2126/How-a-C-compiler-implements-exception-handling?display=Print

Selvam
http://www.codeproject.com/Articles/7953/Thread-Synchronization-for-Beginners

Josh Haberman
http://blog.reverberate.org/2013/05/deep-wizardry-stack-unwinding.html

Ilfak Guilfanov
http://www.hexblog.com/?p=19
In Practice: Back To The Bot
Bot Internals