Following Malware Execution in Ghidra Following Malware Execution

  • Slides: 27
Download presentation
Following Malware Execution in Ghidra

Following Malware Execution in Ghidra

Following Malware Execution § The decompilation view and control flow graphs are very useful

Following Malware Execution § The decompilation view and control flow graphs are very useful for analyzing the malware’s possible execution paths q Function calls, loops, if statements, etc. § But execution can change in ways other than jumps and calls § Often need to find out how the malware is executing different areas of code 2

DLLs

DLLs

DLL review § Dynamic Link Library § Exports functions for other executables to use

DLL review § Dynamic Link Library § Exports functions for other executables to use § Advantage: can be shared among running processes, saving memory 4

How Malware Uses DLLs § By storing malicious code q q May export functions

How Malware Uses DLLs § By storing malicious code q q May export functions to other malware files May be loaded into another process § By using Windows DLLs q To interact with the operating system via Windows API functions § By using third-party DLLs q q To interact with other non-Windows programs To use a library that may not be on the victim’s machine 5

Analyzing DLLs § DLLs have many points from which code can be executed q

Analyzing DLLs § DLLs have many points from which code can be executed q q Each exported function Dll. Main § Dll. Main is called whenever a process loads or unloads the DLL q Normally used for managing any resources specific to a process, but malware sometimes uses it for other purposes 6

Processes

Processes

Process Review § Process – program in execution § Used to keep programs from

Process Review § Process – program in execution § Used to keep programs from interfering with each other q q Each process has a separate address space (whereas threads share address space) OS manages how processes access shared resources (CPU, RAM, filesystem, hardware, etc) 8

Creating a Process § The Create. Process function is typically used to create a

Creating a Process § The Create. Process function is typically used to create a process § Has many parameters, gives caller a large amount of control over how the process is created q How many parameters? See here 9

Running an Embedded Executable § Malware contains an executable as a resource § Uses

Running an Embedded Executable § Malware contains an executable as a resource § Uses Find. Resource, Load. Resource, Create. File, etc to write resource to disk § Uses Create. Process to run the resource 10

Creating a Remote Shell § Remote shell – allows an attacker to run commands

Creating a Remote Shell § Remote shell – allows an attacker to run commands on the victim’s computer remotely § Can create a remote shell by opening a socket and using a single call to Create. Process! 11

Creating a Remote Shell § Need to pass specific arguments to Create. Process q

Creating a Remote Shell § Need to pass specific arguments to Create. Process q q The lp. Startup. Info parameter points to a STARTUPINFO struct This struct contains handles to stdin, stdout, and stderr Point stdin, stdout, and stderr to the socket Call Create. Process § All input from the malware actor over the socket is run on the command line 12

Creating a Remote Shell – Sample Code Practical Malware Analysis pg 148 13

Creating a Remote Shell – Sample Code Practical Malware Analysis pg 148 13

Process Injection § Malware can inject its own code into a different process §

Process Injection § Malware can inject its own code into a different process § Typically performed using the Virtual. Alloc, Write. Process. Memory, and Create. Remote. Thread API calls § Will cover this and other covert launching techniques later 14

Threads

Threads

Thread Review § Thread – sequence of instructions belonging to a process that is

Thread Review § Thread – sequence of instructions belonging to a process that is executed by the CPU § Each process contains one or more threads q q All threads share the process’s memory space Each thread has its own values for registers and the stack § Storing and restoring these is the substance of a “context switch” 16

Creating a Thread § Done using the Create. Thread function q q q Takes

Creating a Thread § Done using the Create. Thread function q q q Takes lp. Start. Address, a pointer to a function Also takes lp. Parameter, a single parameter to the function The thread executes the function until it returns 17

Covertly Loading a Malicious Library § Can use Create. Thread to covertly load a

Covertly Loading a Malicious Library § Can use Create. Thread to covertly load a malicious library into a process § Need to set certain parameters to Create. Thread q q Pass the address of the Load. Library Windows API function as the lp. Start. Address parameter Pass the name of the desired library as lp. Parameter § Even more stealthy if “Load. Library” and the name of the library are obfuscated – which is easy to do 18

Services

Services

Services Review § Service – a task that runs in the background without an

Services Review § Service – a task that runs in the background without an associated process or thread or user § Managed by the Windows service manager 20

Why Malware Uses Services § Can be set to automatically run when the computer

Why Malware Uses Services § Can be set to automatically run when the computer boots q Gives persistence § Often run with SYSTEM privileges q But need admin to specify this 21

Creating / Starting a Service § Open. SCManager – Returns a handle to the

Creating / Starting a Service § Open. SCManager – Returns a handle to the service control manager, which is needed for all other service-related API calls § Create. Service – Adds a new service to the service control manager q Can specify that the service automatically runs at boot § Start. Service – Starts a service manually 22

Types of Services § WIN 32_SHARE_PROCESS – Stores code for a service in a

Types of Services § WIN 32_SHARE_PROCESS – Stores code for a service in a DLL, run by svchost. exe § WIN 32_OWN_PROCESS – Stores code in an EXE, runs as an independent process § KERNEL_DRIVER – Used for loading code into the kernel 23

Exceptions

Exceptions

Exceptions Review § Exception – allows a program to handle events outside its normal

Exceptions Review § Exception – allows a program to handle events outside its normal execution path § Can be triggered by: q q q Errors (such as a divide by 0) Hardware (such as invalid memory access) Manual call to Raise. Exception 25

Structured Exception Handling § Structured Exception Handling (SEH) – Windows mechanism for handling exceptions

Structured Exception Handling § Structured Exception Handling (SEH) – Windows mechanism for handling exceptions q q q List of functions for handling exceptions Each function can handle the exception or pass it to the next handler If an exception makes it to the end of the list without being handled, it is considered an unhandled exception and crashes the process 26

How Malware Uses Exceptions § The SEH is a type of flow control that

How Malware Uses Exceptions § The SEH is a type of flow control that can’t be followed by disassemblers and can fool debuggers § Malware can add its own custom exception handler to the SEH and then use trigger an exception to transfer execution to the handler 27

Lines of Defense against Malware Prevention Keep MalwareLines of Defense against Malware Prevention Keep Malware
Malware Malicious Software 1112020 Malware 1 Viruses WormsMalware Malicious Software 1112020 Malware 1 Viruses Worms
SICUREZZA INFORMATICA I MALWARE Malware Nella sicurezza informaticaSICUREZZA INFORMATICA I MALWARE Malware Nella sicurezza informatica
Malware Fighting Spyware Viruses and Malware Ch 1Malware Fighting Spyware Viruses and Malware Ch 1
Chapter 9 Applications Benevolent Malware q Benevolent malwareChapter 9 Applications Benevolent Malware q Benevolent malware
Malware Classification And Detection Matt Banick Malware AMalware Classification And Detection Matt Banick Malware A
Malware Malicious Software 11262020 Malware 1 Viruses WormsMalware Malicious Software 11262020 Malware 1 Viruses Worms
Chapter 4 Malware CSCI 455 2242021 Malware 1Chapter 4 Malware CSCI 455 2242021 Malware 1
MALWARE Ksztette Borsi Rebeka MI AZ A MALWAREMALWARE Ksztette Borsi Rebeka MI AZ A MALWARE
Malware Malicious Software 332021 Malware 1 Viruses WormsMalware Malicious Software 332021 Malware 1 Viruses Worms
Malware Malicious Software 332021 Malware 1 Viruses WormsMalware Malicious Software 332021 Malware 1 Viruses Worms
Malware Malicious Software 392021 Malware 1 Viruses WormsMalware Malicious Software 392021 Malware 1 Viruses Worms
Malware Malicious Software 3112021 Malware 1 Viruses WormsMalware Malicious Software 3112021 Malware 1 Viruses Worms
Execution time Execution Time processorrelated IC x CPIExecution time Execution Time processorrelated IC x CPI
C P Code EXECUTION Execution Scheme under theC P Code EXECUTION Execution Scheme under the
The Secrets to Successful Strategy Execution Background ExecutionThe Secrets to Successful Strategy Execution Background Execution
STRATEGIC PLANNING Execution Vision without execution is hallucinationSTRATEGIC PLANNING Execution Vision without execution is hallucination
Programming and Using ECLi PSe Execution Basics ExecutionProgramming and Using ECLi PSe Execution Basics Execution
Chapter 3 Concurrent Execution Concurrency concurrent execution 1Chapter 3 Concurrent Execution Concurrency concurrent execution 1
Intel Wide Dynamic Execution Intel Wide Dynamic ExecutionIntel Wide Dynamic Execution Intel Wide Dynamic Execution
Quantifying Overhead in Todays Execution Models and ExecutionQuantifying Overhead in Todays Execution Models and Execution
Cell Theory The following theory was proposed followingCell Theory The following theory was proposed following
Following in a Jesus PostChristian Culture Following JesusFollowing in a Jesus PostChristian Culture Following Jesus
FOLLOWING TOO CLOSELY FOLLOWING DISTANCES THE TIMEINTERVAL FORMULAFOLLOWING TOO CLOSELY FOLLOWING DISTANCES THE TIMEINTERVAL FORMULA
Following Jesus To the Cross Following Jesus IfFollowing Jesus To the Cross Following Jesus If
Following in a Jesus PostChristian Culture Following JesusFollowing in a Jesus PostChristian Culture Following Jesus
Following in a Jesus PostChristian Culture Following JesusFollowing in a Jesus PostChristian Culture Following Jesus
Diffusion Farming Following Inventions Copy the following mapDiffusion Farming Following Inventions Copy the following map
Building Line Following and Food Following Robots ABuilding Line Following and Food Following Robots A
Services in digital libraries Following functions Following newServices in digital libraries Following functions Following new
Following Peter Following Jesus Opening Question When wereFollowing Peter Following Jesus Opening Question When were
CAP 6135 Malware and Software Vulnerability Analysis FindCAP 6135 Malware and Software Vulnerability Analysis Find
CAP 6135 Malware and Software Vulnerability Analysis BufferCAP 6135 Malware and Software Vulnerability Analysis Buffer
Malware original slides provided by Prof Vern PaxsonMalware original slides provided by Prof Vern Paxson
TamperEvident Digital Signatures Protecting Certification Authorities Against MalwareTamperEvident Digital Signatures Protecting Certification Authorities Against Malware
FINANCIAL SECTOR CYBER ATTACKS MALWARE TYPES REMEDIATION BESTFINANCIAL SECTOR CYBER ATTACKS MALWARE TYPES REMEDIATION BEST
CIT 380 Securing Computer Systems Malware CIT 380CIT 380 Securing Computer Systems Malware CIT 380
CAP 6135 Malware and Software Vulnerability Analysis BufferCAP 6135 Malware and Software Vulnerability Analysis Buffer
Blackbox analysis of malware Vt Buka CROCS FacultyBlackbox analysis of malware Vt Buka CROCS Faculty
Malware Attribution ROUGH DRAFT OUTLINE Evolution of CybercrimeMalware Attribution ROUGH DRAFT OUTLINE Evolution of Cybercrime