Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
- DBI Evasion
- DEMO
Arancino
Arancino
Hooking Module
Hooking Function Module Hooking Syscall Module
Arancino
Arancino
Hooking Module
Hooking Function Module Hooking Syscall Module
Malware Analysis
Malware Analysis
Static Dynamic
mov eax, esi
mov edi, ebx
mov ecx, 14h
rep stosd
mov dword ptr [esp+0Ch],
0Ah
mov dword ptr [esp+8], 50h
mov [esp+4], ebx
mov dword ptr [esp], 0 Malware
call sub_8048C30
cmp eax, 0FFFFFFFFh
Run in a
jz short loc_80488F8 Traces
sandbox instances
mov [esp], ebx loc_80488F8:
call sub_8048A50 mov edx, [esp+6Ch]
test eax, eax xor edx, large gs:14h
jz short jnz short
loc_8048858 loc_804890D
loc_8048858:
cmp ds:dword_804C3C0, 1 cmp ds:dword_804C3C0, 1
CreateFile
mov [esp+8], ebx mov dword ptr [esp+4], 804960Bh VirtualAlloc( ... )
mov dword ptr [esp+4], mov dword ptr [esp], 1 (_T("File.txt"),...)
offset aSInvalidComman sbb eax, eax
sbb eax, eax not eax
not eax add eax, 24h
add eax, 24h mov [esp+8], eax
mov [esp+0Ch], eax call ___printf_chk
mov dword ptr [esp], 1 jmp short loc_8048882
call ___printf_chk
ReadFile(hout, buf, 40, 0, NULL);
loc_8048882:
mov eax, ds:stdout
mov [esp], eax
call _fflush
CloseHandle(hout)
Malware Evasive
If (amIUnderAnalysis())
{
die();
}
else
{
beMalicious();
}
Dynamic Binary
Instrumentation
What is a DBI Tool?
.text
.rodata
Memory
.data
stack
What is a DBI Tool?
/////////////////////////
/////////////////////////
/////////////////////////
/////////////////////////
.text
/////////////////////////
/////////////////////////
/////////////////////////
.rodata
DBI Memory
.data
stack
What is a DBI Tool?
Trace
BB3 BB2
BB4
BB9
BB10
What is a DBI Tool?
BB1 BB1
BB9
BB4
JIT BB3 BB2
BB6 Compiler
BB7 BB8
BB9
User Defined
BB10 Code Cache
Code
DBI - Evasive Malware
Valgrind rev.ng
DBI - Evasive Malware
Valgrind rev.ng
DBI - Evasive Malware
Environment Overhead
Artifact Detection
Code Cache Artifacts
Code Cache Artifacts
BB3 BB2
● IP Detection
● Self-Modifying Code
Code Cache
CCA - IP Detection
PATCH DISPATCHER
add eax,4
int 2e
jmp 0x0804856c
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
int 2e
fsave
fxsave
CCA - IP Detection RT
0x00200003
EDX
0x00400003
EDX
BB3 BB2
● IP Detection
● Self-Modifying Code
Code Cache
CCA - Self Modifying Code
code
cache
Collected
Trace
ins1
ins2
wrong_ins3
ins4
.text
ins5
ins6
ins7
...
CCA - Self Modifying Code
ins1
ins2
code
wrong_ins3
cache
ins4
ins5
Collected
Trace
ins1
ins2
wrong_ins3
ins4
.text
ins5
ins6
ins7
...
CCA - Self Modifying Code
ins1
ins2 Instruction Pointer
code
wrong_ins3
cache
ins4
ins5
ins1
ins2
ins3
.text ins4
ins5
ins6
ins7
...
CCA - Self Modifying Code
ins1
ins2
code
wrong_ins3 Instruction Pointer
cache
ins4
ins5
ins1
ins2
ins3
.text ins4
ins5
ins6
ins7
...
CCA - Self Modifying Code
ins1
ins2
code
wrong_ins3 Instruction Pointer
cache
ins4
ins5
Crash
ins1
ins2
ins3
.text ins4
ins5
ins6
ins7
...
Arancino - Self Modifying Code
Module
Arancino
- MarkWrittenAddress:
store which address has Fake Memory Handler Modules
ins1
ins2
.text wrong_ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
MarkWrittenAddress()
ins1
code CheckEipWritten()
cache ins2
CheckEipWritten()
wrong_ins3
CheckEipWritten() address_ins3
ins1
ins2
.text wrong_ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
MarkWrittenAddress()
ins1 Instruction Pointer
code CheckEipWritten()
cache ins2
CheckEipWritten()
wrong_ins3
address_ins3
Patch CheckEipWritten()
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
MarkWrittenAddress()
ins1
code CheckEipWritten() Instruction Pointer
cache ins2
CheckEipWritten()
wrong_ins3
CheckEipWritten() address_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
MarkWrittenAddress()
ins1
code CheckEipWritten()
cache ins2
CheckEipWritten()
wrong_ins3
CheckEipWritten() address_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
MarkWrittenAddress()
ins1
code CheckEipWritten()
cache ins2 Instruction Pointer
CheckEipWritten()
wrong_ins3
CheckEipWritten() address_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
MarkWrittenAddress()
ins1
code CheckEipWritten()
cache ins2
CheckEipWritten() Instruction Pointer
wrong_ins3
CheckEipWritten() address_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
MarkWrittenAddress()
ins1
code CheckEipWritten()
cache ins2
CheckEipWritten()
wrong_ins3
CheckEipWritten() address_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
MarkWrittenAddress()
ins1
code CheckEipWritten()
cache ins2
CheckEipWritten() Instruction Pointer
wrong_ins3
Cache
CheckEipWritten() address_ins3
Invalidated
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
code
cache
address_ins3
ReCollected
Trace
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CCA - Self Modifying Code
CheckEipWritten()
ins3
code CheckEipWritten()
cache ins4
CheckEipWritten()
ins5
address_ins3
ReCollected
Trace
ins1
ins2
.text ins3
ins4
ins5
ins6
...
Environment Artifacts
Environment Artifacts
● Parent Detection
● Memory Fingerprinting
EA - Parent Detection
.text
ImageLoad Memory
Pintool.dll
Arancino - Hook Functions
.text
new.dll
ImageLoad Memory
Pintool.dll
Arancino - Hook Functions
HOOK DISPATCHER
.text
new.dll
new.dll
ImageLoad Memory
VirtualFree
Pintool.dll
VirtualQueryEx
...
Arancino - Hook Functions
HOOK DISPATCHER
.text
new.dll
new.dll
ImageLoad Memory
VirtualFree
Pintool.dll
VirtualQueryEx
...
Arancino - Hook Functions
HOOK DISPATCHER
.text
new.dll
new.dll
ImageLoad Check if
Memory
Functions are
in the List
VirtualFree
Pintool.dll
VirtualQueryEx
...
Arancino - Hook Functions
HOOK DISPATCHER
.text
new.dll
new.dll
ImageLoad Memory
VirtualFree
Pintool.dll
VirtualQueryEx
...
Arancino - Hook Functions
HOOK DISPATCHER
.text
new.dll Function
new.dll
ImageLoad
...
EA - Parent Detection
Hooked NtQuerySystemInformation
pin.exe -> cmd.exe
Hooked NtOpenProcess
to deny access to CSRSS.exe
Environment Artifacts
● Parent Detection
● Memory Fingerprinting
EA - Memory Fingerprinting
.text
new.dll
Pintool.dll
EA - Memory Fingerprinting
.text
new.dll
Pintool.dll
EA - Memory Fingerprinting
.text
new.dll
Pintool.dll
EA - Memory Fingerprinting
.text
new.dll
Pintool.dll
EA - Memory Fingerprinting
.text
new.dll
Pintool.dll
EA - Memory Fingerprinting
0x00400000
.text
0x00402000
0x55100000
new.dll
0x55101000
0x6f100000
Pintool.dll
0x6f103000
EA - Memory Fingerprinting
0x00400000
.text
0x00402000
0x55100000
new.dll
0x55101000
0x58402000
0x6f100000
Pintool.dll
0x6f103000
EA - Memory Fingerprinting
0x00400000
.text
0x00402000
0x55100000
new.dll Crash
0x55101000
0x58402000
0x6f100000
Pintool.dll
0x6f103000
EA - Memory Fingerprinting
.text
new.dll VirtualQuery
Pintool.dll
EA - Memory Fingerprinting
We Hook NtQueryVirtualMemory
We create a Whitelist of accessible memory regions updated
at runtime.
● Main Module
● Libraries
● Heap and Stack
● PEB, TEB, etc.
● Mapped files
JIT Compiler Detection
JIT Compiler Detection
● Memory Allocations
JIT Compiler Detection
● Memory Allocations
JITC Detection - DLL Hook
A process can search through memory for discrepancy
caused by Hooks.
Hooking Module
Hooking Function Module Hooking Syscall Module
JITC Detection - DLL Hook
TRACE FAKE_READ_HANDLER MEMORY
0x77C76F58 LEA
JMPEAX, [ESP+2D]
0x5B680BE0
JITC Detection - DLL Hook
TRACE FAKE_READ_HANDLER MEMORY
add eax,2
mov edx, [eax] add
cmp edx,0x8d eax,2
jnz ebx
Is memory read
operation?
eax = 0x77C76F58
Nope! 0x77C76F58 JMP 0x5B680BE0
Go next
JITC Detection - DDL Hook
TRACE FAKE_READ_HANDLER MEMORY
add eax,2
mov edx, [eax] mov edx,
cmp edx,0x8d [eax]
jnz ebx
Is memory read
operation?
eax = 0x77C76F58
Yes 0x77C76F58 JMP 0x5B680BE0
JITC Detection - DDL Hook
TRACE FAKE_READ_HANDLER MEMORY
add eax,2
mov edx, [eax] mov edx,
cmp edx,0x8d [eax]
jnz ebx
add eax,2
mov edx, [eax] mov edx,
cmp edx,0x8d [eax]
jnz ebx
0x77C76F58
eax = 0x77C76F58
0x77C76F58 JMP 0x5B680BE0
0x77C76F5F
JITC Detection - DDL Hook
TRACE FAKE_READ_HANDLER MEMORY
add eax,2
mov edx, [eax] mov edx,
cmp edx,0x8d [eax]
jnz ebx
Instrumented process
read the fake value:
LEA EAX, [ESP+2D]
and doesn’t detect 0x77C76F58 JMP 0x5B680BE0
PIN
JIT Compiler Detection
● Memory Allocations
JIT Compiler - API Hook
Counter Fun
.text
ZwAllocateVirtualMemory
ntdll.dll
Pintool.dll
JIT Compiler - API Hook
Counter Fun
.text
Write
ZwAllocateVirtualMemory
ntdll.dll
Pintool.dll
Arancino
Arancino
Hooking Module
Hooking Function Module Hooking Syscall Module
JIT Compiler - API Hook
Counter Fun
.text
Write
ZwAllocateVirtualMemory
ntdll.dll
Pintool.dll
JIT Compiler - API Hook
Counter Fun
.text
Write
ZwAllocateVirtualMemory
ntdll.dll
Pintool.dll
JIT Compiler - API Hook
Counter Fun
.text
Write
ZwAllocateVirtualMemory
ntdll.dll
Pintool.dll
JIT Compiler - API Hook
Counter Fun
.text
Read
ZwAllocateVirtualMemory
ntdll.dll
Pintool.dll
Overhead Detection
Overhead Detection
● Windows Time
○ Use windows API
■ GetTickCount and timeGetTime
○ Or Windows Structures
■ KUSER_SHARED_DATA.
● CPU Time
○ Count CPU cycles (rdtsc)
Evasive Malware
Measurement
Anti-Instrumentation
Measurement
Dataset
● 7006 Binaries
sfone 19 19 (100.0%) 1
unruy 11 11 (100.0%) 1
vilsel 13 8 (61.5%) 2
urelas 18 9 (47.4%) 2
confuser 52 8 (44.4%) 1
vobfus 29 19 (36.5%) 1
Technique #
Hooking
Parent Detection 850 870 2%
Module
Pattern
EIP Detection - int2e 710 1,150 62% Match
Module
Fake Write
Module +
Memory Allocations 2,000 2,900 45%
Hooking
Module
Unpacking Approach
MessageBox.exe
WinRAR.exe
MessageBox.exe
WinRAR.exe
N° %
Unpacked and
working 669 63
DEMO Time!
eXait https://www.coresecurity.com/corelabs-research/open-source-tools/exait
Black Hat Sound Bytes
● Malware authors employ Anti-Instrumentation techniques to
detect when their samples are being instrumented
● We proposed an approach to practically defeat such techniques
● We studied the common techniques adopted by modern
malware authors to evade of instrumentation systems
● On top of Arancino ~> dynamic, evasion-resilient unpacker
○ Known packers use anti-instrumentation techniques!
Arancino - GitHub
Thanks!
https://github.com/necst/arancino
Mario Polino
<mario.polino@polimi.it>
Arancino - GitHub
Questions?
https://github.com/necst/arancino
Mario Polino
<mario.polino@polimi.it>
Arancino - GitHub
Questions?
https://github.com/necst/arancino
Mario Polino
<mario.polino@polimi.it>
Credits
● Icons, CC from Noun Project:
○ Vicons Design
○ Aya Sofya
○ Adnen Kadri
○ Stock Image Folio
○ Icon Fair
○ Creative Stall
○ Gregor Cresnar
Arancino - GitHub