Eu 17 Polino Hiding Pins Artifacts To Defeat Evasive Malware PDF

Hiding PIN's Artifacts
to Defeat Evasive Malware

Mario Polino, Andrea Continella, Sebastiano Mariani,
Lorenzo Fontana, Stefano D'Alessio, Fabio Gritti, Stefano Zanero
Agenda
- Arancino
- Dynamic Binary Instrumentation Tools
- DBI Evasion
- Evasive Malware Measurement
- Evasive Resilient Unpacking Tool
- DEMO
Arancino
Arancino
Fake Memory Handler Modules

Fake Read Handler Fake Write Handler Fake Free Handler
Module Module Module
Pattern Matching Self Modifying Code

Module Module
Process Information Module
Hooking Module
Hooking Function Module Hooking Syscall Module
Arancino
Arancino


Module Module
Hooking Module
Malware Analysis
Malware Analysis
Static Dynamic
mov eax, esi
mov edi, ebx
mov ecx, 14h
rep stosd
mov dword ptr [esp+0Ch],
0Ah
mov dword ptr [esp+8], 50h
mov [esp+4], ebx
mov dword ptr [esp], 0 Malware
call sub_8048C30
cmp eax, 0FFFFFFFFh
Run in a
jz short loc_80488F8 Traces
sandbox instances
mov [esp], ebx loc_80488F8:
call sub_8048A50 mov edx, [esp+6Ch]
test eax, eax xor edx, large gs:14h
jz short jnz short
loc_8048858 loc_804890D
loc_8048858:
cmp ds:dword_804C3C0, 1 cmp ds:dword_804C3C0, 1
CreateFile
mov [esp+8], ebx mov dword ptr [esp+4], 804960Bh VirtualAlloc( ... )
mov dword ptr [esp+4], mov dword ptr [esp], 1 (_T("File.txt"),...)
offset aSInvalidComman sbb eax, eax
sbb eax, eax not eax
not eax add eax, 24h
add eax, 24h mov [esp+8], eax
mov [esp+0Ch], eax call ___printf_chk
mov dword ptr [esp], 1 jmp short loc_8048882
call ___printf_chk
ReadFile(hout, buf, 40, 0, NULL);
loc_8048882:
mov eax, ds:stdout
mov [esp], eax
call _fflush
CloseHandle(hout)
Malware Evasive
If (amIUnderAnalysis())
{
die();
}
else
{
beMalicious();
}
Dynamic Binary
Instrumentation
What is a DBI Tool?
.text
.rodata
Memory
.data
stack
What is a DBI Tool?
/////////////////////////
/////////////////////////
/////////////////////////
/////////////////////////
.text
/////////////////////////
/////////////////////////
/////////////////////////
.rodata
DBI Memory
.data
stack
What is a DBI Tool?
Basic Block BB1
Trace
BB3 BB2
BB4
Control Flow BB6
Graph BB7 BB8
BB9
BB10
What is a DBI Tool?
BB1 BB1
BB3 BB2 BB3 BB2

Trace is
BB4 copied in the
BB6
code cache
BB7 BB8
BB9
BB10 Code Cache

What is a DBI Tool?
BB1 User instrumentation BB1
code is added.
BB3 BB2 User Defined
Code
BB4
JIT BB3 BB2
BB6 Compiler
BB7 BB8
BB9
User Defined
BB10 Code Cache
Code
DBI - Evasive Malware
Intel Pin Tools DynamoRIO
Valgrind rev.ng
Intel Pin Tools DynamoRIO
Valgrind rev.ng
Code Cache JIT Compiler

Artifacts Detection
Environment Overhead
Artifact Detection
Code Cache Artifacts
All those artifacts caused by having a Code BB1
Cache User Defined

Code
BB3 BB2
● IP Detection
● Self-Modifying Code
Code Cache
CCA - IP Detection
Nt Sycall (EIP -> EDX) code cache

ins1
int 2e ins2
EIP ins3
ins4
Floating Point Context on the Stack ins1

ins2
fsave/ fxsave/ fstenv ins3
ins4
ins5
When we find one of those in a trace we patch the env ins6
after the execution of the instruction. ...
NB call Instruction is handled by Pin

Arancino - Pattern Matching
Module
Arancino
- PatchMap: List of
instructions and func Fake Memory Handler Modules
pointers Fake Read Handler

Module
Fake Write Handler
Module
Fake Free Handler
Module

- PatchDispatcher: Module Module
check and add patch Process Information Module
to instructions during
trace building. Hooking Module
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE
add eax,4
int 2e
jmp 0x0804856c
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE
add eax,4 add eax,4

int 2e
jmp 0x0804856c
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE
add eax,4 add eax,4

int 2e
jmp 0x0804856c
Is it in the list?
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE
add eax,4 add eax,4

int 2e
jmp 0x0804856c
Nope!
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE
add eax,4 add eax,4 add eax,4

int 2e
jmp 0x0804856c
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE
add eax,4 int 2e add eax,4

int 2e
jmp 0x0804856c
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE

int 2e
jmp 0x0804856c
Is it in the list?
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE

int 2e
jmp 0x0804856c
Yes!
int 2e
fsave
fxsave
CCA - IP Detection
PATCH DISPATCHER
TRACE PATCHED TRACE
int 2e add eax,4

add eax,4
int 2e
int 2e
patch_int2e()
jmp 0x0804856c
int 2e
fsave
fxsave
CCA - IP Detection RT
0x00200000 add eax,4

0x00200003 int 2e Code
patch_int_2e() Cache
0x00200005
Jmp 0x0804856c
0x00200003
EDX
0x00400000 add eax,4

int 2e Main
0x00400003 Jmp 0x0804856c module
0x00400005 […]
CCA - IP Detection RT
0x00200000 add eax,4

0x00200003 int 2e Code
patch_int_2e() Cache
0x00200005
Jmp 0x0804856c
0x00400003
EDX
0x00400000 add eax,4

int 2e Main
0x00400003 Jmp 0x0804856c module
0x00400005 […]
All those artifacts caused by having a Code BB1
Cache User Defined

Code
BB3 BB2
● IP Detection
● Self-Modifying Code
Code Cache
CCA - Self Modifying Code
code
cache
Collected
Trace
ins1
ins2
wrong_ins3
ins4
.text
ins5
ins6
ins7
...
ins1
ins2
code
wrong_ins3
cache
ins4
ins5
Collected
Trace
ins1
ins2
wrong_ins3
ins4
.text
ins5
ins6
ins7
...
ins1 Instruction Pointer

ins2
code
wrong_ins3
cache
ins4
ins5
Patch
ins1
ins2
wrong_ins3
.text ins4
ins5
ins6
ins7
...

ins2
code
wrong_ins3
cache
ins4
ins5
Patch
ins1
ins2
ins3
.text ins4
ins5
ins6
ins7
...
ins1
code
wrong_ins3
cache
ins4
ins5
ins1
ins2
ins3
.text ins4
ins5
ins6
ins7
...
ins1
ins2
code
wrong_ins3 Instruction Pointer
cache
ins4
ins5
ins1
ins2
ins3
.text ins4
ins5
ins6
ins7
...
ins1
ins2
code
wrong_ins3 Instruction Pointer
cache
ins4
ins5
Crash
ins1
ins2
ins3
.text ins4
ins5
ins6
ins7
...
Arancino - Self Modifying Code
Module
Arancino
- MarkWrittenAddress:
store which address has Fake Memory Handler Modules
been overwritten Fake Read Handler

Module
Fake Write Handler
Module
Fake Free Handler
Module

- CheckEIPWritten: Module Module
check if next Process Information Module
instruction has been
overwritten. Hooking Module
CheckEipWritten()
MarkWrittenAddress()
Analysis
ins1
Routines CheckEipWritten()
ins2
CheckEipWritten()
code
wrong_ins3
cache CheckEipWritten()
Collected
Trace
ins1
ins2
.text wrong_ins3
ins4
ins5
ins6
...
CheckEipWritten()
MarkWrittenAddress() Instruction Pointer
ins1
code CheckEipWritten()
cache ins2
CheckEipWritten()
wrong_ins3
CheckEipWritten()
ins1
ins2
.text wrong_ins3
ins4
ins5
ins6
...
CheckEipWritten()
ins1
cache ins2
CheckEipWritten()
wrong_ins3
CheckEipWritten() address_ins3
ins1
ins2
.text wrong_ins3
ins4
ins5
ins6
...
CheckEipWritten()
cache ins2
CheckEipWritten()
wrong_ins3
address_ins3
Patch CheckEipWritten()
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CheckEipWritten()
ins1
code CheckEipWritten() Instruction Pointer
cache ins2
CheckEipWritten()
wrong_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CheckEipWritten()
ins1
cache ins2
CheckEipWritten()
wrong_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CheckEipWritten()
ins1
cache ins2 Instruction Pointer
CheckEipWritten()
wrong_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CheckEipWritten()
ins1
cache ins2
CheckEipWritten() Instruction Pointer
wrong_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CheckEipWritten()
ins1
cache ins2
CheckEipWritten()
wrong_ins3
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CheckEipWritten()
ins1
cache ins2
CheckEipWritten() Instruction Pointer
wrong_ins3
Cache
Invalidated
ins1
ins2
.text ins3
ins4
ins5
ins6
...
code
cache
address_ins3
ReCollected
Trace
ins1
ins2
.text ins3
ins4
ins5
ins6
...
CheckEipWritten()
ins3
cache ins4
CheckEipWritten()
ins5
address_ins3
ReCollected
Trace
ins1
ins2
.text ins3
ins4
ins5
ins6
...
Environment Artifacts
● Parent Detection
● Memory Fingerprinting
EA - Parent Detection
Malware can check which is the process father.

● NtQuerySystemInformation
● CSRSS.exe
Arancino - Hooking Module
Arancino
- Hooking Function
Module: Install an Fake Memory Handler Modules
Hook on dll’s Fake Read Handler

Module
Fake Write Handler
Module
Fake Free Handler
Module
Functions
Module Module
- Hooking Syscall Process Information Module
Module: Install an
Hook on dll’s Hooking Module
Functions Hooking Function Module Hooking Syscall Module

Arancino - Hooking Module
Arancino
- Hooking Function
Module: Install an Fake Memory Handler Modules
Hook on dll’s Fake Read Handler

Module
Fake Write Handler
Module
Fake Free Handler
Module
Functions
Module Module
- Hooking Syscall Process Information Module
Module: Install an
Hook on dll’s Hooking Module
Functions Hooking Function Module Hooking Syscall Module

Arancino - Hook Functions
.text
ImageLoad Memory
Pintool.dll
.text
new.dll
ImageLoad Memory
Pintool.dll
HOOK DISPATCHER
.text
new.dll
new.dll
ImageLoad Memory
VirtualFree
Pintool.dll
VirtualQueryEx
...
HOOK DISPATCHER
.text
new.dll
new.dll
ImageLoad Memory
VirtualFree
Pintool.dll
VirtualQueryEx
...
HOOK DISPATCHER
.text
new.dll
new.dll
ImageLoad Check if
Memory
Functions are
in the List
VirtualFree
Pintool.dll
VirtualQueryEx
...
HOOK DISPATCHER
.text
new.dll
new.dll
ImageLoad Memory
VirtualFree
Pintool.dll
VirtualQueryEx
...
HOOK DISPATCHER
.text
new.dll Function
new.dll
ImageLoad
VirtualFree Hook Function

Pintool.dll
VirtualQueryEx
...
EA - Parent Detection
Hooked NtQuerySystemInformation
pin.exe -> cmd.exe
Hooked NtOpenProcess
to deny access to CSRSS.exe
● Parent Detection
● Memory Fingerprinting
EA - Memory Fingerprinting
.text
new.dll
Pintool.dll
.text
new.dll
Pintool.dll
.text
new.dll
Pintool.dll
.text
new.dll
Pintool.dll
.text
new.dll
Pintool.dll
0x00400000
.text
0x00402000
0x55100000
new.dll
0x55101000
0x6f100000
Pintool.dll
0x6f103000
0x00400000
.text
0x00402000
0x55100000
new.dll
0x55101000
0x58402000
0x6f100000
Pintool.dll
0x6f103000
0x00400000
.text
0x00402000
0x55100000
new.dll Crash
0x55101000
0x58402000
0x6f100000
Pintool.dll
0x6f103000
.text
new.dll VirtualQuery
Pintool.dll
We Hook NtQueryVirtualMemory
We create a Whitelist of accessible memory regions updated
at runtime.
● Main Module
● Libraries
● Heap and Stack
● PEB, TEB, etc.
● Mapped files
JIT Compiler Detection
● Memory Page Permissions

○ Checks if there are WX pages
● DLL Hook Detection
● Memory Allocations

JITC Detection - DLL Hook
A process can search through memory for discrepancy
caused by Hooks.
KiUserApcDispatcher - normal execution
KiUserApcDispatcher - Instrumented execution

Arancino
Arancino


Module Module
Hooking Module
TRACE FAKE_READ_HANDLER MEMORY
0x77C76F58 LEA
JMPEAX, [ESP+2D]
0x5B680BE0
0x77C76F58 JMP 0x5B680BE0

add eax,2
mov edx, [eax] add
cmp edx,0x8d eax,2
jnz ebx
Is memory read
operation?
eax = 0x77C76F58
Nope! 0x77C76F58 JMP 0x5B680BE0
Go next
JITC Detection - DDL Hook
add eax,2
mov edx, [eax] mov edx,
cmp edx,0x8d [eax]
jnz ebx
Is memory read
operation?
eax = 0x77C76F58
Yes 0x77C76F58 JMP 0x5B680BE0
add eax,2
cmp edx,0x8d [eax]
jnz ebx
Is the target address inside a

fake memory item?
eax = 0x77C76F58
Yes
fake memory function
invoked
add eax,2
cmp edx,0x8d [eax]
jnz ebx
0x01C00A2B LEA EAX, [ESP+2D]

FakeMemoryFunc()
0x77C76F58
eax = 0x77C76F58
0x77C76F5F
add eax,2
cmp edx,0x8d [eax]
jnz ebx
0x01C00A2B LEA EAX, [ESP+2D]
Instrumented process
read the fake value:
LEA EAX, [ESP+2D]
and doesn’t detect 0x77C76F58 JMP 0x5B680BE0
PIN

JIT Compiler - API Hook
JIT Compiler needs Memory to perform the compiling
We can monitor the allocation by Hooking at

ZwAllocateVirtualMemory
Counter Fun
.text
ntdll.dll
Pintool.dll
Counter Fun
.text
Write
ntdll.dll
Pintool.dll
Arancino
Arancino


Module Module
Hooking Module
Counter Fun
.text
Write
ntdll.dll
Pintool.dll
Counter Fun
.text
Write
ntdll.dll
Pintool.dll
Counter Fun
.text
Write
ntdll.dll
Pintool.dll
Counter Fun
.text
Read
ntdll.dll
Pintool.dll
Overhead Detection
Overhead Detection
● Windows Time
○ Use windows API
■ GetTickCount and timeGetTime
○ Or Windows Structures
■ KUSER_SHARED_DATA.
● CPU Time
○ Count CPU cycles (rdtsc)
Evasive Malware
Measurement
Anti-Instrumentation
Measurement
Dataset
● 7006 Binaries
● Virus Total Intelligence (3+ AV Detection)
● From October 2016 to February 2017

Anti-Instrumentation
Measurement
Environment Setup
● Virtual Machine (VirtualBox)
● Windows 7 (64-bit)
● Custom Apps (Adobe Reader, Chrome, and media players)
● User Data (saved credentials, browser history, etc.)
● Basic User Activity (moving the mouse, launching applications)
● 5 min run
Evasive Malware
At least one evasive behavior: 1,093 / 7006 (15.6%)
Family Name [1] Samples Evasive Techniques
virlock 619 (8.8%) 600 (96.9%) 2
confidence 505 (7.2%) 68 (13.5%) 4
virut 242 (3.5%) 13 (5.4%) 2
mira 230 (3.3%) 9 (3.9%) 1
upatre 187 (2.7%) 2 (1.1%) 1
lamer 171 (2.4%) 0 (0.0%) 0
sivis 168 (2.4%) 0 (0.0%) 0
[1] AvClass https://github.com/malicialab/avclass

Top Evasive Malware
Family Name [1] Samples Evasive Techniques
sfone 19 19 (100.0%) 1
unruy 11 11 (100.0%) 1
virlock 619 600 (96.9%) 2
vilsel 13 8 (61.5%) 2
urelas 18 9 (47.4%) 2
confuser 52 8 (44.4%) 1
vobfus 29 19 (36.5%) 1
[1] AvClass https://github.com/malicialab/avclass

Top Techniques Used
Technique #
Code Cache Artifacts Self-modifying code 897
Environment Artifacts Parent detection 259
JIT Compiler Detection Write on protected 40

memory region
Environment Artifacts Check DEBUG flag 5
Environment Artifacts Memory fingerprinting 3

Overhead
Arancino
Pin time Arancino Module
overhead
[ms] [ms] activated
[%]
Hooking
Parent Detection 850 870 2%
Module
Pattern
EIP Detection - int2e 710 1,150 62% Match
Module
Memory Fake Read

2,000 7,090 254,5%
Fingerprinting Module
Fake Write
Module +
Memory Allocations 2,000 2,900 45%
Hooking
Module
Unpacking Approach
Detect W and Dump Deobfuscate Recognize

X memory the the Import the correct
regions Program Address dump
Table
Experiment 1 : known packers
Upx FSG Mew mpress PeCompact Obsidium ExePacker ezip
MessageBox.exe
WinRAR.exe
Xcomp PElock ASProtect ASPack eXpressor exe32packer beropacker Hyperion
MessageBox.exe
WinRAR.exe
Original code dumped but Import directory not reconstructed

Experiment 2 : wild samples
Number of packed (checked manually) samples 1096
N° %
Unpacked and
working 669 63
Unpacked but not

executable 139 13
Not unpacked 258 24

Arancino - GitHub
DEMO Time!
eXait https://www.coresecurity.com/corelabs-research/open-source-tools/exait
Black Hat Sound Bytes
● Malware authors employ Anti-Instrumentation techniques to
detect when their samples are being instrumented
● We proposed an approach to practically defeat such techniques
● We studied the common techniques adopted by modern
malware authors to evade of instrumentation systems
● On top of Arancino ~> dynamic, evasion-resilient unpacker
○ Known packers use anti-instrumentation techniques!
Arancino - GitHub
Thanks!
https://github.com/necst/arancino
Mario Polino
<mario.polino@polimi.it>
Arancino - GitHub
Questions?
Mario Polino
Arancino - GitHub
Questions?
Mario Polino
Credits
● Icons, CC from Noun Project:
○ Vicons Design
○ Aya Sofya
○ Adnen Kadri
○ Stock Image Folio
○ Icon Fair
○ Creative Stall
○ Gregor Cresnar
Arancino - GitHub

Eu 17 Polino Hiding Pins Artifacts To Defeat Evasive Malware PDF

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Eu 17 Polino Hiding Pins Artifacts To Defeat Evasive Malware PDF

Caricato da

Copyright:

Formati disponibili

Hiding PIN's Artifacts

to Defeat Evasive Malware

- Dynamic Binary Instrumentation Tools

- Evasive Malware Measurement

- Evasive Resilient Unpacking Tool

Fake Memory Handler Modules

Pattern Matching Self Modifying Code

Process Information Module

Fake Memory Handler Modules

Pattern Matching Self Modifying Code

Process Information Module

Basic Block BB1

Control Flow BB6

Graph BB7 BB8

BB3 BB2 BB3 BB2

BB10 Code Cache

Intel Pin Tools DynamoRIO

Intel Pin Tools DynamoRIO

Code Cache JIT Compiler

All those artifacts caused by having a Code BB1

Cache User Defined

Nt Sycall (EIP -> EDX) code cache

Floating Point Context on the Stack ins1

NB call Instruction is handled by Pin

pointers Fake Read Handler

Pattern Matching Self Modifying Code

TRACE PATCHED TRACE

TRACE PATCHED TRACE

add eax,4 add eax,4

TRACE PATCHED TRACE

add eax,4 add eax,4

TRACE PATCHED TRACE

add eax,4 add eax,4

TRACE PATCHED TRACE

add eax,4 add eax,4 add eax,4

TRACE PATCHED TRACE

add eax,4 int 2e add eax,4

TRACE PATCHED TRACE

add eax,4 int 2e add eax,4

TRACE PATCHED TRACE

add eax,4 int 2e add eax,4

TRACE PATCHED TRACE

int 2e add eax,4

0x00200000 add eax,4

0x00400000 add eax,4

0x00200000 add eax,4

0x00400000 add eax,4

All those artifacts caused by having a Code BB1

Cache User Defined

ins1 Instruction Pointer

ins1 Instruction Pointer

been overwritten Fake Read Handler

Pattern Matching Self Modifying Code

Malware can check which is the process father.

Hook on dll’s Fake Read Handler

Functions Hooking Function Module Hooking Syscall Module

Hook on dll’s Fake Read Handler

Functions Hooking Function Module Hooking Syscall Module

VirtualFree Hook Function

● Memory Page Permissions

● DLL Hook Detection

● Memory Page Permissions

● DLL Hook Detection