Bangeter 01-basic_malware_techniques_4.2.pdf
Malware analysis Bangeter 01-basic_malware_techniques_4.2.pdf
Malware analysis Bangeter 01-basic_malware_techniques_4.2.pdf
Set of flashcards Details
| Flashcards | 45 |
|---|---|
| Language | English |
| Category | Computer Science |
| Level | Other |
| Created / Updated | 18.06.2019 / 29.06.2021 |
| Weblink |
https://card2brain.ch/box/20190618_bangeter_malware_analysis
|
| Embed |
<iframe src="https://card2brain.ch/box/20190618_bangeter_malware_analysis/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>
|
What are the 7 steps of how DLL injection is done?
- Process A enables debug prrivilege (SE_DEBUG_PRIVILEGE).
- Process A opens a handle to Process B by calling OpenProcess.
- Process A allocates memory in Proces B using VirtualAllocEx.
- Process A transfers a string to process B containing the full path to the malicous DLL.
- Process A calls CreateRemoteThread to start a new thread in Process B that executes the LoadLibrary function.
- At this point the injection is complete and Process B has loaded the DLL. Process A calls VirtualFree to free the memory containing the DLLs path.
- Process A calls CloseHandle on Process Bs process to clean up.
Explain what happens in this sample code (DLL injection)
...
What are the artefacts of DLL injection?
- Look for loaded DLLs in processes.
- LoadLibrary() function is a legit technique exposed by the image loader for loading DLLs, is not designed for stealth.
- LoadLibrary() creates various artefacts:
- Entries in the PEB
- PEB containes 3 double linkded lists of the DLLs loaded in a process.
- Entires in the VAD
- Entries in the PEB
How can you hide DLLs and how can it be detected?
The PEB is stored in the user mode memory of each process. Therefor the PEB can be modified to perform a DLL unlinking.
Detection: The VAD runs in kernel mode and also containes a list off DLLs. So the VAD can be cross referenced with the PEB to see if an unlinking occoured.
Why is code injection done insted of DLL injection? (Idea)
- LoadLibrary() in DLL injection leaves traces.
- Code injection avoides using LoadLibrary() by directly injecting the entire malware code from the launcher process into the victim process.
How is direct code injection done? (5 steps)
- Iterate over process list to select victiom process.
- Some malware injects in all processes it gets access to other malware is more slective.
- Run OpenProcess() to get handle of victim porcess.
- Allocate memory in the victim useing VitualAllocEx(). Alocated memory needs to be writable + executable.
- Inject code using WriteProcessMemory()
- Use CreateReamoteThread() to start injected code in a seperate thread.
What steps need to be performed manualy when injecting code, that would be handeled by the LoadLibrary() in DLL injection.
Since LoadLibrary() is not used the steps of the Windows loader need to be performed by the malware:
- Map sections into memory
- Loading of DLLs (DLLs used by the malicious code that arn't already loaded)
- Fill IAT
- Apply relocations
(Relocations con be avouded if so called "shell code" is injected; shell code is position independent code.
How can you detect code injection, what are the artefacts?
Direct code injections don't show up as process or DLLs.
They still leave following traces:
- Memory allocated by VirtualAllocEx() will be tracked in the VAD tree.
- Memory allocated by malware is mostly RWX, which is uncomon and suspicious.
How can malware as a process be detected and what tools can be used?
Detecting the process using:
- pslist
- pstree
- psscan
If proces is trying to hide useing DKOM unlinking use:
- psxview
Use dlllist to get full path of the process exe
Traces are left on disk and in autostart mechainsm
How can you detect malware as a DLL?
How can you detect direct code injection?
use:
- malfind
- ldrmodules
- apihooks
What is the underlying idea of hooking?
The underlying ides of hooking is: to insert code into the execution path of a legitimate program and to divert the execution to some malicous code.
* Hookin and code injection are often reoated: The malicous code to which the hooks point, is often injected into the victim process.
Explain how inline hooking works and how it can be detected?
Inline hooking :
- Overwrite a part of the original code in the instruction stream with a jump to your code.
- Jump to your detour code, after the detour code is executed, execute the code that was over written with the initial jump instruction (prevent program crash) then jump back to the original position in the instruction stream of the original code.
Detection heuristic:
- Locate functions in DLLs
- Analyze function code to check whether there are non-legitimate execution trnsfers (JMP, CALL, etc.) to outside function.
*(Not always easy to tell letitimate from non-legitmate execution transferst, executions transferst can be obfuscated and thus difficult to detect)
Describe how IAT hooking is done and how it can be detected?
The IAT is, loosely speaking a table of pointers that links function calls
- IAT entries for each DLL, and each function in DLL
- IAT is filled by the loader
Idea of IAT hookin: Modify slected function pointers, so that they point to your malicous coed.
Detection heuristic:
- Iterate through IAT / EAT entries in DLLs of process being analyzed
- If an entry points outside of the DLL currently being inspected, the hook detected.
What are the limitaions of Inline and IAT hooking detection discussed so far?
- There are legitimate applications of hooking, the heuristics sometimes produce false positives.
- When hooks are places "in the middle" of a function, they will be missed by the heuristics, resultin in false negatives.
What is a Process
A process is an instance of a running program
- Code
- Data
- a process is code loaded and running in memory (by OS loader)
- Process is an abstraction provided by the OS
What is a DLL, and what does it stand for?
DLL = Dynamic Link Library
- A DLL is a library that contains code and data that can be used by more than on program at the same time.
- By using a DLL, a program can be modularized into separate components.
- Additionally, updates are easier to apply to each module without affecting other parts of the program.
- DLLs can often be related to functionalities of a process.
- E.g. crypto functionality, networking, etc...
What types of information / data structures are contained inside the virtual memory?
- Code of main program
- Static / global data
- DLLs of processes including static & global data
- Heap
- Stack
What is contained inside the userspace in virtual memory?
- Executable: Main module -> PE file mapped into memory (eg. Chrome.exe)
- DLLs imported by main module
- One stack per thread. Used for storing local variables.
What atributes are used in the user space of the virtual memory?
- Protection attributes:
- PAGE_EXECUTE
- PAGE_EXECUTE_READ
- PAGE_EXECUTE_READWRITE
- Type
- MEM_IMAGE: Indicates that the memory pages within the region are mapped into the view of an image section.
- MEM_MAPPED Indicates that the memory pages within the region are mapped into the view of a section.
- MEM_PRIVATE Indicates that the memory pages within the region are private (that is not shared by other processes)
- States:
- Commited
- Reserved
"Virtual memory - Contents of user space"
In this context what is an Image?
Image:
The memory represnts an executable file, such as an EXE or DLL, that has been loaded into a process by the image loader.
- Does not include executable files loaded as data files.
- Executable code regions are typically read/execute only and shareable
- Data regions, such as initialized date, are typically read/write or coppy-on-write.
"Virtual memory - Contents of user space"
In this context what is a mapped file?
Mapped File:
The memory is shareble and represents a file on disk. Mapped files are often resource DLLs and typically contain application data.
"Virtual memory - Contents of user space"
What is meant by shareable memory?
Sharable memory is memory that can be shared with other processes and is backed by RAM or by the paging file.
"Virtual memory - Contents of user space"
What is a heap?
A heap represents private memory allocated and managed by the user-mode heap manager and typically contains application data. Application memory allocations that use Heap memory include th C runtime malloc library, the C++ new operator, the Windows Heap APIs, and the legacy Global Alloc and LocalAlloc APIs.
"Virtual memory - Contents of user space"
What is the Managed Heap?
The mamged heap represnts private memory that is allocated and managed by the .NET runtime and typically contains application data.
"Virtual memory - Contents of user space"
What is the meant by the tearm stack?
Stack memory is allocated to each thread in a process to store function parametes, local variables and invacation recors
Typically, a fixed amount of Stack memory is allocated and reserved when a thread is created, but only a relatively small amount is committed.
The amount of memory commited within the allocation will grow as need, but will not shrink.
Stack memory is freed when its thread exits.
"Virtual memory - Contents of user space"
What is meant by the term Private Data?
Private Data memory is memory that is allocated by Virtual Alloc and that is not further handled by the Heap Manager or the .NET runtime, or assigned to the Stoack categroy.
- Private data memory can not be shared with other processes.
Typicaly contians:
- application data
- Process and thread envirnment blocks.
"Virtual memory - Contents of user space"
What is meant by free memory
Free memory regions are spaces in the process virtual address space that are not allocated.
"Virtual memory - Contents of user space"
What is unusable memory?
Unusable memory, is free memory but cannot be used because of allocation granularity restrictions. (e.g. 64KB or 0x10000)
What does PE stand for?
PE = Portable Executable
Features dynamic linking, symbol exporting/importing.
-
- 1 / 45
-
