c2b_default

Bangeter 01-basic_malware_techniques_4.2.pdf

Malware analysis Bangeter 01-basic_malware_techniques_4.2.pdf

Malware analysis Bangeter 01-basic_malware_techniques_4.2.pdf

45
0.0 (0)

Kartei Details

Karten 45
Sprache English
Kategorie Informatik
Stufe Andere
Erstellt / Aktualisiert 18.06.2019 / 29.06.2021
Weblink
https://card2brain.ch/box/20190618_bangeter_malware_analysis
Einbinden
<iframe src="https://card2brain.ch/box/20190618_bangeter_malware_analysis/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>
Lernen

What is a Process

A process is an instance of a running program

  • Code
  • Data
  • a process is code loaded and running in memory (by OS loader)
  • Process is an abstraction provided by the OS

What is a DLL, and what does it stand for?

DLL = Dynamic Link Library

  • A DLL is a library that contains code and data that can be used by more than on program at the same time.
  • By using a DLL, a program can be modularized into separate components.
  • Additionally, updates are easier to apply to each module without affecting other parts of the program.
  • DLLs can often be related to functionalities of a process.
    • E.g. crypto functionality, networking, etc...

What types of information / data structures are contained inside the virtual memory?

  • Code of main program
  • Static / global data
  • DLLs of processes including static & global data
  • Heap
  • Stack

What is contained inside the userspace in virtual memory?

Melde dich an, um Bilder anzusehen.

  • Executable: Main module -> PE file mapped into memory (eg. Chrome.exe)
  • DLLs imported by main module
  • One stack per thread. Used for storing local variables.

What atributes are used in the user space of the virtual memory?

  • Protection attributes:
    • PAGE_EXECUTE
    • PAGE_EXECUTE_READ
    • PAGE_EXECUTE_READWRITE
  • Type
    • MEM_IMAGE: Indicates that the memory pages within the region are mapped into the view of an image section.
    • MEM_MAPPED Indicates that the memory pages within the region are mapped into the view of a section.
    • MEM_PRIVATE Indicates that the memory pages within the region are private (that is not shared by other processes)
  • States:
    • Commited
    • Reserved

"Virtual memory - Contents of user space"

In this context what is an Image?

Image:

The memory represnts an executable file, such as an EXE or DLL, that has been loaded into a process by the image loader.

  • Does not include executable files loaded as data files.
  • Executable code regions are typically read/execute only and shareable
  • Data regions, such as initialized date, are typically read/write or coppy-on-write.

"Virtual memory - Contents of user space"

In this context what is a mapped file?

Mapped File:

The memory is shareble and represents a file on disk. Mapped files are often resource DLLs and typically contain application data. 

"Virtual memory - Contents of user space"
What is meant by shareable memory?

Sharable memory is memory that can be shared with other processes and is backed by RAM or by the paging file.

"Virtual memory - Contents of user space"
What is a heap?

A heap represents private memory allocated and managed by the user-mode heap manager and typically contains application data. Application memory allocations that use Heap memory include th C runtime malloc library, the C++ new operator, the Windows Heap APIs, and the legacy Global Alloc and LocalAlloc APIs.

"Virtual memory - Contents of user space"
What is the Managed Heap?

The mamged heap represnts private memory that is allocated and managed by the .NET runtime and typically contains application data.

"Virtual memory - Contents of user space"
What is the meant by the tearm stack?

Stack memory is allocated to each thread in a process to store function parametes, local variables and invacation recors

Typically, a fixed amount of Stack memory is allocated and reserved when a thread is created, but only a relatively small amount is committed.

The amount of memory commited within the allocation will grow as need, but will not shrink.

Stack memory is freed when its thread exits.

"Virtual memory - Contents of user space"
What is meant by the term Private Data?

Private Data memory is memory that is allocated by Virtual Alloc and that is not further handled by the Heap Manager or the .NET runtime, or assigned to the Stoack categroy.

  • Private data memory can not be shared with other processes.

Typicaly contians:

  • application data
  • Process and thread envirnment blocks.

"Virtual memory - Contents of user space"
What is meant by free memory

Free memory regions are spaces in the process virtual address space that are not allocated.

"Virtual memory - Contents of user space"
What is unusable memory?

Unusable memory, is free memory but cannot be used because of allocation granularity restrictions. (e.g. 64KB or 0x10000)

What does PE stand for?

PE = Portable Executable

 

Features dynamic linking, symbol exporting/importing.

What are the differnt sections in a PE file?

Melde dich an, um Bilder anzusehen.

  • .text: Contains the executable code
  • .rdata: Holds read-only data that is globally accessible within the program
  • .data: Stores global data accessed through the program
  • .idata: Sometimes presnte, stores import function informatin; if not present import function information is stored in the .rdata
  • .edata: Sometimes present, sotres the export function infromation; if not present export function informatin is stored in the .rdata
  • .pdata: Present only in 64-bit executables and stores exception-handeling information.
  • .rsrc: Stores resources needed by the executable
  • .reloc:Contains information for relocation of library files.

Describe the Process and DLL loading?

Melde dich an, um Bilder anzusehen.

  • Kernel code creates process data structures such as EPROCESS, page tables etc...
  • The image loader initializes the procesess:
    • virtual address space
    • Provides functionality to load DLLs at runtime

The image loader is user mode code and part of the ntdll.dll, it is the first (user mode) code run when a process starts.

Once loading is done the image loader will transfer exectution to the main image/ the EXEs entry point (which is defined in the PE).

What are the 5 steps the image loader will do when a process starts?

  1. Load the main image/EXE
  2. Identify the DLLs used by the program (import address table, IAT), as well the DLLs used by those DLLs (IAT of DLLs)
  3. Load the DLLs into memory (check if desired imports exist, by looking at the export table)
  4. Link the code
  5. Optionally, if a DLL cannot be loaded at its preferred position, it needs to be relocated.

Where do we find information on memory maps, i.e., the information shown by tools like vmmap?

  • VAD tree (kernel)
  • Page tables (kernel)
  • PEB (user space)

What is the VAD Tree?

Melde dich an, um Bilder anzusehen.

The VAD tree is a kernel data structure:

  • Self balancing binary tree
  • lower addresses are to the left, high addresses are to the right.
  • The nodes in the tree describe memory allocations.

It is used by the Windows memory manager to keep track of memory allocation in virtual address space of processes.

Create entries in VAD tree with VirtualAlloc() / VirtualAllocEx()

VAD tree also keeps track of:

  • Mapped files
  • Attribues of memory regoins (r, w, x, etc..)

What is the PEB and what are the 5 most important fields?

Melde dich an, um Bilder anzusehen.

PEB is in user space, it hold infromation about a process. The information contianed in the PEB is needed by the:

  • image loader
  • heap manager
  • other Windows components that need ta access it from user mode.

The 5 most important fields are:

  1. PEB_LDR_DATA
  2. RTL_USER_PROCESS_PARAMETERS
  3. Process heap
  4. GDI shared hanle table
  5. RTL_CRITICAL_SECTION

PEB what information is contianed in the PEB_LDR_DATA structure?

PEB_LDR_DATA structure contains info on loaded DLLs and main executalbe

Window organizes the loaded DLL list in 3 ways. According to the order the DLLs:

  • were loaded by the windows loader
  • are found in the memory layout
  • were initialized

What tools can be used for the inspectiing a live system?

  • Process hacker
  • Windows Sysinternals
    • process explorer
    • vmmap
    • etc..

What are the 4 stages of a typicall malware lifecycle?

  • Infection: via exploit / social engineering -> results in dropper executing in memory
  • Persistence (optional but typical)
  • Launc and hide
    • Application of root-kit / hiding techniques
    • Installation of malicious functionality
  • Payload exection
    • Execution of malicous functionality
    • Data theft, data exifltration
    • DDOS
    • Initial pauload may load additional code

What are the high level options to execute (malicious) code?

  • As a process
  • As a DLL that is loaded into a process
  • Code that is directly injectied into a process
  • Kernel code

What is a Dropper?

Dropper: is a malware type where the inital malware executable contains the executable to be installed.

What is a Downloader? (malware)

Downloader is a malware type where the inital malware executable downloads the executable to be installed.

How can a malicious process be found?

  • Need to know legitimate processes (-> whitlisting approach)
  • Sometimes malware is using process names that are similar to legitimate ones
  • Inspect path of executable (from where is the process launched)

What is process unlinking and what type of access is needed?

Melde dich an, um Bilder anzusehen.

  • Requires kernel level access
  • Process are unlinked from the process list in order to hide a process
  • Often kalled DKOM = Direct Kernal Object Manipulation
  • Is rare in practice.

What is DLL injection and what are the 3 reasons it is done for?

DLL injection is done by loading a malicous DLL into a legitimate process.

Reasons DLL injection is done:

  1. Hide in victim process, and thus avoud detection
  2. Inherit privileges of victim process (eg. to bypase filtering on firewall)
  3. Manipulate victim process (eg. infiltrate browser to steal credentials)

What are the 7 steps of how DLL injection is done?

Melde dich an, um Bilder anzusehen.

  1. Process A enables debug prrivilege (SE_DEBUG_PRIVILEGE). 
  2. Process A opens a handle to Process B by calling OpenProcess.
  3. Process A allocates memory in Proces B using VirtualAllocEx.
  4. Process A transfers a string to process B containing the full path to the malicous DLL.
  5. Process A calls CreateRemoteThread to start a new thread in Process B that executes the LoadLibrary function.
  6. At this point the injection is complete and Process B has loaded the DLL. Process A calls VirtualFree to free the memory containing the DLLs path.
  7. Process A calls CloseHandle on Process Bs process to clean up.

Melde dich an, um Bilder anzusehen.

Explain what happens in this sample code (DLL injection)

...

What are the artefacts of DLL injection?

  • Look for loaded DLLs in processes.
  • LoadLibrary() function is a legit technique exposed by the image loader for loading DLLs, is not designed for stealth.
  • LoadLibrary() creates various artefacts:
    • Entries in the PEB
      • PEB containes 3 double linkded lists of the DLLs loaded in a process.
    • Entires in the VAD

How can you hide DLLs and how can it be detected?

Melde dich an, um Bilder anzusehen.

The PEB is stored in the user mode memory of each process. Therefor the PEB can be modified to perform a DLL unlinking.

Detection: The VAD runs in kernel mode and also containes a list off DLLs. So the VAD can be cross referenced with the PEB to see if an unlinking occoured.

Why is code injection done insted of DLL injection? (Idea)

Melde dich an, um Bilder anzusehen.

  • LoadLibrary() in DLL injection leaves traces.
  • Code injection avoides using LoadLibrary() by directly injecting the entire malware code from the launcher process into the victim process.

How is direct code injection done? (5 steps)

  1. Iterate over process list to select victiom process.
    • Some malware injects in all processes it gets access to other malware is more slective.
  2. Run OpenProcess() to get handle of victim porcess.
  3. Allocate memory in the victim useing VitualAllocEx(). Alocated memory needs to be writable + executable.
  4. Inject code using WriteProcessMemory()
  5. Use CreateReamoteThread() to start injected code in a seperate thread.

What steps need to be performed manualy when injecting code, that would be handeled by the LoadLibrary() in DLL injection. 

Since LoadLibrary() is not used the steps of the Windows loader need to be performed by the malware:

  • Map sections into memory
  • Loading of DLLs (DLLs used by the malicious code that arn't already loaded)
  • Fill IAT
  • Apply relocations

(Relocations con be avouded if so called "shell code" is injected; shell code is position independent code.

How can you detect code injection, what are the artefacts?

Direct code injections don't show up as process or DLLs.

They still leave following traces:

  • Memory allocated by VirtualAllocEx() will be tracked in the VAD tree.
  • Memory allocated by malware is mostly RWX, which is uncomon and suspicious.

How can malware as a process be detected and what tools can be used?

Detecting the process using:

  • pslist
  • pstree
  • psscan

If proces is trying to hide useing DKOM unlinking use:

  • psxview

Use dlllist to get full path of the process exe

Traces are left on disk and in autostart mechainsm

How can you detect malware as a DLL?

Melde dich an, um Bilder anzusehen.

Lernen