Bangeter 01-basic_malware_techniques_4.2.pdf

Malware analysis Bangeter 01-basic_malware_techniques_4.2.pdf

File details

Flashcards 45
Language English
Category Computer science
Level Other
Created / Updated 18.06.2019 / 29.06.2021
Web link
https://card2brain.ch/box/20190618_bangeter_malware_analysis

How can you detect direct code injection?

Use the following Volatility plugins:

  • malfind: finds memory regions that are likely to hold injected code (e.g. executable, private, unbacked RWX regions)
  • ldrmodules: cross-references the loader's DLL lists in the PEB with the VAD tree to find unlinked or hidden modules
  • apihooks: finds inline, IAT and EAT hooks, typically pointing into such injected regions

What is the underlying idea of hooking?

The underlying idea of hooking is to insert code into the execution path of a legitimate program and to divert the execution to some malicious code.

* Hooking and code injection are often related: the malicious code to which the hooks point is often injected into the victim process.

Explain how inline hooking works and how it can be detected?

Inline hooking:

  1. Overwrite a part of the original code in the instruction stream (typically the first bytes of a function) with a jump to your code.
  2. Execute the detour code. Afterwards, execute the instructions that were overwritten by the initial jump (otherwise the program crashes), then jump back to the original position in the instruction stream of the original code.

Detection heuristic:

  1. Locate functions in DLLs.
  2. Analyze the function code to check whether there are non-legitimate execution transfers (JMP, CALL, PUSH/RET, etc.) to addresses outside the function or its module.

* It is not always easy to tell legitimate from non-legitimate execution transfers; execution transfers can be obfuscated and are then difficult to detect.
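As an added example (my own code, not from the slide deck), here is the detection step as a small scanner that decodes the control transfers a hook installer commonly writes and reports those whose target lies outside the module owning the function. It assumes 32-bit x86 encodings; the module addresses, function address, prologue bytes and hook target are constructed sample data, not real kernel32 values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Finding:
    function: str
    offset: int                 # byte offset of the transfer inside the function
    kind: str                   # jmp / call / push-ret / mov-jmp
    target: int                 # where control goes
    lands_in: Optional[str]     # module owning the target; None = no loaded module


def decode_transfer(code: bytes, va: int, offset: int) -> Optional[Tuple[str, int]]:
    """Decode the transfers hook installers commonly write (32-bit x86 only).
    Returns (kind, absolute target) or None. `va` is the address of code[0]."""
    b = code[offset:]
    if len(b) >= 5 and b[0] in (0xE9, 0xE8):                   # JMP rel32 / CALL rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        kind = "jmp" if b[0] == 0xE9 else "call"
        return kind, (va + offset + 5 + rel) & 0xFFFFFFFF
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:           # PUSH imm32 ; RET
        return "push-ret", struct.unpack_from("<I", b, 1)[0]
    if len(b) >= 7 and b[0] == 0xB8 and b[5:7] == b"\xff\xe0":  # MOV EAX, imm32 ; JMP EAX
        return "mov-jmp", struct.unpack_from("<I", b, 1)[0]
    # FF 25 disp32 (JMP [addr]) needs a memory read to resolve; not handled here.
    return None


def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if m.contains(addr)), None)


def scan_function(name: str, code: bytes, va: int, owner: Module,
                  modules: List[Module], window: int = 16) -> List[Finding]:
    """Heuristic from the card: report transfers in the first `window` bytes whose
    target lies outside the module that owns the function. Transfers inside the
    same module (ordinary calls to neighbouring functions) are accepted.
    Scanning every byte offset instead of disassembling can misread immediates
    as opcodes; the owner check filters most of those accidental matches."""
    findings = []
    for off in range(min(len(code), window)):
        hit = decode_transfer(code, va, off)
        if hit is None:
            continue
        kind, target = hit
        if owner.contains(target):
            continue
        dest = owner_of(target, modules)
        findings.append(Finding(name, off, kind, target, dest.name if dest else None))
    return findings


# --- constructed sample data (not real kernel32 bytes or addresses) ----------
KERNEL32 = Module("kernel32.dll", 0x7C800000, 0x000F6000)
MODULES = [KERNEL32, Module("ntdll.dll", 0x7C900000, 0x000B2000)]
FUNC_VA = 0x7C801D7B            # pretend address of kernel32!ReadFile
HOOK_TARGET = 0x00410000        # unbacked RWX region of the kind malfind reports

# typical hot-patchable prologue: mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,0Ch
CLEAN = bytes.fromhex("8bff558bec83ec0c")
# same prologue followed by a legitimate CALL 0x100 bytes further into kernel32
INTRA = bytes.fromhex("8bff558bec") + b"\xe8" + struct.pack("<i", (FUNC_VA + 0x100) - (FUNC_VA + 5 + 5))
# inline hook: the first five bytes replaced by JMP rel32 into the injected region
HOOKED = b"\xe9" + struct.pack("<i", HOOK_TARGET - (FUNC_VA + 5)) + bytes.fromhex("83ec0c")

if __name__ == "__main__":
    for label, code in (("clean", CLEAN), ("intra-module call", INTRA), ("hooked", HOOKED)):
        hits = scan_function("ReadFile", code, FUNC_VA, KERNEL32, MODULES)
        print(label, "->", [(h.offset, h.kind, hex(h.target), h.lands_in) for h in hits])
```

Only the hooked prologue is reported: the JMP at offset 0 lands at 0x00410000, which no loaded module owns, exactly the cross-check with malfind output that apihooks performs. The intra-module CALL is not reported, which is the kind of judgement the caveat above is about: a transfer into another legitimate module (a real forwarder or a hot-patch) would still be flagged by this simple version.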

Describe how IAT hooking is done and how it can be detected?

The IAT (Import Address Table) is, loosely speaking, a table of pointers that links the import calls of a module to the functions it imports:

  • one IAT block per imported DLL, with one entry per imported function
  • the IAT is filled in by the loader at load time with the addresses of the exported functions

Idea of IAT hooking: modify selected function pointers so that they point to your malicious code instead.

Detection heuristic:

  1. Iterate through the IAT / EAT entries of the DLLs of the process being analyzed.
  2. If an entry points outside the module that should own the function, a hook is detected: an IAT entry should point into the DLL that exports the imported function (taking export forwarders into account), and an EAT entry should point into the exporting DLL itself.
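As an added example (my own code, not from the slide deck), the detection heuristic over a constructed process memory map: each IAT slot is compared against the address range of the DLL that should implement the import, and each EAT entry against its own DLL. The module names, base addresses, sizes and pointer values are made up; the one real detail is that kernel32!HeapAlloc is an export forwarder to ntdll!RtlAllocateHeap, which the check would otherwise report as a hook.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    importer: str   # module whose IAT holds this slot
    dll: str        # DLL named in the import descriptor
    func: str       # imported function name
    ptr: int        # pointer currently stored in the slot


@dataclass(frozen=True)
class Finding:
    entry: IatEntry
    expected: Optional[str]     # module that should own the pointer
    actual: Optional[str]       # module that does; None = no loaded module


# Constructed memory map (not real addresses). hook.dll is an injected DLL;
# the region around 0x00B30000 is not backed by any module at all.
MODULES = [
    Module("malware.exe",  0x00400000, 0x00010000),
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
    Module("ntdll.dll",    0x7C900000, 0x000B2000),
    Module("user32.dll",   0x7E410000, 0x00091000),
    Module("hook.dll",     0x10000000, 0x00020000),
]

# (exporting dll, function) -> (module that really implements it, name),
# as resolved from the export directories. HeapAlloc is a real forwarder.
FORWARDERS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("kernel32.dll", "HeapAlloc"): ("ntdll.dll", "RtlAllocateHeap"),
}

ENTRIES = [
    IatEntry("malware.exe", "kernel32.dll", "CreateFileW", 0x7C801A28),  # fine
    IatEntry("malware.exe", "kernel32.dll", "HeapAlloc",   0x7C9105D4),  # forwarder, fine
    IatEntry("malware.exe", "kernel32.dll", "WriteFile",   0x10001000),  # hooked, into hook.dll
    IatEntry("malware.exe", "user32.dll",   "MessageBoxW", 0x00B30120),  # hooked, unbacked memory
]


def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if m.contains(addr)), None)


def expected_module(entry: IatEntry, modules: List[Module],
                    forwarders: Dict[Tuple[str, str], Tuple[str, str]]) -> Optional[Module]:
    """The DLL named in the import descriptor, unless that export is forwarded."""
    dll = entry.dll.lower()
    fwd = forwarders.get((dll, entry.func))
    if fwd is not None:
        dll = fwd[0].lower()
    return next((m for m in modules if m.name.lower() == dll), None)


def check_iat(entries: List[IatEntry], modules: List[Module],
              forwarders: Optional[Dict[Tuple[str, str], Tuple[str, str]]] = None) -> List[Finding]:
    """Report IAT slots whose pointer is outside the module that should own it."""
    forwarders = forwarders or {}
    findings = []
    for e in entries:
        exp = expected_module(e, modules, forwarders)
        if exp is not None and exp.contains(e.ptr):
            continue
        act = owner_of(e.ptr, modules)
        findings.append(Finding(e, exp.name if exp else None, act.name if act else None))
    return findings


def check_eat(dll: Module, exports: Dict[str, int]) -> List[str]:
    """EAT variant: a resolved export address must lie inside the exporting DLL.
    Forwarded exports are strings in the PE, not addresses, so they never get here."""
    return sorted(name for name, addr in exports.items() if not dll.contains(addr))


if __name__ == "__main__":
    for f in check_iat(ENTRIES, MODULES, FORWARDERS):
        print(f"{f.entry.importer}: {f.entry.dll}!{f.entry.func} -> {f.entry.ptr:#010x} "
              f"expected {f.expected}, found {f.actual or 'no loaded module'}")
```

Run without the forwarder table and HeapAlloc is reported as well: the pointer legitimately lands in ntdll.dll, not in the kernel32.dll named in the import descriptor. That is the false-positive class the limitations card refers to, and why the heuristic has to resolve forwarders before comparing ranges.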

What are the limitations of the inline and IAT hooking detection discussed so far?

  • There are legitimate applications of hooking (and legitimate cross-module transfers such as export forwarders), so the heuristics sometimes produce false positives.
  • When hooks are placed "in the middle" of a function rather than at its entry, they are missed by the heuristics, resulting in false negatives.