A Thorny Piece Of Malware (And Me): A Talk about Exception Handlers, VfTables, Multi-Threading and other Nastiness
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Alternative Title |
| |
| Title of Series | ||
| Number of Parts | 112 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/38948 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2156 / 112
3
6
8
9
13
14
15
16
17
22
23
24
25
29
32
33
36
37
39
42
45
47
49
53
60
61
64
65
66
71
76
79
80
82
89
103
106
108
00:00
MalwarePointer (computer programming)Visual systemException handlingData structureException handlingData structureSampling (statistics)Game controllerDataflowRevision controlFrame problemPointer (computer programming)Stack (abstract data type)Point (geometry)Interrupt <Informatik>Bookmark (World Wide Web)Computer fileMotion captureTouchscreenPolymorphism (materials science)BefehlsprozessorMalwareCache (computing)InformationBinary codeThread (computing)Context awarenessReverse engineeringChainCrash (computing)Mathematical analysisTerm (mathematics)CodeMessage passingMultiplication signElectronic mailing listBlock (periodic table)Default (computer science)DiagramRight angleImage registrationCASE <Informatik>Control flowSoftware industryCuboidFunctional (mathematics)Cartesian coordinate systemInformation securitySoftwareVisualization (computer graphics)AuthorizationRobotServer (computing)
08:07
Invertible matrixSpeicheradresseLevel (video gaming)Point (geometry)Exception handlingSystem callFunctional (mathematics)RobotNumbering schemeSequenceOpen setImage registrationRight anglePointer (computer programming)Stack (abstract data type)DampingPhysical systemGoodness of fitFrame problemCompilerTouchscreen
09:38
BitQuantum stateLevel (video gaming)Pointer (computer programming)DiagramException handlingSet (mathematics)Cartesian coordinate systemPoint (geometry)Source codeComputer animation
10:14
CodeInformationPredicate (grammar)CodeSampling (statistics)Exception handlingProgrammschleifePoint (geometry)Branch (computer science)Computer-assisted translationStatement (computer science)Binary fileOperator (mathematics)Computer fileSource code
11:15
MIDIStatement (computer science)Right angleSampling (statistics)Branch (computer science)Green's functionFlagRevision controlHydraulic jumpComputer animation
11:39
Branch (computer science)CuboidGreen's functionUniversal product codeAsynchronous Transfer ModeCode
11:55
Thread (computing)Real numberFunction (mathematics)System callBinary fileOverhead (computing)CodeAuthorizationSampling (statistics)Cartesian coordinate systemRun time (program lifecycle phase)Analytic setMultiplication signOverhead (computing)RobotSlide ruleVirtualizationSynchronizationRight angleMessage passingSheaf (mathematics)System callMultiplicationComplete metric spaceFunctional (mathematics)Event horizonData exchangeBinary fileInstance (computer science)Different (Kate Ryan album)Computer virusInformationInheritance (object-oriented programming)Group actionQuicksortLink (knot theory)TelecommunicationInterface (computing)Error messageFlow separationProcess (computing)Computer fileBitPhysical systemRevision controlThread (computing)Table (information)MetreDemosceneTraffic reportingDrag (physics)Vector spaceDiagram
15:18
Inheritance (object-oriented programming)System callOverhead (computing)CodeBinary fileMIDIRead-only memorySocial classMemory managementFunctional (mathematics)Special functionsCodeCuboidVirtualizationObject (grammar)Table (information)Inheritance (object-oriented programming)Group actionPoint (geometry)Constructor (object-oriented programming)Goodness of fitBitSystem callSemiconductor memory2 (number)Pointer (computer programming)RobotStatement (computer science)SpacetimeWindows RegistryComputer fileOpen setSampling (statistics)QuicksortImplementationComputer animation
17:53
Constructor (object-oriented programming)Object (grammar)VirtualizationConstructor (object-oriented programming)Functional (mathematics)Inheritance (object-oriented programming)SpacetimeTable (information)System callRight angle2 (number)
18:17
RobotFunctional (mathematics)System callGroup actionComputer animation
18:32
System callFunctional (mathematics)Instance (computer science)Object (grammar)Presentation of a groupDeterminantVirtualizationTable (information)TheorySystem callComputer fileOffice suiteComputer animation
19:08
Link (knot theory)TwitterSampling (statistics)Link (knot theory)Presentation of a group
Transcript: English(auto-generated)
00:00
Hello, and welcome to my talk about the thorny piece of malware. My name is Marion, I'm a malware analyst. I'm going to spare you my second name now because people seem to have problems pronouncing it anyway. And I work for the Austrian software company, Eckel Security Software. My talk is going to be about one specifically thorny piece
00:22
of malware I analyzed in and out. And I'm going to start off with some fancy fun facts about that sample. And the rest of the talk is all going to be about analyzing issues I had when looking into that. I'm going to bring two anti-analysis techniques I encountered in the sample and two more analysts' headaches that still provide problems for reverse engineers.
00:43
First one of that is exception handling that can obfuscate the execution path. Second one is chunk of code I encountered in there. That was pretty nasty at first glance but then easy to pass by after all. I'm going to talk about binary analysis of C++ and
01:01
executables and about multi-threaded applications for reverse engineering. All right, let's start over. Now, all together this is my favorite piece of malware. Now, why would it be my favorite piece of malware? Well, I reversed it in and out from top to bottom and I really had a lot of fun. It is a challenging piece of malware but not impossible to pass by even for beginners. It's not packed or encrypted
01:26
but still provides a lot of interesting topics to research. But what does it do after all? Well, all together I summarized it here. It's an Asian multi-threaded non-polymorphic file infecting spy bot. Now, what does it do? Like what spy bots do, it can produce
01:44
screen shots, it can produce screen captures and send them to the CNC server. It can delete files. It can copy files. It can execute files. Most of all, it can update itself so it can download a new version of itself and execute this one. So basically it can do anything the malware controller wants to. Anyway, what were the interesting
02:07
facts about it? This sample uses structured exception handling to obfuscate its execution path. That means by throwing deliberate exceptions, the malware author can pass execution control
02:21
from one place in the executable to another one, namely the exception handler and the interesting thing about exception handlers is in an exception handler, you can define a new entry point that's going to be executed after the exception handler. Now, how does this work? Well, the most accurate documentation I could find still was written in 1997 by a guy called Matt Pietrek who is one of my big heroes now because he did a really nice
02:44
documentation on this issue. Namely, the crash course in terms of ‑‑ well, you can read it. Here comes the summary of this article. Actually, exception handling is implemented as a chain of exception handlers which is located on the stack and intertwined with
03:03
the function stack frames that are on there and it all starts at the thread information block because every thread has its own chain of exception handlers. Every version is zero which points to an exception registration structure which looks more or less like this.
03:23
In the simplest case, the structure contains a pointer to the handler which could eventually handle the thrown exception and a pointer which points to the previous registration block which looks like this and eventually in the end of the chain, there comes a default handler and, well, a minus one. All right. Now, this is based on the stack
03:43
intertwined with the function stack frames and there's a whole science about building the stack and unwinding the stack, but what's really interesting for a malware author is of course he can register his own exception handlers and deliberately throw exceptions and control ‑‑ like put pointer execution flow to some other piece in the code.
04:07
Now, this looks more or less like this. If you're inside of a binary and can spot something like F is zero and see the structure where a new reverse ‑‑ sorry, a new exception handler is linked into the list, that most likely has to do with exception handling.
04:25
Now, I told you there's a pointer in there pointing to the handler code which would be the first switch to some other point in the executable for execution and inside of this handler now, someone can change the ‑‑ the execution flow to a completely
04:42
different point inside of the executable. The magic thing about this is an exception is treated as a software interrupt which means every time an exception occurs, the whole context structure of the thread that's running is saved away and loaded back into the CPU when the exception handler is finished and the interesting thing there is that someone
05:01
can change this context structure and point an instruction pointer somewhere completely different. So, yeah, I know there's a lot of people in there getting excited when they hear they can point instruction pointers somewhere. All right. Now, until today, a lot of things have changed, especially concerning C++. And in visual C++ was still based on structured exception handling. I showed you before.
05:26
But the things have changed mainly is that now every function has its own exception handler and uses a func infrastructure which contains information about try blocks and catch blocks and I think I need to take a break.
05:43
We have a little tradition here at DEF CON. Let me tell you all about it. It involves
06:05
why are we making her drink? Do we have any first‑timers here in the audience? I
06:27
can't believe this is the only guy. That's amazing. Welcome to DEF CON. Where were you?
07:02
Wait. All right. All right. It's still based ‑‑ sorry. It's still based on the
07:24
function. So every function has its own dedicated exception handler which is compiled, generated and uses some structure called func infrastructure that contains a lot of information, namely information for unwinding funclets about try blocks and catch blocks and, well,
07:40
a lot of pointers to the exception handlers that eventually handle exceptions. Right. There's a built‑in function called CXX frame handler which this func infrastructure is handed over to and then performs, well, the magic around exception handling to execute exception handlers. Of course. And still as I mentioned, the important thing there,
08:02
the exception handler can define your entry point. Now I pointed to a really nice diagram that's to be seen here. Interesting, right? On open RC it is painted by Igor Skuchinsky. I did a lot of research on structured exception handling. And I provided some scratch book painting here. It's really not that pretty.
08:23
But let's look through that. There's a pointer to the exception handler on stack, right? That's the compiler generated exception handler. There's the CXX frame function where the func infrastructure ends up at. This pointer points to a try block map. The try block map points to a handler array. The handler array points to a handler offset which points
08:42
finally to a handler. You got that all, right? Well, I provided some pretty good screen shots here for my other probe. Let's get back to the bot. In practice this would look like this. For example, there's a registration sequence. I hope people can read this. Well,
09:00
there's the zero flying by and a new exception handler is registered at the beginning of a function. Sometime later there's an exception happening. If you can read that call this will almost never work, right? Because this memory address put to ECX there is somewhat likely not to be valid. So there's the exception and the register ‑‑ sorry, the
09:23
registered exception handler which causes the system to execute the compiler generated handler. There the func infrastructure is handed over to the CXX frame handler which then performs the magic. Let's look into this func infrastructure. In this func infrastructure there's the values that Igor thankfully pointed out in his diagram. So there's a try block
09:45
map and the handler array and finally the pointer to the handler that the user registered. So there's the user generated handler and in there you can find the offset to the new entry point. If you have a look at the user generated handler, it is really obvious
10:04
that this handler is just registered for obfuscation because there's nothing else happening there than the setting of this offset for the new entry point. All right. So much about exceptions. The second point, the chunk code in the file. There was really quite a lot of chunk
10:22
code defined in the sample which is pretty scary for a young analyst if you see a lot of source and a lot of shifting operations and a lot of loops that actually don't perform any really useful information in there. So I was kind of overwhelmed on this chunk
10:41
code until I found the principle of the chunk code in my sample. There's a whole lot of research about chunk code in binary files and the principle of this chunk code was pretty simple. It was a pack predicate. Now a pack predicate is something that just ‑‑ well, a branch statement that always returns true or always returns false. So it's
11:02
always going to be just execute one branch of the branches that there are and the other branches gets chunk code. So, well, in the sample analyst it looked somewhat like this. On the right side you see the screenshot. On the left side there's
11:20
the simplified version. If you think through that, the compare statement in the end is never going to produce any zero flags so the jump not zero is always going to take the green branch. Right. You think now this is simple? It's true. It was like this all throughout the sample. It was just as simple. So what did the analyst do? I just
11:41
put the ignore mode on and green branch for precedent. If you can see these graphics, I'm not sure how the ‑‑ all right. The yellow boxes are the productive code and the white boxes are just chunk code. So this was really pretty simple to get by. Analytics. I spent a lot of time in the sample and had a lot of headache, especially
12:01
because of the threats in there. People have seen the movie Drag Me to Hell and know what I've been through with that application. The author of the sample actually has all my respect because he produced this in C++. This is a simplified version of the threats that I found in there. There's actually a lot more, but it boils down basically to one
12:21
threat that manages the whole instance, namely the ‑‑ well, the ‑‑ the bot instances that could start up in the system because eventually there's more than one file infected that could start up. Second threat was the file infector, always infecting processes that would start up. A threat machinery that would handle the
12:46
sending side of the bot, which could send messages and data to the CNC. And one side was the receiving side of the bot. And of course the CNC command switching. Now how did I get to that information? That was pretty tricky and I spent a lot of
13:01
try and error time in there. But actually what I did was in four steps, I realized that I have to spot the really interesting threats because there was a lot of timing overhead and synchronization going on. After doing this, I had to spot the interface communication and the synchronization methods, which actually told me a lot about what threats
13:23
were about, were triggered by specific events. I will talk a little bit more about this pretty soon. In the first step, of course, I had to analyze somewhat the function bodies of the threats to really find out what they do, what information they generated and where this information would eventually flow to. Knowing all of this, in the first
13:43
step, I could bring down this big picture of where this information generated, which threat, sorry, accepts this information, processes it and eventually takes any action. All right. So if you go back to that diagram, I found four different methods of synchronization
14:00
in there, which were events for triggering the file infector and for managing the different instances that were started. Threat messages, which were mainly used at the receiving side of the bot. IO completion port, which was used to manage the, so yeah, the receiving side of the bot, the threat messages for the sending side of the bot and the critical
14:23
sections for data exchange between the threats. When I had that, I could paint the threats around the synchronization methods. All right. Now here comes the last nastiness for today, C++. There's actually a lot about reversing of C++. There's a whole science for people
14:43
who are interested in that. I collected a lot of links on that research on the last slide of this party. By the way, I actually want to talk about our virtual function calls. Virtual function calls are really interesting to reverse because they're indirect calls and they're only fully determinable at run time. They stem from the multiple
15:02
inheritance feature of C++. So one of these virtual function calls can actually call into several different methods at run time. They're translated using virtual function tables, which also have a lot in reversing these sorts of binaries. I provided an example here.
15:21
In this example, there's a virtual function table actually loaded into the register EX and at offset 4 of this virtual function table, there's a method that's going to be called with this call statement. There was really sort of a catch me if you can. Actually, I collected another sample from OpenRC and Igor Skokinski because he did a lot of research
15:45
on this as well. Here's one class A where there's two virtual functions defined in there. Underneath this class definition, you can see the memory layout of class A where there's a virtual function pointer actually pointing to the virtual function table of
16:03
class A. Now, a virtual function table is something that just class have that have virtual functions defined in there. All right. And here's the second class B, which also has a really similar layout with two virtual functions defined in there. Another interesting thing is class C because class C inherits probably class A and class B and
16:24
implements one virtual function each. Now, the memory there of class C is somewhat bigger because as it inherits other classes, it has to include their class layout and also the virtual function pointers in there to the virtual function tables. Just that
16:41
these virtual function tables are now adapted to fit the needs of class C and point to the actual function offsets of the functions that class C implemented. All right. This is really dry to look at code. Now, back to business. Here's the CNC command switching function, which is a really good example for virtual function
17:00
calls. Under you see a lot of yellow boxes. This is all memory allocation for objects that are going to be instantiated in the green boxes. And then you see this one pink box, which is the virtual function call, which was actually used to call into the bot functions. The bot functions are implemented as derived classes from one
17:22
bot action super class. And all had one function overloaded, sorry, implemented that was the bot action. Now, probably another example with the move file object. Here in yellow you see the object instantiation, sorry, the memory allocation where there's
17:43
space reserved for the object that's going to be instantiated a little bit later in the green box. And what you see there is a call to a constructor. Now, this constructor actually has a call into the super class constructor as it works with derived objects. And there you see the first VF table flying by. I will talk about
18:04
this in a second. As I mentioned, this constructor has a call into the base class constructor. And there's another virtual function table where there's space reserved for two virtual functions. Now, another pro if you check the cross references of this base class constructor, there are 23 cross references. And now
18:22
guess surprise, there's like 23 bot actions that can be taken by the bot. All right. So the final step is the instance, sorry, the call into the function meet up of the move file object. And what you see there is that the function table of the move
18:41
file object is loaded into the register. And the function offset 4 is called. Now, if you have a look at the virtual function table of the move file object, the offset 4 there is the move file function. So theory approved. Using these virtual function tables, you can not easily but pretty fast determine which functions are going
19:02
to be called at these virtual function calls. All right. This was my presentation. Here are the promised to yourself links. The sample is to be found online under the first link. And, well, if there's any questions, you can contact me on Twitter or I'm going to be out in the hallway to answer your
19:23
questions or receive critics or anything you want to tell me now. Thank you.