In In a unbeli eliable e way, most th thes ese e dropped malware e sample les (tr (trojans) als lso con ontin inue e hoo ookin ing (SetWindowsHookEx( ) ) with ith WH_KEYBOARD filt filter or or WH_MOUSE, for or example) e) GUI I applic lications for or rec ecordin ing any sin ingle gle user er in inter eraction (WM_KEYUP, , WM_KEYDOWN messages and so o on on). ). Two known cla class of of hoo ooks are used ed are e even ent t hook ooks and mes essage hoo ooks. . ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Mes essage hoo ooks: in inter ercept t (m (monit itors/logs/passes/blocks) any win indow mes essage before it it rea eachin ing th the e win indows procedure. . It It is is als lso used to o in inject a DL DLL in into o anot other GUI I process. Even ent t hook ooks (SetWin inEventHook( )) ) ar are als also o in inter eres estin ing bec ecau ause th they y mak ake pos ossible an applic licati tion to o rec eceive notif otification when enever an even ent t occ occurs. . Rem emember th that t on one e of of th the e SetW tWin indowsHookEx( ) ) parameters is is a handle le to o DLL DLL th that t con ontains a handle le to o th the e DL DLL th that t hold old th the e hoo ook procedure. . 10 NO HAT 2019 (BERGAMO / ITALY)
Attackers are carel eless bec ecause th they eith either hoo ook all ll th threads (th (thread ID ID == == 0) ) with ithin the th e des esktop ob object or or in inter ercep ept all all even ents ts (EVENT_MIN/EVENT_MAX). To o analy lyze tr troja jans hoo ookin ing GUI I applic lications, probably ly Vol olatili lity is is th the best t shot ot. Non oneth thess, few advanced malw lware can make ou our liv lives es a bit it harder while ile tri tring g to o acq cquire memory. . ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER The e mem emory acq cquisition too ools ls usuall lly use e APIs Is such ch as MmMapMemoryDumpMdl( ), ), MmMapIoSpace( ), ), MmMapLockedPagesSpecify ifyCache( e( ) ) and ZwMapViewOfSection( ) ) for or mappin ing physical to o virt virtual l mem emory. Of course, malware’s authors have tried hoo ookin ing th these fu funct ctions to o hin inder th the mem emory acq cquis isit ition by usin ing kern ernel l driv rivers (r (rootkits). Additi itionally ly, th this is driv river cou ould ld be e hid idden en by manip ipulating th the e PsLoadedModule leList tructure. global glob l struc PsLo Loaded edModuleLis ist hold olds an array of of poin ointers to o loa loaded kern ernel l mod odules , , which ich e -show 109 are protected by KP KPP (K (Kernel l Patch ch Guard): kd> > !a !analy lyze 11 NO HAT 2019 (BERGAMO / ITALY)
kd> > !lis !list t "-t t nt!_ t!_EPROCESS.Acti tiveP eProcessLinks.Flin ink -e e -x x \"d "dt t nt!_ t!_EPROCESS Im ImageFile leName\"( "(poi( i(nt!PsActiv iveProcessHea ead) ) - @@c++ ++(#FIELD_OFFSET(nt!_EPROCESS,ActiveProcessLinks)))" Usin ing g Vol olatili lity (v (vols lshell) l), you ou can fin find th that PsActiveProcessHea ead field field comes es fr from ALEXANDRE BORGES – MALWARE AND SECURITY RESEACHER. th the e _K _KDDEBUGGER_DATA64 stru tructure e (shown in in th the e next slid lide) e)). On Win indows, th the e KP KPCR stru tructure (dt t _KP KPCR) ) is is used ed to o fin find th the e KdVersionBlock field field. . From th this is field field, we e rea each th the e _D _DBGKD_GET_VERSION64 stru tructure th that t con ontains a lin linked lis list t of of _K _KDDEBUGGER_DATA64 stru trutu tures (w (we can use th the GetD tDebuggerData( ) ) fu funct ction to o get t th this is stru tructure). Thus, w we e are able le to o fin find th the e ker ernel l deb ebugger bloc lock (r (rep epresented by KdDebuggerDataBlock), whic ich its its ty type is is _KDDEBUGGER_DATA64. Fin inally ly, at t _K _KDDEBUGGER_DATA64 s stru tructure e (b (by th the e way, th that t is is en encry rypted ed on on mem emory) you ou are e able le to o fin find th the e PsAct ctiveP eProcessHead field field and ou our target field field PsLo Loaded edModuleLis ist , , whic ich are glob global l variables es. 12 NO HAT 2019 (BERGAMO / ITALY)
from wdbgexts.h header. Receives a value ALEXANDRE BORGES – MALWARE AND SECURITY RESEACHER. from the kernel variable PsLoaded ModuleList. _KDDEBUGGER_DATA64 struct (on volshell plugin, use dt(“ _ KDDEBUGGER_DATA64”) ), which can be found by using GetDebuggerData( ) function. 13 NO HAT 2019 (BERGAMO / ITALY)
0: kd> dt _KLDR_DATA_TABLE_ENTRY uxtheme!_KLDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY +0x010 ExceptionTable : Ptr64 Void 0: kd> dt _DRIVER_OBJECT +0x018 ExceptionTableSize : Uint4B ntdll!_DRIVER_OBJECT +0x020 GpValue : Ptr64 Void +0x000 Type : Int2B +0x028 NonPagedDebugInfo : Ptr64 +0x002 Size : Int2B ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER _NON_PAGED_DEBUG_INFO +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT +0x030 DllBase : Ptr64 Void +0x010 Flags : Uint4B +0x038 EntryPoint : Ptr64 Void +0x018 DriverStart : Ptr64 Void +0x040 SizeOfImage : Uint4B +0x020 DriverSize : Uint4B +0x048 FullDllName : _UNICODE_STRING +0x028 DriverSection : Ptr64 Void +0x058 BaseDllName : _UNICODE_STRING +0x030 DriverExtension : Ptr64 +0x068 Flags : Uint4B _DRIVER_EXTENSION +0x06c LoadCount : Uint2B +0x038 DriverName : _UNICODE_STRING +0x06e u1 : +0x048 HardwareDatabase : Ptr64 _KLDR_DATA_TABLE_ENTRY::<unnamed-type-u1> _UNICODE_STRING +0x070 SectionPointer : Ptr64 Void +0x050 FastIoDispatch : Ptr64 +0x078 CheckSum : Uint4B _FAST_IO_DISPATCH +0x07c CoverageSectionSize : Uint4B +0x058 DriverInit : Ptr64 long +0x080 CoverageSection : Ptr64 Void +0x060 DriverStartIo : Ptr64 void +0x088 LoadedImports : Ptr64 Void +0x068 DriverUnload : Ptr64 void +0x090 Spare : Ptr64 Void +0x070 MajorFunction : [28] Ptr64 long +0x098 SizeOfImageNotRounded : Uint4B +0x09c TimeDateStamp : Uint4B 14 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 15 ALEXANDRE BORGES – IT IS NOT ALLOWED TO COPY OR REPRODUCE THIS SLIDE.
Basically, the order to load a driver is NtLoadDriver( ) IopLoadDriverImage( ) IopLoadDriver( ) MmLoadSystemImageEx( ): The MmLoadSystemImageEx( ) creates a driver section referenced by DriverSection field from _DRIVER_OBJECT structure, which points to a _KLDR_DATA_TABLE_ENTRY entry. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Thus, after the driver section is created, so an entry in created and inserted into the doubly linked list (entries are of type _KLDR_DATA_TABLE_ENTRY), which is also pointed by the PsLoadedModuleList. PsLoadedModuleList is a global variable declared as PLIST_ENTRY, which points to a LIST_ENTRY structure represented the _LIST_ENTRY type In this case, Flink pointer takes us to the entries of type KLDR_DATA_TABLE_ENTRY struct. As we mentioned, PsLoadedModuleList is protected by KPP, but malware can use another path to remove an entry: MiProcessLoaderEntry( ). Microsoft recently fixed this “trick” on Windows 10... apparently... 16 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) ANTI-REVERSIN ING 17 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
Worse, th there e are oth other many anti ti-forensic ic tech echniq iques used ed by advanced ed malware threa th eats. Obfu fuscation aim ims to o protect soft oftware of of bein ing g reversed, in intelle llectual property and, , in in oo. ou our case, malic icious cod ode too ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Usuall lly, ID IDA Pro SD SDK can help elp us bec ecause we e can extend ID IDA Pro fu functi tionalit itie ies by wri ritin ing plu lugin gins, whic ich is is appropria iate to: o: unpacking cod ode de de-obfuscate code ode gath ther IO IOCs. Mod odern pack ckers / / protectors: Vmprotec ect (v (ver ersion 3.4 .40 als lso o protec ects .N .NET ) Them emida Arxan Agile gile .NE .NET Mos ost t protec ectors have e used ed with ith 64 64-bit it cod ode (a (and malware). ). 18 NO HAT 2019 (BERGAMO / ITALY)
Do Download th the e ID IDA SDK fr from http tps://www.hex- rays.com/products ts/id ida/support/download.shtml (lik (likel ely, you ou will ill nee eed a professional acc ccount). Co Copy it it to o a fold older (id idasdk695/) with ithin in th the ID IDA Pro in installa lation dir irectory. Cr e Ne New Cr ject Vis Crea eate a project in in Vis isual l Stu tudio 2017 (Fil ile Create e Proje isual C+ C++ Win Desktop Dy indows De Dynamic-Link Lib Library (DL (DLL)). ). ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Ch Change e few proje ject properti ties as shown in in th this is slid lide e and next on ones es. 19 NO HAT 2019 (BERGAMO / ITALY)
In Incl clude th the e “__NT__;__IDP__” in in Processor De Defin init itions and ch change Runti time e Lib Library to o “Multi - threaded” (MT) (t (take care: it it is is NOT /M /MTd). ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 20 NO HAT 2019 (BERGAMO / ITALY)
Add id ida.l .lib (fr from C: C:\Program Files iles (x86 (x86)\IDA 6.9 .95\idasdk695\li lib\x86_win_vc_32) ) to o Additi itional De Dependencie ies and its its fold older to o Addit itional l Lib Library Di Directories. . Add “/EXPORT:PLUGIN” to o Addit itional l Optio tions. . ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 21 NO HAT 2019 (BERGAMO / ITALY)
Don’t forget necessary headers. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Ini nitia ializ izatio ion fun functio ion. Mak Make the the pl plugi gin avail ilable le to o thi this idb db and and kee eep the the pl plugi gin load oaded in n me memory ory. Cl Clean-up task asks. Fun Functio ion to o be be call alled wh when user user act activ ivates the the pl plug ugin in. egex. Sim Simple le (a (and nd inc ncomple lete) ) URL URL reg 22 NO HAT 2019 (BERGAMO / ITALY)
It t gets ts the the nu number of of strings from “Strings view” It t gets ts strin trings. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER The Th e cor ore log ogic is on only ly it. t. It t che hecks whether the whe the strin tring g ma matches to o the the URL URL reg egex. o.ea. If f che hecks, so o ea ea == == strin trinfo. Pl Plug ugin wi will be be act activated by y ALT-C. com ombin inatio ion AL Plug ugin in stru tructure. 23 NO HAT 2019 (BERGAMO / ITALY)
ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER URLs RLs fou ound wi within th this driver. mali malicio ious dri AL ALT T + + C 24 NO HAT 2019 (BERGAMO / ITALY)
roo oot@ t@kali:/malwoverv rview# pyt ython malw alwoverv rview.py -r r d.r d.re71.cn -b b 1 1 | | mor ore ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 25 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 26 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
Mod odern ob obfu fuscators / / protectors has sever eral fea eatu tures: They protect and ch chec eck th the e memory in integ egrit ity. Thus, , it it is is not ot pos ossib ible e to o dump a cle clean executable fr from th the memory because orig original in instructions are not ot dec ecod oded in in th the e mem emory. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Alm lmost all ll of of th them em provide stri tring en encry ryption. . IA IAT fr from pack ckers lik like Themida keeps on only ly on one fu function (Tls lsSetValu lue( )). ). In Instructions are e virt virtualized and tu turned in into o vir virtual machin ine in instr tructions (R (RIS ISC in instr tructions). ). Obfu fuscation is is stack based ed, so o it it is is hard to o handle le vir virtualized ed cod ode e static tically. In Instructions are e en encry crypted on on mem emory as addit itional memory la layer. .NE .NET protectors ren ename clas classes, meth thods, field fields an and external l references es. . Vir irtualized ed cod ode is is poly olymorphic, so o th ther ere are many rep epresen entations referrin ing th the e same CP CPU in instr tructi tion. 27 NO HAT 2019 (BERGAMO / ITALY)
Ther ere are als lso fake e push in instructions. Ther ere are many dea ead and usele eless cod odes es. . Ther ere is is som ome cod ode reordering usin ing g unconditional jumps. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER All ll ob obfu fuscators use e cod ode fla flatten enin ing. Pack ckers have few anti ti-debugger and anti ti-vm tric tricks. It It is is not ot so o ea easy to o id iden entify tify whether th the e program is is virt virtualized or or not. ot. Prologues and epilo ilogues fr from each ch fu funct ction cou ould be not ot vir irtualized. Take care. Ha Have you ou tri tried ed to o op open en an advanced pack cker in in ID IDA Pro? Fir irst sigh ight: on only ly red ed on-functions and data). and gr grey bloc locks (n (non And many oth other tric tricks... 28 NO HAT 2019 (BERGAMO / ITALY)
A RVA RVA A + + pr proc ocess base base add address an and oth other task asks. Op Opcodes fr from om a a cus ustom In Instr tructio ion ins nstruction set. t. Init Initialization Instr Ins tructio ion Fetch ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER de decoder Dec Decode DISPATCHER DISP Ins nstructio ions ar are stor ored in n an an encry en rypted form ormat. B C D E F A G H I 2 A, B, C, C, ... ar are han handle lers suc uch as as han handle ler_add, han handle ler_s _sub, 3 handle han ler_push... 29 NO HAT 2019 (BERGAMO / ITALY)
de decrypted vm vm_add vm vm_sub vm vm_xor vm vm_push vm vm_pop ... ... vm_n vm ins instructions en encrypted encr_1 en encr_2 en en encr_3 en encr_5 en encr_4 ... ... encr_n en ins instructions ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 1 2 3 4 5 n-1 n ind indexes rec ecovering an and de decry rypting fu funcions op opcode 1 ha handler 1 fun function poi pointer 1 op opcode 2 ha handler 2 fun function poi pointer 2 opcode 3 op handler 3 ha fun function poi pointer 3 op opcode 4 handler 4 ha fun function poi pointer 4 op opcode 5 handler 5 ha fun function poi pointer 5 opcode 6 op handler 6 ha function poi fun pointer 6 opcode 7 op ha handler 7 fun function poi pointer 7 fu functio ion po poin inter table le (likely en (lik encry rypted) 30 NO HAT 2019 (BERGAMO / ITALY)
#i #inclu lude <s <stdio.h> Loa Loadin ing lib ibs in int t main ain (v (void) ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER aborges abo s = = 0 { in int t ab aborges = = 0; 0; while ile (ab (aborges < 30 30) aborges abo s < < 30 30 { printf(“%d \ n”, aborges); pri printf( ) aborges++ ab ++; abo aborges++ } retu turn 0 return 0; 0; } 31 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) Or Orig iginal Program 32 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
Dis Disavantages: Los Loss of of per erformance Easy to o id identi tify fy th the CF CFG fla flattening ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER loa oading lib ibs cc cc = = 1 cc != cc != 0 cc = 3 swit itch(cc) prin pr intf cc = 1 cc = 2 abo aborges s = = 0 abor aborges < < 30 aborges++ abo cc = cc = 0 cc = cc = 2 2 cc cc = = 3 cc = cc = 2 br break br break break br 33 NO HAT 2019 (BERGAMO / ITALY)
The e ob obfu fuscator-ll llvm is is an exce cell llent project to o be e used ed for cod ode ob obsfu fuscation. To o in install ll it, it, it it is is rec ecommended to o add a swap file file fir first t (b (bec ecause th the e lin linkage stage): fallo llocate -l l 8GB B /swapfil ile ch chmod 600 /swapfil ile mkswap /swapfile le ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER swapon /swapfil ile swapon -- --show apt-get in install l llvm llvm-4.0 apt-get in install l gcc cc-multil ilib ib (in (install l gcc cc lib lib support to o 32 bit) it) git git clo clone e -b llvm llvm-4.0 http tps://gi github.com/obfuscator-llvm/obfuscator.g .git mkdir build ild ; ; cd cd build ild/ cm cmake -DCMAKE_BUILD_TYPE=Rele lease -DL DLLVM_INCLUDE_TESTS=OFF ../ ../obfuscator/ make e -j7 j7 Pos ossib ible e usages: ./ ./build ld/bin/cla lang g ale lexborges.c -o o ale lexborges -mll llvm -fla fla ./b ./build ld/bin/cla lang g ale lexborges.c -m32 -o o ale lexborges -mll llvm -fla fla ./b ./build ld/bin/cla lang g ale lexborges.c -o o ale lexborges -mll llvm -fla fla -mllv lvm -sub 34 NO HAT 2019 (BERGAMO / ITALY)
Prologue and ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER initial assignment Main dispatcher 35 NO HAT 2019 (BERGAMO / ITALY)
ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Main blocks from the program 36 NO HAT 2019 (BERGAMO / ITALY)
Simple op Si opaque predicate an and an anti ti-dis isassembly tec echniq ique .text xt:00401000 loc_401000: ; ; CODE XRE REF: _mai ain+Fp ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER .text xt:00401000 pus push eb ebp .text xt:00401001 mov v eb ebp, esp esp .text xt:00401003 xor or ea eax, ea eax .text: t:00401005 jz jz short sho rt ne near r ptr tr lo loc_40100D+1 .text xt:00401007 jnz jnz near ptr ne tr loc oc_40100D+4 .text xt:0040100D .text: t:0040100D loc loc_40100D: ; ; CODE XRE REF: .text: t:00401005j .text xt:0040100D ; ; .text xt:00401007j .text xt:0040100D jmp jm p ne near ptr tr 0D0A8837h 37 NO HAT 2019 (BERGAMO / ITALY)
00401040 call ll + $5 00401045 pop ecx 00401046 inc inc ecx ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 00401047 inc inc ecx 00401048 add ecx, x, 4 Call all stack man anip ipulation: 00401049 add ecx, x, 4 Do you know what’s 0040104A push ecx here? happening he hap 0040104B ret 0040104C su sub ecx, x, 6 0040104D dec ecx 0040104E dec ecx 0040104F jm jmp 0x4 x401320 38 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 39 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Double-click the result.... 40 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 41 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) 42 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
There is is not ot support for acq cquiring tem emperature e data in in vir virtu tual machin ines es. Ther erefore, , malware is is able le to o know wheth ther th they are ru running on on virt irtual ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER . machin ines es or or not ot. Ph Physical l Hos Host: Vi Virtual l Machin ine: C: C:\> > VM VM_Test2 t2.exe C: C:\> > VM VM_Test2 t2.exe St Status: OK OK Th Thus, , the pr program is s ru running This pr program IS IS RUN RUNNING in a a vir virtual l mach achine! in a a ph physical hos host! 43 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) .N .NET MALWARE 44 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
Mos ost t of of th the e tim time, .NE .NET malware dem emands same procedures while ile analy lyzing th them: unpacking / / decry ecrypti ting th the e em embedded res esources es. dumpin ing unpacked nativ tive cod ode fr from memory. fin findin ing th the bin inary ry dec ecry ryptin ing routi tine. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER dec ecompili ling it it usin ing g programs such ch as dnSpy, Ilsp Ilspy, .NE .NET refle lector, and so o on on. . som ometimes es, we e fin find en encry rypted stu tuff usin ing g known ob obsfu fuscators/p /packers such ch as as Do Dotf tfuscator, Agile gile, Eaxf xfuscator.NET, Skater and many oth others... Furt rther in inter eresting tool ools to o analy lyze and understand .NE .NET run runtime are e availa lable le: Mem emoScope.Net: http tps://gith thub.com/f /fremag/MemoScope.Net Shed ed -- -- a .N .NET run runti time in inspec ector: http tps://git ithub.com/enkomio/shed ed SuperDump, for or automated cr crash dump analy lysis: http tps:// //github.com/Dynatrace/superdump Du DumpMin iner: http tps://gith thub.com/d /dudikel eleti/DumpMin iner Mem emAnaly lyzer: http tps://gith thub.com/Alois is-xx/MemAnaly lyzer Sharpla lab: https://sharplab.io/ ObjectLayoutInspector to o analy lyze in inter ernal l stru tructu tures of of th the e CLR CLR ty types at t runti run time (http tps:// //github.com/SergeyTeplyakov/Obje jectLayoutInspector) 45 NO HAT 2019 (BERGAMO / ITALY)
Im Important t meth thods durin ring .N .NET th threat t analy lysis is: System.Reflection.A .Assembly.Load( ) System.Reflection.A .Assembly.LoadFile le() System.Reflection.MethodInfo.Invoke( ) ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER GetT ) GetM ) In tType ( ( ) tMethod( ) Invoke( ) ) (th this is is is a ty typic ical l Reflec flection approach) GetA tAssembly lyName( ) ) + + GetT tType( ) ) + + GetM tMethod( ) ) + + In Invoke( ) Fin indResource( ) ) + + Siz izeOfRes esource( ) ) + + Loa LoadRes esource( ) ) + + Lo LockResource( ) Res esources es.ResourceManager.GetObje ject( t( ) AssemblyLoader.A .Attach( ) ) + + AssemblyLoader.Resolv lveAssembly( ) ) (r (resolves external assemblie ies in in run runti time) GetE tExecutingAssembly ly( ) ) (u (usin ing g durin ring reflecti tion) Nati tive e fu funct ctions are usuall lly calle lled by usin ing g P/In /Invoke. 46 NO HAT 2019 (BERGAMO / ITALY)
Many .NE .NET malware samples es kee eep decry ecrypters, unpackers and and hoo ookin ing routi tines in in th the e .cc .cctor( ) ) cla class con onstructor. Oth ther meth thods such ch as .ct .ctor( ) ) and Fin inalize( ) ) are als lso used ed to o th the e same mali licious fu funct ctions. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Furthermore, I’ve have seen hijacking in key functions such as IC ICorJitCompile ler::compile leMethod( ) ) , , which ich belo elong to o JIT JIT is is res esponsible for cr creatin ing the th e nativ tive cod ode. Many malware e auth thors have e programmed dir irectl tly in in IL IL (In (Intermediate e La Language) and, in indeed, it it is is in interesting approach because: : IL IL is is stack based ed , so we don’t find any instruction related to register manipulation. Even entu tuall lly, malw lware e th threats have e attacked th the e .N .NET ET run runti time e to o subvert th the e JIT. system or or even en th the e JIT 47 NO HAT 2019 (BERGAMO / ITALY)
MANIFEST Native modules referred by the assembly. The module name is in the ModuleRef. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER External assemblies that referred by the assembly (AssemblyRef table). Assembly name Custom attribute used by the compiler (or tools) and defined in the CustomAttribute metadata table (0x0C). NO HAT 2019 (BERGAMO / ITALY) 48
constructors ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Managed resource Information about the code such as MVID (used in the Registry to point the native version of the code) and relevant flags such as WINDOWS_GUI and 32BITREQUIRED. 49 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 50 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
Listing domains of the CLR process. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER NO HAT 2019 (BERGAMO / ITALY) 51
COM Threading Model: STA: Single Thread Apartment Get a list of managed threads. Of MTA: Multi Thread Apartment course, we could used the -special option to get additional information. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Threat state: (0x0) Newly initialized thread. / (0x020) It can enter a Join / (0x200) background thread. 52 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 53 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER PreJIT: pre-compiled code JIT: compiled Code NONE: the code hasn’t been compiled by the JIT. 54 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 55 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) 56 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) 57 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) 58 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) ROOTKIT ITS 59 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
Roo ootkit its are e leth thal. l. It It makes pos possib ible to to loa oad an any malic licious s code fr from an anywere (e (even en encry rypted an and fr from om a a hid hidden sto torage) an and compromis ise the ker ernel by y dis disablin ing the code integrity mod odule (K (KCS), so so mak akin ing pos possib ible to to loa oad mali alicio ious ker ernel dr driv ivers (r (roo ootkits). . Rem . emember that an any malicious driver can “bypass” intermediate driver layers . IoCallDriver() Upper-level class ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Malicious driver Driv Driver de development is s filter driver us usually ly do done in pa pair ir, , Upper-level filter whe here the cl class s dr driv iver Kernel Filter Driver driver handle gen ha eneral tasks, , while ile the min iniport- Security Application Function Driver dr driv iver implement Filter driver 3 spe specific rou outines to to the IRP indiv ivid idual l de device. Lower-level class Security Application filter driver Filter driver 2 Us Usin ing the ri right I/O I/O Low-level device Security Application control cod ode filter driver Filter driver 1 (IOCT (I CTL_SCSI_PASS_TRH OU OUGH_DIRECT CT) , , the Bus Filter driver mali alicious dr driv iver is s ab able le Disk filter driver to “ bypass ” protections pr provide by y pr programs. s. Bus Driver Bus Filter Driver 60 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 61 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) 62 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Th Ther ere ar are tw two o handle han lers th that ar are lt. no not t de default 63 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 64 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) 65 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) 66 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
IR IRP_MJ_DIRECTORY_CONTROL req equest t is is rel elated to o Rea eadDirectoryChangesW( ) ) or or ZwQueryDirectoryFile( ). ). Thus, th the rootkit it cou ould ld be tr trying to o in intercept any attempt to o be e lis listed ed in insid ide an speci ecific dir irectory. Sop ophis istic icated malware e tr try to o cha change lo lower la layers at t devic vice stac ack. For example le, it it cou ould be more in interestin ing to o in infect ct th the SCS CSI min inip iport driv river in instead of of targeting File ile ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER System Dr Driver. Root ootkits in inter ercept rea ead/writ ite e req equests fr from hard dis isk by: manipulating th the e Majo jorFunction arr rray (IR (IRP_MJ_DEVICE_CONTROL and . IR IRP_INTERNAL_CONTROL) of of th the e DR DRIVER_OBJECT CT stru tructu ture. Du During g an in infec ection process, malw lware e th threads force th the e reb ebooting by callin lling ZwRaiseHardError( ) ) for loa loading th the e mali licious driv river. Root ootkits usually lly hoo ook or or im imple lement t a new version of of th the ZwCreate( ) ) fu function for or in inter ercepti ting g all ll op open en req eques ests sen ent t to o devic vices (s (same fu functi tions used ed by AV). 67 NO HAT 2019 (BERGAMO / ITALY)
Addit itionall lly, malw lware e th threads have: e: hoo ooked ed th the e Dr Driv iverUnload( ) ) rou outin ine to o prevent bein eing g unloa loaded. protected itse itself lf fr from bein eing removed by: : ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER mod odify fyin ing routi tines es such ch as IR IRP_MJ DE DEVICE_CONTROL. hoo ookin ing requests goin oing to o th the dis isk (IO IOCT CTL_ATA_* and IO IOCTL_SCSI_*). ). used ed IoR oReg egisterShutdownNotif ification( ) rou outin ine for reg egis isterin ing th the e driv river to o rec ecei eive an IR IRP_MJ_SHUTDOWN noti otific icati tion when en th the e system is is goin oing to o shutdown. This is way, it it is is able le to o restore th the malic icious driv river in in th the next boo oot just in in case e it it is is nece ecessary ry. Co Compromis isin ing IN INT 1 in inter errupti tion, whic ich is is res esponsible e for or han andli ling deb ebugging g even ents ts. Hid Hiding part rtit itions/fil ilesystems at t en end of of th the e dis isk. Addit itionally, en encry rypting th them em. 68 NO HAT 2019 (BERGAMO / ITALY)
Ker ernel l Ca Callb llback Funct ctions: in in few wor orlds, which ich are e mod odern hook ooks, ar are used ed by mon onitoring programs lik like anti ti-virus th that t ale lerts ts th the kern rnel l mod odules abou out a speci cific ic even ent t ocu ocurrence. Mos ost known callb llback meth thods are: ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER PsSetLoadImageNoti tify fyRouti tine: it it provides noti otific ication when en a process, lib library or kern or ernel l mem emory ry is is mapped in into o mem emory. IoR IoRegi gisterFsRegis istrationChange: it it provid ides notif otification when en a files filesystem bec ecomes es avail ilable. IoR IoRegi gisterShutdownNotif ification: th the e driv river han andle ler (IRP (IRP_MJ_SHUTDOWN) when en th the e system is is abou out t goin oing to o down. KeR eRegisterBugCheckCall llback: it it help elps th the e driv rivers to o help elp a noti otification (f (for cleaning task) before clea e a sustem cr crash. PsSetCreateThreadNotify fyRoutine: : in indic icates a routine th that t is is calle lled every ry tim time when en a th thread starts or or en ends. . 69 NO HAT 2019 (BERGAMO / ITALY)
PsS sSetCreateProcessNotify ifyRoutin ine: whe hen a a pr proc ocess star arts ts or or fi finis ishes, thi this call llback is s invoked (r (roo ootkit its an and AVs). ). Dbg bgSetD tDebugPri rintCall llback: it t is s use used for or capturin ing de debug mess essages. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER CmRegis isterCallb lback( ) / / CmRegis isterCallb lbackEx( ) ar are e call lled by driv drivers to o reg egis ister a Reg egis istry tryCallb lback rout outin ine, whi hich is s call lled every ery tim time a a thr thread perform pe rms an an ope operatio ion on on the the reg egis istry ry. Mal alware thr threats use use thi this call llback to o kee eep the the system pe persis istence: if f someone remove the Registry’s entry, so the entry is re -in inserted. 70 NO HAT 2019 (BERGAMO / ITALY)
https://github.com/swwwolf/wdbgark ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER NO HAT 2019 (BERGAMO / ITALY) 71
NO HAT 2019 (BERGAMO / ITALY) 72 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
NO HAT 2019 (BERGAMO / ITALY) 73 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
Every ery min inimum Troja jan uses es C2 C2 ch channel to o con ontrol l th the e target t an and exf xfil iltrate in information and daily ily attacks uses es Cob Cobal l Str trik ike, Sliv liver, Faction and so o on on. Ho However, malware’s authors need to write their own code or use Social Media (Twitter...) Co Common C2 C2 uses es ob obvi vious fu funct ctions: ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Win inInet: In Inter ernetOpen( ) ) + + In InternetConnect( ) ) / / In InternetOpenURL( ) URLM LMon: : URLDownloadToFile le( ) COM: : Co CoInitia ialize( e( ) ) + + CoC CoCreateInstance( ) Win inSock v2: : WSAStartup( ), ), sock ocket( ), ), bin ind( ), ), lis listen( ), ), acce ccept( ), ), con onnect( ), ), sen end( ( ), ), rec ecv( ), ), shutdown( ) Oth ther er C2 C2 samples es are still till based ed NDIS (Ne (Network Dr Driv iver In Interface e Speci ecification). Usin ing g NDIS makes pos ossible e to o make a furtive communication or even “hijacking” pack ckets in in a lo low le level. el. 74 NO HAT 2019 (BERGAMO / ITALY)
About NDIS, you ou shou ould ld remember few facts cts abou out it: it: Pack ived gen ts call llback Min ckets rec eceiv enerate in inter errupts iniportInterrupt( ) ) defin fined by usin ing g MIN INIPORT_ISR ty type (r (regis istered by calli lling Ndis isMReg egisterInterruptE tEx( ) ) ). ). ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Min inip iportInterrupt( ) ) makes es min inimum wor ork (s (sim imil ilar to o top op-half driv rivers in in Lin Linux) ) and hands over the “heavy” work (I/O (I/O processing, for example) to o th the e Min inip iportInterruptDPC( ). ). The e min inip iport driv river cou ould call ll th the e Ndis isMQueu eueDpcEx( ) ) or or Ndis isMQueueDpc( ) ) fu funct ctions to o req eques est addit itional deferred procedure calls lls (DP (DPCs) for oth other processors. De Dependin ing on on th the in interrupt generated by th the netw twork in interface, th the min iniport driv river cou ould ld dis isable new in inter errupts ts fr from th the e netw twork in inter erface e until til all ll pen endin ing DP DPCs are processed ed. . Fin inally ly, th the min inip iport driv river can call ll th the Ndis isMDeregis isterInterruptEx( ) ) to o rel elea ease e res esources. 75 NO HAT 2019 (BERGAMO / ITALY)
Thus, th the id idea is is to o tr try to o in intercept th the pack ckets arriv iving (NdisInterlockedInsertHeadLis ist( ) ) for or example le), before th the e DP DPC processin ing or or make all ll netw twork com ommunic icati tion usin ing g NDIS because tools are not able to “catch” it. Anoth ther approach wou ould be e use e Win indows Soc ocket Ker ernel el API I (W (WSK): ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER WSK Clie Client / / Soc ocket t Str tructure (Ba (Basic, Lis Listen enin ing, Da Datagram, Con Connection-Orie iented ed and Str trea eam) Win inSock Kernel l Events ts are used by WSK subsystem for or notify otifying g WSK applic licati tions when en sock ocket t even ents ts such ch as data bein eing g rec eceiv ived by a soc ocket and a sock ocket dis isconnection. Several fu functi tions such ch as WskAcceptEvent( ), ), WskInspectEvent( ), ), WskRecei eiveF eFromEvent( ) ) , , WskReceiveEvent( ), ), WskDis isconnectEvent( ), ), WskSendBacklogEvent( ) ) and WskAbortEven ent( ) ) used ed for or handlin ling even ents. Do Doubtl tless, th ther ere are multi ltiples WSK fu funct ctions such ch as Wsksocket( ), ), WskSocketConnect( ), ), WskControlSocket( ), ), WskBin ind( ), ), WskAccept( ), ), WskConnect( ), ), WskSendTo( ), ), WskReceiv iveFrom( ), ), WskSen end( ), ), WskRecei eive( e( ), ), WskDisconnect( t( ), ), and so o on on. 76 NO HAT 2019 (BERGAMO / ITALY)
Furt rthemore, any meth thod for or in inter ercepting th the e netw twork com ommunication shou ould ld be e IRP Filt Drivers Tcp alw lways con onsid idered: IR ilter Dr cpip.sys driv river Rem emember th that t when en com ommom exec ecution flo flow is is skip ipped, so o it it bypasses most mon onitoring too ools ls too oo, by sen endin ing IR IRP req equest dir irectly ly to o th the e devic vices ob objects such ch as as \De Device\TCP or or \De Device\UDP. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER The e gen eneral l procedure for or in inter erceptin ing th the e netw twork com ommunication is is ver ery sim imil ilar to o hoo ookin ing a files filesystem driv river: Get t a poin ointer to o th the e netw twork driv rivers ob obje ject (tcp cpip ip.sys) by usin ing g fu funct ctions such ch as ObReferenceObjectB tByName( ). ). Get t a a De Devi viceObje ject han andle le to o th the e lin linked ed lis list t of of devic vice ob obje jects. Fin ind th the e TCP CP and UDP DP devic vices. . Get t a a referen ence to o th thes ese e netw twork devic vices. Mon onit itor/in intercept th the e com ommunication. 77 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 78 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Ot Other Win inDbg com ommands: !v !volumes !po !portlis ist ffffe001b2c89070 !in !instance ffffe001b2c8b070 79 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) BIO IOS/U /UEFI I TH THREATS 80 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
The he bo boot otmgr uses uses the the INT NT 13h h disk disk servi ervice (fr (from om real Subvertin Su ing g INT NT 13h h wou ould ld be be lethal l be because mo mode) ) to o acc access the the di disk ser ervic ice in n pr prot otected mo mode de. wi winl nload.exe use use it t to o load oad its ts mo module les. BIOS MBR VBR IPL Bootmgr ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER EFI Bootmgfw.efi UEFI EFI is sup uppor orted since Wind ndows 7 SP1 SP1 x64 It t ho holds the the bo boot ot Code integrity is shared between con onfig iguratio ion kernel and ci.dll, but nt!CiEnable ntoskrnl.exe infor ormatio ion variable controls everything (Win 7 only). BCD ELAM Code Integrity kdcom.dll winload.exe Classifie ies mo module les as as goo ood, , ci.dll bad and bad and unk unknown. Bo Boot otkit its cou ould ld attack it t be befor ore load oadin ing the the ker ernel l HAL.dll Add Addit itio ionall lly, it t deci decides ELAM. and and ELA whe whether load oad a a mod module le or or no not acc accordin ing to o the the po polic icy. 81 NO HAT 2019 (BERGAMO / ITALY)
Mo Th Modi dify fyin ing g an an existin ing g DXE dri driver (or (or add add a a ne new w The e Wind ndows uses uses the the on one) e) cou ould ld al allow mali malicio ious execution at t DXE stag age. UEFI EFI to o load oad the the Hyp Hyperv rvis isor and and Sec Secure Ker ernel. l. BIOS BIO S Gu Guard TSL (Transient. System FLASH Bo Boot ot Gua uard Load) ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Hypervisor SEC Windows Boot Loader malware malw OS Sec OS Secure and and Bo Boot ot expl ploit its PEI Kernel drivers attack here Ac Acts s on on her IBB drivers dr ELAM UEFI EFI Sec Secure tha hat ar are e DXE Boot Bo ot executed before be 3rd party drivers Win indows being loa be loaded UEFI EFI Sec Secure BDS Windows and and Boot Bo ot initialized. ini Apps It t is po possib ible le to o mod modify ify a UE UEFI FI DXE dri driver by y com ompromising the the SPI SPI fl flash ash pr prot otection, , so o byp ypassin ing/d /dis isabli ling g the the UEFI EFI Sec Secure Bo Boot ot. . 82 NO HAT 2019 (BERGAMO / ITALY)
Of Of course, , it t is s pr pretty eas easy to to disa disassemble a a MBR BR in ID IDA Pro: dd dd.exe -v v if=\\.\PHYSICALDRIVE0 of= of=mbr.bin bs= s=512 count=1 Se Set t the of offse set to to 0x7 0x7c00 an and dis disassemble it t as as 16 16-bit code. . ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Clean MBR. NO HAT 2019 (BERGAMO / ITALY) 83
NO HAT 2019 (BERGAMO / ITALY) MBR. Infected 84 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
C:\> > "C: C:\Program File Files (x (x86 86)\VMware\VMware Wor orkstatio ion\vmware-vdiskmanager.exe" " -r r Win indows_7_x86-cl2 l2-000002.vmdk -t 0 0 infected.vmdk roo oot@ t@kali:~# qem qemu-img convert -f f vm vmdk -O raw infected.vmdk infected.raw roo oot@ t@kali:~# dd dd if=infected.r .raw of= of=mbr_infected.bin bs=512 count=1 roo oot@ t@kali:~# fi file le mbr br_in infected.bin br_infected.bin br in: DO DOS/MBR boo boot sec sector ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Ins Install ll Boc Bochs an and cr create a a boc bochsrc file file po poin inting to to the con onverted image abo above: rom omim image: fi file= = "C: C:\Prog ogram Fi Files es (x (x86)\Bochs-2.6.9\BIOS-bochs-la latest" vgar aromim image: : fi file= = "C: C:\Prog ogram Fi Files (x (x86)\Bochs-2.6.9\VGABIOS-lg lgpl-la latest" meg megs: : 32 ata0: en enable led=1 =1, ioad oaddr1=0x1f0, ioad oaddr2=0x3f0, irq=1 =14 ata0-master: : ty type=d =dis isk, pa path="C: C:\VMs\in infected.raw", mod mode=fla flat, cyli linders=1024, hea heads=16, spt=6 t=63 bo boot: ot: di disk vga: a: extension=vbe mo mous use: : en enable led=0 log og: : nul nul log ogpr prefix fix: : %t% %t%e%d pan panic: : act action on=fatal error: act er actio ion=repor ort info: o: act actio ion=report deb debug: : act actio ion=ig ignore # # di displa lay_li library: wi win3 n32, op optio tions="gu gui_ i_debug" g" 85 NO HAT 2019 (BERGAMO / ITALY)
NO HAT 2019 (BERGAMO / ITALY) 86 ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER
ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Infected MBR being debugged NO HAT 2019 (BERGAMO / ITALY) 87
Anot nother r way to o de debug and and an analy lyze a a MBR R usin using ID IDA Pro o is s also also si simple le: Dowlo load the the id ida.py fr from om http: tp://hexblo log.com/i /ida_pro/fil iles/m /mbr_bochs.z .zip ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Cop opy the the ida.py to your preferred folder (I’ve copied it to Bochs install ins llatio ion fol older) r), ed edit it the the fi first lin lines to o ad adapt it it to o you our case: # # Som ome con onstants ts SECT CTOR_SIZE = = 512 BOOT_START = = 0x7C00 BOOT_SIZE = = 0x7 x7C00 + + SECT CTOR_SIZE * * 2 BOOT_END = = BOOT_START + + BOOT_SIZE SECT CTOR2 = = BOOT_START + + SECT CTOR_SIZE MBRNAME = = "C:\VMs\mbr_infected.bin in" IM IMGNAME = = "C "C:\VMs\in infected.raw" 88 NO HAT 2019 (BERGAMO / ITALY)
A better approach is is to o use e a deb ebugger in instea ead of of usin ing g an em emulator. If If you ou are usin ing g VMware e Workstation, , ch change th the e .vm vmx con onfig iguration file file fr from th the e target machine to o in inclu clude th the e foll ollowing lin lines es: monitor.debugOnStartGuest32 = "TRUE“ / monitor.debugOnStartGuest64 = ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER "TRUE“ Br Brea eaks on on th the e fir first in instr truction sin ince ce th the e power on on. deb ebugS gStub.li listen.gues est32 = = " TRUE“ / debugStub.listen.guest64 = “TRUE” Enable les gu gues est t deb ebugging. debugS gStub.hideBreakpoints = = " TRUE“ Use e hardware brea eakpoint in instea ead of of usin ing soft oftware e brea eakpoin ints. Power on on th the vir irtu tual l machine. La Debugger Attach Rem Launch th the e ID IDA Pro, go o to o De emote GDB deb ebugger 89 NO HAT 2019 (BERGAMO / ITALY)
We’ve set Ho Hostname as “localhost” bec ecause we e starts the th e deb ebugger in in th the e same hos ost of of ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER th the e VM. The e deb ebugging g por ort must be e 8832 8832. . Aft fter con onfig igurin ing th the e De Debug applic licati tion setu tup, click click on on OK K button and ch choose “attach to the process started on target” as shown belo elow. 90 NO HAT 2019 (BERGAMO / ITALY)
Aft iews Open views Seg fter deb ebugger starting, go o to o Vie en subvie egmen ents (o (or hit it SHI HIFT+F7), righ right clic click and go o to o “Edit Segments”. Ch Change e th the e “Segment bitness” option to 16 -bit (r (remember: MBR BR run run in in rea eal mod ode, which ich is is 16-bit it): ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 91 NO HAT 2019 (BERGAMO / ITALY)
Go gger Br eakpoints Add br Go to to Deb Debugg Brea breakpoint Se Set t the br breakpoint at t 0x7 0x7c00 (s (start of of the MBR code). . ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 92 NO HAT 2019 (BERGAMO / ITALY)
Con . Continue the pr process ss (F9 (F9) an and dis discard eventual exceptio ions. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 93 NO HAT 2019 (BERGAMO / ITALY)
Ex Exis ists ot othe her SPI fl flash pr prot otectio ions tha that t ar are e se set t up up at t DXE E stag age: : SMM_BWP (S (SMM BIO IOS Wri rite Prot otectio ion): pr prot otects SPI I fl flash ag again inst writ ritin ing fr from om mal alware runn running out outside of of the the SMM. . ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER BLE (B (BIOS Loc ock En Enable le bit): bit): pr prot otects the the SPI I fl flash ag again inst una unauthoriz ized writ rites. Unfort rtunately ly, it it can be be mod odif ified by mal alware wit ith SMM priv privil ileges. BIO IOSWE (B (BIOS Wri rite En Enable le Bit) t): it is a kind of “control bit”, which is use used to o allo allow a a BIO IOS upd update. . Prot otected Ra Ranges: it t is s des designed to o pr prot otect spe specif ific reg egio ions as as SPI I fl flash, for or example. Add ddit itio ionall lly, the there ar are e si six x Prot otected Ra Ranges reg egis isters: PR0 R0 to o PR5 R5. No o dou doubts, it t is s a a goo ood pr prot otectio ion ag again inst ch changes fr from om SMM because its policies can’t be changed from SMM. 94 NO HAT 2019 (BERGAMO / ITALY)
ch chip ipsec_util il.py spi spi dum dump spi spihit itb.bin in ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 95 NO HAT 2019 (BERGAMO / ITALY)
https: s://github.com/LongSoft/UEFITool ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER 96 NO HAT 2019 (BERGAMO / ITALY)
Capsule update is used update the UEFI components. ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Poss ossib ible le pl place to o com ompromis ise the the UEFI EFI image. NO HAT 2019 (BERGAMO / ITALY) 97
ch chip ipsec_util il.py de decode spi spi.bin ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Rem emember th that t a BIO BIOS update cou ould be e com omposed ed by dif ifferent parts ts such ch as CPU mic CP icrocode e (in (internal firm firmware), Gbe (h (hardware netw twork stack), BM BMC (Baseboard Management (Ba t Co Controll ller, which ich provid ides monitorin ing and management), AMT (A (Act ctive e Management Pla latf tform, whic ich provides es remote acce ccess to o devic vices), ME ME (M (Man anagemen ent t en engin gine), EC C (E (Embed edded ed Con Controlle ler) and so o on on. . ME ME: an x86 x86 con ontrolle ler th that t provid ides root-of of-trust. EC EC: : defin fines which ich component has rea ead/write acce ccess to o oth other reg egions. It It als lso wor orks as secu ecurit ity root of of trus trust. 98 NO HAT 2019 (BERGAMO / ITALY)
ch chip ipsec_main in -- --module le com ommon.bios_wp ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER Unfortunatel ely, th the e SM SMM BIO BIOS writ ite e protection (SM (SMM_BWP), , whic ich protects ts th the e led. en enti tire e BIO BIOS area, is is not ot en enable 99 NO HAT 2019 (BERGAMO / ITALY)
ch chip ipsec_main in.py -m com ommon.spi_lo lock ALEXANDRE BORGES – MALWARE AND SECURITY RESEARCHER The e HS HSFSS.FLOCKDN bit it, whic ich com omes fr from HS HSFSTS SPI MMIO Reg egis ister, prevents changes to ch o Writ rite e Protection Enable e bit it. At t end, a malw lware couldn’t disable the SPI protected ranges to o enable le acce ccess to o . SPI I flas flash mem emory. 100 NO HAT 2019 (BERGAMO / ITALY)
Recommend
More recommend