dirtbox a x86 windows dirtbox a x86 windows emulator
play

dirtbox a x86/Windows dirtbox, a x86/Windows Emulator Georg - PowerPoint PPT Presentation

Apr 23, 2023 •252 likes •548 views

dirtbox a x86/Windows dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team BlackHat USA, 2010-07-29 Motivation & System Overview Motivation & System Overview Why not just use CWSandbox,

  1. dirtbox a x86/Windows dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team BlackHat USA, 2010-07-29

  2. Motivation & System Overview Motivation & System Overview Why not just use CWSandbox, Anubis, Norman‘s, JoeBox, …

  3. Malware Analysis Sandbox Solutions � VMWare „Rootkits“ � CWSandbox � CWSandbox � JoeBox � ThreatExpert ThreatExpert � zBox � … � Norman Sandbox � Anubis 2010-07-29 BlackHat USA 2010, Las Vegas

  4. Malware Detection Emulators (A/V) � Most serious A/V solutions have one solutions have one � API level emulation � Often pure Often pure software emulators � Detection by � Unimplented APIs � Heap Layout, SEH handling, … � … 2010-07-29 BlackHat USA 2010, Las Vegas

  5. Detection by API Side-Effects � Functions containing try { in VS C++ share code � Epilogue is always the same � Epilogue is always the same � Uses sequence push ecx / ret to return to caller � The ecx register belongs to the called function by definition, so it is undefinde upon API return d fi d API t � The ecx value can be predicted because it will point to the API‘s ret � This breaks a lot of A/V emulators right away � There are some funny but trivially detected workarounds � Could be used for generic anti-emulation detection (use of Could be used for generic anti emulation detection (use of undefined registers after SEH protected API calls) � Relies on the fact that the API‘s bytecode is not emulated l d 2010-07-29 BlackHat USA 2010, Las Vegas

  6. System Overview or „A cat pooped into my sandbox and now I have a dirtbox!“ � System Call Layer Emulation of Windows � ntdll‘s native code is run inside virtual CPU i id i t l CPU Ring 0 � Other libraries wrap around kernel32 which malware.exe ntdll wraps around ntdll � Malware issuing system calls directly system calls directly supported 2010-07-29 BlackHat USA 2010, Las Vegas

  7. libcpu libcpu Custom x86 Basic Block Level Virtualization

  8. libcpu Overview � Software emulation of x86 bytecode is too slow � A lot of additional code, such as ntdll & kernel32 A l t f dditi l d h tdll & k l32 � Existing Virtualization solutions are too powerful f l � Implementing their own MMU, support for privileged instructions instructions � We want instruction level introspection � Homebrew x86 virtualization based on LDT 2010-07-29 BlackHat USA 2010, Las Vegas

  9. x86 Memory Views Physical Logical Virtual 2010-07-29 BlackHat USA 2010, Las Vegas

  10. x86 Memory View on Current OS Physical Logical Virtual 2010-07-29 BlackHat USA 2010, Las Vegas

  11. x86 Segmentation � Global Descriptor Table � Allocated by Operating System � Allocated by Operating System � Shared among processes � Local Descriptor Table Local Descriptor Table � Has to be allocated by the OS, too • SYS modify ldt _ y_ • NtSetLdtEntries � Process specific, usually not present � Define 2 GB guest „userland“ LDT segment g „ g 2010-07-29 BlackHat USA 2010, Las Vegas

  12. Rogue Code Execution � Basic block level execution on host CPU � No instruction rewriting required (thanks to host MMU) � No instruction rewriting required (thanks to host MMU) � Basic block is terminated by � Control flow modifying instruction � Control flow modifying instruction � Privileged instructions � Exception: Backward pointing jumps � Exception: Backward pointing jumps � Directly copy if points into same basic block � Enhanced loop execution speeds Enhanced loop execution speeds � Currently no code cache, could cache disassembly results (length of basic block) disassembly results (length of basic block) 2010-07-29 BlackHat USA 2010, Las Vegas

  13. Self-Modifying Code 2010-07-29 BlackHat USA 2010, Las Vegas

  14. libcpu Demo 2010-07-29 BlackHat USA 2010, Las Vegas

  15. libscizzle libscizzle Or „libx86shellcodedetection“ if you prefer…

  16. Shellcode Detection � Simple Approach: Brute-Force over byte buffer � If n valid instructions can be executed from there � If n valid instructions can be executed from there, assume we found valid shellcode � Pre-filter buffers: Scan for „GetPC“ sequences 1. Find GetPC opcode candiates: 89, a3, d9, e8 • mov r/m32, r32 or mov rm/32, eax → SEH based GetPC • fstenv • call rel32 2. Check for valid memory operands or FS prefix • • Require fstenv operand to be esp relative Require fstenv operand to be esp relative 2010-07-29 BlackHat USA 2010, Las Vegas

  17. Free Shellcode Detector : http://code mwcollect org/libscizzle http://code.mwcollect.org/libscizzle Free Shellcode Emulator : Free Shellcode Emulator : http://libemu.carnivore.it/

  18. libscizzle Demo 2010-07-29 BlackHat USA 2010, Las Vegas

  19. dirtbox dirtbox Or „The System Call Implementor‘s Sysiphus Tale“

  20. Why System Call Layer Emulation � System Calls mostly undocumented y y � Wine, ReactOS, … � We get a lot of genuine environment for free! � There is a fixed number of system calls but an unbound number of APIs (think third party DLLs) � Some malware uses system calls directly anyway � Less detectability by API side effects (because we run original bytecode) i i l b t d ) 2010-07-29 BlackHat USA 2010, Las Vegas

  21. Things for Free: PE Parsing & Loading (!) � Process startup handled mostly by new process � Creating process allocates new process: C ti ll t NtCreateProcess � Creates „Section“ of new image & ntdll and maps into „ g & p process, this requires kernel to parse section headers � Creates new Thread on Entry Point with APC in ntdll � ntdll!LdrInitializeThunk will relocate images if necessary, resolve imports recursively, invoke TLS and DLL startup routines and do magic (see demo). routines and do magic (see demo). � All we have to implement is NtCreateSection & NtMapViewOfSection for SEC IMAGE → we NtMapViewOfSection for SEC_IMAGE we only need to parse PE‘s section headers! 2010-07-29 BlackHat USA 2010, Las Vegas

  22. Things for free: Accurate Heap Implementation � A lot of A/V emulators naturally come with their o n g est heap allocator implementations own guest heap allocator implementations � Some even do not put heap headers before blocks � Let alone arena structures � Let alone arena structures, … � The Windows heap is implemented in ntdll � Interfacing the kernel with NtVirtualAlloc & NtVirtualFree � Interfacing the kernel with NtVirtualAlloc & NtVirtualFree � All protections like heap cookies are present � Fingerprinting other emulators: � Fingerprinting other emulators: � Look at malloc(0)-8 , look for proper block header � Or overflow until the heap cookie and free Or overflow until the heap cookie and free 2010-07-29 BlackHat USA 2010, Las Vegas

  23. Things for free: Proper SEH Handling � Generate CONTEXT record from current CPU state � Jump to ntdll!KiUserExceptionDispatcher � Jump to ntdll!KiUserExceptionDispatcher � ntdll will do proper SEH handling for us � Lookup current top of SEH chain in TEB � Lookup current top of SEH chain in TEB � Walk list, invoke exception handlers with correct flags � Checking for SafeSEH structures etc. Checking for SafeSEH structures etc. � Trivial detection for other emulators: � Link with SafeSEH header Link with SafeSEH header � Trigger exception with invalid handler registered � Check in UnhandledExceptionHandler Check in UnhandledExceptionHandler 2010-07-29 BlackHat USA 2010, Las Vegas

  24. dirtbox Demo 2010-07-29 BlackHat USA 2010, Las Vegas

  25. Conclusion & Future Work Conclusion & Future Work Let‘s use this for exploit development!

  26. Detecting dirtbox / Anti-Emulation � No leaked registers in Ring 0 transition except for eax � Need to provide proper return codes, esp. error codes N d t id t d d � ntdll just cares about ≥ 0xc0000000 ; malware might look for specific error codes p � Side effects on buffers etc., especially in error cases cases � Fill out IN OUT PDWORD Length in case of error? � Roll back system calls performing multiple things? � Tradeoff between detectability and performance 2010-07-29 BlackHat USA 2010, Las Vegas

  27. Future Work: Adding Tainting & SAT Checking � Already did Proof-of-Concept based on STP � Interleave static analysis into dynamic emulation � Interleave static analysis into dynamic emulation � Look for interesting values (e.g. reads from network, date) � Do static forward data-flow analysis on usage � If used in conditional jumps, identify interesting values with a SAT Checker (there are better domain specific with a SAT Checker (there are better domain specific ways, but I‘m lazy) � Automatic reconstruction of network protocols (e.g. commands in IRC bots) C ) � Identify specific trigger based behaviour � Id � Identify Anti-Emulation behaviour tif A ti E l ti b h i 2010-07-29 BlackHat USA 2010, Las Vegas

  28. Questions? Thank You! Questions? Thank You! georg wicherski@kaspersky com georg.wicherski@kaspersky.com blog.oxff.net & securelist.com

Recommend

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team Motivation & System Overview Why not just use CWSandbox, Anubis, Normans , JoeBox , Malware are Analys lysis is Sandbox Solutions

604 views • 24 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Emulator for OpenVMS on Windows Platform Introduction of Charon-VAX, possibilities,

Emulator for OpenVMS on Windows Platform Introduction of Charon-VAX, possibilities,

Emulator for OpenVMS on Windows Platform Introduction of Charon-VAX, possibilities, configuration and use. Why a VAX Emulator? Hardware is end-of-life and failing Service costs have increased significantly Application rewriting

485 views • 27 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

CHAPTER 26 W INDOWS S ECURITY 26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE.................. 2 26.2 WINDOWS VULNERABILITIES ................................................. 18 26.3 WINDOWS SECURITY DEFENSES

537 views • 43 slides
Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System Requirements A PC running MS Windows 2000, or Windows XP Matlab (6.5, 2007a/b or 2008a/b) Python 2.5 Download the Windows installer from

288 views • 10 slides
Roadmap for Section A.1 General Concepts - Windows Networking Domains & Active Directory The

Roadmap for Section A.1 General Concepts - Windows Networking Domains & Active Directory The

Unit OS A: Windows Networking A.1. Networking Components in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section A.1 General Concepts - Windows Networking Domains &

443 views • 28 slides
Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass

Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass

Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass partitions | Stainless steel handrails Windows Windows , that reflect your style Window systems AWS 65 AWS 70.HI

215 views • 19 slides
Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Unit OS2: Operating System Principles 2.3. Windows on Windows - OS Personalities Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 2.3. Environment Subsystems System

678 views • 20 slides
SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec Security Researcher @Safebreach Presented at DEFCON, DEEPSEC, Hackfest @bemikre Contents 1. Windows IoT Core 2. Live SirepRAT

967 views • 74 slides
Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows

Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows

Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows Written Hat-make Library-fied some Hat tools Written Hat-Gui Hat Windows Port Works reasonably well Windows dislikes:

280 views • 14 slides
Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why

Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why

Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why upgrade to Windows 10 rather than staying with Windows 7 or 8.1? a. Windows 7 is over 5 years old. There will be no new features . b. Windows 8.1 is

432 views • 6 slides
SUMMARY History End of life CLI Services Security Considerations Powershell

SUMMARY History End of life CLI Services Security Considerations Powershell

SUMMARY History End of life CLI Services Security Considerations Powershell Server Setup BRIEF HISTORY (WINDOWS CLIENT) MSDOS (1980) WINDOWS (1985) WINDOWS 3.1 (1992) Windows 95 (1995) Windows ME

725 views • 43 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
Support for Multilingual Windows Web Apps (WWA) and HTML 5 in Windows 8 Jan Anders Nelson Senior

Support for Multilingual Windows Web Apps (WWA) and HTML 5 in Windows 8 Jan Anders Nelson Senior

Support for Multilingual Windows Web Apps (WWA) and HTML 5 in Windows 8 Jan Anders Nelson Senior Program Manager Lead Microsoft Corporation Windows 8: Using the language you want More languages than ever before Microsoft will continue to

338 views • 10 slides
DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in enterprises Fair presence in the DNS resolver space Standards compliant and interoperable Secure and scalable DNSSEC in Windows DNS

266 views • 14 slides
Module 1 Overview of Windows 10 Module Overview Introduction to Windows 10 Implementing

Module 1 Overview of Windows 10 Module Overview Introduction to Windows 10 Implementing

Module 1 Overview of Windows 10 Module Overview Introduction to Windows 10 Implementing Windows 10 Lesson 1: Introduction to Windows 10 Overview of New Windows 10 Features that Increase Business Productivity New Features of

376 views • 24 slides
[(Programming Wpf : Building Windows Ui with Windows Presentation Foundation)] [By (author) Tyler

[(Programming Wpf : Building Windows Ui with Windows Presentation Foundation)] [By (author) Tyler

[(Programming Wpf : Building Windows Ui with Windows Presentation Foundation)] [By (author) Tyler a Moss] published on (August, 2015) Tyler a Moss Click here if your download doesn"t start automatically [(Programming Wpf : Building Windows

157 views • 5 slides

More recommend