Tuesday, December 6, 2011

Malware Analysis Tutorial 6: Analyzing Self-Extraction and Decoding Functions

Learning Goals:

  1. Use Immunity Debugger to Analyze and Annotate Binary Code.
  2. Understand the Techniques for Self-Extraction in Code Segment.
Applicable to:
  1. Computer Architecture
  2. Operating Systems Security
1. Introduction


In this tutorial, we discuss several interesting techniques for analyzing decoding/self-extraction functions, which are frequently used by malware to avoid static analysis. The basic approach we use here is to execute the malware step by step and annotate the code as we go.

1.1 Goals
We will examine the following functions in Max++ (simply set a breakpoint at each of the following addresses):
  • 0x00413BC2
  • 0x00413BDD
  • 0x00413A2B
  • 0x00410000
  • 0x00413BF2

1.2 General Techniques
We recommend that you try your best to analyze the aforementioned functions first, before proceeding to section 2. In the following please find several useful IMM tricks:
  • Annotating code: this is the most frequently used approach during a reverse engineering effort. Simply right click in the IMM code pane and select "Edit Comment", or press the ";" key.
  • Labeling code: you could set a label at an address (applicable to both code and data segments). When this address is used in JUMP and memory loading instructions, its label will show up in the disassembly. You can use this to assign mnemonics to functions and variables. To label an address, right click in IMM code pane and select "Label".
  • Breakpoints: to set up software breakpoints press F2. To set up hardware breakpoints, right click in code pane, and select Breakpoints->Hardware Breakpoint on Execution. At this moment, set soft breakpoints only.
  • Jump in Code Pane: you can easily jump to any address in the code segment by right clicking in the code pane and entering the destination address.


2. Analysis of Code Beginning at 0x00413BC2

As shown in Figure 1, there are four related instructions: POP ESI (located at 0x00413BC1), SUB ESI, 9 (located at 0x00413BC2), and the POP EBP and RETN instructions.

Figure 1. Code Starting at 0x00413BC2

As discussed in Tutorial 5, the RETN instruction (at 0x00413BC0) is skipped by the system when returning from INT 2D (at 0x00413BBE). Although it looks like the POP ESI (at 0x413BC1) is skipped as well, it is actually executed by the system. As a result, ESI now contains the value 0x00413BB9 (which was pushed by the instruction CALL 0x00413BB9 at 0x00413BB4). The SUB ESI, 9 instruction at 0x00413BC2 then updates the value of ESI to 0x00413BB0. The next instruction, LODS, loads the memory word located at 0x00413BB0 into EAX (you can verify that the value of EAX is now 0). Then the code pops the top element of the stack into EBP and returns. The purpose of the POP is simply to force execution to return (two layers up) to 0x413BDD.

Note that if INT 2D had not caused any byte scission, the RETN instruction at 0x00413BD7 would lead execution to 0x413A40 (the IRETD instruction). IRETD is the interrupt return instruction and cannot be run in ring 3 (thus causing trouble in user-level debuggers such as IMM). From this you can see the purpose of the POP EBP instruction at 0x413BC6.

Conclusion: the 4 instructions at 0x00413BC2 are responsible for directing the execution back to 0x00413BDD. This completes the INT 2D anti-debugging trick.

3. Analysis of Function 0x00413BDD


Figure 2: Function 0x00413BDD


As shown in Figure 2, this function clears registers and calls three functions: 0x413A2B (decoding function), 0x00401000 (another INT 2D trick), and CALL EBP (where EBP has been set up properly by the function 0x00401000). We will go through the analysis of these functions one by one.


4. Analysis of Function 0x00413A2B

Figure 3: Function 0x00413A2B


Function 0x00413A2B has six instructions, and the first five form a loop (from 0x00413A2B to 0x00413A33), as shown in Figure 3. Consult the Intel instruction manual first, and read about the LODS and STOS instructions before proceeding to the analysis in the following.

  Essentially, the LODS instruction at 0x00413A2B loads a double word (4 bytes) from the memory word pointed to by ESI into EAX, and STOS does the inverse (stores EAX to the memory pointed to by EDI). After each copy, the LODS (STOS) instruction advances the ESI (EDI) register by 4. The two instructions following the LODS instruction perform a very simple decoding operation: they use EDX as the decoding key and apply XOR and SUB operations to decode the data.

  The loop ends when the EDI register is equal to the value of EBP. If you observe the values of EBP and EDI registers in the register pane, you will find that this decoding function is essentially decoding the region from 0x00413A40 to 0x00413BAC.

  Set a breakpoint at 0x00413A35 (or press F4 on it) to run the loop to completion and step out of it. To view the effects of this decoding function, compare Figure 4 and Figure 5. You can see that before decoding, the instruction at 0x00413A40 is an IRET (interrupt return) instruction, and after the decoding it becomes the INT 2D instruction!
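To make the loop body concrete, here is an added Python emulation of the decoder described above (not code from the original tutorial or from Max++). It assumes the loop body is LODSD, XOR EAX,EDX, SUB EAX,EDX, STOSD in that order, that ESI and EDI both start at 0x00413A40 (in-place decoding), and it uses a constructed key and a constructed 16-byte region in place of the real EDX value and the real 0x00413A40..0x00413BAC bytes. The encoder is only there to build test data; it is the inverse of the decoder, not something taken from the sample.

```python
import struct

MASK32 = 0xFFFFFFFF

# Constructed values (assumptions): the real key is whatever EDX holds when the
# loop is entered, and the real region is 0x00413A40..0x00413BAC.
BASE = 0x00413A40
KEY = 0x7E5A3001


def decode_dword(value, key):
    """One loop body: XOR EAX,EDX then SUB EAX,EDX with 32-bit wraparound.

    The XOR-then-SUB order is an assumption; swap the two lines if the
    disassembly in Figure 3 shows SUB first.
    """
    value ^= key
    return (value - key) & MASK32


def encode_dword(value, key):
    """Inverse of decode_dword (ADD then XOR). Used only to construct test data."""
    return ((value + key) & MASK32) ^ key


def run_decode_loop(mem, base, esi, edi, ebp, key):
    """Emulate LODSD / decode / STOSD until EDI == EBP, writing into mem in place.

    mem is a bytearray mapped at address `base`; esi, edi and ebp are addresses.
    The real loop only tests EDI for equality with EBP, so a misaligned EBP would
    never match and the loop would run off the end of the region; refuse that.
    """
    if ebp < edi or (ebp - edi) % 4 != 0:
        raise ValueError("EBP must lie a whole number of dwords past EDI")
    while edi != ebp:
        (eax,) = struct.unpack_from("<I", mem, esi - base)   # LODSD
        esi += 4
        eax = decode_dword(eax, key)                          # XOR / SUB with EDX
        struct.pack_into("<I", mem, edi - base, eax)          # STOSD
        edi += 4
    return esi, edi


def demo():
    """Build a constructed encoded region, decode it, return (before, after) bytes."""
    # Constructed plaintext: INT 2D (CD 2D), RET (C3), then NOP padding.
    plain = b"\xcd\x2d\xc3\x90" + b"\x90" * 12
    words = struct.unpack("<4I", plain)
    encoded = bytearray(struct.pack("<4I", *(encode_dword(w, KEY) for w in words)))
    before = bytes(encoded)
    run_decode_loop(encoded, BASE, BASE, BASE, BASE + len(encoded), KEY)
    return before, bytes(encoded)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before.hex(" "))
    print("after: ", after.hex(" "))
```

With this particular constructed key the first encoded byte comes out as 0xCF (IRETD) and decodes to 0xCD 0x2D (INT 2D), which mirrors what Figures 4 and 5 show; with the real key and region you would read EDX, ESI and EBP off the register pane at 0x00413A2B and run the same loop over a dump of the region instead of single-stepping it.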

 Figure 4: Region 0x00413A40 to 0x00413BAC (before decoding)



 Figure 5: Region 0x00413A40 to 0x00413BAC (after decoding)



 Now let's right click on 0x00413A2B, select "Label", and mark the function as "basicEncoding". (This essentially declares 0x00413A2B as the entry address of the function "basicEncoding".) Later, whenever this address shows up in the code pane, we will see this mnemonic in place of the address. This will facilitate our analysis work greatly.

5. Analysis of Code Beginning at 0x00410000

Function 0x00410000 first clears the direction flag that governs how ESI/EDI advance and immediately calls function 0x00413A18. At 0x00413A18, it again plays the INT 2D trick. If the malware analyzer or binary debugger does not handle the byte scission properly, neither the stack contents nor the control flow will be right (see Tutorials 3, 4 and 5 for more details on INT 2D).

In summary, when the function returns to 0x00413BED, EBP should have been set up properly. Its value should be 0x00413A40.

6. Analysis of Code Beginning at 0x00413A40

 We now delve into the instruction CALL EBP (0x00413A40). Figure 6 shows the function body of 0x00413A40. It begins with an INT 2D instruction (followed by a RET instruction). Clearly, in a regular, non-debugged setting, when EAX=1 (see Tutorial 4), the RET byte should be skipped and execution should continue past it.

Figure 6: Another Decoding Function

Challenge of the Day

 The bulk of the function is a multi-level nested loop which decodes and overwrites (a part of) the code segment. Now here comes our challenge of the day.

(1) How do you get out of the loop? [hint: the IMM debugger has generously plotted the loop structure (each loop is denoted using the solid lines on the left). Place a breakpoint at the first instruction out of the loop - look at 0x00413B1C]

(2) Which part of the code/stack has been modified? What are the starting and ending addresses? [Hint: look at the instructions that modify RAM, e.g., the instructions at 0x00413A6F, 0x00413A8D, 0x00413B0E.]
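One way to answer challenge (2) without reading every store instruction is to dump the region before the loop and again at 0x00413B1C, then diff the two dumps. The Python below is an added example, not part of the tutorial: it parses two constructed debugger-style hex dumps (address followed by hex bytes, no ASCII column; the addresses and bytes are made up for the demonstration, not taken from Max++) and reports the modified address ranges. A decoder can leave a dword untouched when its XOR and SUB happen to cancel, which would split one decoded region into several in a naive byte diff, so ranges separated by at most `merge_gap` unchanged bytes are merged.

```python
import re

# "ADDRESS  HH HH HH ..." lines, as you would copy from a dump pane (assumption: no ASCII column).
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})")

# Constructed dumps: 48 bytes at 0x00413A40 before and after a decoding pass.
# In AFTER, the dword at 0x00413A48 is unchanged (as if XOR/SUB cancelled) and
# one unrelated byte at 0x00413A68 changed.
BEFORE = """
00413A40  CF 2D C3 90 41 42 43 44 45 46 47 48 49 4A 4B 4C
00413A50  00 00 00 00 11 22 33 44 55 66 77 88 99 AA BB CC
00413A60  DE AD BE EF DE AD BE EF 00 00 00 00 00 00 00 00
"""
AFTER = """
00413A40  CD 2D C3 90 8B 45 08 33 45 46 47 48 C9 C2 04 00
00413A50  01 02 03 04 55 89 E5 83 EC 10 E8 00 00 00 00 5B
00413A60  DE AD BE EF DE AD BE EF 01 00 00 00 00 00 00 00
"""


def parse_dump(text):
    """Return (base_address, bytes) from dump-pane style text; lines must be contiguous."""
    base, expected, out = None, None, bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue                      # skip blank or non-dump lines
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))  # fromhex ignores the spaces between bytes
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError("non-contiguous dump at %08X" % addr)
        out += data
        expected = addr + len(data)
    return base, bytes(out)


def modified_ranges(before, after, base, merge_gap=4):
    """Return [(start, end_exclusive)] addresses where two equal-length images differ."""
    if len(before) != len(after):
        raise ValueError("dumps must cover the same region")
    raw, start = [], None
    for i, (b, a) in enumerate(zip(before, after)):
        if b != a:
            if start is None:
                start = i
        elif start is not None:
            raw.append((base + start, base + i))
            start = None
    if start is not None:
        raw.append((base + start, base + len(before)))
    merged = []                            # close small gaps left by unchanged dwords
    for s, e in raw:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def find_modified(before_text, after_text, merge_gap=4):
    """Parse both dumps and return the merged list of modified address ranges."""
    b_base, b = parse_dump(before_text)
    a_base, a = parse_dump(after_text)
    if b_base != a_base:
        raise ValueError("dumps start at different addresses")
    return modified_ranges(b, a, b_base, merge_gap)


def describe(ranges):
    """Format ranges as inclusive start-end pairs, the way you would annotate them in IMM."""
    return ["%08X-%08X (%d bytes)" % (s, e - 1, e - s) for s, e in ranges]


if __name__ == "__main__":
    for line in describe(find_modified(BEFORE, AFTER)):
        print("modified:", line)
```

The starting and ending addresses you report for the challenge are the first and last entries of the merged range that covers the decoded code; a lone modified byte well away from it (the 0x00413A68 byte in the constructed data) shows up separately and is worth checking against the stack pointer rather than being lumped in with the code region.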

47 comments:

  1. For challenge question #1 we can get out of the loop by placing a breakpoint at 00413B1C or, if we are using Immunity Debugger, we simply click on the address and press F4, which would execute the instructions until the highlighted address is reached.
  8. Very fun. Sometimes 401000 is mistyped as 410000. Also, having breakpoints enabled in code that is being modified by Max can mess up the execution, which IMM warns you about. I'm not sure exactly what's going on here though my guess is that IMM is inserting some hidden byte code which gets processed by the decryption. Anyway, the only solution I can find is to have only the `call ebp` breakpoint enabled, then once you reach it you can enable the other breakpoints since the code will have decrypted. I imagine this would get annoying and I wonder if there is a fix?

    Reply:
    1. Yep, just read the beginning of tutorial 7. Software breakpoints will not work for self-modifying code.