Back in the days when I first got into malware analysis I was completely overwhelmed about all the tools and technique that one had to know about and how to apply. Being a fast-tracker, I just wanted to dive into the deep end of the pool and learn everything as I go, little did I now how much of a showstopper this would be when it came to analyzing packed malware.
This post will give an example of how unpacking many of todays samples which are spread through both spam and drive-bys such as exploit kits. A post that at least I wished I've had come across while getting into malware analysis.
RunPE and other injection based packers
RunPE is a well documented technique for running code inside another process, I will thereby not go into depth how it works.
Long story short is that the packer will deobfuscate/decrypt/unpack (take a pick) the malicious payload, start a new suspended process, inject the unpacked code and run it.
There are some variations on how the packers run the unpacked code, for example creating a remote thread, changing the thread context (SetThreadContext) and calling ResumeThread or by hooking ZwClose. These are just some example I've come across.
The variations also goes for when writing the unpacked code to the newly created process. The most common way is by calling WriteProcessMemory, but other ways are ZwWriteVirtualMemory or using NtMapViewOfSection.
Now, what step remain to be given an example from? Creating a new suspended process. This is done by calling CreateProcess with the flag CREATE_SUSPENDED.
What is happening behind the scenes when calling any API that launch new processes, for example WinExec, CreateProcess, ShellExecute, etc. is that CreateProcessInternalW will be called, this is simply the lowest API for creating processes.
So how can this be used to unpack malware that utilize these techniques?
Unpacking using a debugger
Immunity/Olly have all the functions for making unpacking easy:
- Breakpoints
- Plugins (OllyDumpEx)
- Binary Search
As the malicious code is now unpacked and present in memory, it's possible to search for it using Binary Search. Binary Search allows for search for ASCII-, UNICODE- and Hex-strings, this is helpful as a PE-header recognized by for example "This program cannot be run in DOS mode". There will be quite a few hits as the malware itself is loaded plus all the DLLs as seen in the sample below:
When there is a hit on a region which aren't associated with any module, chances are that this is the unpacked code. In the screenshot below, a breakpoint has been set on CreateProcessInternalW which triggered the debugger to break. The memory is then searched for the existence of a PE-header (Ctrl+B in the Memory Pane):
Also note that there are other modules such as wininet loaded which wasn't there before. At this stage the PE can be extracted using the plugin OllyDumpEx that have the ability of searching a region for PE-headers and automatically parse it to identify sections but also dump the PE to disk:
That's basically all there is to it, by taking these very few steps, CryptoWall 3.0 have been unpacked and functions identified which is related to communication/domain generation:
As the the dumped sample is clean, which means no reconstruction of the IAT is required, it's also possible to run it in a debugger to investigate in more depth how it behaves without having to step through the packers code and handle injections into other processes.
I hope someone will find this post useful, again, it's nothing new, just a tip on how malware could be unpacked and how to handle packers utilizing the RunPE technique.
Thanks @malware_traffic for providing the sample used in the post, it can be found here.
Inga kommentarer:
Skicka en kommentar