Recommendation of Perfect Unpacking
2014/04/24
JPCERT/CC Analysis Center
NAKATSURU You
Copyright©2014 JPCERT/CC All rights reserved.

Windows Malware Analysis
• Surface analysis: properties, the Internet
• Runtime analysis: execution & monitoring
• Static analysis: reading code
[Figure: a PE file drawn as Header, Code and Data]

What Packing/Unpacking is
"Pack" original code for compression/obfuscation
[Figure: the original file (Header, Code, Data) is packed into a file made of Header, compressed data and unpack code; executing it unpacks the original again]

Unpacking Tools
• Unpacker: UPX, etc.
• Debugger: OllyDbg, Immunity Debugger, IDA
• IAT reconstructor: ImpREC
• Hex editor: FileInsight, HxD

CLASSIC UNPACKING

What "Classic Unpacking" is
[Figure: UPX-packed file on disk: .header, UPX0 (empty section), UPX1, .rsrc (compressed data); the same layout is mapped into memory]
Execute until Original Entry Point (OEP)
[Figure: in memory, UPX0 now holds the original code]
Memory dump & PE file reconstruct
[Figure: the dumped PE file: .header, UPX0 (original code), UPX1, .rsrc (compressed data) and a newly added .mackt section]

Classic Unpacking Flow
1. Execute unpack code
• Find OEP
2. Dump as a PE file
• Reconstruct PE header, etc.
3. Reconstruct Import Address Table (IAT)
Reconstructing IAT
[Figure: the packed PE file's import directory names only five kernel32.dll APIs: GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree and ExitProcess; the IAT in memory holds the same five entries]
extrn GetProcAddress:dword
extrn VirtualProtect:dword
extrn VirtualAlloc:dword
extrn VirtualFree:dword
extrn ExitProcess:dword

Reconstructing IAT
After the unpack code has run, the IAT in memory also contains entries created by the unpack code:
extrn GetProcAddress:dword
extrn VirtualProtect:dword
extrn VirtualAlloc:dword
extrn VirtualFree:dword
extrn ExitProcess:dword
extrn RegQueryValueExA:dword
extrn RegSetValueExA:dword
extrn RegEnumKeyA:dword
extrn RegEnumValueA:dword
extrn RegOpenKeyExA:dword
extrn RegDeleteKeyA:dword
extrn RegDeleteValueA:dword
extrn RegCloseKey:dword
extrn RegCreateKeyExA:dword

Reconstructing IAT
The dumped PE file's import directory still lists only the five kernel32.dll APIs, so the file can not import the required APIs (the Reg* functions) when it is loaded.

Reconstructing IAT
After IAT reconstruction the import directory lists all fourteen APIs (the five kernel32.dll entries plus RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey and RegCreateKeyExA), matching the IAT in memory.
Classic Unpacking: Reconstruct PE file
[Screenshots: dumping the process and reconstructing the PE file]

Classic Unpacking: Reconstruct IAT
[Screenshots: ImpREC, input the OEP, then reconstruct the IAT]

Classic Unpacking Issue
[Figure: the original file's sections (.header, .text, .data, .reloc) compared with the unpacked file's sections (.header, .text, .data, .rsrc, .mackt)]
hash("Original") != hash("Unpacked")
[Figure: every combination of analyst and tools yields a different section layout (.header, .text, .data, .rsrc, .reloc, .mackt in varying order and number), so each unpacked file has a different hash]

PERFECT UNPACKING

Concept
[Figure: the original file (.header, .text, .data, .reloc) and the unpacked file with exactly the same sections]
hash("Original") == hash("Unpacked")

Recent Packer
[Figure: the packed file mapped in memory as .header, .text, .data, .rsrc]
[Figure: one section holds the unpack code]
[Figure: another section (.rsrc) carries the original PE file whole]
Recent Packer
• Overwrite own process
• Inject into other process
[Figure: the unpack code writes the original PE file (.header, .text, .data, .rsrc, .reloc) over its own process memory or into another process]

Perfect Unpacking Flow
1. Execute unpack code
• Let unpack code unpack original PE file
2. Dump the memory section that contains the original PE file
3. Trim PE file

1. Unpack Code Execution
Set breakpoints on Windows APIs
• WriteProcessMemory
• ZwWriteVirtualMemory
• CreateProcessW
• VirtualFree / RtlFreeHeap
• etc.
PE header
• Hardware breakpoint on "M" (the first byte of the "MZ" header)

2. Dumping Memory Section
• Search "MZ" string (Ctrl + B)
• Search next (Ctrl + L) until you can see the PE header
• Note the raw address
• Dump

3. Trimming PE file
• Parse PE file using FileInsight

Consideration
0. Limited availability
• Depends on packer's implementation
1. Unpacking code execution
• Debugger & VM detection
• Breakpoint detection
3. Trimming PE file
• Overlay data
• Data used by malware, e.g. ZeuS variants
• Digital signature
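Steps 2 and 3 of the flow above (find the "MZ" header in a memory dump, then trim the dump to exactly the original PE file) as an added Python example; this is not code from the slides and does not use FileInsight. It sizes the file from the section table and, as one of the trimming considerations above, extends the cut to cover a digital signature recorded in the security directory. build_sample_pe is a constructed toy PE used only to exercise the carver offline.

```python
import struct

def build_sample_pe(text: bytes, signature: bytes = b"") -> bytes:
    """Constructed sample (not a real program): a minimal PE32 with one '.text'
    section and, optionally, an Authenticode-style blob appended after the last
    section and recorded in the security data directory (file offset, size)."""
    size_of_headers, raw_size = 0x200, (len(text) + 0x1FF) & ~0x1FF
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 60, size_of_headers)      # SizeOfHeaders
    if signature:                                         # IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", opt, 128, size_of_headers + raw_size, len(signature))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(text), 0x1000, raw_size, size_of_headers) + bytes(16))
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(size_of_headers, b"\0")
    return headers + text.ljust(raw_size, b"\0") + signature

def carve_pe(buf: bytes, start: int = 0):
    """Return (offset, size) of the first PE embedded in `buf` at or after `start`,
    or None. Size is the end of the last raw section (at least SizeOfHeaders),
    extended to cover a signature referenced by the security directory, because
    that data sits beyond the sections and a section-only trim would drop it."""
    pos = buf.find(b"MZ", start)
    while pos != -1:
        try:
            pe = pos + struct.unpack_from("<I", buf, pos + 0x3C)[0]       # e_lfanew
            if buf[pe:pe + 4] == b"PE\0\0":
                nsec = struct.unpack_from("<H", buf, pe + 6)[0]           # NumberOfSections
                opt_size = struct.unpack_from("<H", buf, pe + 20)[0]      # SizeOfOptionalHeader
                opt = pe + 24
                magic = struct.unpack_from("<H", buf, opt)[0]             # 0x10B PE32, 0x20B PE32+
                end = struct.unpack_from("<I", buf, opt + 60)[0]          # SizeOfHeaders
                for i in range(nsec):                                     # IMAGE_SECTION_HEADER[i]
                    raw_size, raw_ptr = struct.unpack_from("<II", buf, opt + opt_size + 40 * i + 16)
                    end = max(end, raw_ptr + raw_size)
                sec_dir = opt + (144 if magic == 0x20B else 128)          # security directory entry
                sig_off, sig_size = struct.unpack_from("<II", buf, sec_dir)
                if sig_size:
                    end = max(end, sig_off + sig_size)
                if pos + end <= len(buf):                                 # whole file present in dump?
                    return pos, end
        except struct.error:
            pass                                                          # truncated candidate, skip it
        pos = buf.find(b"MZ", pos + 1)
    return None
```

Overlay data that the malware reads but that no header references (the ZeuS case above) is still invisible to this size calculation, so compare against the unpack code's own copy length when one is known.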
Demo Movie
Get the same original file from different binaries using "Perfect Unpacking"

CONCLUSION

Summary
Classic unpacking issue
• Unpacked file's hash value depends on analyst/tools
Recent packer implementation
• Packed malware contains original PE file
We have to perform "Perfect Unpacking"
• Dump original PE file from virtual memory

Recommended Unpacking Flow
[Figure: Unpacker → Perfect Unpacking → Classic Unpacking, each stage yielding the PE sections (.header, .text, .data, .reloc / .rsrc)]

Thank you!
Contact: [email protected] https://www.jpcert.or.jp
Incident report: [email protected] https://www.jpcert.or.jp/form/