Configuration Analysis, Run Time Analysis & Editing
by Coleman Kane
During week 2 we put together a malware sample by authoring a custom configuration. In week 3 we analyzed the VM that we ran it within for forensic evidence of the malware. In week 4, we took another backdoor that was compiled in C and decided to analyze aspects of its control flow to learn more about how it worked and also introduce you all to the Ghidra decompiler.
This week we will introduce new topics that build on these others:
- Static configuration extraction
- Some analysis evasion techniques
- Run-time analysis w/ a debugger
- Run-time patching
Static configuration extraction
The following is a snippet of the macros that you can modify in the source code from revolution_backdoor_windows.cpp in order to change the behavior of the backdoor:
#define BUFFER_SIZE 4096
#define REMOTE_HOST "192.168.1.71"
#define REMOTE_PORT 444
#define FTP_SERVER "192.168.1.71"
#define FTP_USER "unamed"
#define FTP_PASS "test123"
The above is relatively simplistic, and in class we will explore a slightly modified version of this backdoor to extract the configuration from. There are a lot of existing projects out there that can do this work on a range of malware families. In class we will experiment with doing this work from scratch.
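As an added example (not code from the course or from the backdoor project itself), here is a small Python extractor that applies the from-scratch approach to the macros above: it walks the printable strings of a binary the way `strings -t d` does, and recovers the host and FTP credentials from their layout. The byte sample is a constructed imitation of a compiled binary's read-only data, and the assumption that the literals are laid out in macro order is a heuristic, not a property of every compiler.

```python
import re

# Constructed sample: an imitation of the read-only data of a compiled
# revolution_backdoor-style binary (not bytes from any real sample). Note that
# REMOTE_HOST and FTP_SERVER have the same value in the source, so the compiler
# pools them into a single literal; only one copy appears in the binary.
SAMPLE_RDATA = (
    b"\x00\x00KERNEL32.dll\x00ws2_32.dll\x00"
    b"192.168.1.71\x00"
    b"unamed\x00"
    b"test123\x00"
    b"USER %s\r\n\x00PASS %s\r\n\x00"
    b"\x00\x00"
)

IPV4_RE = re.compile(rb"^(?:\d{1,3}\.){3}\d{1,3}$")

def ascii_strings(data, min_len=4):
    """Return (offset, bytes) for each run of printable ASCII, like `strings -t d`."""
    return [(m.start(), m.group())
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def nul_terminated_after(strs, index):
    """True if strs[index+1] starts right after the NUL terminator of strs[index]."""
    off, s = strs[index]
    return index + 1 < len(strs) and strs[index + 1][0] == off + len(s) + 1

def extract_config(data):
    """Recover REMOTE_HOST/FTP_SERVER, FTP_USER and FTP_PASS from the string table.

    Heuristic (assumed from the macro order in the source): the first IPv4
    literal is the host, and the two NUL-terminated literals laid out directly
    behind it are the FTP user and password. REMOTE_PORT is an integer and
    never appears as a string; it has to be read from the code that passes it
    to the socket APIs rather than from the data section.
    """
    strs = ascii_strings(data)
    for i, (_, s) in enumerate(strs):
        if not IPV4_RE.match(s):
            continue
        if not (nul_terminated_after(strs, i) and nul_terminated_after(strs, i + 1)):
            continue
        return {
            "REMOTE_HOST": s.decode(),
            "FTP_SERVER": s.decode(),   # same pooled literal as REMOTE_HOST
            "FTP_USER": strs[i + 1][1].decode(),
            "FTP_PASS": strs[i + 2][1].decode(),
        }
    return {}

if __name__ == "__main__":
    print(extract_config(SAMPLE_RDATA))
```

Run it against a real sample by replacing SAMPLE_RDATA with the bytes of the read-only section and check the recovered host and credentials against what the debugger shows at run time.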
Some open source projects:
Here is a good write-up of how someone used analysis utilities to analyze and extract the configuration from a REvil ransomware sample:
There are a lot of evasion techniques out there - often these come in the form of VM detection, debugger detection, or both. I will work from some VM detection routines I have collected that are implemented in C and posted here:
Review the above to familiarize yourself with the available techniques I will be working from. This is definitely not an all-encompassing list, and you are likely to find malware in the wild that uses more than just these techniques to accomplish this goal.
Some further reading on the topic:
- Cyberbit: Anti-VM and Anti-Sandbox Explained
- Joanna Rutkowska: Red Pill… or how to detect the VMM using (almost) one CPU instruction
As well, a tool to keep in your defensive pocket:
Run-time Debugger Analysis
We will be using the ImmunityDebugger to perform the run-time analysis of malware in this week’s class. You’ll likely notice some similarity between the view you get with Immunity and that which you got with Ghidra in last week’s class. The big difference will be that Immunity Debugger is analyzing a program that has already been loaded into memory by the OS, while Ghidra is (as of 2020) relegated to simply analyzing files at rest on your hard drive.
I found a really good write-up that gives 3 examples of analyzing different programs, distributed by SANS, and authored by Roberto Nardella:
The above PDF has 3 C programs embedded within it. Since extracting these and compiling them could take a bit of work, I have taken the trouble to do so for you all:
Please take some time to go through one or more of these examples to familiarize yourself with the Immunity Debugger.