Index
%PDF-1.X magic string, 148
220 error response code, 32
360AntiHacker driver, disabling, 22–23

A
Abstract Syntax Tree (AST), 20
access control lists (ACLs)
  danger of errors, 195
  finding invalid, 274–279
  incorrect, 187–194
ActiveX, 201
ActionScript
  emulators, 304
  for remote exploitation, 303–304
add-ons. See plug-ins
AddressOfEntryPoint, in portable executable files, 125
Address Space Layout Randomization (ASLR), 176, 190–191
  exploiting at fixed addresses, 298–299, 318
administration panels, remote attack surfaces and, 199–200
Albertini, Ange, 125
Allebrahim, Arish, 188
Alternate Data Streams (ADS) scanner, 63
AMD x86_64 CPU
  instruction set support, 142–143
American Fuzzy Lop (AFL), 253
Android DEX files, 8
anti-analysis, code analyzer disruption, 144–146
anti-assembling techniques, 142–144
anti-attaching techniques, for debugger, 147
anti-emulation techniques, 137–142
anti-exploiting features of operating systems, 12–13
antivirus evasion techniques, 105–115
  basics, 106–107
  writing tool for automatic, 160–162
antivirus kernels
  disabling, 154–156
  porting to Unix, 243–244
  support for emulators, 10
antivirus killers, 207
antivirus scanners, 5–6
antivirus software
  analysis with command-line tools, 27–28
  auditing, 338
  automatic fuzzing of, 239–248
  auto-updating feature for, 87
  basics, 3–4
  bugs in, 333
  consumer target audience for, 323
  core. See kernel
  determining what is supported, 304–306
  diversity, 324–325
  exploiting, 339–340
  features, 7–13
  finding weaknesses in emulator, 303
  history, 4–5
  limitations, 332
  linker in, 58–59
  malware use of, 332–335
  misconceptions about, 6–7
  number of potential bugs in, 65
  privileges for, 341
  recommendations for users, 331–338
  recommendations for vendors, 338–344
  and SSL/TLS, 100–101
  trends, 323–329
  vulnerabilities in, 343–344
antivirus vendors, improving update services safety, 342–343
API emulations, implementing, 137–140
API hooks
  bugs, 188
  undoing, 175
AppInit_Dll registry key, 174
applications, memory management functions, 224
archive files, exploiting, 302–303
archives, for AV kernel, 9
ARM emulator, finding weaknesses in, 303
ARP (Address Resolution Protocol) spoofing, 307, 312
  Ettercap tool for, 313
ARP poisoning, 307
ASLR. See Address Space Layout Randomization (ASLR)
Assar, Walied, 147
AST (Abstract Syntax Tree), 20
attack surface of software, 183–194
  local, 185–187
  remote, 197–203
attack vector, emulator as, 301
auditing
  importance for antivirus vendors, 340
  security products, 338
authentication checks, for AVG Admin Console, 199–200
authentication of updates, 308
automatic antivirus evasion, writing tool for, 160–162
auto-updating feature, for antivirus software, 87
av_close function, disassembly of call, 32–33
Avast Core Security for Linux, installing, 150–151
Avast for Linux, 16, 32
  minimal class to communicate with, 33–34
  security vulnerabilities, 100–101
  writing Python bindings for, 29–37
.avc extension, 58–59, 119
AvcUnpacker.EXE, 119
AVG
  installing, 151–152
  vulnerabilities in, 199
Avira, 27
  adware applications, 202
  encryption of strings in plug-in DLLs, 58
  kernel, 20
  scancl tool, 21

B
backdoors, 196
  and configuration settings, 21–28
  in local exploitation, 270–274
Bahrain government, 5
banking details, monitoring home computers for, 325
basic_avast_client1.py, 33–34
Bayesian networks, and variables, 66–67
BCCF (Blind Code Coverage Fuzzer), 253–254
  using, 254–259
bcdedit tool, for kernel debugging, 24
bcf.py tool, 257
Beanstalkd, for Nightmare, 259
Berkeley Software Distribution (BSD), 143
beta signatures, 97
big companies, targeting, 326–328
binary audit, 338
  manual, 219–233
  third-party, 340
binary diffing products, porting symbols from, 18
binary instrumentation, 113–114
BinDiff (Zynamics), 59–60
/bin/ls executable, 82
Bitdefender Antivirus for Linux, 17, 55–56, 100–101
  fuzzer for, 237
  fuzzer output when used with, 242–243
  maximizing code covered by, 257–258
Bitdefender Security Service, 191–192
blackbox audit, 338
Blind Code Coverage Fuzzer (BCCF), 253–254
  using, 254–259
blind trust, 332–336
bloom filters, 67–68
blue screen of death (BSOD), 213
Böck, Hanno, 100
BOPS (Sophos Buffer Overflow Protection System), 13
breakpoints, change in, 62
broker, for sandbox processes, 298
browser
  automatic scanning of files retrieved by, 198
  plug-ins, 201
  vulnerabilities in, 335
BSOD (blue screen of death), 213
bugs
  in antivirus software, 333
  API hooking, 188
  in disinfection routines, 64
  exotic, 188
  in file format parsers, 212
  fuzzing to find, 235
  patched, 325
business logic, 196
bytecode format, 8
byte-stream, signatures as, 78

C
CAEEngineDispatch_GetBaseComponent, 41
CAEHeurScanner class (C++), 167
callbacks, setting, 42
call graph, 83
Capstone Python bindings, for Nightmare, 259
cast-to-function pointer, 282
catalog files
  for antivirus update, 88
  Dr.Web request for LZMA-compressed, 310–312
CBasicFuzzer class, 238
C/C++ languages
  for antivirus kernels, 70–72
  vs. managed languages, 342
certificate, need to verify, 90
CFrameWork_CreateEngine, 41
CFrameWork_LoadScanners, 41
Charlie Miller multiple engine, 261
check_user function, 232
checksums (CRCs), 52, 78–79
  for update file, 311–312
child processes, broker and, 298
ClamAV, 6, 65, 73
  installing, 150
  PE parser module, 136
  signatures in, 80
  starting daemon, 150
  test files from, 250–251
clamscan tool, 6, 108, 112
ClientLibraryName parameter, 200
client-side exploitation, 297–317
  sandboxing weaknesses, 297–298
  vs. server-side, 317–318
cloning GIT Repository, 254
cmdscan (Comodo), 153
  main function disassembly, 37–39
CmRegisterCallback function, 179
code
  removing old, 343–344
  security implications of duplication, 64
code analyzer, disrupting through anti-analysis, 144–146
code coverage, maximizing, 252–259
code injection technique, 174–175
COFF. See Common Object File Format (COFF)
command injections, filtering based on shell escape characters, 231–232
command-line tools
  for AV software analysis, 27–28
  creating for exporting internal information, 45–46
  for fuzzer automation, 240–243
  reverse engineering tools, vs. GUI, 16
  scanners, 4
Common Object File Format (COFF), 62, 121
  for Kaspersky updates, 58
Common Vulnerabilities and Exposures (CVEs), 65
Comodo Antivirus
  ActiveX control, 202
  C/C++ to interface, 45–55
  check for updates, 97
  compiling command-line scanner, 51
  creating instance, 40–41
  GUI, 93
  heuristic engine of, 166–173
  installing, 153
  libMACH32.so library, 134–135
  library disassembly, 20
  support for JavaScript and VBScript, 306
  update protocol used by, 92–100
  writing C/C++ tools for, 37–55
Comodo database, C/C++ interface final version, 55
companies
  targeting big, 326–328
  targeting small to medium-sized, 326
complex payloads, 300–307
  using JavaScript, VBScript, or ActionScript, 303–304
compressed files for plug-ins, 61
compression bombs, 208–212
  remote, 214
compressors, for AV kernel, 9
computers, isolating to improve protection, 337
configuration settings, and backdoors, 21–28
connection
  intercepting, 307
  to socket from Python prompt, 32–36
  to TCP listening services inside VM, 149
consoles, remote attack surfaces and, 199–200
container file, for plug-ins, 59, 60
copying compiled file to different directory, 51
core of antivirus software
  porting, 28–29
  See also kernel
Corkami project, wiki page, 125
Corkami wiki, 148
corpus distillation, 248
CPU emulator, 10
CPU instructions, emulating, 140–142
CR0 register, 141–142
crashes, in Unix, information about, 240
CRCs. See checksums (CRCs)
CRCs (checksums), 52, 78–79
  for update file, 311–312
CreateFileA function, hooking, 175
CreateFileW function, hooking, 175
CreateInstance function, 40
CreateProcessInternal function, 174
CreateRemoteThread API call, 277
cryptographic hashes, 80
custom checksums (CRCs), 79
CVEs (Common Vulnerabilities and Exposures), 65
cyber-attacks, 323
  matching attack technique with target, 324–326
Cyclic Redundancy Check (CRC) algorithm, 78–79, 105

D
Dabah, Gil, 143
database
  C/C++ interface final version, 55
  for F-Secure, 221
  of MD5 hashes, filter for, 67–68
  signatures for virus database files, 343
Data Execution Prevention (DEP), 190–191
  exploiting at fixed addresses, 298–300, 318
dd command, 209
DEB packages, installing in Debian-based Linux, 228
debugging
  anti-attaching techniques for, 147
  kernel, 23–25
  tricks for, 20–28
  user-mode processes with kernel-mode debugger, 25–27
  VirtualBox setup for, 24–25
debugging symbols, 17–20
  importing from Linux to Windows, 19
decoder plug-ins, complexity, 65
decompression, 64
DeepToad, 81, 83
DefCon conference, “Race to Zero” contest, 106
denial of service attacks, 207–216
  local, 208–213
  remote, 214–215
DEP. See Data Execution Prevention (DEP)
Detours hooking engine, 174
device_handler function, 280–281
DeviceIoControl function (Windows API), 273
device names, taking advantage of old features, 140
DGBMS2 function, 122–123
Diaphora (Open Source IDA plug-in), 20, 59
directory privileges, finding weaknesses in, 185–186
disinfection routines, bugs in, 64
distorm disassembler, 143
dlclose_framework function, 49
DLLs. See Dynamic Link Libraries (DLLs)
DNS record, attacker change of, 89
DNS spoofing, 312
  Ettercap tool for, 313
downloaded update files, verification process, 88
DR0 Intel x86 register, efforts to change, 141
DrCov, 254, 255
drweb32.flg file, 309
Dr.Web antivirus products, 91, 129
  launching attack against update services, 312
  Python exploit, 314–316
  request for LZMA-compressed catalog, 310–312
  update system exploitation, 308
drweb-escan.real binary, 189
dual extensions, 173
dynamic analysis, 235–267
  fuzzing, 235–265
  of reverse engineering, 20
dynamic evasion techniques, 105
dynamic heuristic engine, 66, 165, 173–180
Dynamic Link Libraries (DLLs)
  injecting, 276
  plug-ins as, 58
dynamic loading, for antivirus plug-ins, 59–60
DynamoRIO (binary instrumentation toolkit), 113, 254, 255
  for Nightmare, 260

E
EasyHook hooking engine, 174
egas tool, 253
EICAR (European Institute for Computer Anti-Virus Research), 78
eicar.com.txt testing file, 151
Electronic Code Book (ECB) mode, 200
ELF (Executable and Linkable Format), 301
email client, compression bombs and, 214
email credentials, theft of, 4
EMET. See Microsoft Enhanced Mitigation Experience Toolkit (EMET)
Emu_ConnectNamedPipe function, 135
emulators, 10–11, 73–74, 301–302
  limitations, 302
encrypted files for plug-ins, 61
encryption keys, static, 200
engineering, vs. security, 339
err local variable, code checks on, 44
eScan Antivirus for Linux, 228
  installing DEB packages, 228
eScan Malware Admin software, 189
escape function, 127
Ettercap tool, 312, 313
European Institute for Computer Anti-Virus Research (EICAR), antivirus testing file, 78
eval function, emulator triggered by, 306–307
EVP_VerifyFinal function, 308
Executable and Linkable Format (ELF), 301
executables
  graph-based hashes for, 83–85
  malware as packed, 10
  signing, 92
exotic bugs, 188
expert system, 166
expired certificates, 91
exploitation. See local exploitation; remote exploitation
exploit-db.com website, 213
Exploit.HTML.IFrame-6 malware, 108, 117
Exploit.MSWord.CVE-2010-3333.cp file, 121–122
extensions lists, checking, 172–173

F
false positive, 9, 66
  check of known, 169
  for CRC32 hash, 79
  for fuzzy hashing signature, 81
“Fast Library Identification and Recognition Technology” (IDA), 220
Ferguson, Paul, 106–107
file format parsers, 198
  for binary audit, 220–228
  bugs in, 212, 215
file formats, 64–65
  antivirus software support of, 118
  confusion from, 148
  evasion tips for specific, 124–131
  miscellaneous, and AV kernel, 11
  taking advantages for evasion, 136–137
file infector, 336
file length, of portable executable files, 126
file privileges, finding weaknesses in, 185–186
files
  disinfection routines, 199
  splitting for determining malware detection, 107–112
file size limits, and scanner evasion, 133–134
FinFisher, 5
fingerprints, 215
  emulators for evading scanners, 134–136
firewalls, 4, 11–12, 200–201
Flame malware, 92
FLIRT (“Fast Library Identification and Recognition Technology”), 220
flow graph, 83
FlyStudio malware
  disassembly from, 145
  flow graph, 146
FMAlloc function
  analysis, 225
  determining unsanitized input, 227
fm library (fm4av.dll), 17, 18
F-Prot for Linux, installing, 152–153
frame-based functions, prologue of, 175
FreeLibrary function, 177
F-Secure Anti-Virus, 6, 17, 19, 26, 202, 220–228
  InnoSetup installer files analyzer code, 227
functions
  forward declarations of, 50–51
  human-readable names for, 196
fuzzer (fuzz-testing tool), 28
  based on protocol format, 36
  finding template files, 250–252
  output, 242–243
  problems, 247–248
  template files for, 248–249
fuzzers/bcf.cfg file, 255
fuzzing, 235–265
  automatic of antivirus products, 239–248
  basics, 236
  command-line tools for, 238–243
  by developers, 340–341
  Ikarus command-line scanner, 246–247
  results, 264
  simple, 237–239
  statistics, 264–265
  with Wine, 244–247
fuzz method, 238
fuzzy hashing signatures, 81–83
fuzzy logic-based signatures, 9

G
g_Func_0056 function, 273
GCC, 20
GCluster, 84–85
GDB, 15
generic routines, as plug-ins, 64
getopt function, 38
GIT Repository, cloning, 254
Global Object Table (GOT), 224–225
Google Chrome, 90
government networks
  spying on, 5
  targeting, 326–328
governments, targets of, 327–328
graphical user interface (GUI) scanners, 4
grep tool, for searching for patterns, 304
Guest Additions, 149
Guest Virtual Machines (GVMs), 61, 71
GUI tools, vs. command-line for reverse engineering, 16

H
home users, targeting
hooks
  for dynamic heuristic engine, 173
  kernel-land, 178–179
  undoing, 175
  userland, 173–175
Host Intrusion Prevention Systems (HIPS), 165–166, 173
  bypassing userland, 176–178
HPKP (HTTP Public Key Pinning), 100
HTTP (Hypertext Transfer Protocol)
  for downloading signatures, 88
  for downloading updates, 89–90
HTTP Public Key Pinning (HPKP), 100
HTTPS (Hypertext Transfer Protocol Secure)
  check for malware inside, 100
  for downloading signatures, 88
  for downloading updates, 89–90
human-readable names, for functions, 196

I
i386.DEB package file, 151
icacls command-line tool, 185
IDA
  “Fast Library Identification and Recognition Technology,” 220
  Functions window, 224
  and program jumps, 144–146
IDA database, scanner name enumerated to, 54–55
IDA disassembler, 15, 196
  file analysis with, 30–32
  finding weaknesses in, 303
internal audits, 340
Intrusion Protection Systems (IPS), 200–201
IOCTLs (I/O Control Codes)
  input arguments for code, 281–283
  in kernel drivers, 213
  and Panda Global Protection, 270
IPS (Intrusion Protection Systems), 200–201
IRQLs list, 180
ISFPs function, 169–170

J
Java, 8
  vs. C/C++ code, 342
JavaScript
  advantages, 304
  Comodo support for, 306
  evasion tips for, 126–128
  executing on the fly, 128
  for PDF exploit, 129
  for remote exploitation, 303–304
  string encoding in, 127
jump, opaque predicates with, 146
junk code, 144
  to hide logic, 128

K
Kaspersky Anti-Virus, 16, 58, 212
  advantages and disadvantages for antivirus kernels, 61
  attack against, 328
  AxKLSysInfodll ActiveX component, 202
  disabling, 211
  generic detection signature used by, 118–124
  plug-in loading by, 56
  reports on The Mask, 327
Kaspersky Internet Security 6.0, vulnerabilities in, 279
kernel, 6, 15
  components loaded by, 55–56
  debugging, 23–25
  DoS attacks against, 213
  logical vulnerabilities, 285–294
  removing callbacks, 179
  vulnerabilities in antivirus products, 187–188
kernel32!ConnectNamedPipe function, 135
kernel Bug Check, 213
kernel drivers
  disabling, 22
kernel-land
  exploit for vulnerability, 283–285
  hooks, 178–179
  malware in, 333
  memory-based scanners, 69
  searching for hidden features, 279–285
kernel-mode debugger, debugging user-mode processes with, 25–27
Kingsoft (browser), 202–203
Kingsoft antivirus kernel driver, 188
Kingsoft Internet Security (KIS), 191
KisKrnl.sys driver, 188
KLICK.SYS driver, 279
KLIN.SYS driver, 279
Koret, Joxean, 81, 91, 253
Kornblum, Jesse, 81
Kylix, 28

L
LAN (Local Area Network), remote attack surfaces on, 184
LdrUnloadDll function, removing hook, 177
libclamscan/pe.c file, 136
libclam.so library, 6
lib directory, 221–222
libdw_notify.so binary, 189
libfm-lnx32.so, 17
libfm.so library, for F-Secure, 222
libfmx-linux32.so, 19
libFRAMEWORK.so library, closing, 45
libHEUR.so library, 166–167
libMACH32.so library (Comodo), 134–135
library, loading with pseudo handle, 138–139
libSCRIPTENGINE.so library, 305, 306
libSCRIPT.so component, tracing download of, 99
license.avastlic file, 151
“Liebao” browser, 203
linker, in antivirus software, 58–59
Linux, virtual machine for fuzzer, 243
Linux version, of antivirus kernels, 18
lm command, 26–27
load_framework function, 49–50
  for Comodo kernel, 39–40
loaded modules analysis, vs. memory analysis, 70
loading plug-ins, 58–62
local attack surface, 183–184, 185–187
local denial of service attacks, 208–213
local exploitation, 269–296
  backdoors and hidden features, 270–274
  kernel-land search for hidden features, 279–294
  privileges, permissions, and ACLs, 274–279
Local Types window, Export to Header File option, 45
logging in, client-side checks for, 199–200
logic, junk code to hide, 128
logical flaws, 196
logical vulnerabilities, 270
login.php PHP script, 230–231
ls -lga command, 185–186
Lua
  for antivirus software, 71
  vs. C/C++ code, 342

M
MachO file, 301
madCodeHook hooking engine, 174
main.cpp file, 291–294
main function
  calls to initialize, scan and clean up core in, 46
  code for cleaning up, 45
MajorLinkerVersion/MinorLinkerVersion, in portable executable files, 125
malloc function (LIBC), 225–227
malware, 3, 333
  detection, 107–114
  evasion techniques, 105–115
  evolution of, 4
  heuristic engine non-detection, 67
  not dependent on zero-day processes, 336
  QA in development, 334
MalwareBytes anti-exploiting toolkit, 12
  exposing functionality by, 290
  IOCTL handling, 288–291
  zero-day kernel vulnerabilities in, 285
“MalwareBytes’ Swiss Army Knife,” 286
managed languages, vs. C/C++ code, 342
man-in-middle (MITM) attack, 89, 312
manual binary audit, 219–233
  file format parsers, 220–228
The Mask (Careto), 5, 327
MaxAvailVersion value, 95
maybe_IFramework_CreateInstance function, 48–49
  reverse-engineering, 40
MB_HalRebootRoutine, 290
MB_HandleIoCreateFile_FileDeleteChild, 290
MB_HandleIoctlOverwriteFile, 290
MB_HandleIoctlReadFile, 290
MB_HandleIoctlReadWritePhysicalSector1/2, 290
mbamswissarmy.sys driver, 286
MD5 hashes, 8–9, 89
  filter for database of, 67–68
memory analysis, vs. loaded modules analysis, 70
memory corruption, local exploits and, 269
memory pages
  preventing execution, 190
  skipping, 147–148
memory scanners, 63, 69–70
Metasploit, 325
  meterpreter stage, 336
Meterpreter, creating payload, 312–313
Microsoft Office binary file formats, 118
Microsoft Enhanced Mitigation Experience Toolkit (EMET), 12
  certificate pinning with, 90
Microsoft Notepad, 147
Microsoft SAGE, 252
Microsoft Security Essentials, 28–29, 55
Microsoft Windows Update service, 342–343
mini-filter, 179
MITM attack in LAN, 100
mpengine.dll library, 28–29, 55
MS-DOS, taking advantage of old features, 140
MultiAV, 160–162
  antivirus results, 157
  client configuration, 154–158
  home page, 157
multiav-client.py script, 160–161
multi-virus product creation, initial steps, 149–154
mutate method, 238
mutation engines, assigning to fuzzing project, 261
mutators, in fuzzer, 236
MyNav (IDA plug-in), 60
MySQL server, for Nightmare, 259

N
names, human-readable, for functions, 196
National Security Agency (NSA), 5
native languages, AV engine use of, 7–8
.NET code, 8, 71
  vs. C/C++ code, 342
network analysis tools
  drivers for, 12
  remote attack surface of, 337
network packet filter driver, 198
network services, remote attack surfaces and, 199–200
new malware, 333
nfp_engine.py script, 264
Nightmare fuzzing suite, 253, 259–265
  configuring, 260–261
  configuring and running, 262–265
  finding samples, 262
  installing, 254–255
  starting new fuzzing project, 261
non-native code, for plug-ins, 70–72
NOP (no operation) instruction, 143
Norman Sandbox, 137, 140–142
notification callback, 42
NtCreateFile function, 302
NtCreateThread native API, 278
NT kernel, emulator failure to load, 138
ntkrnlpa.exe, loading, 139
NULL value, passing as parameter, 137

O
obfuscation, 303
object confusion in PDF file, 129–130
object files, 62
OLE2 containers, fuzzing, 248
opaque predicates, 128, 144
  with jump, 146
open_dev_avflt function, 39
OpenMutexW function, 135
Open Source IDA plug-in, 20
OpenSSL, bug CVE-2008-5077, 308
operating systems, anti-exploiting features, 12–13
original entry point (OEP), 199
Ormandy, Tavis, 13
os.system function (Python), 245

P
packaging, for plug-ins, 60–62
packet filters, 11–12
Palestine Liberation Army (PLA), 5
Panda Global Protection, 185, 186–187, 194, 196–197
  ability to kill processes, 272
  disabling antivirus shield, 274
  I/O Control Codes (IOCTLs), 270
  pavshld.dll library, 21
parser
  command-line arguments, 38
  complexity, 65
  reducing dangerous code in, 342
patched bugs, 325
PAVSHLD_001 function, 273
pavshld.dll library, 196, 270–274
payloads
  complex, 300–307
  launching final, 306–307
  Meterpreter, 312–313
  modified versions of, 158
%PDF-1.X magic string, 148
PDF file format
  evasion tips for, 129–131
  vulnerabilities in, 64–65
PE (portable executable) files, 117, 301
  to bypass signatures, 136
  changing to bypass antivirus detections, 158
  evasion tips for, 124–131
PeachMinset, 248–249
peCloak.py script, 149, 158–160
  automatic antivirus evasion tool using, 160–162
penetration testing, 106
performance, SSL or TLS and, 90
Perl, vs. C/C++ code, 342
permissions
  finding invalid, 274–279
  vulnerabilities in, 269
Permissions dialog box, 275
pfunc50 function, 43
PHP source code, static analysis of, 228
Picasa, 28
Pistelli, Daniel, 179
plain-text communications, and writing exploits, 308
plug-ins, 57–75
  browser, 201
  dynamic loading, 59–60
  kernel loading of, 55
  loading process, 58–62
  non-native code for, 70–72
  packaging approaches, 60–62
  plug-in types, 62–68
    emulators, 73–74
    file format and protocol support, 64–65
    heuristics, 65–68
    memory scanners, 69–70
    scanners and generic routines, 63–64
    scripting languages, 72–73
polyglot file formats, 148
Portable Document Format (PDF) file format
  bugs, 215
  evasion tips for, 129–131
  vulnerabilities in, 64–65
portable executable (PE) files, 117, 301
  to bypass signatures, 136
  changing to bypass antivirus detections, 158
  evasion tips for, 124–131
porting
  antivirus kernels to Unix, 243–244
  kernel core, 28–29
privileges
  escalation of, 186–187
  finding invalid, 274–279
  finding weaknesses in files and directories, 185–186
  incorrect, on Windows objects, 193–194
  using safely, 341
Process Explorer, 190, 194
ProcProt!Func_0056, call graph, 273
protocols, plug-ins to understand, 64–65
PROTOS Genome Test Suite c10-archive, for test files, 251–252
PsSetCreateProcessNotifyRoutineEx callback, 175
PsSetCreateProcessNotifyRoutine function, 178
PsSetCreateThreadNotifyRoutine function, 178
PsSetLoadImageNotifyRoutine function, 178
PyClamd, 6
Pyew hexadecimal editor, 84–85, 119
Python
  vs. C/C++ code, 342
  connecting to socket from prompt, 32–36
  for Nightmare, 259
  scripts for fuzzing, 237–239
Python bindings
  final version, 37
  writing for Avast for Linux, 29–37
Python macholib, for Nightmare, 260

Q
Qihoo 360, 22
QuickHeal AntiVirus 7.0.0.1 - Stack Overflow Vulnerability, 188

R
Radamsa, 255–256
  multiple engine, 261
  for Nightmare, 259
ransom, for infected computer contents, 325
RAR VM (virtual machine), 305
readelf -Ws command, 222–223
Read/Write/eXecute (RWX) memory pages, 59
  antivirus focus on, 148
  exploiting at fixed addresses, 298–300, 318
  for plug-ins, 58
realpath function, 35
real-time scanner, 8
rebasing code, in debugging segments, 62
regedit.exe (registry editor tool), 22
registry, hooking activity, 179
RegistryCallback function, 179
remote attack surfaces, 184, 197–203
  browser plug-ins, 201
  generic detection and file disinfection code, 199
  of network analysis tools, 337
  network services, administration panels, and consoles, 199–200
  security enhanced software, 202–203
  update services, 201
remote code execution, 200
remote denial of service attacks, 214–215
RemoteDLL tool, 276–278
remote exploitation, 297–319
  ASLR, DEP, and RWX pages at fixed addresses, 298–300
  complex payloads, 300–307
  sandbox weaknesses, 297–298
  server-side, 317–318
  of update services, 307–317
remote services, static analysis, 228–233
residents, 8
responsible disclosure, 294
reverse-engineering tools, 15–20
  backdoors and configuration settings, 21–28
  command-line vs. GUI, 16
  debugging symbols, 17–20
  importing from Linux to Windows, 19
Rising (browser), 202–203
Britain, Government Communications Headquarters (GCHQ), 5
RPM files, finding vulnerability parsing, 36
RTF files, 124
Ruby, vs. C/C++ code, 342
runasroot program (eScan DEB), 229
running processes, monitoring execution of, 173–175
RWX pages. See Read/Write/eXecute (RWX) memory pages
RX memory pages, antivirus focus on, 148

S
sabotage, 5
Sality virus, 143, 336
sample, for emulator trigger, 302
sandbox, 176
  exploiting weaknesses, 297–298
  malware gaining privileges outside, 335
  processes in, 342
sandbox escape, 184
Santamarta, Ruben, 279
Saudi Aramco, 5
Scan__result object instance, 172
scan_path function, 34–35
scan_stream function, 43, 46
  code for, 47–48
scan code, code to send to daemon, 35–36
ScanCorruptPE function, 169
scan directories, function for, 42–43
ScanDualExtension method, 169
scanned pages, reducing number of, 148
scanner evasion, 133–163
  automating, 148–162
scanners, 4, 5–6, 8
  loading routines, 41
  as plug-ins, 63–64
  resolving identifiers to scanner names, 52–54
scanning for hosts, with Ettercap, 313
SCANOPTION object, 44
SCANRESULT object, 44, 51–52
ScanSingleTarget method, 167–168
ScanUnknownPacker method, 168
scripting languages, 72–73
  vs. C/C++ code, 342
section names, in portable executable files, 125
section object, 195
Secure Sockets Layer (SSL), 342–343
  antivirus software and, 100–101
  support for, 89–91
security
  auditing products, 338
  vs. engineering, 339
  from isolating computer, 337
  mitigation, 12
  risk from no process owner, 275–276
security bugs
  in generic routines, 64
  reverse-engineering to find, 63
security cookie, calculating, 286
security enhanced software, 202–203
security industry, strategies and recommendations, 331
self-protection
  by AV software, 12
  disabling, 22–23
  disabling mechanisms, 21
self-signed certificates, 90
server-side exploitation, 317–318
SetErrorMode API, 137
SetSecurityDescriptorDacl function, 195
-s flag, in cmdscan disassembly, 38
SGID, 185
  exploiting binaries on Unix-based platforms, 189–190
SHA1 hash, 98, 129
shell escape characters, filtering command injections based on, 231–232
shell scripts, signing, 92
signature-based detection, evading with divide and conquer trick, 108–112
signature evasion, 117–132
  file formats, 118
  Kaspersky Anti-Virus and, 118–124
signature identifier, obtaining, 52
signatures, 8–9, 77–86
  as byte-stream, 78
  checksums (CRCs), 78–79
  downloading for Comodo, 153
  fuzzy hashing, 81–83
  for updates, 308
  for virus database files, 343
signatures update, for antivirus software, 92
signing algorithms, for verifying antivirus products, 91–92
signing scheme, for antivirus plug-ins, 61
SIGSEGV segmentation fault, 245
sigtool, 112
Simple replacer multiple engine, 261
SMT solvers, 252
social engineering, 332, 333
sockets
  connecting to, from Python prompt, 32–36
  pointer to path, 31
software update, for antivirus software, 92
Sophos Buffer Overflow Protection System (BOPS), 13
source code review audits, 340
SpamSum, 81
SrvLoad.EXE process, NULL ACL value assigned to, 187
ssdeep, 81, 82
SSL. See Secure Sockets Layer (SSL)
stack overflow, 188
  and code execution, 190
Stamm-File Virri/Stamms.txt file, 120–121
static analysis, 219–233
  remote services, 228–233
static encryption keys, 200
static evasion techniques, 105
static heuristic engine, 66, 165, 166
  bypassing, 166–173
streamed data, compressed and encoded, 129–130
string encoding, in JavaScript, 127
Stuxnet computer worm, 5
sub_1172A function, 281–282
SUID, 185
  exploiting binaries on Unix-based platforms, 189–190
Symantec, 211
  Guest Virtual Machines (GVMs), 61
symbolic execution, 252
symbolic links, in F-Secure directory, 220–221
SysInternal Process Explorer, 275, 278
system services in Windows, disabling, 22

T
t3scan.exe program, 244
T3Scan Windows command-line scanner, 244
  running test for, 245
t3sigs.vdb (Virtual Database) file, 244
taint analysis, 113–114
TAR file, analysis, 302–303
targeted malware, 334
tarkus, 186–187
Task Manager, Panda process in, 271
template files for fuzzer, 248–249
  finding, 250–252
Themida, 72
third-party binary audits, 340
Thompson, Roger, 106
Thread Local Storage (TLS) callback, 147
thunk function, 224–225
TimeDateStamp, in portable executable files, 125
traffic capture log, from Wireshark, 94
Transport Layer Security (TLS), 342–343
  antivirus software and, 100–101
  support for, 89–91
trends in antivirus protection, 323–329
Tridgell, Andrew, 81
true negatives, 9

U
ulimit -c unlimited command, 240
undoing hooks, 175
unescape function, 127
unhook function, 177
universally unique identifier (UUID), 270
Universal Unpacker (UPX), 10
Unix
  for fuzz automation, 28
  porting antivirus kernels to, 243–244
  timestamp, 309
  virtual machine for fuzzer, 243
unpackers, 10
  for .avc files, 119–120
  plug-ins as, 64
update files
  CRC for, 311–312
  verifying, 91–92
update protocols
  of antivirus company, 88–92
  dissecting, 92–100
  vulnerabilities in, 99
update services, 87–101
  improving safety, 342–343
  as remote attack entry point, 201
UPX (Universal Unpacker), 10
User Account Control (UAC) prompt, 333
userland, 12
  bypassing HIPS, 176–178
  malware in, 333
  memory-based scanners, 69
userland hooks, 173–175
  bypassing, 175
user-mode processes, debugging with kernel-mode debugger, 25–27
UUID (universally unique identifier), 270

V
variables, and Bayesian networks, 66–67
VBScript
  Comodo support for, 306
  emulators, 304
  for remote exploitation, 303–304
Veil Framework, 148, 312
verification, of downloaded update files, 88
version information, resources directory for storing, 170
VirtualBox, 24
  debugging setup in, 24–25
Virtual Function Table (VTable), 299
virtualization software, 16
virtual machines, 71–72
  connecting to TCP listening services inside, 149
  creating, 24
  emulators for, 10
  for Windows, fuzzers in, 243
viruses, function to increase count, 44
VirusTotal, 114, 129, 148–149
  report, 124
  report on compression bomb attack, 210
  sample file format from, 250
Virut virus, 336
VMProtect, 72
VTable (Virtual Function Table), 299
vulnerabilities
  in antivirus software, 338
  initial steps to discover, 224
  in permissions, 269
vxers, 4

W
watch icon, in VirusTotal, 210
wc tool, 210
webapi.py python script, 156–157
WebProxy.EXE process
  NULL ACL value assigned to, 187
  security properties, 275
weights-based heuristics, 68
WinDbg, 15, 23, 25–26
Windows
  evasion tips for executable files, 124–131
  excessive focus as failure, 62
  heuristic engine and, 65
Windows objects, incorrect privileges on, 193–194
Wine (Wine Is Not an Emulator), 28, 244
  fuzzing with, 244–247
Winelib, 244
WinObj (winobj.exe) tool, 193
Wireshark, launching, 94
worms, 11

X
X.509 certificates, 89
XAR file, compressing, 211
XML files, for Comodo software for Linux updates, 97–98
XOR-ADD algorithm, 59
xterm command, 232
XZ file format, compressing, 211

Z
z0mbie, unpackers, 119
Zalewski, Michal, 253
zero-day approach in malware, 335
zero-day bugs, 324
zero-day kernel vulnerabilities, in MalwareBytes, 285
zero-filled file, creating, 209–212
Zillya, 211
zip bomb, 208
ZIP-compressed files
  analysis, 302–303
“zip of death,” 208
zlib, 59
Zmist virus, 343
zombie network, 325
Zoner Antivirus for GNU/Linux, 304
  installing, 154
Zynamics BinDiff, 18, 59–60
Zzuf, for Nightmare, 260