INDEX

Symbols and Numbers administrator privileges, for malware launchers, 254 ! (bang symbol), 305 Adobe Reader -- operation, 112 CVE-2010-0188 critical % operation, 112 vulnerability, 424 % symbol, 423 overflow in, 705 | (pipe symbol), in Snort, 304 ADS (Alternate Data Streams) ++ operation, 112 010 Editor, 468 feature, 139 32-bit applications, WOW64 and, 448 Advanced Encryption Standard 32-bit rotate-right-additive hash, 418 (AES), 618 64-bit malware, 441–449 decrypting, 625–626 clues to functionality, 448 advapi32.dll, 17 labs, 450–451 imports from, 20, 480, 481 solutions, 723–732 obtaining handle to, 237 advertisements, pop-up, 560–561 A AES (Advanced Encryption Standard), 618 A, at end of Windows function decrypting, 625–626 name, 17 Agobot, 376 absolute addresses, 443 air-gapped networks, 29 vs. relative addresses, in OllyDbg, _alloca_probe function, 522 184–185 alphabetic encoding, shellcode abstraction levels, in x86 disassembly, decoder with, 697 66–67 Alternate Data Streams (ADS) accept function, 143, 144, 454 feature, 139 access token, 246 ALU (arithmetic logic unit), 68 accuracy, vs. expediency, 304 AMD64 architecture, 441 active , logging, 239 “Analysis of the Intel Pentium’s ADD encoding algorithm, 276 Ability to Support a Secure add instruction, 74, 349 Virtual Machine Monitor” AddCodeXref function (IDC), 342 (Robin and Irvine), 373 address space, loading executable AND logical operator, in x86 into another ’s, 595 architecture, 75 address space layout randomization anti-, 351–366 (ASLR), 184 checks, 656 AddressOfNameOrdinals array, 416 defeating techniques, 660 AddressOfNames array, 416 labs, 367–368 AdjustTokenPrivileges function, 246, solutions, 655–669 247, 454, 730

Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig anti-debugging, continued labs, 381–382 NTGlobalFlag flag, 659–660 solutions, 670–684 PhantOm protection from checks, process replacement, 683–684 658, 659 tweaking settings, 379–380 ProcessHeap flag, 658–659 VMware artifacts, 370–373 timing checks, 665–669 vulnerable instructions, 373–379, GetTickCount function, 668–669 678–679 with QueryPerformanceCounter, No Pill technique, 375 667–668 querying I/O communication rdtsc function, 669 port, 375–377 anti-disassembly, 327–349 Red Pill anti-VM technique, basics, 328–329 374–375 defeating disassembly algorithms, antivirus programs, and kernel 329–334 patching, 227 flow-oriented disassembly, antivirus scanning, 10 331–334 antivirus signatures, scan against, 478 linear disassembly, 329–331 Anubis, 40 false conditional branch, 336, 645, ApateDNS, 51–52, 57, 465, 483, 485 647, 653 malware DNS requests and, 489 labs, 350 APC (asynchronous procedure solutions, 645–655 call), 263 malware awareness of APC injection, 262–265 , 351 AppInit_DLLs, 241–242, 572 manually repaired code, 648–649 for persistence, 575 obscuring flow control, 340–346 applications, access to device adding missing code cross- objects, 206 references in IDA Pro, 342 arguments in malware, OllyDbg to function pointer problem, debug, 532 340–341 arithmetic instruction, 74–76 misusing structured exception arithmetic logic unit (ALU), 68 handlers, 344–346 arithmetic operations return pointer abuse, 342–343 disassembly, 112–113 signs of, 645–646 in WinDbg, 211 techniques, 334–340 arrays, disassembling, 127–128 impossible disassembly, 337–340 arrows window, in IDA Pro, 90 jump instruction with constant The Art of Assembly Language condition, 336 (Hyde), 68 jump instructions with same ASCII strings, 11 target, 334–335 loading on stack, 724–725 NOP-ing out instructions with ASLR (address space layout IDA Pro, 340 randomization), 184 thwarting stack-frame analysis, ASPack, 398 347–349 assembly code, for process anti-virtual machine (anti-VM) tech- replacement, 258 niques, 369–380, 500, 678 assembly language, 67. See also code finding using strings, 679–683 constructs in assembly highlighting anti-VM in IDA Pro, if statement, 113–114 377–378 for loop, 117 impact on malware analysis, switch statement, 124 673–677 while loop, 118

734 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig assembly-level , vs. packet structure, 643 source-level, 168 request from initial malware run, asynchronous procedure call 627–628 (APC), 263 sending by malware, 633–634, AT_INFO structure, 547–548 639–640 AttachThreadInput function, 454 string decoding, 636 attackers beep driver, 214 identifying investigative activity, 299 behavior of malware. See malware safely investigating online, 300–302 behavior Autoruns tool, 140, 241, 465–466 BeingDebugged flag, 354, 657–658 checking, 353–354 B Berkeley compatible sockets, 143–144 BFK DNS logger, 302 backdoor, 3, 121, 232–234, 479, BHOs (Browser Helper Objects), 157 519, 538 big-endian, 70 analysis, 537–538 binary data CreateProcess and Sleep functions Base64-encoding conversion, 277 for, 479 static analysis, 503–507 evading detection, 308–311 option, in IDA Pro, 88 HTTP reverse, 539 binary translation by VMware, in implementing, 524 kernel mode, 373 indications of, 493 bind function, 143, 144, 454 reading configuration file, 723 BinDiff, 466 sandbox and, 41 BinNavi, 466 backup images, of operating BitBlaze, 40 systems, 30 BitBlt function, 454 “Bad or Unknown 32-bit Executable blacklists, of IP addresses, 301 File” error, 363 Blink pointers, 414 bang symbol (!), 305 block cryptography algorithms, 626 base addresses blue screen, in Windows, 158 finding with PEview, 545 Bochs (debugger), 467 of kernel32.dll, finding with Bookmarks plug-in, in OllyDbg, assembly code, 415 199–200 for PE files in Windows, 184 boot.ini file, 207–208, 226 Base64 cipher, 277–280, 622 botnet controller, 234 custom substitution cipher, 280 botnets, 3, 234, 376 identifying and decoding, 278–280 bp command, in WinDbg, 211 Base64 encoding branching, in x86 architecture, 80–81 decoding, 624–625 breakpoints identifying in URL, 611 in debuggers, 171–175 padding, 610, 630 conditional, 175 Python program to decode hardware execution, 174–175 string, 289 execution, 173–174 static pattern within, 631 deferred, 212–213, 554 base64_encode function, 610 hardware vs. software, 687 basename, 535 for kernel activity, 548 BCDEdit, 227 in OllyDbg, 188–191, 391 beaconing, 309, 611 command-line to set, 199 client-initiated, 311 scanning code for, 357 determining generation, 628–629 and self-decoding, 289

Practical Malware Analysis INDEX 735 © 2012 Michael Sikorski and Andrew Honig breakpoints, continued object-oriented programming, setting, 357 427–432 setting on stack, 690 inheritance and function in WinDbg, 211–212 overriding, 432 bridged network adapter, 34 overloading and mangling, Browser Helper Objects (BHOs), 157 430–431 brute-force XOR encoding, 271–273 this pointer, 428–430 bu command, in WinDbg, 212 objects creation and bu $iment command, in WinDbg, destruction, 437 213, 554 virtual vs. nonvirtual functions, buffer, malware placement of 432–436 value in, 538 Caesar cipher, 270 buffer-overflow attack, 421 call instruction, 119, 333, 386, 409 Burp Suite, 467 and finding OEP, 391–392 Buster Sandbox Analyzer, 473 position dependence, 408 array initialization, 680–681 for quick analysis, 521–522 bytecode, 67 with target based on DWORD pointer, 396 C call memory_location, 77 call stack trace, in OllyDbg, 193 C code constructs in assembly, callback type, 136 109–132 calling conventions, x64 architecture arithmetic operations disassembly, 112–113 differences, 443–447 array disassembly, 127–128 CallNextHookEx function, 260, 261, 454 function call conventions, 119–121 Canvas penetration-testing tool, 380 global vs. local variables, 110–112 Capture BAT, 467 capturing events if statements, 113–116 labs, 133–134 network traffic, 580 solutions, 501–513 stopping procmon from, 44 linked list traversal, 130–132 capturing screen, function for, 615 loops, 116–118 CBC (Cipher Block Chaining), 626 for loops, 116–118 cdecl calling convention, 119–120 while loops, 118 cell phone malware, 88 structures, identifying, 128–130 (CPU) switch statements, 121–126 threads and, 149 if style for, 122–123, 124 in x86 architecture, 68 jump table, 123–126 CertOpenSystemStore function, 454 C programming language, 110 CF (carry) flag, 72 function pointers in, 340 CFB (Cipher Feedback), 626 main method and offsets, in x86 CFF Explorer, 467 architecture, 83–84 cfile.read command, 293 pseudocode for process chained encoding algorithm, 277 replacement, 258 CheckRemoteDebuggerPresent function, standard , IDA Pro catalog 352, 454 of named constants, 102 child classes in C++, 432 The C Programming Language functions from parent class, 436 (Kernighan and Ritchie), 110 chunk size, dependency with entropy C++ analysis, 427–438 score, 284 labs, 439–440 Cipher Block Chaining (CBC), 626 solutions, 712–723 Cipher Feedback (CFB), 626

736 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig ciphers, 270–280 check for arguments, 525–529 Base 64, 277–280 encoded, 636 Caesar cipher, 270 option analysis, 535–537 other encoding schemes, 276–277 running malware from, 493 XOR cipher, 271–276 Command Line plug-in, for OllyDbg, cisvc.exe 198–199, 657–658 PEview of original and trojanized launching, 660 versions, 584–585 command processing, and malware writing shellcode into, 583–584 signature, 644 class identifiers (CLSIDs), 155 command , input to, 636 and COM functionality, 518 comments classes, in object-oriented code, 428 in HTML, 506 classtype keyword, in Snort, 304 command character parsed client side of network, 144–145 from, 509 client-initiated beaconing, 311 to send commands to client/server framework, Component malware, 507 Object Model as, 154 in IDA Pro, 100 CloseHandle function, 526 Common Object File Format (COFF), CloseServiceHandle function, 554 IDA Pro support for, 87 cloud services, 300 Comodo Instant Malware Analysis, 40 Cloudburst, 380 comparing strings, in Process CLSIDs (class identifiers), 155 Explorer, 49 and COM functionality, 518 compilation, 67 cmd.exe, 544 Component Object Model (COM), cmp instruction, 80, 348, 502 154–157, 313, 626 CoCreateInstance function, 155–156, related functions, 518 313, 454, 518 server malware, 157 code compression algorithm, packers in memory, 69 and, 384 performing checksums, 357 compsb instruction, 82 redefining in IDA Pro, 103 ComSpec environmental variable, 636 understanding surrounding, conditional branches, 348 312–313 false, 645, 647 code construct, 109 flow-oriented disassembly and, 333 code cross-references, 95–96 conditional breakpoints, 175 code entry point, unpacking stub in OllyDbg, 188, 189–190 and, 384 conditional jump, 80–81, 113, code libraries, linking, 15 116, 354 COFF (Common Object File Format), conditionals, in x86 architecture, 80 IDA Pro support for, 87 configuration information, Windows CoInitialize function, 313 Registry for, 139 CoInitializeEx function, 154 connect function, 143, 144, 313, colors in IDA Pro navigation band, 93 454, 727 COM (Component Object Model), connect mode, in Netcat, 52 154–157, 313, 626 ConnectNamedPipe function, 455 related functions, 518 console programs, server malware, 157 IMAGE_SUBSYSTEM_WINDOWS_CUI command-line value for, 23 analysis of binary, 94 constructor, 437 arguments in malware, 526 content keyword, in Snort, 304

Practical Malware Analysis INDEX 737 © 2012 Michael Sikorski and Andrew Honig content-based countermeasures, 298, hash dumping, 236–238 302–307 keystroke logging, 238–241 control unit, 68 cross-references (xref), 124 ControlService function, 455, 549 checking for gethostbyname, 495 convention, 72 for global variables, 547 CopyFile function, 526 graphs of, 98, 99 countermeasures for function, 498 content-based, 302–307 for installer export, 572–573 network-based, 297 in IDA Pro, 95–97 covert launching techniques, 253–265 adding missing code, 342 APC injection, 262–265 navigating, 92–93 Detours, 262 and virtual functions, 436 hook injection, 259–261 CryptAcquireContext function, 455 labs, 266–267 cryptographic algorithms, 280–285 solutions, 586–607 recognizing strings and imports, launchers, 253–254 281–282 process injection, 254–257 search for cryptographic constants, process replacement, 257–259 282–283 CPU (central processing unit) search for high-entropy content, threads and, 149 283–285 in x86 architecture, 68 cryptography, drawbacks, 281 cpuid instruction, virtual machine CWSandbox, 40 and, 374 crashing virtual machine, from procmon, 44 da command, in WinDbg, 210 CreateFile function, 137, 215, 219, data 455, 520, 527, 583, 640 hard-coded vs. ephemeral, 314–315 debugger and, 171 overlaying onto structure, 214 CreateFileMapping function, 137–138, Python script for converting to 455, 520, 527, 583 string, 500–501 CreateMutex function, 152, 455, 522 redefining in IDA Pro, 103 CreatePipe function, 233 data buffers, instructions for CreateProcess function, 147–149, manipulating, 81 233, 455, 479, 524, 544, 590, data cross-references, 96–97 642, 727 data encoding, 269–294 parameters, 728 cryptographic algorithms, 280–285 CreateRemoteThread function, 256, 262, recognizing strings and imports, 423, 455, 586, 600, 730 281–282 arguments for, 603–604 search for cryptographic and direct injection, 257 constants, 282–283 for DLL injection, 255 search for high-entropy content, CreateService function, 153, 243, 455, 283–285 514–516, 549, 550, 554 custom, 285–288 CreateThread function, 150–151 decoding, 288–294 CreateToolhelp32Snapshot function, 255, instrumentation for generic 263, 455, 498 decryption, 291–294 CreateWindowEx function, 137 manual programming of credential stealers, 234–241 functions, 289–290 GINA interception, 235–236, self-decoding, 288–289 570–571

738 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig goal of analyzing algorithms, 270 Windows debugger detection, identifying and leveraging steps, 352–356 315–317 manually checking structures, labs, 295–296 353–356 solutions, 607–626 with Windows API, 352–353 simple ciphers, 270–280 decoding, 288–294 Base64, 277–280 anti-debugging routine in, 663 Caesar cipher, 270 instrumentation for generic other encoding schemes, decryption, 291–294 276–277 manual programming of functions, XOR cipher, 271–276 289–290 Data Execution Prevention self-decoding, 288–289 (DEP), 578 stack-formed strings, 540–541 data section in main memory, 69 XOR-encoded strings, 542–543 .data section in PE file, 22 decryption size of, 24 of AES, 625–626 DataDirectory array, 364 instrumentation for generic, db command, in WinDbg, 558 291–294 dd command, in WinDbg, 210, requirements for, 622 218, 564 Deep Freeze, 467 DDoS (distributed denial-of-service) default view for IDA Pro, returning attack, 234 to, 92 malware to launch, 517 default web browser, malware deter- debuggers, 167–178. See also anti- mination of, 699–703 deferred breakpoint, 212–213, 554 debugging; Ollydbg; WinDbg delete operator, 437 exceptions, 175–177 DeleteFile function, PyCommand to first- and second-chance, 176 prevent execution, 201 identifying behavior, 356–359 Delphi programs, compile time, 23 INT scanning, 357 DEP (Data Execution Prevention), 578 performing code checksums, 357 Dependency Walker (depends.exe), timing checks, 357–359 16–17, 49, 468, 480 interference with functionality, destructor, 437 359–363 Detail filter, in procmon, 45 exceptions, 361–362 Detours, 262 inserting , 362–363 device drivers, 206 TLS callbacks, 359–361 analysis, 562 just-in-time, 411 finding in kernel, 217 kernel vs. user mode, 168–169 finding in memory, with symbols, 212–215 WinDbg, 563 modifying program execution IDA Pro to open, 551 with, 177 loading, 226 source-level vs. assembly-level, 168 tool for loading, 470–471 using, 169–175 WinDbg for viewing, 551–553 breakpoints, 171–175 device object single-stepping, 169–170 obtaining handle to, 216 stepping-over vs. stepping-into, viewing in kernel, 218 170–171 \Device\PhysicalDisk1, 138 vulnerabilities, 363–365 \Device\PhysicalMemory, 139 DeviceIoControl function, 206, 216, 219, 455, 561–562, 565–566

Practical Malware Analysis INDEX 739 © 2012 Michael Sikorski and Andrew Honig !devobj command, in WinDbg, 220 DomainTools, 301 digital logic, 66 double-packed malware, 397 digital signatures, 48 downloaders, 3, 231–232 direct injection, 254–257 malware as, 481–482 disassembler, 3, 67. See also anti- downloading malware, opening URL disassembly; IDA Pro (Interac- for, 651–652, 654 tive Disassembler Professional) driver objects Disassembler window, in OllyDbg, 182 finding, 220–221 disassembly, 65. See also x86 getting list, 552 disassembly structure in Windows, 206 enhancing in IDA Pro, 100–103 driver signature, 64-bit versions of of Hello World program, 412 Windows and, 227 distance Snort rule keyword, 305 DriverEntry function, 206, 551 distributed denial-of-service (DDoS) DriverInit function, 214, 563 attack, 234 DriverUnload command, 563 malware to launch, 517 !drvobj command, in WinDbg, 217 div instruction, 75 dt command, in WinDbg, 217, 552, divide-by-zero exception, 653, 668 563, 565 DLL display window, in Process du command, in WinDbg, 210 Explorer, 48 dummy names, 100 DLL injection, 286-289, 621, 676, 730 changing, 111 DLL load-order hijacking, Dummy service, in INetSim, 56 244–245 dump command, in OllyDbg, 658 DllCanUnloadNow function, 157, 456 dumping executable from DllEntryPoint function, 495 memory, 469 DllGetClassObject function, 157, 456 OllyDump for, 390 DllInstall function, 157, 456 dwo command, in WinDbg, 211 DllMain function, 43, 146, 254, 401, 495 DWORD determining number of functions call instruction with target based called by, 499 on, 396 DLL_PROCESS_ATTACH, 573 in Windows API, 136 DllRegisterServer function, 157, 456 dynamic analysis, 39–60, 65. See also DLLs. See dynamic link libraries (DLLs) debuggers DllUnregisterServer function, 157, 456 advanced, 3 DNS (Domain Name System) basic, 2–3 attackers tunneling information, 309 basic tools in practice, 56–59 attackers’ use of, 309 benefits of, 39 server, malware access to, 34 Capture BAT for, 467 tools for controlling responses, 465 combining with static analysis, DNS requests 307–321 ApateDNS response to, 51–52 comparing Registry snapshots with checking for, 57 Regshot, 50–51 documentation manuals, for x86 faking network, 51–53 architecture, 85 INetSim, 55–56 domain labs, 61–62 blacklists, 301 solutions, 482–493 getting information, 300–302 packet sniffing with Wireshark, and malicious activity, 299 53–55 Domain Name System. See DNS for viewing (Domain Name System) processes, 47–50

740 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig (procmon), 43–46 Electronic Code Book (ECB), 626 running malware, 42–43 ELF (Executable and Linking For- sandboxes, 40–42 mat), IDA Pro support for, 87 drawbacks, 41–42 EM64T architecture, 441 dynamic link libraries (DLLs), 12, 17, email-stealing malware, 572 145–147 Emerging Threats list of signatures, 304 analyzing in IDA Pro, 521–525 EnableExecuteProtectionSupport base address different from function, 456 preferred, 88 encoding. See data encoding basic structure, 146–147 encoding functions, 614, 725 Detours to add new to existing encrypted files binaries, 262 first of, 286 injection, 254–257 writing, 614 debugger view, 256 encrypted write, function graph of, 287 launching, 42 encryption loading in OllyDbg, 191–192 decoding algorithm with load-order hijacking, for OllyDbg, 616 persistence, 244–245 indications of, 618 malware as, 42 relationship of functions, 621–622 memory addresses for, 184–185 endianness, in x86 architecture, 70 memory map to locate, 546–547 enter instruction, 77 packed, 401 entropy calculation, for packed Process Explorer for finding executables, 387–388 injection, 589 entropy score, dependency with dynamic linking, 16 chunk size, 284 dynamic unpacking programs, EnumProcesses function, 456, 730 automated, 389 EnumProcessModules function, 456 dynamically linked functions, explor- epilogue ing with Dependency Walker, 64-bit code, 446–447 16–17 in functions, 77 EPROCESS structure E changing, 566 examining in WinDbg, 565 EA (effective address), in IDAPython error message strings scripts, 105 finding in binary, 503–504 Eagle, Chris, The IDA Pro Book, 88 indicators of malware’s likely EAT (export address table), hooking functions, 718 method and, 248 ESI register, 81 EAX register, 75, 646 ESP register, 77, 348 EBP register, 77 event capture, toggling on and off in ECB (Electronic Code Book), 626 procmon, 749 Eckel, Bruce, Thinking in C++, 428 event flow, in Windows with and with- ECX register, this parameter and, 429 out hook injection, 259 .edata section, in PE file, 22 Ex suffix, for Windows functions, 17 EDI register, 81 exception handlers EDX register, 75 in 64-bit systems, 445, 447 effective address (EA), in IDAPython building, 653 scripts, 105 misusing structured, 344–346 EFLAGS register, 72 in OllyDbg, 194–195 EIP (instruction pointer), 73 properly disassembled code, 654

Practical Malware Analysis INDEX 741 © 2012 Michael Sikorski and Andrew Honig ExceptionHandler function, 345 fastcall calling convention, 120 EXCEPTION_REGISTRATION data fibers, in Microsoft systems, 151 structure, 344 “File contains too much data” error, exceptions, 344, 361–362 in OllyDbg, 364 in debuggers, 175–177 file mappings, 137–138 first- and second-chance, 176 file signatures, 10 in Windows, 157–158 filters, in procmon, 46 exclusive OR cipher. See XOR cipher file system functions, in Windows API, .exe files, program infecting, 519 137–138 Executable and Linking Format (ELF), FILE_BOTH_DIR_INFORMATION structure, IDA Pro support for, 87 558–559 executables. See also packed FileInformation structure, 558–559 executables FileInsight, 468 dumping from memory, 469 FileMon tool, 43 function import by ordinal, files 16–17, 43 brute-forcing many, 273 loading, 384–385 checking names, 541 into address space of another hidden, 558–559 process, 595 recovering, 559–560 in IDA Pro, 88–89 malware creation of, 612 opening in OllyDbg, 180–181 malware modification of, 527–529 PEiD plug-ins running of, 14 malware opening of, 714–716 searching for strings in, 11 malware uploading of, 716 shellcode as, 407 transferring from virtual termination, 656–657 machine, 36 exit, analysis of immediate, 724 writing from kernel space, 215 expediency, vs. accuracy, 304 Filter dialog in Process Monitor, 484 exploits, 245 filters explorer.exe in procmon, 44–46 code search for, 732 in Wireshark, 53 writing path into process, 588 Find OEP plug-in (Section Hop), 391 export address table (EAT), hooking FindCrypt2, 283 method and, 248 output, 619 export data, in IMAGE_EXPORT_DIRECTORY FindFirstFile function, 20, 456, array, 416 478–479, 520, 527, 715 exported functions, 18 finding absence of, 521 networking code, 313 Exports window, in IDA Pro, 91 original entry point (OEP), $EXTERNAL_NET variable, in Snort, 303 391–395 with automated tools, 391–392 F manually, 392–395 fake services, 55 strings, 11–13 FakeDNS, 469 findKernel32Base function, 419, faking networks, 51–53 697, 707 Netcat (nc) for monitoring, 52–53 FindNextFile function, 20, 478–479, false positives, in Snort, 306 520, 715 Fast Library Identification and FindResource function, 254, 456, 596, Recognition Technology 600, 609 (FLIRT), 88 findSymbolByHash function, 418, 419, signature detection, 541 697, 707

742 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig FindWindow function, 456, 662–663 disassembly and memory to search for debugger, 356 dump, 174 firewall executable import by ordinal, and kernel patching, 227 16–17, 43 for virtual machine, 33 executable use of, 15–18 firmware, 66 exported, 18 flags, 72–73 finding connection between, 622 fldz instruction, 412 finding that installs hook, 223 FlexHEX, 468 graphing cross-references, 498 Flink pointers, 414 graphs of calls, 98 FLIRT (Fast Library Identification and hard-coded locations for calls, 410 Recognition Technology), 88 identifying at stored memory signature detection, 541 location, 695 floating-point instruction, 130 imported, 18, 19 flow chart, of current function, 98 naming conventions, 17 flow control, obscuring, 340–346 overloading in object-oriented adding missing code cross- programming, 430–431 references in IDA Pro, 342 program termination by, 656–657 function pointer problem, 340–341 recursive, 527 misusing structured exception search for information on, 19 handlers, 344–346 stepping-over vs. stepping-into, return pointer abuse, 342–343 394–395 flow-oriented disassembly, 329, virtual vs. nonvirtual, 432–436 331–334 vtables, 434–435 flow Snort rule keyword, 305 Functions window, in IDA Pro, 91 fnstenv instruction, structure for, 411–412 G for loops, 116–118 g (go) command, in WinDbg, 211 ForceFlags field, in heap header, 355 GCC (GNU Compiler Convention), format string, identifying, 505 calling conventions, 121 formatting operands, in IDA Pro, 100 GDI32.dll, 17 FPU (x87 floating-point unit), 411–413 importing from, 20 FpuSaveState structure, 411 GDT (global descriptor table), 374 frame functions, 446 GDT register (GDTR), 374 FS segment register, and SEH chain, general registers, 71–72 344, 354 in x64 architecture, 443 fsgina.dll, 235 GET request, 309 fstenv instruction, structure for, and malicious activity, 299 411–412 malware construction of, 539 FtpPutFile function, 456, 714 GetAdaptersInfo function, 456 FtpSetCurrentDirectory function, 714 dynamic resolution, 680 function pointers, 435 getaddrinfo function, 313 problem, 340–341 GetAsyncKeyState function, 239, 457, functions 581, 585 analysis to determine stack frame GetCommandLineA function, 395 construction, 347 breakpoint on, 400 analyzing in IDA Pro, 97–98 getContent function, 615 graphically, 114 GetCurrentProcessId function, 547 call conventions, 119–121 GetCurrentThreadId function, 575 decision to skip analysis, 526

Practical Malware Analysis INDEX 743 © 2012 Michael Sikorski and Andrew Honig GetDC function, 457 graph mode, in IDA Pro, 89–90, GetFileSize function, 708 98–99 GetForegroundWindow function, 239–240, Graphical Identification and Authen- 457, 581, 585, 598–599 tication (GINA) interception, GetHash function, 236 235–236 gethostbyname function, 313, 314, 457, indications of, 567–571 495–496, 727 Gray Hat Python (Seitz), 201 gethostname function, 457, 611, 650 GUI manipulation functions, 20 GetKeyState function, 240, 457 GUI programs, GetModuleBaseNameA function, 587 IMAGE_SUBSYSTEM_WINDOWS_GUI GetModuleFileName function, 457, 515, value for, 23 531, 541, 575 GUIDs (globally unique identifiers), GetModuleHandle function, 395, 457, 609 155 breakpoint on, 400 GetProcAddress function, 13, 15, 224, H 237, 256, 387, 413, 457, 520 setting breakpoints on, 395 hal.dll, malicious drivers and, 207 unpacking stub import of, 385 handles GetStartupInfo function, 457 for device objects, 220 GetSystemDefaultLangId function, obtaining, 216 457, 498 for injecting malicious DLL, 255 GetSystemDefaultLCID function, 178 locating for PDF document, 708 GetTempPath function, 457, 604 obtaining to samsrv.dll and GetThreadContext function, 458, advapi32.dll, 237 590, 591 for service, OpenService function GetTickCount function, 313, 314, 315, for, 550 358–359, 458, 668–669 in Windows API, 137 GetVersion function, 395 to Winlogon, opening, 603 GetVersionEx function, 458 handles type (H) type, in Windows GetWindowsDirectory function, 458 API, 136 GFI Sandbox, 40–41 Handles window, in Process GINA (Graphical Identification and Explorer, 48 Authentication) interception, hard-coded headers, 637 235–236 hard-coded locations, for function indications of, 567–571 calls, 410 global descriptor table (GDT), 374 hardware breakpoints, 357 global values in memory, 69 in OllyDbg, 188, 190 global variables, 587 vs. software, 687 cross-references for, 547 hardware level, in x86 architecture, 66 vs. local, 110–112 hash dumping, 236–238 GlobalAlloc function, 609 identifying method, 238 globally unique identifiers hash function, 418 (GUIDs), 155 hashed exported names, for symbol GNU Compiler Collection (GCC), resolution, 417–418 calling conventions, 121 hashing, 10 gnuunx (GNU C++ UNIX) libraries, 102 headers GrabHash function, 237 hard-coded, 637 graph in PE file format, 21–26 of encrypted write, 287 Heads function, 105 from IDA Pro Entropy Plugin, 284–285

744 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig heap, 69 inline, 248–250 heap space, creating, 437 keylogger and, 239 heap spray, 705 local and remote, 260 heap structures, information for looking for code, 223 creating, 355 low-level operation, 579 Hello World program, 418–421 malware, installing code for, 577 disassembly, 412 System Service Descriptor Table help, in OllyDbg, 197 (SSDT), 221–222 heuristics, 10 checking for, 222 Hex Editor Neo, 468 host-based signatures, 2 hex editors, 468 hostname hex window, in Wireshark, 53 Base64 string for encoding, 611 Hex Workshop, 468 function to obtain, 722 HexEdit, 468 of local machine, loading Hex-Rays Decompiler plug-in, 106, buffer, 650 347, 468–469 host-only networking, 32–33 hidden files, 558–559 hotkeys, registering, 20 recovering, 559–560 HTML (HyperText Markup Lan- hidden process, 566 guage) comments, 506 Hide Debugger plug-in, 354 command character parsed for OllyDbg, 198 from, 509 Hidedebug plug-in, 354 to send commands to malware, 507 high-entropy content, search for, 283 htons function, 727 high-level language, 66, 67 HTTP (HyperText Transfer Protocol) high-level remote hooks, 260 attackers’ use of, 309 HKEY, 139 port 80 and, 232 HKEY_CLASSES_ROOT, 140 reverse backdoor, 539 \http\shell\open\command, 699 HTTP server HKEY_CURRENT_CONFIG, 140 backdoor indicators, 493 HKEY_CURRENT_USER (HKCU), 140 malware access to, 34 HKEY_LOCAL_MACHINE (HKLM), 140 simulating, 56 HKEY_LOCAL_MACHINE\Software registry HTTPOpenRequest function, 313 key, 448 $HTTP_PORTS variable, in Snort, 303 \Microsoft\Cryptography\RNG\Seed, 549 HTTPQueryInfo function, 313 RegSetValue, 484 HTTPS, attackers’ use of, 309 \Microsoft\Windows\CurrentVersion\ HTTPS server, simulating, 56 Run, 485 HTTPSendRequest function, 313 \Microsoft\Windows NT\CurrentVersion\ Hungarian notation, 136 SvcHost, 488 Hyde, Randall, The Art of Assembly HKEY_USERS, 140 Language, 68 HlpGetPrimaryCredential function, 238 HyperText Markup Language $HOME_NET variable, in Snort, 303 (HTML) comments, 506 honeypots, 369 command character parsed hook function, NtQueryDirectoryFile from, 509 function as, 556–558 to send commands to malware, 507 hook injection, 259–261 HyperText Transfer Protocol (HTTP) assembly code, 261 attackers’ use of, 309 hooking port 80 and, 232 examining in OllyDbg, 579–580 reverse backdoor, 539 function, 598

Practical Malware Analysis INDEX 745 © 2012 Michael Sikorski and Andrew Honig I searching, 94–95 IAT (import address table), hooking searching packed executable for method and, 248 tail jump, 392 ICE (In-Circuit Emulator) for TLS callback function breakpoint, 363 analysis, 360 IDA Pro ( toggling between graph and Professional), 87–106, 469 traditional view, 495 adding IP_ADAPTER_INFO structure, vs. WinDbg, 553 680–681 WinMain function in, 561 analyzing functions, 97–98 The IDA Pro Book (Eagle), 88 analyzing functions graphically, 114 IDA Pro Entropy Plugin, 283–284, applying structure in, 547–548 619–620, 622 comparison plug-in for, 466 graph from, 284–285 consecutive jump instructions in, 335 IDA Pro database (idb), 88 cross-references, 95–97 IDA Pro Free, 87 enhancing disassembly, 100–103 idaapi module in IDAPython, 105 FindCrypt2, 283 IDAPython, 105–106 graphing options, 98–99 .idata section, in PE file, 22 for loop, 117 idautils module in IDAPython, 105 of parsing routines, 318–319 idb (IDA Pro database), 88 view for tail jump, 392–394 idc module in IDAPython, 105 highlighting anti-VM in, 377–378 IDC scripts, 104–105 identifying XOR loops in, 274–276 IDEA (International Data Encryption interface, 89–95 Algorithm), 283 disassembly window modes, identifying malware, hashing for, 10 89–90 IDSs (intrusion detection systems), 298 returning to default view, 92 signature-based, 302 windows for analysis, 91–92 with Snort, 303–304 labs, 107–108 IDT ( Descriptor Table), solutions, 494–501 225, 374 listing imported with crypto- IDT register (IDTR), 374 graphic functions, 282 if statements loading executable, 88–89 for active Internet connection, 510 looking at user-space code in, recognizing, 113–116 215–216 IIDs (interface identifiers), 155 manually switching bytes between and COM functionality, 518 data and instructions, 334 image base, 184 navigating, 92–94 IMAGE_DATA_DIRECTORY structure, 364 colors in navigation band, 93 IMAGE_DOS_HEADER structure, 22, 594 exploring history, 93 IMAGE_EXPORT_DIRECTORY array, export jumping to location, 93–94 data in, 416 links and cross-references, 92–93 IMAGE_FILE_DLL, to modify PE to open driver, 551 header, 43 packed program and, 387 IMAGE_FILE_HEADER, in PE file, 22 plug-ins for extending, 103–106 IMAGE_NT_HEADERS structure, 22, 594 commercial plug-ins, 106 IMAGE_OPTIONAL_HEADER, in PE file, 23 IDAPython, 105–106 IMAGE_OPTIONAL_HEADER structure, IDC scripts, 104–105 363–364 search for x86 instructions vulnera- IMAGE_SECTION_HEADER structure, 23, 594 ble to VM detection, 670–672

746 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig IMAGE_SUBSYSTEM_WINDOWS_CUI value, for initialization function, 214 console programs, 23 injected code, 64-bit version, 442 IMAGE_SUBSYSTEM_WINDOWS_GUI value, for inline hooking, 248–250 GUI programs, 23 function installing, 574–575 $iment command, in WinDbg, 213 input function, and decoding, 286 ImmDbg (Immunity Debugger), 179, input/output system (I/O), in x86 292–294, 469, 616–617 architecture, 68 Python scripts for, 200 inserting interrupts, 362–363 immediate operands, 69 installer export, graph of cross- imm.getRegs function, 293 references, 572–573 imm.remoteVirtualAlloc command, 293 installing imm.setBreakpoint function, 293 inline hook, 574–575 Immunity Debugger (ImmDbg), 179, VMware Tools, 31 292–294, 469, 616–617 InstallService, 43 Python scripts for, 200 instance of class, 428 Immunity security company, 179 instruction pointer, 68, 71 imm.writeLong function, 293 debugger to change, 177 imm.writeMemory command, 293 instruction pointer–relative import address table (IAT), hooking data addressing, in x64 method and, 248 architecture, 443–444 Import Reconstructor (ImpRec), instruction set, 67 390–391, 469 instructions import table bytes as part of multiple, 338 absence of, 480 in x86 architecture, 69–70 modification, 262 anti-VM, 377 rebuilding with Import INT 0x2E instruction, 158 Reconstructor, 390–391 INT 2D anti-debugging technique, 363 repairing manually, 395–397 INT 3 instruction imported functions, 15, 18, 19 exception and, 176 examining list, 513–517 inserting, 362 packer resolving of, 385 INT scanning, 357 Imports window, in IDA Pro, 91 Interactive Disassembly Professional. ImpRec (Import Reconstructor), See IDA Pro (Interactive Dis- 390–391, 469 assembly Professional) In-Circuit Emulator (ICE) interface identifiers (IIDs), 155 breakpoint, 363 and COM functionality, 518 in instruction (x86), 376 International Data Encryption Algo- indexing service, malware starting, 582 rithm (IDEA), 283 indirection tactics, 300 Internet connection inet_addr function, 458, 522 if construct for active, 510 INetSim, 55–56, 57, 469, 634 malware and, 29, 34 logs for requests, 58 malware check for active, 501 information-stealing malware, 4 Internet Explorer, third-party plug-ins infrastructure, attackers’ use of for, 157 existing, 311 Internet functions, graph for func- inheritance, in object-oriented tions connected with, programming, 432 634–635 .ini files, 139 Internet Relay Chat (IRC), 309 InInitializationOrderLinks list of Internet services, simulating, 55 structures, 414

Practical Malware Analysis INDEX 747 © 2012 Michael Sikorski and Andrew Honig InternetCloseHandle function, 504, 634 IsWow64Process function, 448, 459 InternetConnect function, 313 effort to dynamically resolve, InternetGetConnectedState function, 729–730 501, 502 Itanium, 441 InternetOpen function, 145, 313, IWebBrowser2 interface, Navigate 458, 504, 505, 514, 634, function, 155 639–640, 650 InternetOpenUrl function, 145, 313, J 458, 504, 505, 514, 634 JavaScript InternetReadFile function, 145, 313, in PDF files, 704–705 458, 504, 505, 634 to profile user’s system, 423 InternetWriteFile function, 313, 458 jmp instruction, 80, 329, 517 interpreted languages, 67 consecutive in IDA Pro, 335 interprocess coordination, with with constant condition, 336 mutexes, 151–152 with same target, 334–335 Interrupt Descriptor Table (IDT), jnz instruction, 408–409 225, 374 Joe Sandbox, 40 interrupts jump instructions, 386 anti-debugging with, 362–363 jump table, for switch structure, rootkits and, 225 641–642 intrusion detection systems jumping to location, in IDA Pro, (IDSs), 298 93–94 signature-based, 302 just-in-time debugger, 411 with Snort, 303–304 OllyDbg as, 696 intrusion prevention systems jz instruction, 653 (IPSs), 298 false conditional for, 647–648 I/O communication port, query of, target of, 646 375–377 IoConnectInterrupt function, 225 IoCreateDevice function, 562 K IoCreateSymbolicLink function, 562 KANAL (Krypto ANALyzer), 283, IoGetCurrentProcess function, 565 610, 619 import for, 560 KeInitializeApc function, 264–265 IopInvalidDeviceRequest function, 564 KeInsertQueueApc function, 264–265 IP addresses kernel-based keyloggers, 238 blacklists of, 301 kernel code, 206 getting, 300–302 64-bit malware and, 442 and malicious activity, 299 breakpoints, 548 IP_ADAPTER_INFO structure, adding to malware creation of file, 554 IDA Pro, 680–681 kernel debugging IPRIP service, malware installed as, 488 looking at user-space code, IRC (Internet Relay Chat), 309 215–216 IRP_MJ_DEVICE_CONTROL function, 218 setting up for VMware, 207–210 code listing, 219 WinDbg and, 205 locating function for, 218 kernel driver, creating service to IRP_MJ_READ function, 219 load, 216 Irvine, Cynthia, 373 kernel mode isdataat Snort rule keyword, 305 binary translation by VMware, 373 IsDebuggerPresent function, 352, 458 for debuggers, vs. user mode, IsNTAdmin function, 458 168–169 in Windows, 158–159

748 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig kernel patch protection, 227 C code constructs in assembly, kernel space, APC injection from, 133–134 264–265 solutions, 501–513 kernel32.dll, 17, 20, 159 covert launching techniques, assembly code to find base 266–267 address, 415 solutions, 586–607 finding in memory, 413–415 data encoding, 295–296 imported functions, 16 solutions, 607–626 imports from, 480, 481 dynamic analysis, 61–62 name change by malware, 520, 529 solutions, 482–493 shellcode and, 413 IDA Pro, 107–108 viewing imports from, 478 solutions, 494–501 KERNEL_DRIVER service type, 153 malware behavior, 251–252 kernel-mode APC, 263 solutions, 566–586 kernel-mode code, looking at, network signatures, 323–324 217–220 solutions, 626–645 Kernighan, Brian, The C Programming OllyDbg, 202–203 Language, 110 solutions, 530–548 KeServiceDescriptorTable function, 559 packers, 403 KeTickCount function, 549 solutions, 684–695 key shellcode analysis, 425–426 for cryptographic algorithms, 281 solutions, 696–712 in registry, 139 static analysis, 27–28 key initialization code, identifying, 622 solutions, 477–481 keyboard inputs, 20 WinDbg, 228 keyloggers, 4, 238–241 solutions, 548–566 analysis, 585, 597–599 Windows malware, 162–163 hooks for, 260 solutions, 513–529 indications of, 491, 581 last in, first out (LIFO) structure, 77 KMixer.sys, 217 launchers, 4, 231–232. See also covert KnownDLLs registry key, 245 launching techniques Krypto ANALyzer (KANAL), 283, LdrGetProcAddress function, 15 610, 619 LdrLoadDll function, 15, 459 LDT (local descriptor table), 374 L LDT register (LDTR), 374 lab environments, malware and, 298 lea instruction (load effective labeling, in OllyDbg, 197 address), 73–74 labs leaf functions, 446 64-bit malware, 450–451 leave instruction, 77 solutions, 723–732 left rotation (rol), 76 anti-debugging, 367–368 legacy graphs, in IDA Pro, 98 solutions, 655–669 libdisasm disassembly library, 330 anti-disassembly, 350 LIFO (last in, first out) structure, 77 solutions, 645–655 linear disassembly, 329–331 anti-virtual machine (anti-VM) vs. flow-oriented, 331–332 techniques, 381–382 linked libraries, executable use of, solutions, 670–684 15–18 C++ analysis, 439–440 linked list traversal, 130–132 solutions, 712–723 links, navigating in IDA Pro, 92–93 virtual machine, 57

Practical Malware Analysis INDEX 749 © 2012 Michael Sikorski and Andrew Honig listen function, 143, 144 loops listen mode, in Netcat, 52 in C code, 116–118 LIST_ENTRY structure, 414, 565 setting breakpoints after, 394 little-endian data, 69 LordPE, 469 lm command, in WinDbg, 212, 223, LowLevelKeyboardProc export, 20 553, 555 low-level language level, 66, 67 ln command, in WinDbg, 213 LowLevelMouseProc export, 20 loaddll.exe, 401 low-level remote hooks, 260 OllyDbg use of, 191 LsaEnumerateLogonSessions function, 459 loader, 232. See also launchers lsaext.dll, 236 loading LSASS (Local Security Authority Sub- device drivers, 226 system Service) process, 236 executable, 384–385 lsass.exe, 236 in IDA Pro, 88–89 LUIDs (locally unique identifiers), 238 LoadLibrary function, 13, 15, 261, 387, 413, 417, 459, 520, 521, 545, M 546, 547, 585 MAC address, for virtual machine, 371 finding last call, 692 , 67 unpacking stub import of, 385 magic constant, 283 LoadResource function, 254, 459, 596, magic number, 376 600, 609 main function loc links, in IDA Pro, 93 determining start, 530 local administrator, user starting analysis at, 501–502 running as, 245 main memory, in x86 architecture, local descriptor table (LDT), 374 68, 69 local hooks, 260 major function table, 218 local machine, loading buffer with analyzing functions of, 564–566 hostname, 650 finding, 220 Local Security Authority Subsystem Malcode Analyst Pack, 469–470 Service (LSASS) process, 236 malicious documents, Process local user accounts, password Explorer to analyze, 50 hashes of, 236 malloc function, 578 local variables, vs. global, 110–112 malware. See also Windows malware locally unique identifiers (LUIDs), 64-bit, 441–449 238, 247 analyzing without unpacking, locations, name changes in 400–401 IDA Pro, 100 attempts to delete itself, 531 LockResource function, 596, 609 double-packed, 397 logging hashing for identifying, 10 active window, 239 observing in natural habitat, 298 of credentials, 570–571 packed and obfuscated, 13–14 errors in malware, 674 running, 42–43 in OllyDbg, 197 safe environment for running, 14 logical operators, 75 searching for evidence of logon, credential stealers, 234–241 encoding, 608 long pointer (LP) type, in Windows self-deletion scripting code, 674 API, 136 types, 3–4 LookupPrivilegeValueA function, malware analysis 247, 730 creating machine for, 31–33 loopback encoding algorithm, 277 danger of overanalysis, 308

750 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig general rules, 4–5 dumping executable from, 390, goals, 1–2 400, 469 risks of using VMware for, 36–37 finding in, with techniques, 2–3. See also dynamic WinDbg, 563 analysis; static analysis finding kernel32.dll in, 413–415 tools, 465–475 function dump, 174 malware behavior, 231–250 processes and, 147 backdoor, 232–234 memory-access violations, 177 botnets, 234 memory address operands, 69 credential stealers, 234–241 memory breakpoint, in OllyDbg, 188, GINA interception, 235–236 190–191 hash dumping, 236–238 Memory dump window, in OllyDbg, keystroke logging, 238–241 183 downloaders and launchers, memory map, to locate DLLs, 231–232 546–547 indications of, 298–299 Memory Map window, in OllyDbg, labs, 251–252 183–185 solutions, 566–586 memory window, WinDbg reading persistence, 241–245 from, 210–211 DLL load-order hijacking, Memoryze, 470 244–245 message box, malware creation of, 586 trojanized system binaries, Message-Digest Algorithm 5 (MD5), 10 243–244 message flow, in Windows with and Windows Registry for, 241–243 without hook injection, 259 privilege escalation, 245–247 Metasploit, 245, 418 SeDebugPrivilege, 246–247 methods remote administration tool (RAT), in C++ class, 427 233–234 overloading, 430–431 user-mode rootkits, 247–250 microcode, in x86 architecture, 66 IAT hooking, 248 Microsoft. See also Windows inline hooking, 248–250 Component Object Model (COM), Mandiant 154–157 ApateDNS, 51–52 documentation, 453 Red Curtain, 388 firewall, 33 mangling, 430–431 Hyper-V, 31 manual unpacking, 389–397 Software Data Execution Prevention MapViewOfFile function, 137–138, 459, (DEP), 345 520, 527, 583 symbols, 212–215 MapVirtualKey function, 459 Virtual PC, 31 mass malware, 4 Visual Studio, 16 MD5 (Message-Digest Algorithm 5), 10 calling conventions, 121 media files, shellcode stored within, 423 wide character string, 11 memcmp function, 497 Microsoft Developer Network memcpy function, 596 (MSDN), 414 memory Microsoft signed binary, verifying, 48 addresses for global variables, 111 MIME (Multipurpose Internet allocation for objects, 437 Mail Extensions) standard, checking for VMware artifacts, 373 Base64 and, 277 copying PE sections into, 593–594 MmGetSystemRoutineAddress function, 224, 459

Practical Malware Analysis INDEX 751 © 2012 Michael Sikorski and Andrew Honig mneumonics, in instructions, 69 of modules, getting, 602 Module32First function, 459 for mutexes, 151 Module32Next function, 459 Names window, in IDA Pro, 91 modules namespaces, files accessible via, getting name of, 602 138–139 listing in WinDbg, 212 NAT (Network Address Translation), modulo operation, 75, 112, 113 311 mov instruction, 73, 76, 79, 338, 500 for VMware, 34 position dependence, 409 Native API, in Windows, 159–161 movsb instruction, 82 native applications, 161 movsd instruction, 528 Navigate function, 155, 313 movsx instruction, 81 nc. See Netcat (nc) MS-DOS Stub Program, 22 Nebbett, Gary, Windows NT/2000 MSDN (Microsoft Developer Native API Reference, 160 Network), 414 nested if statements, 113, 114–116 MSDN online, 19 net start cisvc command, 582 msg keyword, in Snort, 304 net start command, 43, 152, 581 msgina.dll, and GINA, 235 Netcat (nc), 52–53, 470, 483, 634 msvcrt.dll, imports from, 480 examining results, 485 mul instruction, 75 output when listening on multibyte encoding algorithm, 276 port 80, 504 Multipurpose Internet Mail Exten- reverse shells, 232–233 sions (MIME) standard, NetScheduleJobAdd function, 459, 547 Base64 and, 277 NetShareEnum function, 459 multithreaded version, of Windows network adapter, bridged, 34 reverse shell, 233 Network Address Translation mutants, 151 (NAT), 311 mutexes, 58, 482, 513 for VMware, 34 creating, 483, 515 network countermeasures, 297 interprocess coordination with, Network filter, in procmon, 46 151–152 network interface cards (NICs), malware creation of, 585 virtual, 371 malware use of, 517 network signatures, 2, 297–322 MZ header, in PE executable, 594 analysis, 631–632 attacker’s perspective and, 321–322 N creating, 490 creating for Snort, 317 named constants, 102–103 creating XOR brute-force, 273 named pipes, watching for Emerging Threats list of, 304 input on, 634 generating, 643 names labs, 323–324 conventions for functions, 17 solutions, 626–645 hashed exported, for symbol for malware infection detection, 2 resolution, 417–418 User-Agent field for, 637 for lab files, 27 networking , 143–145 of locations, changing in networks IDA Pro, 100 analysis, 538–539 for malicious DLL, 257 capturing traffic, 580 of malware, string comparison, 666 faking, 51–53 mangling in C++, 431 finding code, 313

752 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig host-only, 32–33 NULL terminator, 11 indications of functioning, 572 Number of Opcode Bytes option, 335 knowing sources of content, 314 NXDOMAIN option, 52 server and client sides, 144–145 virtual, 32 O new operator, 435, 437, 712 !object command, in WinDbg, 552 nibble, 278 object-oriented programming, NICs (network interface cards), 427–432 virtual, 371 overloading and mangling, No Pill technique, 375. See also sldt 430–431 instruction (No Pill) this pointer, 428–430 NopBytes function, 339 objects, creating and destroying nonleaf functions, 446 in C++, 437 nonprivileged mode, 177 OEP. See original entry point (OEP) nonvirtual functions, vs. virtual, OfficeMalScanner, 470 432–436 offset links, in IDA Pro, 93 NOP instruction, in x86 OleInitialize function, 154, 460, 518 architecture, 76 OllyDbg, 168, 179–201, 364, 470 NOP sequence, 337 analysis, 691 NOP sled, shellcode and, 422–423 assistance features, 197 NOP-ing out instructions with breakpoints, 188–191 IDA Pro, 340 choosing to debug arguments, 532 Norman SandBox, 40 debug window from, 173 Norton Ghost, 30 default settings for exceptions, 362 noscript tags, malware commands disassembly view, 533 from, 638 examining hook in, 579–580 NSPack, 388 , 194–195 NT namespace, 138 executing code, 186–187 NtContinue function, 161, 386 finding function addresses NtCreateFile function, 215, 224 with, 410 ntdll.dll, 17, 159, 352, 414 forcing code disassembly, 689 NTGlobalFlag flag, 355, 659–660 interface, 181–183 ntohl function, 191 as just-in-time debugger, 411, 696 ntoskrnl.exe, 159 labs, 202–203 malicious drivers and, 207 solutions, 530–548 NtQueryDirectoryFile function, 459, 559 loading DLLs, 191–192, 401 as hook function, 556–558 loading malware, 180–181, 656 NtQueryInformationFile function, 160 loading packed executable in, 389 NtQueryInformationKey function, 160 memory map to examine DLL load NtQueryInformationProcess function, locations, 546 352, 460 Memory Map window, 183–185 NtQueryInformationThread function, 160 opening malware with, 538 NtQuerySystemInformation function, 160 OutputDebugString format string NtReadFile function, 160 vulnerability, 365 NtSetInformationProcess function, 460 packed program and, 387 NtWriteFile function, 160, 215 patching, 195–196 NULL bytes, avoiding in pausing before TLS callback, 361 shellcode, 421 plug-ins, 197–200, 354 NULL-preserving single-byte XOR encoding, 273–274

Practical Malware Analysis INDEX 753 © 2012 Michael Sikorski and Andrew Honig OllyDbg, continued transferring execution to, 386 premature termination of unpacking stub and, 384 program in, 662 orphaned process, 490–491 rebasing, 184–185 OSR Driver Loader, 470–471 Run Trace option, 395 OSs (operating systems), backup screen capture decoding with, 616 images of, 30 scriptable debugging, 200–201 Outlook Express, 579–580 shellcode analysis, 196–197 output functions, tracing from, 286 strncmp function in, 663 OutputDebugString function, 353, tracing, 192–194 460, 664 viewing threads and stacks, overanalysis, danger of, 308 185–186 overloading, 430–431 vulnerabilities in, 363–365 WinUpack and, 400 P OllyDump, 198, 389–390 packed DLLs, 401 dumping unpacked program, 694 packed executables Find OEP by Section Hop (Trace detecting, 23 Into), 686 entropy calculation for, 387–388 Find OEP by Section Hop (Trace identifying, 387–388 Over), 685, 687 loading in OllyDbg, 389 forcing code disassembly, 686 repairing import table for, 390 opcodes, in x86 architecture, 67, 70 packed files open source sniffer, 53 indications of, 480 OpenMutex function, 152, 460, 522 strings and, 483 OpenProcess function, 460 packed malware, 13–14 OpenProcessToken function, 247, 730 detecting with PEiD, 14 OpenSCManager function, 153, 460, 514, packers, 383–402 515, 549, 550, 554 anatomy, 384–387 OpenService function, 549, 550 labs, 403 OpenSSL, 281 solutions, 684–695 operands resolving imports, 385 formatting in IDA Pro, 100 tail jump, 386 in x86 architecture, 69, 70 tips and tricks for common, operating systems (OSs), backup 397–400 images of, 30 unpacking illustrated, 386–387 Operation filter, in procmon, 45 packet listing, in Wireshark, 53 operational replication, 308 packet sniffing, with Wireshark, 53–55 operations security (OPSEC), 299 packing algorithm, program to run in or instruction, 76 reverse, 389 OR logical operator, in x86 padding characters, Base64 architecture, 75 string and, 279 ordinal, executable import of func- Parallels, 31 tions by, 16–17, 43 parent classes in C++, 432 original entry point (OEP) child class functions from, 436 code around, 399 parent-child relationships, in DLLs, 401 in classes, 432 finding, 391–395 parsing routines with automated tools, 391–392 analyzing, 318–320 manually, 392–395 IDA Pro graph of, 318–319 indications of, 694 pass-the-hash attacks, 236

754 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig password check function, 533 Phatbot, VMware detection, 375–376 testing if disabled, 534 phishing, targeted, 299 passwords, 661 PIC (position-independent code), getting correct, 665 408–409 sniffing, 53 pipe symbol (|), in Snort, 304 PatchByte function, 337, 339 plug-ins PatchGuard, 227 for extending IDA Pro, 103–106 patching, in OllyDbg, 195–196 in OllyDbg, 197–200, 354 payload rule options, in Snort, 303 PEiD, running of executables, 14 PCRE (Perl Compatible Regular third-party, for Internet Expression) notation, in Explorer, 157 Snort, 305, 316 pointers, handles vs., 137 pcre Snort rule keyword, 305 Poison Ivy, 189, 234 .pdata section, in PE file, 22 tracing, 193–194 PDF Dissector, 471 use of VirtualAlloc function, .pdf documents, 704–712 189–190 analyzing with Process Explorer, 50 polling, 239 objects created for, 716 polymorphism, 434 PDF Tools, 471 pop instruction, 77, 79 PE Explorer, 26, 471 after call, 409–411 unpacking plug-ins, 388 and tail jump, 394 PE file format. See Portable Execut- pop-up ads, 560–561 able (PE) file format popa instruction, 79, 244 PEB (Process Environment Block) popad instruction, 79 structure, 352, 591–592 port 80, backdoor and, 232 documented, 354 Portable Executable (PE) file format, PEBrowse Professional, 26 14–15, 396 PECompact, 397–398 copying sections into memory, PeekNamedPipe function, 460, 634 593–594 PEiD, 471, 478, 479–480 examining file structure, 486 detecting packers with, 14 header vulnerabilities, OllyDbg, KANAL output, 610 363–365 peripheral devices, connecting and headers and sections, 21–26 disconnecting, 34–35 summary information, 26 Perl Compatible IDA Pro support for, 87 (PCRE) notation, in Snort, indications in, 729 305, 316 packed executables formatting of, persistence, 241–245, 572 385 AppInit_DLLs for, 575 parsing export data, 415–417 DLL load-order hijacking, 244–245 PEview for examining, 22–24 of registry, 139 rebasing and, 184 trojanized system binaries, 243–244 Resource Hacker tool for viewing, Windows Registry for, 241–243 25–26 Petite, 398 resource section, 254, 567 PEview, 471, 478 section headers, and OllyDbg examining PE files with, 22–24 crash, 364 finding base address with, 545 .tls section, 360, 662 original and trojanized versions of ports, malware use of, 52 cisvc.exe, 584–585 position-independent code (PIC), PhantOm plug-in, 354, 658, 659, 665 408–409

Practical Malware Analysis INDEX 755 © 2012 Michael Sikorski and Andrew Honig POST method, 309 function to open and printf function, 120 manipulate, 20 call compiled for 32-bit hidden, 566 processor, 445 interprocess coordination with call compiled for 64-bit mutexes, 151–152 processor, 446 Properties window for, 48 IDA Pro problems recognizing, 502 resuming suspended, 595 privilege escalation, 245–247 starting and replacing, 596 SeDebugPrivilege, 246–247 ProcessHeap flag, in PEB structure, 355 privileged mode, 177 procmon. See Process Monitor ProcDump, 400 (procmon) Process activity filter, in procmon, 46 programs. See executables process context, 158 prologue Process Environment Block (PEB) 64-bit code, 446–447 structure, 352, 591–592 in functions, 77 documented, 354 Properties window, in Process Process Explorer, 58, 472, 483 Explorer, 48 comparing strings, 49 protocols, attackers mimicking Dependency Walker, 49 existing, 309–310 for finding DLL injection, 589 psapi.dll, 586, 600 Verify option, 48–49 push instruction, 77, 79, 244, 329, 689 viewing processes with, 47–50 vs. mov, 120 Process Hacker, 472 with return instruction for Process Monitor (procmon), 43–46, tail jump, 399 472, 483 to start functions in disassembly, 394 boot logging options, 46 Pwdump, 236 display, 44 PyCommand Python script, 200–201 Filter dialog, 484 PyCrypto cryptography library, filtering in, 44–46 290, 625 filters on toolbar, 46 potential pitfalls, 626 reviewing results, 58 Python, 472 toggling event capture on IDAPython, 105–106 and off, 749 program to decode Base64- Process Name filter, in procmon, 45 encoded string, 289 Process Properties window, PyCommand script, 200–201 Strings tab, 49 script for converting data to string, process replacement, 48–49, 257–259 500–501 Process32First function, 255, 263, 460 Process32Next function, 255, 263, 460 Q processes query, of I/O communication port, creating, 147–149, 590 375–377 dumping from memory, 390, 400 QueryPerformanceCounter function, dynamically resolving enumera- 358–359, 460, 667–668 tion imports, 600–601 QueueUserAPC function, 263, 460 EBX register of suspended newly created, 591 enumerating, 601 for following running malware, radio-frequency identification (RFID) 147–149 tokens, 235 RaiseException function, 157, 344

756 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig Random function, 313, 314 scripting with .reg files, 142–143 random number generator seed, 484 snapshots with Regshot, 50–51 RAT (remote administration tool), VMware artifacts in, 371 233–234 Registry Editor (Regedit), 140–141 raw data, translating to Base64, Registry filter, in procmon, 46 277–278 registry keys, 20 RC4 algorithm, 283 malware and, 42 RCPT command (SMTP), 572 references to debuggers, 356 .rdata section, in PE file, 21 \Registry\Machine strings, 549 rdtsc function, 669 RegMon tool, 43 rdtsc instruction, for timing RegOpenKey function, 461 check, 358 RegOpenKeyEx function, 141, 142, read breakpoints, for finding 448, 508 tail jump, 394 RegSetValueEx function, 141, 508 ReadFile function, 137, 219 Regshot, 50–51, 56, 472, 487–488 origin of handle passed to, 623 regular expressions, for identifying ReadProcessMemory function, 460, 590 malware patterns, 631 rebasing, 88 relative addresses, vs. absolute in OllyDbg, 184–185 addresses, in OllyDbg, receiving data, and code analysis, 312 184–185 recovery of hidden files, 559–560 relative virtual addresses (RVAs), for recursive function, 527 PE files, 416 recv function, 143, 144, 313, 461 ReleaseMutex function, 151 Red Pill anti-VM technique, 374–375. .reloc section, in PE file, 22 See also sidt instruction remote administration tool (RAT), (Red Pill) 233–234 reference Snort rule keyword, 305 remote hooks, 260 RegCreateKeyEx function, 448 remote machine, program receiving RegDeleteKeyEx function, 448 commands from, 522 Regedit (Registry Editor), 140–141 remote process, VirtualAllocEx RegGetValue function, 141 function and, 255 Regional Internet Registries remote shell session function, 497 (RIRs), 301 remote socket, program register operands, 69 connecting to, 727 RegisterClassEx function, 20 rep instructions, in x86 architecture, RegisterHotKey function, 20, 461 81–83 registers, 68 REP MOVSx instruction, 536 shifting, 75 replication, operational, 308 in x64 architecture, 443 resource extraction import in x86 architecture, 71–73 functions, 567 Registers window, in OllyDbg, 182 Resource Hacker, 25–26, 472, 482, registries, for Internet addresses, 301 554, 596–597 Registry (Windows), 139–143 resource section analyzing code, 141–142 executable file stored in, 555 common functions, 141 loading data from, 481 defining services, 242 resources function for string search, 679 imports for manipulating, 600 indications of modification, 508 obfuscated with single-byte XOR for persistence, 241–243 encoding, 609 root keys, 140

Practical Malware Analysis INDEX 757 © 2012 Michael Sikorski and Andrew Honig resources management, rtutils.dll, comparing trojanized and processes for, 147 clean versions, 243 ResumeThread function, 259, 461 rule options, in Snort, 303 ret instruction, 77, 386, 409 Run subkey, for running programs retn instruction, 342–343, 693 automatically, 140 return instruction, for tail jump, push run trace, in OllyDbg, 193 instruction with, 399 rundll32.exe, 42–43, 488 return pointer, abuse, 342–343 filter for process, 572 rev keyword, in Snort, 304 for running DLL malware, 42–43 reverse-engineering, 3 running process, attaching network protocols, 53 OllyDbg to, 181 in x86 disassembly, 67–68 running services, listing, 152 reverse-engineering environment, 466 runtime linking, 15 reverse IP lookups, 301 RVAs (relative virtual addresses), for reverse shell, 232–233 PE files, 416 analysis, 544 creating, 703 S reversible cipher, 271 safe environment, 29. See also virtual RFID (radio-frequency identification) machines tokens, 235 SafeSEH, 345 right rotation (ror), 76 SAM (Security Account Manager), Rijndael algorithm, 618 password hashes of local user RIP-relative addressing, 443 accounts, 236 RIRs (Regional Internet Registries), SamIConnect function, 237, 461 301 SamIGetPrivateData function, 237, 461 Ritchie, Dennis, The C Programming SamQueryInformationUse function, 461 Language, 110 SamrQueryInformationUser function, 237 Robin, John, 373 samsrv.dll library, obtaining RobTex, 302 handle to, 237 rogue byte, 337 sandboxes, 40–42, 473 ROL encoding algorithm, 276 Sandboxie, 473 rol instruction, 76 sc command, 555 Roman Empire, Caesar cipher and, 270 scareware, 4 root key, in registry, 139 scasb instruction, 82 rootkits, 4, 221–225 scasx instruction, 81 finding, 555–556 ScoopyNG, 379 interrupts and, 225 screen capture, function for, 615 user-mode rootkits, 247–250 ScreenEA function, 105 ROR encoding algorithm, 276 scriptable debugging, in OllyDbg, ror instruction, 76 200–201 ROT encoding algorithm, 276 scripts, IDC, 104–105 rotation, instruction for, 76 searching .rsrc section, in PE file, 22, 25–26 default order for loading DLLs in RtlCompareMemory function, 557–558 Windows XP, 245 RtlCreateRegistryKey function, 461, in IDA Pro, 94–95 549, 553 for symbols, 212–213 RtlInitUnicodeString function, 219, 559 Section Hop, 391 RtlWriteRegistryValue function, 461, Secure Hash Algorithm 1 (SHA-1), 10 549, 553

758 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig Security Account Manager (SAM), shared folders, 36 password hashes of local user in VMware, 380 accounts, 236 shell, connecting pipe to output, 624 security descriptor, 246 Shell32.dll, 20 SeDebugPrivilege privilege-escalation shellcode procedure, 603 64-bit version, 442 segment registers, 71 decoder with alphabetic SEH (Structured Exception encoding, 697 Handling), 157, 665 finding, 423–424 chain, 345 hash array, 700–701 misusing, 344–346 locating open handle to PDF, 708 Seitz, Justin, Gray Hat Python, 201 payload, 698 self-decoding, 288–289 writing into cisvc.exe, 583–584 self-deletion scripting code, 674 shellcode analysis, 407–424 send function, 143, 144, 313, 461 dynamic, 706–707 installing inline hook, 574 encodings, 421–422 sending data, and code analysis, 312 identifying execution location, server side of network, 144–145 409–413 ServiceMain function, 673 labs, 425–426 services solutions, 696–712 defining in Registry, 242 loading code for, 408 function creating, 677 manual symbol resolution, 413–418 functions indicating creation, 549 finding kernel32.dll in memory, handles for, OpenService 413–415 function for, 550 parsing PE export data, 415–417 malware creation, 514 using hashed exported names, malware installed as, 487 417–418 program creating, 561 NOP sled, 422–423 sc command for information in OllyDbg, 196–197 about, 555 position-independent code (PIC), in Windows, 152–154 408–409 SetColor function, 105 shellcode_launcher.exe, 408, 411, 696 setdll tool, 262 ShellExecute function, 462, 636 SetFilePointer function, 709 shifting registers, 75 SetFileTime function, 461 shl instruction, 75, 76 SetThreadContext function, 259, 461, ShowWindow function, 20 590, 595 shr instruction, 75 SetWaitableTimer function, 516 sid keyword, in Snort, 304 SetWindowsHookEx function, 20, 239, sidt instruction (Red Pill), 375, 260, 261, 462, 597 670, 671 SetWindowText function, 20 virtual machine and, 374 SF (sign) flag, 72 signature-based IDSs, 302 sfc_os.dll, 604 signatures. See network signatures SfcTerminateWatcherThread function, simple ciphers, 270–280 462, 604 Base64, 277–280 sgdt instruction Caesar cipher, 270 virtual machine and, 374 other encoding schemes, 276–277 and VMware detection, 375 XOR cipher, 271–276 SHA-1 (Secure Hash Algorithm 1), 10 simple instructions, in x86 shared files, 138 architecture, 73–76

Practical Malware Analysis INDEX 759 © 2012 Michael Sikorski and Andrew Honig single-byte XOR encoding, 271 spear-phishing, 299 single-stepping special files, in Windows API, 138–139 in debuggers, 169–170, 176 sprintf function, annotated code for and icebp instruction, 363 arguments, 628–629 in OllyDbg, 187 spyware, 20 sinkhole, 297 SSDT (System Service Descriptor Size of Raw Data, 23–24 Table) SizeOfRawData field, in PE header, 365 checking for, 222 SizeofResource function, 254, 596, 609 hooking, 221–222 sldt instruction (No Pill), 670, 672 stack, 69 and VMware detection, 375 addresses for local variables, 111 Sleep function, 239, 263, 329, 479 ExceptionHandler code and, 345 in loop, 629 fixing for function, 506–507 parameter for, 499 identifying parameters pushed sandboxes and, 41 onto, 502–503 Sleuth Kit, The (TSK), 473 objects created on, 437 smart cards, 235 viewing in OllyDbg, 185–186 snapshots in x64 architecture, differences in comparing with Regshot, 50–51, 58 usage, 443–447 of registry, 487–488 in x86 architecture, 77–80 of virtual machines, 35–36 function calls, 77–78 Snort, 473 layout, 78–80 analyzing parsing routines, stack overflow, 158 318–320 stack pointer, negative number for, 348 creating signature, 317 stack variables, automatically false positives in, 306 naming, 100 intrusion detection with, 303–304 Stack window, in OllyDbg, 182–183 Perl Compatible Regular Expres- stack-formed strings, decoding, sion (PCRE) notation in, 305 540–541 signature for rule, 632 stack-frame analysis, thwarting, targeting multiple elements, 347–349 320–321 standard back trace, in OllyDbg, sockaddr_in structure, 543, 702 192–193 socket function, 143, 144, 313 StartAddress function, 516 symbolic constants for, 500 START_PENDING, as service status, 517 sockets StartService function, 153, 549, Berkeley compatible, 143–144 550, 554 code for creating, 701–702 StartServiceCtrlDispatcher function, program connecting to remote, 727 462, 514 SoftICE, 168 STARTUPINFO structure, 148, 233 software, modifying execution with manipulating, 544 debugger, 177 static analysis, 9–26, 65 software breakpoints, 357 advanced, 3 vs. hardware, 687 basic, 2 in OllyDbg, 188–189 combining with dynamic analysis, Software Data Execution Prevention 307–321 Software (DEP), 345 Dependency Walker for, 468 source-level debuggers, vs. example, PotentialKeylogger.exe, assembly-level, 168 18–21 spam-sending malware, 4

760 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig labs, 27–28 strncmp function, 256, 523, 524, 715 solutions, 477–481 for module name comparison, 666 techniques, 482–485 in OllyDbg, 663 static IP addresses, 632 strncpy function, 611 static libraries, 145 strrchr function, 541, 725 static linking, 15 strstr function, 640 static unpacking programs, Structured Exception Handling automated, 389 (SEH), 157, 665 static values in memory, 69 chain, 345 status flags, 71 misusing, 344–346 STATUS_BREAKPOINT exception, 362 structures stdcall calling convention, 120 applying in IDA Pro, 547–548 stepping, in OllyDbg, 187 AT_INFO, 547–548 stepping-into, in debuggers, 170–171 EPROCESS stepping-over, in debuggers, changing, 566 170–171, 187 examining in WinDbg, 565 Storm worm, 375 identifying, 128–130 stosx instruction, 81 InInitializationOrderLinks list of, 414 str instruction, 670, 671–672 LIST_ENTRY, 414, 565 to detect VMware, 377–378 manually checking, 353–356 and virtual machine detection, 377 Microsoft symbols and viewing strcat function, risk in using, 421 information on, 213–214 strcpy function, risk in using, 421 overlaying data onto, 214 stricmp function, 527 sockaddr_in, 543, 702 string instructions, 81 STARTUPINFO, 148, 233, 594 strings SYSTEMTIME, 516 comparing in Process Explorer, 49 time-related, manipulating, 516 comparison of malware names, 666 UNICODE_STRING, for Windows concatenation functions, 535 kernel, 219 decoding stack-formed, 540–541 Structures window, in IDA Pro, 92 decoding XOR encoded, 542–543 SUB encoding algorithm, 276 finding, 11–13 sub links, in IDA Pro, 93 finding anti-VM techniques using, subkey, in registry, 139 679–683 subtraction, instruction for, 74 functions for manipulating, 715 suspended process, resuming, 595 in malware, 487 suspended state, creating obfuscated comparison, 640–641 process in, 258 packed files and, 483 SuspendThread function, 462 Python script for converting data SvcHost DLLs, 242–243 to, 500–501 svchost.exe, 257–258 recognizing in cryptographic malware launch from, 488 algorithms, 281–282 running as orphaned process, sending to debugger for 490–491 display, 353 switch statement, 121–126, 722–723 strings listings, identifying keyloggers graph indicating, 509–510 in, 240–241 if style for, 122–123, 124 Strings tool, 473 jump table for, 123–126, 641–642 to search executable, 11–12 symbolic constants, for socket Strings window, in IDA Pro, 91 function, 500

Practical Malware Analysis INDEX 761 © 2012 Michael Sikorski and Andrew Honig symbolic links, creating, 562 Thread Environment Block (TEB), 344 symbols, 212–215 thread identifiers (TID), 575–576 configuring, 215 Thread Information Block (TIB), 344 searching for, 212–213 thread local storage (TLS) callbacks, and viewing structure information, 359–361 213–214 Thread32First function, 462 SYSCALL instruction, 158, 221 Thread32Next function, 462 SYSENTER instruction, 158 threads , Autoruns program, 241 program accessing context of, 591 SYSTEM account, 152 targeting, 261 system binaries, trojanized, for viewing in OllyDbg, 185–186 persistence, 243–244 in Windows, 149–151 system calls, filtering on, 45 ThreatExpert, 40 system function, 462 TIB (Thread Information Block), 344 system memory. See memory TID (thread identifiers), 575–576 system residue, checking for, 356 Time Date Stamp description, in PE System Service Descriptor Table file, 22–23 (SSDT) time-related structures, checking for, 222 manipulating, 516 hooking, 221–222 timestomping, 535 SystemFunction025 function, 237 timing checks, 357–359 SystemFunction027 function, 237 GetTickCount function, 668–669 SYSTEMTIME structure, 516 with QueryPerformanceCounter, SystemTimeToFileTime function, 516 667–668 rdtsc function, 669 T TLS (thread local storage) callbacks, 359–361 tail jump, 386 Toolhelp32ReadProcessMemory eliminating code as, 693 function, 462 examining code for, 687–688 Tor, 300, 474 and finding OEP, 392 tracing, in OllyDbg, 192–194 for program packed with traffic logs, of malware activities, 312 UPack, 399 transferring files, from virtual targeted malware, 4 machine, 36 targeted phishing, 299 trap flag, 176–177 TCP handshake, capturing, 59 trojanized system binaries, for TCPView, 473 persistence, 243–244 TEB (Thread Environment Block), 344 Truman, 474 TerminateProcess function, IAT TSK (The Sleuth Kit), 473 hooking of, 248 type library, loading manually in test instruction, 80 IDA Pro, 102 text mode, in IDA Pro, 90–91 types, in Windows API, 136 .text section, in PE file, 21, 22 TF (trap) flag, 72 The Sleuth Kit (TSK), 473 U Themida, 400 u (unassemble) command, Thinking in C++ (Eckel), 428 in WinDbg, 212 this pointer, 428–430, 712–713, 719 Ultimate Packer for eXecutables. See in disassembly, 430 UPX (Ultimate Packer for thread context, 149 eXecutables)

762 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig unconditional jump, 80, 517 user32.dll, 17, 20, 545 undo feature, snapshots as, 35 User-Agent, 312, 317 unescape function (JavaScript), 423, dynamically generated, 511 705–706 for malware, 303, 310, 628 unhandled exception, 344 string for signature, 643 UnhookWindowsHookEx function, 261 user-mode APC, 263 strings, 11–12 user-mode rootkits, 247–250 UNICODE_STRING structure, for Windows IAT hooking, 248 kernel, 219 inline hooking, 248–250 uniform resource locators (URLs), opening to download V malware, 651–652, 654 value entry, in registry, 140 unload function, analysis in WinDbg vs. variables, global vs. local, 110–112 IDA Pro, 553 VERA (Visualizing Executables for UnMapViewOfSection function, 592 Reversing and Analysis), unpacking, 14, 685–686 475–476 analyzing malware without, victim information, malware 400–401 gathering of, 722 example, 386–387 viewing processes, with Process manual, 389–397 Explorer, 47–50 unpacking stub, 383, 384, 389, 692 virtual addresses, automatically size of, 399 naming, 100 UPack, 388, 398 virtual function tables, 434–435, 715 UPX (Ultimate Packer for recognizing, 435–436 eXecutables), 14, 388, virtual functions, vs. nonvirtual, 389, 475 432–436 packing with modified version, virtual machines, 29–38. See also anti- 684–685 virtual machine (anti-VM) tips and tricks, 397 techniques UPX-packed malware, 479 crashing from procmon, 44 URLDownloadToCacheFile function, 232, disconnecting network, 32 606, 626, 628, 642 escaping, 380 URLDownloadToFile function, 313, hiding precise location, 300 462, 482 malware detection on, 42 URLs (uniform resource locators), malware efforts to detect, 369, opening to download 670–672 malware, 651–652, 654 option to boot debugger-enabled USB flash drives, 206 version of OS, 208 user mode setting up, 580 calls from application, 206–207 structure, 30–31 for debuggers, vs. kernel mode, taking snapshots, 35–36 168–169 transferring files from, 36 in Windows, 158–159 using multiple, 33 virtual machine team, 33 APC injection from, 263–264 virtual networking, 32, 57 keyloggers, 239–240 Virtual Size, 23–24 looking at code, 215–216 VirtualAlloc function, 596 Poison Ivy use of, 189–190

Practical Malware Analysis INDEX 763 © 2012 Michael Sikorski and Andrew Honig VirtualAllocEx function, 255, 256, 423, WaitForSingleObject function, 151 462, 586, 588, 730 WaitForSingleObjectEx function, 263 and direct injection, 257 Watches window, in OllyDbg, 197 and process injection, 254 web applications, Burp Suite for VirtualProtectEx function, 462 testing, 467 VirtualSize field, in PE header, 365 web browser, malware determination virus, 4 of default, 699–703 language setting and, 177 WEP (Wired Equivalent Privacy), 34 VirusTotal, 10, 475, 478, 479 while loops, 118 Visualizing Executables for Reversing WH_KEYBOARD procedures, 260 and Analysis (VERA), 475–476 WH_KEYBOARD_LL procedures, 260 VMcat, 380 whois requests, for domains, 301–302 VMchat, 380 whosthere-alt, 238 VMdrag-n-hack, 380 wide character string, 11 VMdrag-n-sploit, 380 WideCharToMultiByte function, 462 VMftp, 380 Wi-Fi Protected Access (WPA), 34 VMware, 30 Win32 device namespace, 138 artifacts, 370–373 WIN32_SHARE_PROCESS type, 153 configuring, 31–33 WinDbg, 168, 205–227, 475 configuring to create virtual con- arithmetic operators, 211 nection with host OS, 208–209 breakpoints, 211–212 disk space use, 31 connecting to virtual machine kernel debugging setup, 207–210 with, 209–210 movie-capture feature, 37 EPROCESS structure examined Network Address Translation with, 565 (NAT) mode, 34 finding device driver in record/replay, 37, 170 memory, 563 risks of using for malware analysis, vs. IDA Pro, 553 36–37 for kernel debugger, 552 settings to avoid detection, labs, 228 379–380 solutions, 548–566 Snapshot Manager, 35 loading drivers, 226 VMware Player, 30 module listing, 212 VMware Tools output, 726 installing, 31 reading from memory, 210–211 stopping service, 371 rootkits, 221–225 VMware Workstation, 30–31, 475 SSDT viewed in, 222 VMwareService.exe, 370 system breakpoint and, 361 VMwareTray.exe, 370 viewing driver, 551–553 VMwareUser.exe, 370 window modes, in IDA Pro, 89–90 .vmx file, 379 Windows Volatility Framework, 475 blue screen, 158 Von Neumann architecture, 68 Component Object Model (COM), vtables, 434–435 154–157 recognizing, 435–436 device drivers, 206 executables, common sections, 22 W following running malware, W, at end of Windows function 145–158 name, 17 dynamic link libraries (DLLs), WaitForMultipleObjectsEx function, 263 145–147

764 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig exceptions, 157–158 , kernel issues for, interprocess coordination with 226–227 mutexes, 151–152 Windows XP processes, 147–149 default search order for loading services, 152–154 DLLs, 245 threads, 149–151 disabled firewall, 549 functions for importing linked WinExec function, 462, 482 functions, 15 WinGraph32 application, 98 kernel vs. user mode, 158–159 WinHex, 468, 596–597, 609 Native API, 159–161 WinINet (Windows Internet) API, reverse shell, 233 145, 313, 504, 639–640 tool for dumping process, 400 advantages and disadvantages, 633 as virtual OS, 31 wininet.dll, 17, 501 Windows 7, kernel issues in, 226–227 imports from, 480 Windows 32-bit on Windows 64-bit Winlogon, opening handle to, 603 (WOW64) subsystem, 447 Winlogon Notify, 242 Windows API, 136–139 WinMain function, analysis, 640 code calling functions, 526 WinMD5 calculator, 10, 11 debugger detection with, 352–353 WinObj Object Manager, 138 file system functions, 137–138 Winsock (Windows Sockets) API, 313 handles, 137 Winsock libraries, 143 IDA Pro catalog of named WinUpack, 398–400, 691–695 constants, 102 Wired Equivalent Privacy (WEP), 34 networking APIs, 143–145 Wireshark, 57, 475, 483 special files, 138–139 DNS and HTTP example, 54 Windows debugger detection, Follow TCP Stream window, 54 352–356 packet sniffing with, 53–55 manually checking structures, reviewing capture, 59 353–356 Witty worm, 138 with Windows API, 352–353 Wlx, function names beginning Windows File Protection, 604, 605–606 with, 235 Windows functions, 453–463 WlxLoggedOnSAS function, 463 Ex suffix for, 17 Word documents, analyzing with Windows Internet (WinINet) API, Process Explorer, 50 145, 313, 504, 639–640 WORD type, in Windows API, 136 advantages and disadvantages, 633 worm, 4 Windows malware, 135–161 WOW64 (Windows 32-bit on Windows labs, 162–163 64-bit) subsystem, 447 solutions, 513–529 Wow64DisableWow64FsRedirection Windows NT/2000 Native API Reference function, 448, 463 (Nebbett), 160 WPA (Wi-Fi Protected Access), 34 Windows Registry. See Registry WriteFile function, 137, 215, 219, 585 (Windows) origin of handle passed to, 623 Windows Sockets (Winsock) API, 313 WriteProcessMemory function, 255, 256, Windows Update binary 423, 463, 586, 590, 593 malware creation of handler, and direct injection, 257 605–606 and process injection, 254 moving to temporary directory, 605 ws2_32.dll, 17, 144, 483 string to temporary move, 606 imports from, 521 Windows virtual machine, 57 WSAGetLastError function, 144, 313

Practical Malware Analysis INDEX 765 © 2012 Michael Sikorski and Andrew Honig WSASocket function, 542, 727 x86 disassembly, 65–85 WSAStartup function, 144, 313, 463, levels of abstraction, 66–67 542, 727 reverse-engineer, 67–68 wshtcpip.dll, 483 x87 floating-point unit (FPU), WSock32.dll, 17 411–413 wupdmgr.exe, 604 Xen, 31 launching, 606 XOR cipher, 271–276 brute-forcing, 271–273 X identifying loops in IDA Pro, 274–276 x command, WinDbg, 213 NULL preserving single-byte, x64 architecture, 441 273–274 differences in calling convention XOR encoded strings, decoding, and stack usage, 443–447 542–543 exception handling, 445 XOR encoding loop, 620–621 malware with component for, 729 xor instruction, 76, 596 x64 Windows, kernel issues for, forms, 275 226–227 searching for, 612–613 x86-64 architecture, 441 searching for nonzeroing, 608 x86 architecture, 68–85 XOR logical operator, in x86 branching, 80–81 architecture, 75 C main method and offsets, 83–84 xref. See cross-references (xref) code types and data access, 408 Xrefs window, in IDA Pro, 96 conditionals, 80 documentation manuals, 85 Y instructions, 69–70 instruction set, general-purpose YARA, 475 register for, 409 Yuschuk, Oleh, 179 main memory, 69 NOP instruction, 76 Z opcodes and endianness, 70 Zero Wine, 475 operands, 70 zero-day exploit, 33, 245 registers, 71–73, 374 ZF (zero) flag, 72, 80 rep instructions, 81–83 zombies, 234 search for vulnerable instructions, ZwContinue function, 386 670–672 ZwCreateFile function, 219 simple instructions, 73–76 ZwDeviceIoControlFile function, inline stack, 77–80 hooking of, 249–250 function calls, 77–78 ZwUnmapViewOfSection function, 258 layout, 78–80 Zynamics BinDiff, 106

766 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig