Dark.Net
gasgas

Agenda
• Introduction
• Malware
• .NET Framework
• .NET rootkit
• Anti tech
• Q & A

Malware

Malware
• Virus
• Backdoor
• Trojan horse
• Rootkit
• Scareware
• Adware
• Worm

Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR
• Hypervisor

Hypervisor rootkit (before)
    [ App ] [ App ]
    Target OS
    Hardware

Hypervisor rootkit (after)
    [ App ] [ App ]            [ Rogue app ]
    Target OS                  Host OS
    Virtual machine monitor
    Hardware

Malware design & tech
• Metamorphism
• Obfuscations
• Anti-emulation
• Anti-Virtual Machine
• Anti-debuggers
• Rootkit technology

Metamorphism
The slide shows several functionally equivalent versions of one routine side by side. The skeleton common to them:

    push ecx
    mov  ecx, ebp
    push eax
    mov  eax, 33
    add  ecx, eax
    pop  eax
    push esi
    mov  esi, ecx
    push edx
    mov  edx, 34
    sub  esi, edx
    pop  edx
    mov  [esi-2], eax
    pop  esi
    pop  ecx

Net effect: ecx = ebp+33, esi = ecx-34 = ebp-1, so the store writes eax to [ebp-3] and every other register is restored. The other versions reach the same result with different instructions (mov ecx, ebp / add ecx, 33 in place of the mov eax, 33 / add ecx, eax pair; sub esi, 34 in place of the detour through edx; mov [ecx-36], eax or simply mov [ebp-3], eax for the store) and with inserted instructions such as mov ecx, [ebp+10], add eax, 2342 and xor edx, 778f, so that no fixed byte sequence survives between generations.

Obfuscations: call obfuscation to prevent static analysis

    NORMAL CALL              OBFUSCATED CALL
    L0: call L5              L0a: push L1      ; return address
                             L0b: push L5      ; target
                             L0c: ret          ; "returns" into L5
    L1: …                    L1: …
    L2: …                    L2: …
    L3: …                    L3: …
    L4: …                    L4: …
    L5: <proc>               L5: <proc>
    L6: …                    L6: …

The RET transfers control to L5 with L1 on the stack as the return address, exactly as the CALL would, but a disassembler's cross-references never record a call to L5.

Anti-emulation vs anti-debug: anti-debug
• Hide the fact that someone with a debugger is stepping through or monitoring your program
• Focus on differences in the system when a debugger is active vs. not:
    memory structures
    time usage (ticks)
    API behaviour
    suspicious
    windows/drivers/services, e.g. debug rights held without having asked for them…

Anti-emulation vs anti-debug: anti-emulation
• There is no debugger to hide from
• Detect the difference between an emulated system and a real one:
    access complex resources, use complex calculations
    detect limitations that are impossible (or very time-consuming) to emulate
    use (or set up) exotic APIs so they deliver a specific error condition
• Can this be used against it?
• What is virtual machine detection?

Challenge for emulators
Code that "does the bad stuff" is hidden in many ways:
• Runtime libraries
• Compressors: UPX, FSG, PEC…
• Encryptors: simple or advanced runtime encryption
• Protectors: SVKP, Themida…
• Installers: Nullsoft, RARSFX, ZIPSFX etc.
• Embedded dropped components: libraries/services, kernel drivers, scripts, executables etc. What can be done with a single component, a DLL or a driver, on its own?
• Download links: malware components downloaded in proprietary formats and protocols
• Bad records inside file formats (XLS, JPG etc.): exploits that run binary code

Anti-emulator code
    CreateFileA (e.g. "C:\WINDOWS\SYSTEM32\drivers\ntfs.sys")
    GetFileSize (0x0000002A, 0x00000000)
    WriteProcessMemory (0xFFFFFFFF, 0x0043661D, STACK_ADDR, 0x00000004, 0x00000000)
    EnumWindowStationsA() -> callback
    EnumServicesStatusA() -> looking for standard services

Each call exercises something an emulator rarely models faithfully: a real driver file and its real size, a write into the calling process itself through the current-process pseudo-handle 0xFFFFFFFF, a callback-driven enumeration of window stations, and the presence of the standard Windows services.

Anti-Virtual Machines
Pseudo code:
    IF detect_vmware THEN
        do nothing, destroy self, destroy system
    ELSE
        continue with malware payload

DASHER variant disassembly example (the sample writes a batch script that pipes "net start" through findstr to look for VMware / Virtual Machine services, then deletes itself with del %0):
    PS______:00401D51 push offset aNetStartFindst ; "net start | findstr VMware && echo VMwa"...
    PS______:00401D52 push edi
    PS______:00401D53 call sub_402148
    PS______:00401D58 lea eax, [ebp+var_300]
    PS______:00401D5E push eax
    PS______:00401D5F push offset aNetStartFind_0 ; "net start | findstr Virtual &&echo Vir"...
    PS______:00401D64 push edi
    PS______:00401D65 call sub_402148
    PS______:00401D6A push offset aDel0 ; "del %%0\r\n"

Anti-debuggers: making reverse engineering and disassembly painful
• Polymorphism
• Encryption
• Interrupt disabling
• Debugger detection, followed by behaviour modification or crashing the debugger

Forms of rootkit
• Kernel-level
• Application-level
(ordered by the degree of system access they obtain)

System service call cycle
    USER MODE
      User application:  call CreateFile API ......... return CreateFile result
      Kernel32.dll:      call stub NtCreateFile ...... return NtCreateFile result
      NTDLL.dll:         EAX = 0x00000020 ; INT 2Eh    (switch back to user mode on return)
    ----------------------------------------------------------------------------
    KERNEL MODE
      NTOSKRNL.exe:      KiSystemService -> NtCreateFile

NTDLL interface
• Kernel32.dll imports only from NTDLL.dll
• NTDLL.dll is the interface to the INT 2Eh system call gate of Windows NT
• INT 2Eh signals the switch from user mode to kernel mode
• The INT 2Eh handler in the kernel is KiSystemService().
• KiSystemService() looks the requested service up in a table in NTOSKRNL called KeServiceDescriptorTable

NTOSKRNL exports
The structure of KeServiceDescriptorTable:

    typedef struct ServiceDescriptorTable {
        PVOID        ServiceTableBase;     /* array of service routine addresses   */
        PVOID        ServiceCounterTable;  /* per-service call counters; 0 on free builds */
        unsigned int NumberOfServices;
        PVOID        ParamTableBase;       /* bytes of stack parameters per service */
    } ServiceDescriptorTable;

Getting into the root
    Application:   call to CreateFile() API
    Kernel32.dll:  call to NtCreateFile() -- Native API
    NTDLL.dll:     invokes KiSystemService()
    NTOSKRNL.exe:  indexes KeServiceDescriptorTable

KeServiceDescriptorTable
    Index   ServiceTableBase      ParamTableBase
    …       …                     …
    0x20    @ NtCreateFile        0x2C bytes
    …       …                     …
    0x29    @ NtCreateProcess     0x20 bytes
    …       …                     …
    0x6A    @ NtOpenProcess       0x10 bytes
    …       …                     …

Hooking system service
• Choose a system service exported by NTOSKRNL.EXE
• Obtain the address of this function
• Verify that the NTDLL.dll stub of the same name starts with a MOV EAX, 0xXXXXXXXX construct
• Retrieve the index value (the MOV EAX immediate) associated with the function

Hooking system service: example of NTDLL exported functions
(listing of ntdll stubs; each begins with MOV EAX, <index> followed by the INT 2Eh sequence)

Hooking system service
• Import the undocumented structure KeServiceDescriptorTable.
• Locate the function index
• Overwrite the corresponding ServiceTableBase entry with the address of the new system service handler

API hooking: IAT modification (PE file before IAT patching)
    Headers
    Code section:    CALL [CreateFileA]  -------+
    Import section:  CreateFileA: 0x12345678  <-+  --> Kernel32.dll: CreateFileA()

API hooking: IAT modification (PE file after IAT patching)
    Headers
    Code section:    CALL [CreateFileA]  -------+
                     Hook: … JMP 0x12345678     |  --> Kernel32.dll: CreateFileA()
    Import section:  CreateFileA: Addr of Hook <-+

The CALL [CreateFileA] instruction is untouched; only the pointer it reads from the import table changes, so the hook runs first and then jumps to the real Kernel32 entry point.

API hooking: dynamic code patching
Original FindNextFileA() API function:

    FindNextFileA:
    195D6: 55             PUSH EBP
    195D7: 8BEC           MOV  EBP, ESP
    195D9: 81EC60020000   SUB  ESP, 260h
    Continue_Here:
    195DF: 53             PUSH EBX
    195E0: 8D85A0FDFFFF   LEA  EAX, [EBP-260h]
    195E6: XX             <…original code continues…>

Patched FindNextFileA() API function:

    FindNextFileA:
    195D6: E9XXXXXXXX     JMP  Hook
    195DB: 90             NOP
    195DC: 90             NOP
    195DD: 90             NOP
    195DE: 90             NOP
    Continue_Here:
    195DF: 53             PUSH EBX
    195E0: 8D85A0FDFFFF   LEA  EAX, [EBP-260h]
    195E6: XX             <…original code continues…>

    Hook:
        <process params>
        call Saved_Original   ; the 9 stolen bytes, which must continue at Continue_Here
        <alter data>
        ret

The 5-byte JMP cannot end inside the 6-byte SUB, so 9 bytes are stolen and the 4 left over are filled with NOPs.

DLL injection
Using CreateRemoteThread() to start a thread at LoadLibrary() in another process causes a malicious DLL to be loaded into that process' address space.

    Malware process                       Victim process
    call CreateRemoteThread()  -------->  call LoadLibrary()
                                          Malicious DLL

Direct memory writing: patching another process
    Attacking process                     Victim process
    VirtualAllocEx()            ------->  HEADERS
    VirtualProtectEx()                    Code section
    WriteProcessMemory()                  Heap
    CreateRemoteThread()        ------->  Install_Hooks()
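The system service hooking procedure above, and the IAT modification that follows the same pattern of overwriting one pointer in a lookup table, as an added example that is not code from the slides. It is a user-mode C model: the ntdll-style stub bytes, the service table, the stand-in NtCreateFile and the hook are all constructed here, and no real kernel memory is touched. It recovers the service index from the stub's MOV EAX, imm32, swaps the table entry for a hook that hides any path containing the constructed marker "hidden", and dispatches through the table the way KiSystemService would.

```c
/* Added example: user-mode model of SSDT hooking. Nothing here touches a
 * real kernel; stub bytes, table contents and the filtered name are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t (*service_fn)(const char *name);   /* NTSTATUS-like return */

/* Layout of the undocumented KeServiceDescriptorTable as described on the slides. */
typedef struct {
    service_fn    *ServiceTableBase;     /* array of service entry points      */
    void          *ServiceCounterTable;  /* unused in this model (NULL)         */
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;       /* bytes of stack arguments per service */
} ServiceDescriptorTable;

#define STATUS_OBJECT_NAME_NOT_FOUND  ((int32_t)0xC0000034)  /* real NTSTATUS values */
#define STATUS_INVALID_SYSTEM_SERVICE ((int32_t)0xC000001C)

/* Step "verify MOV EAX, 0xXXXXXXXX": opcode B8 followed by a little-endian imm32.
 * Returns 0 and stores the service index, or -1 if the bytes are not such a stub. */
int extract_service_index(const uint8_t *stub, size_t len, uint32_t *index)
{
    if (len < 5 || stub[0] != 0xB8)
        return -1;
    *index = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
             ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    return 0;
}

/* Step "overwrite the ServiceTableBase entry": swap in the hook, keep the original. */
int hook_service(ServiceDescriptorTable *sdt, uint32_t index,
                 service_fn hook, service_fn *saved)
{
    if (index >= sdt->NumberOfServices || sdt->ServiceTableBase[index] == NULL)
        return -1;
    *saved = sdt->ServiceTableBase[index];
    sdt->ServiceTableBase[index] = hook;
    return 0;
}

/* Constructed stand-in for the real NtCreateFile: succeeds for any name. */
static int32_t fake_NtCreateFile(const char *name) { (void)name; return 0; }

/* The rootkit's handler: report "not found" for anything containing the
 * constructed marker "hidden", pass everything else to the saved original. */
static service_fn original_NtCreateFile;
static int32_t hooked_NtCreateFile(const char *name)
{
    if (strstr(name, "hidden") != NULL)
        return STATUS_OBJECT_NAME_NOT_FOUND;
    return original_NtCreateFile(name);
}

/* Constructed table: index 0x20 is NtCreateFile with 0x2C parameter bytes, as on the slide. */
#define NTCREATEFILE_INDEX 0x20
static service_fn    service_table[0x100];
static unsigned char param_table[0x100];
static ServiceDescriptorTable sdt = { service_table, NULL, 0x100, param_table };

/* Constructed NT4/2000-style ntdll!NtCreateFile stub:
 *   MOV EAX,20h ; LEA EDX,[ESP+4] ; INT 2Eh ; RET 2Ch */
static const uint8_t ntcreatefile_stub[] = {
    0xB8, 0x20, 0x00, 0x00, 0x00,
    0x8D, 0x54, 0x24, 0x04,
    0xCD, 0x2E,
    0xC2, 0x2C, 0x00 };

/* Model of KiSystemService: dispatch by index through the table. */
int32_t system_service(uint32_t index, const char *name)
{
    if (index >= sdt.NumberOfServices || sdt.ServiceTableBase[index] == NULL)
        return STATUS_INVALID_SYSTEM_SERVICE;
    return sdt.ServiceTableBase[index](name);
}

/* End to end: populate the table, read the index from the stub, install the
 * hook, then show one file staying visible and one disappearing. Returns 0 on success. */
int demo(void)
{
    uint32_t idx;
    service_table[NTCREATEFILE_INDEX] = fake_NtCreateFile;   /* reset before hooking */
    param_table[NTCREATEFILE_INDEX]   = 0x2C;

    if (extract_service_index(ntcreatefile_stub, sizeof ntcreatefile_stub, &idx) != 0)
        return -1;
    if (hook_service(&sdt, idx, hooked_NtCreateFile, &original_NtCreateFile) != 0)
        return -2;

    int32_t visible = system_service(idx, "C:\\WINDOWS\\SYSTEM32\\drivers\\ntfs.sys");
    int32_t hidden  = system_service(idx, "C:\\WINDOWS\\SYSTEM32\\drivers\\hidden.sys");
    printf("index 0x%02X: ntfs.sys -> 0x%08X, hidden.sys -> 0x%08X\n",
           idx, (unsigned)visible, (unsigned)hidden);
    return (visible == 0 && hidden == STATUS_OBJECT_NAME_NOT_FOUND) ? 0 : -3;
}

int main(void) { return demo(); }
```

The index check in extract_service_index is what the slides call verifying the MOV EAX construct: a stub that does not start with B8 (for example one that has already been patched by another hook) is rejected rather than trusted, and the saved original is what the hook falls through to, so the real kernel service keeps running for everything the rootkit is not hiding.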
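The dynamic code patching of FindNextFileA above, as an added example that is not code from the slides. Starting from the slide's prologue bytes and instruction lengths, it works out how many bytes the 5-byte JMP rel32 must steal so the patch ends on an instruction boundary (9 here, hence the four NOPs), encodes the jump, and builds the Saved_Original trampoline: the stolen bytes followed by a jump back to Continue_Here. The hook address 0x20000 and trampoline address 0x30000 are assumptions; nothing is written into a live process.

```c
/* Added example: computing an inline (detour) patch for a 32-bit function
 * prologue. The prologue bytes are those shown for FindNextFileA on the slide;
 * HOOK_ADDR and TRAMPOLINE_ADDR are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5
#define NOP           0x90

/* Smallest prefix of whole instructions covering at least min_len bytes.
 * Returns 0 if the known prologue is too short to hold the jump. */
size_t bytes_to_steal(const uint8_t *insn_lens, size_t count, size_t min_len)
{
    size_t total = 0;
    for (size_t i = 0; i < count; i++) {
        total += insn_lens[i];
        if (total >= min_len)
            return total;
    }
    return 0;
}

/* E9 rel32: the displacement is relative to the byte after the 5-byte jump.
 * Unsigned wrap-around gives the right encoding for backward jumps too. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[JMP_REL32_LEN])
{
    uint32_t disp = to - (from + JMP_REL32_LEN);
    out[0] = 0xE9;
    out[1] = (uint8_t)disp;
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
}

/* Target of an E9 rel32 located at address 'at'; used to verify the patch. */
uint32_t decode_jmp_rel32(uint32_t at, const uint8_t *code)
{
    uint32_t disp = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                    ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return at + JMP_REL32_LEN + disp;
}

/* Build both halves of the patch. 'patched' receives JMP hook + NOP fill for
 * the stolen length; 'trampoline' receives the stolen original instructions
 * followed by JMP back to Continue_Here, so the hook can "call Saved_Original".
 * The stolen instructions must be position-independent (true of this prologue).
 * Returns the number of bytes patched, 0 on failure. */
size_t build_patch(uint32_t func_addr, uint32_t hook_addr, uint32_t tramp_addr,
                   const uint8_t *orig, const uint8_t *insn_lens, size_t count,
                   uint8_t *patched, uint8_t *trampoline, size_t cap)
{
    size_t n = bytes_to_steal(insn_lens, count, JMP_REL32_LEN);
    if (n == 0 || n + JMP_REL32_LEN > cap)
        return 0;
    memcpy(trampoline, orig, n);
    encode_jmp_rel32(tramp_addr + (uint32_t)n, func_addr + (uint32_t)n, trampoline + n);
    encode_jmp_rel32(func_addr, hook_addr, patched);
    memset(patched + JMP_REL32_LEN, NOP, n - JMP_REL32_LEN);   /* pad to an insn boundary */
    return n;
}

/* FindNextFileA prologue from the slide: PUSH EBP ; MOV EBP,ESP ; SUB ESP,260h ; PUSH EBX */
static const uint8_t findnextfile_prologue[] = {
    0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x60, 0x02, 0x00, 0x00, 0x53 };
static const uint8_t findnextfile_lens[] = { 1, 2, 6, 1 };
#define FINDNEXTFILE_ADDR 0x000195D6u
#define HOOK_ADDR         0x00020000u   /* constructed */
#define TRAMPOLINE_ADDR   0x00030000u   /* constructed */

/* Returns the number of stolen bytes (expected 9) and prints the patch. */
int demo(void)
{
    uint8_t patched[16], tramp[16];
    size_t n = build_patch(FINDNEXTFILE_ADDR, HOOK_ADDR, TRAMPOLINE_ADDR,
                           findnextfile_prologue, findnextfile_lens, 4,
                           patched, tramp, sizeof patched);
    if (n == 0)
        return -1;
    printf("stole %zu bytes:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", patched[i]);
    printf("\nJMP -> %08X, trampoline resumes at %08X\n",
           decode_jmp_rel32(FINDNEXTFILE_ADDR, patched),
           decode_jmp_rel32(TRAMPOLINE_ADDR + (uint32_t)n, tramp + n));
    return (int)n;
}

int main(void) { return demo() == 9 ? 0 : 1; }
```

With the slide's addresses the patch comes out as E9 25 6A 00 00 followed by four 90 bytes, and the trampoline's back-jump lands on 195DF, the slide's Continue_Here. The instruction-length table is the part a real implementation has to get from a length disassembler; cutting the SUB in half would leave a torn instruction right where the NOP slide lands.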
.NET Framework

What is .NET?
• A new Microsoft framework for Internet application development.
• A protocol stack and computing model for TCP/IP-based, distributed computing.
• The .NET Enterprise Servers are built for interoperability from the ground up, using open Web standards such as XML, with increased scalability and reliability.

.NET Architecture Overview

Common Language Runtime (CLR)
.NET applications are compiled to a common intermediate form, Microsoft Intermediate Language ("IL"). At run time the CLR compiles the IL to native machine code (just in time) and executes it. The CLR architecture provides extensive tool support, simpler deployment (the end of "DLL hell"), better scalability, support for multiple programming languages and a common type system.

ECMA-335

Common Language