IP? - The Fengs

advertisement
Part 6: Special Topics
Chapter 19: Shellcode Analysis
Chapter 20: C++ Analysis
Chapter 21: 64-bit Malware
Chapter 19: Shellcode Analysis
Shellcode Analysis
1. Position-Independent Code
2. Identifying Execution Location
3. Manual Symbol Resolution
4. Shellcode Encodings
5. NOP Sleds
6. Finding Shellcode
Shellcode Analysis
Shellcode


Payload of raw executable code that allows adversary to
obtain interactive shell access on compromised system
Often used alongside exploit to subvert running program
Issues to overcome



Getting placed in preferred memory location
Applying address locations if it cannot be placed properly
Loading required libraries and resolving external
dependencies
1. Position-Independent Code
No hard-coded addresses




All branches and jumps relative
Code can be placed anywhere in memory and still function
as intended
Essential in exploit code and shellcode being injected from a
remote location since addresses are not necessarily known
Table 19-1
2. Identifying Execution Location
Shellcode may need to find out its execution location



x86 does not provide EIP-relative access to embedded data as it
does for control-flow instructions
Must load EIP into general purpose register
Problem: “mov eax,eip” not allowed
Two methods


call/pop
•
call pushes EIP of next instruction onto stack, pop
retrieves it (Listing 19-1)
•
stores 28-byte structure of FPU state to memory
•
FPU runs parallel to CPU, so must be able to
accurately identify faulting instruction
•
fpu_instruction_pointer = EIP of last instruction that
used FPU (Listing 19-2, 19-3)
fnstenv
3. Manual Symbol Resolution
Shellcode can not use Windows loader to ensure libraries
are in process memory

Must dynamically locate functions such as LoadLibraryA and
GetProcAddress (both located in kernel32.dll)
Finding kernel32.dll in memory

Undocumented structure traversal (Figure 19-1, Listing 19-4)
Parsing kernel32.dll PE Export Data



Addresses of exported calls in header (relative virtual
addresses in IMAGE_EXPORT_DIRECTORY
AddressOfFunctions, AddressOfNames,
AddressOfNameOrdinals arrays (Figure 19-2)
To make shellcode compact, hashes of function names used
to compare (Listing 19-6)
4. Shellcode Encodings
Many exploits target unsafe string functions

strcpy, strcat
strcpy( buffer, argv[1] );


Injection of malicious code must avoid NULL bytes which will
terminate buffer overflow pre-maturely (Listing 19-8)
Example
mov eax, 0
; 4 bytes of NULL
xor eax, eax
; No NULL bytes
ASCII armor


Hardens against buffer overflow
If exploit requires injection of addresses, then force
addresses to include NULL by putting all code/data within
ASCII armor at beginning of address space
5. NOP Sleds
Sequence of NOPs preceing shell code


Address targeting inexact
Allows exploit to increase likelihood of hits by giving a range
of addresses that will result in shellcode executing
Buffer[0..256]
Shell Code
[stuff]
Return
addr
New New
Addr Addr
[stuff]
New New
Addr Addr
5. NOP Sleds
NOP
NOP
NOP
NOP
NOP
IP?
IP?
NOP
NOP
NOP
IP?
NOP
NOP
NOP
NOP
IP?
xor eax, eax
NOP
mov al, 70
NOP
xor ebx, ebx
NOP
xor ecx, ecx
xor eax, eax
int 0x80
mov al, 70
jmp short two
xor ebx, ebx
xor ecx, ecx
one:
Shell Code
pop ebx
int 0x80
xor eax, eax
jmp short two
one:
mov [ebx+7], al
mov [ebx+8], ebx
pop ebx
mov [ebx+12], eax
xor eax, eax
mov al, 11
Shell Code
mov [ebx+7], al
lea ecx, [ebx+8]
mov [ebx+8], ebx
lea edx, [ebx+12]
mov [ebx+12], eax
int 0x80
mov al, 11
two:
call one
db '/bin/shXAAAABBBB'
lea ecx, [ebx+8]
lea edx, [ebx+12]
int 0x80
two:
call one
db '/bin/shXAAAABBBB'
6. Finding Shellcode
In Javascript

Binary instructions encoded via
unescape%u1122%u3344%u5566%u7788 = 22 11 44 33 55
66 88 77
In payloads


Common API calls (VirtualAllocEx, WriteProcessMemory,
CreateRemoteThread)
Common opcodes (Call, Unconditional jumps, Loops, Short
conditional jumps)
In-class exercise
Lab 19-02




In IDA, find the code that opens the registry to find the default web
browser
Find the code that attempts to create a new web browser process
Find the place in the code where the browser process is opened and the
malicious payload is injected into it and run
In OllyDbg
• Set a breakpoint in main and single step (F8). What
happens?
•
•
•
View the buffer containing the shellcode to be injected into
the browser (address was found in IDA Pro)
– In OllyDbg code pane, right click to “Go to” address
– Set origin to address and run
Generate Listing 19-4L
Use the remaining time to attempt to complete the
shellcode analysis. Where does your analysis get
blocked?
In-class exercise
Lab 19-03



Run strings on the PDF file to generate Listing 19-11L
Implement the Python script in Listing 19-12L and generate the
shellcode. Does it differ from the included code?
Load shellcode_launcher.exe into IDA Pro or Olly
• Set arguments to point to match command line shown
below Listing 19-12L. Find where the shellcode has been
loaded and will be launched
•
Set a breakpoint just before the launch of the shellcode and
single-step *into* the call
•
Where has the code been loaded? Generate Listing 1913L with these run-time addresses
•
Single-step through to find the loop that populates the
kernel32 API calls
Chapter 20: C++ Analysis
C++ Analysis
1. Object-Oriented Programming
2. Virtual vs. Nonvirtual Functions
3. Creating and Destroying Objects
1. Object-Oriented Programming
Functions (i.e. methods) in C++ associated with particular
classes of objects


Classes used to define objects
Similar to structs, but also include functions
“this” pointer





Implicit pointer to object that holds the variable being
accessed
Implied in every variable access within a function that does
not specify an object
Passed as a compiler-generated parameter to a function
(typically the ECX register, sometimes ESI)
“thiscall” calling convention (compared to stdcall, cdecl, and
fastcall calling conventions)
Listing 20-2, Listing 20-3
1. Object-Oriented Programming
Overloading and Mangling





Method overloading allows multiple functions to have same
name, but accept different parameters
When function called, compiler determines which version to
use (Listing 20-4)
C++ uses name mangling to support this construct in the PE
file
Algorithm for mangling is compiler-specific
IDA Pro demangles based on what it knows about specific
compilers
2. Virtual vs. Nonvirtual Functions
Virtual functions



Can be overridden by a subclass (polymorphism)
Execution is determined at runtime with the child subclass
overriding the parent
Can keep parent functionality by changing the type of the
object to be an instance of the parent class
Nonvirtual functions



Execution is determined at compile time
If object is an instance of the parent, the parent class's
function will be called, even if the object at run-time belongs
to the child class
Table 20-1
2. Virtual vs. Nonvirtual Functions
Implementation


Nonvirtual functions the same
Polymorphism via virtual function tables (vtables), effectively
an array of pointers to code (Table 20-2)
• Should point to legitimate subroutines in IDA Pro
(sub_####) (Listing 20-6)
• Switch tables similar but point to legitimate code
locations within code in IDA Pro(loc_#####)

Virtual functions do not use “call” instruction
• Code xrefs within IDA Pro do not resolve into
“calls”

Vtable similarity can be used to associate objects
• Listing 20-7
3. Creating and Destroying Objects
Constructor and Destructor functions




Object either stored on stack for local variables
Object stored in heap if “new” is used
Note: Implicit “deletes” for objects that go out of scope may
be handled as exceptions
Listing 20-8
• Initializes vtable for object stored on stack
• Creates another object via “new” call (note the
name mangling)
In-class exercise
Lab 20-1





In IDA Pro, what does the first subroutine called in WinMain
do?
What does the instruction at 0x0401019 do?
What does the instruction at 0x040101C do?
Follow the second subroutine call. What does it do?
What does the instruction at 0x0401055 do?
Chapter 21: 64-bit Malware
64-bit Malware
1. Why 64-bit Malware?
2. Differences in x64 architectures
3. Windows 32-Bit on Windows 64-Bit
4. 64-Bit Hints at Malware Functionality
1. Why 64-bit Malware?
AMD64 now known as x64 or x86-64


Similar to 32-bit x86 with quad extensions
Not all tools support it
Most malware still 32-bit

Backwards compatibility support for 32-bit ensures that 32bit malware can run on both 32-bit and 64-bit machines
Reasons for 64-bit malware


Kernel rootkits must be 64-bit for machines to run on a 64-bit
OS
Malware and shellcode being injected into a 64-bit process
must be 64-bit
2. Differences in x64 Architecture
64-bit vs. 32-bit x86





All addresses and pointers 64-bit
All general purpose registers 64-bit (RAX vs. EAX)
Special purpose registers also 64-bit (RIP vs. EIP)
Double the general purpose registers (R8-R15)
• R8 = 64-bits
•
R8D = 32-bit DWORD
•
R8W = 16-bit WORD
•
R8L = 8-bit LOW byte
RIP-relative data addressing (Listing 21-2 vs. Listing 21-3)
• Recall “call/pop” needed previously to get location of data
attached to exploit code
•
Allows compiler to easily generate position-independent
code
•
Decreases the amount of relocation needed when
code/DLLs are loaded
•
Without call/pop, it is much harder to identify exploit code
2. Differences in x64 Architecture
64-bit vs. 32-bit x86

Calling convention and stack usage
• Similar to “fastcall”
•
First four parameters passed in RCX, RDX, R8, and R9
•
Additional parameters passed on stack
•
Hand-coded malware may completely deviate from this
convention to confuse analysis
•
Stack space is allocated at beginning of function call for the
duration of the call (i.e. no push/pop within function)
(Figure 21-1)
•
Microsoft's 64-bit exception handling model assumes a
static stack
•
Reverse engineering complicated since local variables and
function parameters co-mingled (Listing 21-4 vs 21-5)
2. Differences in x64 Architecture
64-bit vs. 32-bit x86

Leaf and Nonleaf Functions
• Functions that call other functions are non-leaf or frame
functions as they require a frame to be allocated
•

Nonleaf functions required to allocate at least 0x20 bytes of
stack space when calling another function to save register
parameters (local variables bump allocation beyond 0x20)
64-Bit Exception Handling
• For 32-bit, SEH handling uses stack
•
For 64-bit, static exception information table stored in PE
file and stored in .pdata section per function. (Does not
use stack)
3. Windows 32-Bit on Windows 64-Bit
WOW64 subsystem allows 32-bit Windows to run on 64-bit
Windows




Redirects accesses to C:\Windows\System32 to
C:\Windows\WOW64
So if 32-bit malware running on 64-bit Windows writes a file
to C:\Windows\System32, it shows up in
C:\WINDOWS\WOW64
Similar redirection for registry keys
32-bit malware wishing to “break-out” of WOW64 to infect
64-bit system can disable redirection (IsWow64Process,
C:\Windows\Sysnative, Wow64DisableWow64FsRedirection
to disable for a thread)
4. 64-Bit Hints at Malware
Functionality
64-bit shortcuts



Integers often stored in 32-bit values
Pointers are always 64-bit
Can differentiate non-pointers from pointers via size of
register used (Table 21-1)
Download