Malware Mondays
Episode 1: Procmon
Start with the Process ID (PID). When you see the initial process drop new files, hash both files to compare whether they are the same.
From the Process Tree, select the top process that executes other processes and choose Include Subtree. This gives a filter that includes the child processes.
Filters
CreateFile not only creates a file; it also covers opening a handle to an existing file, which happens a lot. Instead, filter on WriteFile: if a file is important, data will probably be written to it. #RegSetValue #DeleteFile
Tip: save your filters (including the process tree filter) as a baseline and reuse that baseline when analysing new samples.
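An added example of the triage steps above, not code from the episode: it reads a Procmon CSV export, rebuilds the "Include Subtree" set of PIDs from a Parent PID column (an optional Procmon column; the column layout is assumed), keeps only WriteFile, RegSetValue and DeleteFile events from that subtree, and hashes dropped files so two drops can be compared. The CSV rows, process names and paths are constructed.

```python
"""Triage a Procmon CSV export the way the notes describe: take the PID of the
initial process, include its subtree, keep only the operations that matter
(WriteFile, RegSetValue, DeleteFile) and hash dropped files to compare them."""
import csv
import hashlib
import io
import os
import tempfile

# Constructed sample of a Procmon "File > Save" CSV export. The first seven
# columns are Procmon's defaults; "Parent PID" is an optional column added via
# Options > Select Columns, and this layout is assumed for the example.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Parent PID","Operation","Path","Result","Detail"
"10:00:01.0001","dropper.exe","4120","3000","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\a.tmp","SUCCESS","Desired Access: Generic Write"
"10:00:01.0002","dropper.exe","4120","3000","WriteFile","C:\\Users\\lab\\AppData\\Local\\Temp\\a.tmp","SUCCESS","Offset: 0, Length: 2,048"
"10:00:01.0003","dropper.exe","4120","3000","Process Create","C:\\Users\\lab\\AppData\\Local\\Temp\\a.tmp","SUCCESS","PID: 4188, Command line: a.tmp"
"10:00:01.0004","a.tmp","4188","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ, Data: a.tmp"
"10:00:01.0005","a.tmp","4188","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:00:01.0006","a.tmp","4188","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 2,048"
"10:00:01.0007","a.tmp","4188","4120","DeleteFile","C:\\Users\\lab\\AppData\\Local\\Temp\\a.tmp","SUCCESS",""
"10:00:01.0008","explorer.exe","3000","1200","WriteFile","C:\\Users\\lab\\Desktop\\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''

INTERESTING_OPS = {"WriteFile", "RegSetValue", "DeleteFile"}


def load_events(csv_text):
    """Parse the export into one dict per event, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def subtree_pids(events, root_pid):
    """Procmon's 'Include Subtree': the root PID plus every descendant PID,
    reconstructed from the Parent PID column."""
    children = {}
    for ev in events:
        children.setdefault(ev["Parent PID"], set()).add(ev["PID"])
    found, stack = set(), [str(root_pid)]
    while stack:
        pid = stack.pop()
        if pid in found:
            continue
        found.add(pid)
        stack.extend(children.get(pid, ()))
    return found


def interesting_events(events, pids, ops=INTERESTING_OPS):
    """The filter from the notes: skip the noisy CreateFile handle opens and
    keep writes, registry value sets and deletes from the chosen subtree."""
    return [ev for ev in events if ev["PID"] in pids and ev["Operation"] in ops]


def written_paths(events, pids):
    """Files the subtree actually wrote data to: the ones worth hashing."""
    return sorted({ev["Path"] for ev in events
                   if ev["PID"] in pids and ev["Operation"] == "WriteFile"})


def sha256_file(path):
    """Stream a file through SHA-256 so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_two_drops(contents_a, contents_b):
    """Write two constructed 'dropped' files to a temp dir and compare their
    SHA-256 digests, as the notes suggest doing for a dropper and its payload."""
    with tempfile.TemporaryDirectory() as d:
        pa, pb = os.path.join(d, "drop_a.bin"), os.path.join(d, "drop_b.bin")
        with open(pa, "wb") as f:
            f.write(contents_a)
        with open(pb, "wb") as f:
            f.write(contents_b)
        return sha256_file(pa) == sha256_file(pb)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    pids = subtree_pids(events, 4120)
    for ev in interesting_events(events, pids):
        print(ev["PID"], ev["Operation"], ev["Path"])
    print("written:", written_paths(events, pids))
    print("identical drops:", compare_two_drops(b"MZ\x90", b"MZ\x90"))
```

The explorer.exe write is left out because it is outside the subtree, and the kernel32.dll CreateFile is left out because it is only a handle open; what remains is the drop, the Run-key persistence, the second-stage write and the self-delete, which is the sequence worth saving as a baseline filter.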
Hotkeys
Ctrl-J to jump to file location
Done with particular events? Right-click → remove events before
source code
Tip: check out my repositories (source code link) and analyse the executables in Procmon.
Reverse Engineering Malware with Ghidra
Overview notes
Native code: IDA (Pro), Ghidra, Binary Ninja
Interpreted code (.NET, Java): dnSpy, JD
Check out the courses:
- Identifying and defeating code obfuscation
- Identifying and defeating packing
- Identifying and defeating anti-reverse engineering and anti-analysis
Menu and windows
Windows:
- Program trees (provides an overview of the binary structure of the program)
- Symbol tree (breakdown and overview of all program symbols such as imports, way to identify functions)
- Data type manager (structures and other data types, typically from header files, or created by you)
- Listing (disassembly of the executable code from the program)
  - sidebar displays program overview, entropy and a number of different bookmarks
  - default is a linear view; you may open a graph view per function
  - can patch/modify the listing
  - options change based on the area of the program you are exploring
  - create bookmarks and add labels to help with analysis
  - modify register values and convert data types (convert data into code)
Decompiler
Listed to the right of the Listing window. Converts machine code to assembly, then to PCode, then to C. Warning: the decompiled code does not necessarily match the original source code directly. You can modify the decompiler output:
- edit local variables, data structures, return types
- consider changing a signature instead of a local instance
- changes in the signature are also reflected in the Listing window
- leverage header files when possible (usually not available)
The decompiler creates structures which help with program analysis and comprehension. It can lock analysis through the ‘Decompiler Parameter ID’ analyzer (locking signatures) and by committing parameters, return values and local variables. It can trace variable usage and highlight variables that may be impacted going forwards/backwards (navigate through a function by way of a variable). It also provides the ability to export functions for use with different tools.
Demo: Analyzing a trojan
At the entry point there is a call to __security_init_cookie followed by an unconditional jump to another location. This is a telltale sign that it is compiler-generated code. To identify main, scroll on and look for a call preceded by three pushes, which correspond to three pointers:
- argc
- argv
- envp (the environment pointer)
These are the three arguments to main.
First, follow that unconditional jump and then scroll until you see the three pushes. Double-click the function that follows; to view the graph, use the shortcut icon or the file menu.
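The walk from the entry point to main described above, as an added example that is not part of the episode: the heuristic runs over a constructed instruction listing given as (address, mnemonic, operands) tuples, so it executes stand-alone; inside Ghidra the same tuples could be produced from the Listing window's instructions. The addresses, `_initterm` call and `FUN_00401500` target are placeholders.

```python
"""Find main() from the entry point by the route the demo walks by hand:
call __security_init_cookie, unconditional JMP, then the first CALL that is
immediately preceded by three PUSHes (argc, argv, envp)."""

# Constructed listing as (address, mnemonic, operands). Inside Ghidra the same
# tuples can be produced from the Listing API; here they are typed in so the
# heuristic runs stand-alone. Addresses and function names are placeholders.
SAMPLE_LISTING = [
    (0x401000, "CALL", "__security_init_cookie"),
    (0x401005, "JMP", "0x401200"),
    (0x40100a, "INT3", ""),
    (0x401200, "PUSH", "EBP"),
    (0x401201, "MOV", "EBP,ESP"),
    (0x401203, "PUSH", "0x402010"),
    (0x401208, "PUSH", "0x402000"),
    (0x40120d, "CALL", "_initterm"),              # only two pushes: not main
    (0x401212, "ADD", "ESP,0x8"),
    (0x401215, "MOV", "EAX,dword ptr [0x403000]"),
    (0x40121a, "PUSH", "EAX"),                    # envp
    (0x40121b, "PUSH", "dword ptr [0x403004]"),   # argv
    (0x401221, "PUSH", "dword ptr [0x403008]"),   # argc
    (0x401227, "CALL", "FUN_00401500"),           # the three-push call: main
    (0x40122c, "ADD", "ESP,0xc"),
]


def follow_entry(listing, entry_index=0):
    """Step 1: check for the compiler-generated prologue at the entry point
    (cookie call, then JMP) and return the index of the JMP target."""
    _, mnem, operands = listing[entry_index]
    if not (mnem == "CALL" and "__security_init_cookie" in operands):
        raise ValueError("entry point does not start with __security_init_cookie")
    _, jmp_mnem, jmp_target = listing[entry_index + 1]
    if jmp_mnem != "JMP":
        raise ValueError("expected an unconditional jump after the cookie call")
    by_addr = {addr: i for i, (addr, _, _) in enumerate(listing)}
    return by_addr[int(jmp_target, 16)]


def find_main(listing, start_index, pushes_expected=3):
    """Step 2: scan forward for the first CALL preceded by exactly three
    consecutive PUSHes. Returns (call_address, call_target) or None."""
    run = 0
    for addr, mnem, operands in listing[start_index:]:
        if mnem == "PUSH":
            run += 1
            continue
        if mnem == "CALL" and run == pushes_expected:
            return addr, operands
        run = 0                      # anything else breaks the push sequence
    return None


def locate_main(listing):
    """Both steps together: follow the entry jump, then find the three-push call."""
    return find_main(listing, follow_entry(listing))


if __name__ == "__main__":
    print("main candidate:", locate_main(SAMPLE_LISTING))
```

The two-push `_initterm` call is skipped because the push run is reset by any instruction that is not a PUSH; only the call whose three immediately preceding instructions are pushes is reported, which is the manual rule from the demo.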
One of the first things you’ll want to analyze is whether it’s packed. The presence of IsDebuggerPresent is not necessarily suspicious. The call returns true or false depending on whether a debugger is attached. If the return value is true and a debugger is present, a message box is shown. The message in that message box is:
“This is a third-party compiled AutoIt script”
If this is in fact compiled by AutoIt, then we may be looking at the entire AutoIt interpreter: a legitimate and common way to compile a script is to bundle it with the AutoIt interpreter that runs it. The next point of interest is to extract the AutoIt script. PEstudio can identify the AutoIt script and display its location/offset. Ghidra can identify that there is a script there, but not that it is an AutoIt script, as it has no signatures to check this script against. Knowing which tool to use when is important!