Quartz 4

Josh Stroschein 7

5 min read

Malware Mondays

Episode 1: Procmon

Start with Process ID (PID) When seeing the initial process drop new files, hash both files to compare whether they are the same.

From the Process-Tree select the top process executing other processes and select include-subtree. Gives a filter that includes child processes.

Filters

CreateFile not only creates a file, but also means creating a handle to a file, which happens a lot. Instead filter on WriteFile: if a file is important, data will be probably written to it. #RegSetValue #DeleteFile

Tip: save filters as a baseline, include process tree, take that as the baseline for analysing new samples.

Hotkeys

Ctrl-J to jump to file location

Done with particular events? Right-click remove events before

source code

tip: check out my repositories with source code link and analyse executables in Procmon.

testing

Reverse Engineering Malware with Ghidra

Overview notes

Native code (IDA (Pro), Ghidra, Binary Ninja) Interpreted code (.NET, Java, dnSpy, JD)

Check out the courses:

  • Identifying and defeating code obfuscation
  • Identifying and defeating packing
  • Identifying and defeating anti-reverse engineering and anti-analysis

Windows:

  • Program trees (provides an overview of the binary structure of the program)
  • Symbol tree (breakdown and overview of all program symbols such as imports, way to identify functions)
  • Data type manager (structures and other data types, typically from header files, or created by you)
  • Listing (disassembly of the executable code from the program)
    • sidebar displays program overview, entropy and a number of different bookmarks
    • default is a linear view, may open a graph view per function
    • can patch/modify the listing
    • options change based on area of program you are exploring
    • create bookmarks and add labels to help with analysis
    • modify register values and convert data types (convert data into code)

Decompiler

Listed to the right of the Listing window Converts machine code to assembly then PCode then C Warning: there’s not necessarily a direct match in the decompiled code from the original source code You can modify the decompiler output: - edit local variables, data structures, return types - consider changing a signature instead of a local instance - changes in signature are also reflected in the listing window - leverage header files when possible (usually not available)

The decompiler creates structures which help with program analysis and comprehension It can lock analysis through the ‘Decompiler Parameter ID’ (locking signatures) and committing parameters, return values and local variables trace variable usage and highlight variables that may be impacted going forwards/backwards (navigate through a function by way of a variable) Provides the ability to export functions to use with different tools

Demo: Analyzing a trojan

At entry point a call to __security_init_cookie and then an unconditional jump to another location. This is a telltale that it’s likely compiler generated code. To identify main is to scroll on and identify a call preceded by three pushes, corresponding to three pointers to:

  • argc (argument count)
  • -argv (argument vector (list))
  • envp (array of pointers to environment variables) The three arguments to main.

First, follow that unconditional jump and then scroll until you see three pushes. Double click the following function and to get the graph, use the shortcut icon or the file menu to view the graph.

CodeBrowser

Highlighting: hold ‘Windows’ key and highlight an mnemonic or data in listing window Annotating the CodeBrowser allows you to add your insights into the program. You can use labels to mark locations of interest. Ghidra will add labels during autoanalysis. You can have multiple labels per address.

There are five types of comments:

  • EOL
  • plate
  • post
  • pre
  • repeatable

Data types: can be applied at a single address or a selected range Use the data type manager window to select the type you want to apply, drag and drop it to the location you want to apply it, and you enhance you understand the code you’re analyzing.

Processor specific help: you can right-click on instructions and select ‘processor manual’

Tools and techniques to perform function analysis

Additional function windows:

  • function call graph (shows function calls from current function)
  • function graph
  • function call trees depict a hierarchical relationship of function calls

Important: you need to understand where you are, when you begin analyzing a program. Generally, you have a function, strings or some other indicator that will drive you to begin analysis at a certain point. In the absence of those indicators, you will want to start at the beginning of the program, ignoring unnecessary code, like code generated by the compiler.

Ghidra can manage external programs. You can add additional programs (libraries) that your program depends on. This way you can quickly navigate to functions in those programs.

During flow analysis of a program, perhaps not all functions are identified. You can instead right-click and create or edit a function. This way you can change parameter types, change the calling convention, undefine functions, etcetera.

You can also add symbols, if they are available. Usually with malware you don’t have access to PDB files.

Demo: function analysis

Graph View