Dissecting Windows Malware Series – Beginner To Advanced – Part 1

We hear about “cyber attacks” in the news every week. But what actually happens during the attack, in the background and behind the scenes, from the moment the intrusion begins until someone notices that something is wrong? Or worse, when nobody notices and things keep running on autopilot…

What’s In It For Me

In this blog post we lay down the foundations of analyzing and reverse engineering malicious Windows files. We will see various mechanisms malware uses to achieve its main objectives, and highlight the key points to keep in mind for future investigations.

Already a Malware Analyst?

Already dissecting malware in your sleep?

Scroll to the end: there are 5 bullet points you should read before your next analysis.

Should I Read This Article

  1. This article is a good first taste for anyone considering a career as a Malware Analyst or in Reverse Engineering in any of its fields.

    • What do these roles involve?

    • What background is required?

    • Are you genuinely interested in it, beyond the flashy descriptions of a “high-tech salary” and “catching hackers”?

  2. The second group is professional developers.

    Many developers, particularly those early in their careers or those who have not worked on security-oriented or driver code, do not fully understand:

    • How different types of malware operate.

    • What their objectives are.

    • Which underlying processes and mechanisms are involved.

    Simply knowing what happens behind the scenes makes you a more complete developer, with a broader view of the platform you build on.

A Bit Of Theory Before We Start

In general, the malware analysis process is composed of the following 4 stages:

  1. Basic Static Analysis – At this stage we extract as much information as possible about the malware without executing it.

    We check which strings are embedded in it (if any), which functions and DLLs it imports, whether it is packed or not, and any other detail that gives us initial clues about what the malware does.

  2. Basic Dynamic Analysis – At this stage we execute the malware (in an isolated lab VM, never on a production machine) to see how it behaves “live”, and extract as much information as possible with the tools at our disposal (mainly the Sysinternals suite, Wireshark, and others as needed).

  3. Advanced Static Analysis – At this stage we return to static analysis, but now we dive into the code itself.

    We use a disassembler (the popular ones: IDA Pro or Ghidra) to turn the malicious binary into assembly code that we can read and annotate.

  4. Advanced Dynamic Analysis – After the previous stage we should have a relatively clear picture of what the malware does and how it does it.

    At this stage we fill in the missing pieces of the puzzle.

    We run the malware under a debugger (the popular ones: x32dbg/x64dbg, OllyDbg, WinDbg) to recover what we could not see statically: values that only exist at run time, such as decoded strings, or the arguments and targets of functions that are resolved dynamically during execution.

Malware’s Main Objectives

While different threat actors are known for using different malware families, they all share the same objectives:

  1. Gaining a lasting foothold on the endpoint – aka Persistence

  2. Acquiring elevated privileges for various manipulations on the endpoint – aka Privilege Escalation

  3. Running unnoticed on the endpoint, in order to keep operating in the background without the user’s knowledge – aka Evasion

Now we are ready to see some use cases for each objective, in action.

Let’s Start Reversing

Basic Static Analysis

The current article will focus mainly on the Advanced Static Analysis stage, so we will only mention the details gathered in the earlier stages, enough to show our thought process: why we chose this approach, why we arrived at a given hypothesis, and so on.

During the Basic Static Analysis stage, using strings.exe, we saw that the malware contains several strings.

Filtering out the uninteresting ones, we are left with:

(screenshot of the filtered strings output not reproduced)

We see that the file is somehow related to email clients, due to the strings OUTLOOK.EXE, MSIMN.EXE and THEBAT.EXE (Microsoft Outlook, Outlook Express and The Bat!, respectively, all of them processes that send mail). Additionally, we have a registry key path that might contain interesting information; we will check it after running the file.

The cherry on top: we see the use of AppInit_DLLs, a legacy Windows mechanism by which every DLL listed in that registry value is loaded by user32.dll into every user-mode process that loads user32.dll. It was not designed for persistence, but that is exactly what malware abuses it for. Two caveats worth knowing before you rely on this indicator: the listed DLLs are only loaded when the LoadAppInit_DLLs value in the same key is set to 1, and on Windows 8 and later with Secure Boot enabled the whole mechanism is disabled.

It is possible that the file name we saw, spoolvxx32.dll, is related in some way to achieving persistence through AppInit_DLLs, but we need to dig deeper to know for sure.


Basic Dynamic Analysis

Now we advance to the Basic Dynamic Analysis stage. We execute the malware and look for:

  • Created/modified processes

  • Files being created or written to

  • Any registry modification

By cross-referencing the data we got from running Procmon, Process Explorer and RegShot, we saw that the malware:

  • Opens a file called Lab11-02.ini.

  • Opens the file spoolvxx32.dll at the path C:\Windows\System32\spoolvxx32.dll

    and overwrites it.

  • Additionally, we saw the Windows API call RegSetValue changing a value in the registry at the following path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    which confirms our initial hypothesis about how persistence is achieved on the endpoint.


IDA Pro, IDA Pro, IDA Pro…

Advanced Static Analysis

Last but not least, we move on to Advanced Static Analysis:

We begin to analyze the file after it has been disassembled and is presented to us as assembly code.

A few lines into the main function (DllMain, since the sample is a DLL), we see calls to the following functions:

  • GetModuleFileName

  • sub_1000105B

  • CreateFile

Just by analyzing these calls (and digging a bit into the parameters they receive) we can understand the following:

  1. GetModuleFileName takes a handle to a module (a module is a DLL or EXE mapped into the current process) and returns that module’s full path; with a NULL handle it returns the path of the process’s own executable. Which module is being asked about is decided by the handle argument pushed just before the call, so check it rather than assume.

    (A handle is essentially a reference to a specific object/resource. Many functions return handles so that other functions can take the handle as a parameter and continue to access/manipulate that object/resource.)

  2. A call is made to the function sub_1000105B. Since it is not a Windows API function but a function written by the attacker (in the high-level language the malware was written in), it is not labelled with a name hinting at its functionality.

    For convenience, I will reveal that it is a function that returns the path of the system directory on the endpoint.

  3. Then a call is made to strncat, which receives destination and source strings and appends the source to the destination (here, building a path under the system directory).

  4. Now a call is made to CreateFile. Based on the parameters it receives (and a bit of Googling for “MSDN CreateFile”) we identify that it opens an existing file rather than creating one. The tell-tale argument is dwCreationDisposition: OPEN_EXISTING opens without creating, whereas CREATE_ALWAYS would create or truncate.

(IDA Pro screenshot not reproduced)

  5. Later, a call is also made to ReadFile to read the content of the file (which looks like a random collection of letters and numbers).

    In addition, a call is made to another function, sub_100010B3, which contains many bitwise and arithmetic operations such as XOR, AND, OR, etc. That hints that this function probably decodes the gibberish content we saw earlier in the file. We will return to it later.

  6. Further analysis reveals the following code snippet:

(IDA Pro screenshot of the install routine not reproduced)

This code snippet is another confirmation of our hypothesis about the persistence mechanism.

Since the malware installs itself as an AppInit_DLLs entry for persistence, it will be loaded into every user-mode process that loads user32.dll.

In other words, every process on the endpoint that has some kind of user interface (and therefore links user32.dll) will map this DLL into its memory.

This makes the malware hard to remove, since practically every user-mode process is running it: the file on disk stays locked while those processes live, and the hook is re-planted in every new process that starts.

In the code snippet at the start of this paragraph, we essentially see the malware copy itself into the system directory as spoolvxx32.dll (here the Evasion aspect comes into play: the name is chosen to resemble the print spooler’s spoolsv.exe/spoolss.dll, so that a user skimming System32 is less likely to notice it).

Then it calls RegSetValue in order to register itself in the AppInit_DLLs registry value mentioned above.

  7. Later, we see the following code snippets:

  • The first three code blocks check whether the current process is one of the processes we saw earlier:

    OUTLOOK.EXE, MSIMN.EXE, THEBAT.EXE

    (we can identify this by the string labels that IDA Pro adds for us, and by tracing back the values placed in the registers and passed to the memcmp calls).

  • The last code block appears to be a user-space rootkit.

    It starts by loading the wsock32.dll library and specifically hooks the send function.

Off the cuff: user space is the part of the address space where processes run with limited access permissions, while kernel space is the part where the operating system itself runs with full privileges, managing the hardware, the user-space processes and, among other things, the boundary between the two.

Rootkit – malicious code designed to hide the presence of malware on the endpoint. Here we see a more advanced implementation of the Evasion aspect we talked about, rather than just the renaming we discovered earlier.

(Since this code only implements the Evasion aspect, it usually comes alongside another malicious file, or another part of a larger malware, that implements the rest of the functionality.)

  8. Analyzing the code right after the references to the strings wsock32.dll and send, we see the following:

Analyzing this code snippet we see the malware:

  1. Receives a handle to wsock32.dll (the WinSock library, used for socket communication).

  2. Calls GetProcAddress to resolve the address of an export at run time (run-time dynamic linking). GetProcAddress only returns the pointer; it does not call the function.

    Here it looks up send in the library that was just loaded (wsock32.dll). Pay attention to imports resolved this way: they never appear in the import table, so Basic Static Analysis cannot see them, which is why plain strings such as “wsock32.dll” and “send” in a binary are a clue worth chasing.

    Finally, another call is made to the function sub_10001203 (this function actually implements the user-space rootkit).

User Space Rootkit – We Finally Made It

  1. In the address range 0x10001209–0x10001212 (marked in yellow), a value is computed and left in eax: the displacement for the jump, i.e. the address of the hook function minus (address of send + 5). The 0xE9 byte written below is the opcode of a near JMP rel32, whose 32-bit operand is relative to the end of the 5-byte instruction, so a displacement is what has to be stored, not an absolute address. The result is kept in the local variable var_4.

  2. In the address range 0x10001218–0x10001221 (marked in green), a call is made to VirtualProtect. Based on the parameters (and a search on MSDN) we understand that the protection of the page holding send is being changed to writable and executable (PAGE_EXECUTE_READWRITE): code pages are normally execute/read only, so without this the write into send would crash the process.

  3. In the address range 0x10001253–0x1000126E (marked in orange), the malware saves the original bytes at the beginning of send (it needs them later to execute the displaced instructions and continue into the real send, the so-called trampoline) and then overwrites the first byte with 0xE9.

  4. Finally, in the address range 0x10001274–0x1000127D (marked in blue), the 4-byte displacement stored in var_4 is written right after the 0xE9, completing the 5-byte jump that replaces the original start of send.

This, my friends, is a textbook user-space rootkit, based on inline hooking of the send function resolved through wsock32.dll (which forwards it to ws2_32.dll, so the bytes being patched are those of ws2_32!send).

Hooking – hooking can be done in two main ways:

  • IAT Hooking – changing only the pointer to the function in the caller’s Import Address Table, so that calls made through the table land in the hook; the function’s own code is untouched.

  • Inline Hooking – changing the function’s code itself (typically its first bytes), so that every caller, however it reached the function, is redirected to the hook.

We will elaborate on both of these in the future.
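To make the four steps of the inline hook concrete, here is an added Python example (not the sample’s code) that builds the 5-byte E9 patch exactly as the rootkit does, and then does what a defender does with a function prologue: decodes it to see whether it jumps outside the module that owns the function. The send address, the hook address, the module bounds and the prologue bytes are constructed for illustration.

```python
"""Inline hook on a function's first bytes: build the patch, detect it, undo it.
Added example (pure Python model of the 0xE9 patch described above), not the sample's code.
All addresses and the prologue bytes are constructed; they are not from a real process."""
import struct

JMP_REL32 = 0xE9   # opcode: near jmp with a 32-bit displacement
PATCH_LEN = 5      # 1 opcode byte + 4 displacement bytes

# Constructed values: a 32-bit ws2_32.dll mapped at 0x75CF0000, send at 0x75D02B10,
# and the hook function inside the malicious DLL mapped at its preferred base 0x10000000.
WS2_32_BASE, WS2_32_SIZE = 0x75CF0000, 0x40000
SEND_ADDR = 0x75D02B10
HOOK_ADDR = 0x10001300
# Classic hot-patchable prologue "mov edi,edi; push ebp; mov ebp,esp" (5 bytes) + "sub esp,10h".
SEND_PROLOGUE = bytes.fromhex("8bff558bec83ec10")


def build_jmp(from_addr, to_addr):
    """E9 rel32: the displacement is relative to the END of the 5-byte instruction (step 1 above)."""
    rel = (to_addr - (from_addr + PATCH_LEN)) & 0xFFFFFFFF
    return bytes([JMP_REL32]) + struct.pack("<I", rel)


def install_hook(code, func_addr, hook_addr):
    """Steps 3 and 4: save the original first bytes, then write opcode + displacement.
    Returns (patched_code, saved_bytes); saved_bytes is what a trampoline would execute."""
    saved = bytes(code[:PATCH_LEN])
    patched = bytearray(code)
    patched[:PATCH_LEN] = build_jmp(func_addr, hook_addr)
    return bytes(patched), saved


def unhook(patched, saved):
    """Restore the saved bytes: what the malware's own cleanup, or an EDR, would do."""
    return saved + bytes(patched[len(saved):])


def hook_target(code, func_addr):
    """Detection: if the function starts with E9, decode where it jumps; otherwise None."""
    if len(code) < PATCH_LEN or code[0] != JMP_REL32:
        return None
    rel = struct.unpack("<i", code[1:PATCH_LEN])[0]   # signed: hooks usually jump backwards
    return (func_addr + PATCH_LEN + rel) & 0xFFFFFFFF


def is_hooked(code, func_addr, module_base, module_size):
    """A jmp that leaves the module owning the function is the classic inline-hook signature."""
    target = hook_target(code, func_addr)
    return target is not None and not (module_base <= target < module_base + module_size)


if __name__ == "__main__":
    patched, saved = install_hook(SEND_PROLOGUE, SEND_ADDR, HOOK_ADDR)
    print("patch bytes :", patched[:PATCH_LEN].hex())
    print("jumps to    :", hex(hook_target(patched, SEND_ADDR)))
    print("hooked?     :", is_hooked(patched, SEND_ADDR, WS2_32_BASE, WS2_32_SIZE))
    print("restored ok :", unhook(patched, saved) == SEND_PROLOGUE)
```

A note on the saved bytes: the patch overwrites exactly 5 bytes, so the saved bytes must end on an instruction boundary. The Windows hot-patch prologue used here (mov edi,edi; push ebp; mov ebp,esp) is exactly 5 bytes, which is why 5-byte hooks on system DLL exports usually just work; on any other function you must disassemble to find the boundary, and a displaced instruction that is itself relative (a call or jmp) has to be relocated, not copied.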

A Bit Of Theory Regarding WSock32.Dll And WS2_32.Dll

The wsock32.dll library is the legacy WinSock 1.1 library and serves as a wrapper for ws2_32.dll: most of its exports, send included, are forwarders into ws2_32.dll, which is why this post refers to both names for the same hooked function.

A wrapper, in this sense, is an extra layer of code placed in front of the real implementation, usually for compatibility. Do not confuse it with a packer: a packer wraps the whole executable in a decompression or decryption stub so that the real code only exists in memory at run time, a technique meant to make analysis harder and one that forces the analyst to unpack the sample before static analysis. A wrapper library in the import list says nothing about whether the sample is packed.

Wrapping Up The Rootkit

  1. As a conclusion from the previous stage, an inline hook is planted on the send function exported by wsock32.dll (i.e. the one implemented in ws2_32.dll).

  2. The hook itself is the function at the jump target whose displacement was stored in var_4.

    Inside it, the malware writes into the outgoing buffer the string “RCPT TO:” together with the value decoded from the *.ini configuration file we saw earlier, the one that looked like gibberish.

Advanced Dynamic Analysis

  1. In the Advanced Dynamic Analysis stage, running the malware under the well-known x32dbg debugger while watching its operation, we find out what the gibberish data we saw actually is.

    We place a breakpoint exactly at the address where the decode function finishes, after all the XOR, AND and OR operations and just before the return to the caller, and read the decoded buffer.

    We discover that it is an email address!

Considering that this function is reached after the hook on send has been planted, and that the hook writes “RCPT TO:” into the buffer, we conclude that the malware appends the decoded address as an extra recipient to every email sent from one of the previously identified processes (OUTLOOK.EXE, MSIMN.EXE, THEBAT.EXE), i.e. the mail clients whose outbound SMTP traffic passes through the hooked send.
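To see what that conclusion means on the wire, here is an added Python example (a re-implementation of the behaviour described above, not the sample’s own code) that emulates the hooked send against a minimal SMTP envelope and then parses the resulting stream the way you would parse a Wireshark capture, flagging any recipient the user never typed. The attacker address and the SMTP lines are constructed, and the exact “RCPT TO” formatting the sample writes is assumed, since the text above does not spell it out.

```python
"""Emulation of the send hook's effect on an outbound SMTP session, plus the
defender-side check. Added example, not the sample's code. The attacker address,
the SMTP commands and the RCPT TO formatting are constructed/assumed."""

# Stand-in for the address decoded from the .ini file (constructed).
ATTACKER = "attacker@example.invalid"
RCPT_PREFIX = b"RCPT TO:"


def hooked_send(buf, attacker=ATTACKER):
    """What the hook does with each buffer the mail client hands to send():
    when the buffer is a RCPT TO command, append one more RCPT TO naming the attacker;
    anything else is passed through to the real send unchanged."""
    if buf.upper().startswith(RCPT_PREFIX):
        return buf + RCPT_PREFIX + b"<" + attacker.encode() + b">\r\n"
    return buf


def client_session(to_addrs):
    """A minimal SMTP envelope as a mail client emits it, one send() call per command."""
    cmds = [b"EHLO workstation\r\n", b"MAIL FROM:<alice@example.invalid>\r\n"]
    cmds += [b"RCPT TO:<%s>\r\n" % a.encode() for a in to_addrs]
    cmds += [b"DATA\r\n"]
    return cmds


def on_the_wire(cmds, send=hooked_send):
    """Concatenate what actually leaves the socket after each command passes through send."""
    return b"".join(send(c) for c in cmds)


def envelope_recipients(stream):
    """Defender side: extract every RCPT TO address from a captured plaintext SMTP stream."""
    rcpts = []
    for line in stream.split(b"\r\n"):
        if line.upper().startswith(RCPT_PREFIX):
            addr = line[len(RCPT_PREFIX):].strip().strip(b"<>")
            rcpts.append(addr.decode())
    return rcpts


def unexpected_recipients(stream, intended):
    """Recipients present on the wire that the user did not address the mail to."""
    wanted = set(intended)
    return [r for r in envelope_recipients(stream) if r not in wanted]


if __name__ == "__main__":
    intended = ["bob@example.invalid"]
    stream = on_the_wire(client_session(intended))
    print(stream.decode())
    print("injected:", unexpected_recipients(stream, intended))
```

Two things to keep in mind when hunting for this: the hook only sees what the process passes to send, so if the client negotiates STARTTLS the buffer is already TLS ciphertext and appending bytes would only corrupt the session (this technique assumes plaintext SMTP); and on the server side, the extra RCPT TO produces a delivery to an address the sender never saw, so mail-server logs are the other place the injection shows up.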

So What Have We Seen

  1. The malware uses the AppInit_DLLs mechanism to achieve Persistence, forcing itself to load into every user-mode process that loads user32.dll.

  2. The malware uses a user-space rootkit (the more precise term for what we saw is inline hooking) to achieve Evasion on the endpoint.

  3. The malware manipulates email clients by:

    • hooking the send function;

    • decoding the email address extracted from the *.ini file;

    • adding that address as a recipient to every email sent, so that a copy is also delivered to the attacker.

    This way the attacker gains access to all emails sent from the endpoint.

  4. Overall, this was an introductory blog post on analyzing Windows malicious files.

We talked about the different types of analysis, static and dynamic, from basic to advanced, and walked through an example scenario showcasing two of the core objectives malware tries to achieve: Persistence and Evasion.

Before Your Next Analysis

  1. Beware of assumptions without decisive proof

    We saw that in many cases we could guess the purpose of a specific code snippet, and in many cases we also found decisive proof confirming the hypothesis.

    However, it is important to note that we must actually go and find that proof!

    In future malware samples we will review, you will see increasing use of anti-reverse-engineering techniques. The attacker will go to great lengths to make you think you have it all figured out. Keep that in mind!

  2. Reverse engineering is a game between high-level and low-level dissecting

    A good malware analyst knows how to analyze malware from a high-level point of view, and only dives down to dissect each and every instruction when it is needed.

  3. The libraries, files and API calls being abused will change; the methodologies won’t

    As Windows strengthens its security measures, malware authors keep developing increasingly sophisticated malware.

    Meaning, the libraries you learned to treat as risky will be replaced by others, but the methodologies remain the same:

    • Performing some sort of hooking, whether by overwriting the code or just by altering the pointer to the code.

    • Performing process injection or replacement by writing malicious code into a process’s memory at run time.

    • Abusing DLLs that are frequently loaded, or causing them to load.

    • And much more…

      Knowing the methodologies will help you understand purpose and functionality far better.

  4. Cross-referencing, pivoting, grouping pieces of code together

    Being a good malware analyst requires the skill of “connecting the dots”: cross-referencing separate pieces of information into a single timeline.

    Don’t worry, this skill comes with experience; just keep at it.

  5. Finally, we would say that aspiring malware analysts should be:

    • Curious people by nature.

    • Passionate about understanding how things work behind the scenes.

    • Persistent, and able to dig into assembly code for hours (or even days).

    • Eager to understand how operating systems work: network communication, function call mechanisms, kernel access and much more!

    • The most important skill, in my opinion, is being able to doubt your hypotheses until you have found decisive proof that they are correct. Only then can you truly reach a high level of professionalism in reverse engineering.

So What’s Next

From here on, we are going to gear up and talk about the realm of Process Injection.

We will explain the main types of Process Injection techniques and see a number of use cases where they are implemented.

We will link the Process Injection techniques to one (very central) objective malware tries to achieve when infecting an endpoint.

Keep learning and have fun reversing!

References

  1. The malware sample is taken from an excellent book:

    Practical Malware Analysis, by Michael Sikorski and Andrew Honig (No Starch Press, 2012)

  2. The images of

    • Kernel Space vs User Space

    • Wrapper program

    were also taken from Practical Malware Analysis.

  3. All other tips and insights come from Reverse Engineering Malware.

Originally published by 8ksecresearch: Dissecting Windows Malware Series – Beginner To Advanced – Part 1

Copyright notice: posted by admin on 11 April 2024, 9:45 AM.
Please credit when reposting: Dissecting Windows Malware Series – Beginner To Advanced – Part 1 | CTF导航