Malware Execution and DLLs in IDA

Following Malware Execution in IDA

Following Malware Execution

IDA Pro’s control flow graphs are very useful for viewing the malware’s possible execution paths
  Function calls, loops, if statements, etc.
But malware can transfer execution in ways other than jumps and calls
Often need to find out how the malware is executing other code

DLLs
 
 
DLL review

Dynamic link library
Exports functions for other executables to use
Advantage: can be shared among running processes, saving memory
Any disadvantages?

How Malware Uses DLLs

By storing malicious code
  May export functions to other malware files
  May be loaded into another process
By using Windows DLLs
  To interact with the operating system via Windows API functions
By using third-party DLLs
  To interact with other non-Windows programs
  To use a library that may not be on the victim’s machine

Analyzing DLLs

DLLs have many points from which code can be executed
  Each exported function
  DllMain – which is not called explicitly, but rather is called whenever a process loads or unloads the DLL
    Normally used for managing any resources specific to a process, but malware sometimes uses it for other purposes

Processes
 
 
Process Review

Process – program in execution
Used to keep programs from interfering with each other
  Have separate address spaces
OS manages how processes access shared resources (CPU, filesystem, hardware, etc.)

 
Creating a Process

The CreateProcess function is typically used to create a process
Has many parameters, gives caller a high amount of control over how the process is created

Running an Embedded Executable

Suppose the malware contains an executable as a resource
Uses FindResource, LoadResource, CreateFile, etc. to write the resource to disk
Uses CreateProcess to run the resource

Creating a Remote Shell

Remote shell – allows an attacker to run commands on the victim’s computer remotely
Can create a remote shell by opening a socket to the attacker’s machine, and then making a single call to CreateProcess!

Creating a Remote Shell

Need to pass specific arguments to CreateProcess
  The lpStartupInfo parameter points to a STARTUPINFO struct
  This struct contains handles to stdin, stdout, and stderr
Point stdin, stdout, and stderr to the socket
Call CreateProcess
All input from the malware actor over the socket is run on the command line

Creating a Remote Shell – Sample Code

Practical Malware Analysis, p. 148

Process Injection

Malware can inject its own code into a different process
Typically performed using the VirtualAlloc, WriteProcessMemory, and CreateRemoteThread API calls
Will cover this and other covert launching techniques later

Threads
 
 
Thread Review

Thread – sequence of instructions belonging to a process that is executed by the CPU
Each process contains one or more threads
All threads share the process’ memory space
Each thread has its own registers and stack

Creating a Thread

Done using the CreateThread function
Takes lpStartAddress, a pointer to a function
Also takes lpParameter, a single parameter to the function
The thread executes the function until it returns

Covertly Loading a Malicious Library

Can use CreateThread to covertly load a malicious library into a process
Need to set certain parameters to CreateThread
  Pass the address of the LoadLibrary Windows API function as the lpStartAddress parameter
  Pass the name of the desired library as lpParameter
Even more stealthy if “LoadLibrary” and the name of the library are obfuscated

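The slides on embedded executables, remote shells, process injection and covert library loading each name the API calls involved, and an analyst's first look at a sample in IDA is usually its Imports window. The following is an added example, not code from the slides or from Practical Malware Analysis: a Python triage script that takes a sample's import list and reports which of those launch patterns the sample could implement, together with what to confirm in the disassembly before drawing a conclusion. The pattern names, the A/W-suffix normalisation, the "run-time API resolution" pattern (my reading of the slide's remark about obfuscated LoadLibrary names) and the import list in SAMPLE_IMPORTS are my own constructions.

```python
"""Import-table triage for the launch techniques on the preceding slides (added example,
not from the slides or from Practical Malware Analysis). A hit is a lead to follow in the
disassembly, not proof: installers and debuggers import the same functions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Pattern:
    name: str
    required: FrozenSet[str]                 # every one of these must be imported
    any_of: FrozenSet[str] = frozenset()     # and at least one of these, if non-empty
    confirm: str = ""                        # what to check in the disassembly


PATTERNS = [
    Pattern("embedded executable drop",
            frozenset({"FindResource", "LoadResource", "CreateFile", "CreateProcess"}),
            confirm="the bytes written to the file come from the resource and the same "
                    "path is passed to CreateProcess"),
    Pattern("remote shell",
            frozenset({"CreateProcess"}),
            frozenset({"socket", "WSASocket", "connect", "WSAConnect"}),
            confirm="the STARTUPINFO hStdInput/hStdOutput/hStdError fields are set to the "
                    "socket handle before the CreateProcess call"),
    Pattern("process injection",
            frozenset({"WriteProcessMemory", "CreateRemoteThread"}),
            frozenset({"VirtualAlloc", "VirtualAllocEx"}),
            confirm="an OpenProcess on another PID, a buffer written with WriteProcessMemory, "
                    "and that buffer's address used as the remote thread start"),
    Pattern("covert library load",
            frozenset({"CreateThread"}),
            frozenset({"LoadLibrary", "LoadLibraryEx"}),
            confirm="lpStartAddress is the LoadLibrary address and lpParameter a DLL path"),
    Pattern("run-time API resolution",
            frozenset({"GetProcAddress"}),
            frozenset({"LoadLibrary", "LoadLibraryEx", "GetModuleHandle"}),
            confirm="the strings passed to GetProcAddress; names such as LoadLibrary may be "
                    "obfuscated and absent from the import table"),
]


def canonical(name: str) -> str:
    """Drop a 'module!' prefix and the ANSI/Unicode A/W suffix so variants compare equal."""
    name = name.strip().split("!")[-1]
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return name


def triage_imports(imports: Iterable[str]) -> List[str]:
    """Return the sorted names of every pattern the import set satisfies."""
    present = {canonical(n) for n in imports}
    return sorted(p.name for p in PATTERNS
                  if p.required <= present and (not p.any_of or p.any_of & present))


def triage_report(imports: Iterable[str]) -> Dict[str, str]:
    """Map each matched pattern to the thing an analyst should confirm in IDA."""
    by_name = {p.name: p.confirm for p in PATTERNS}
    return {name: by_name[name] for name in triage_imports(imports)}


# Constructed import list for a hypothetical dropper; not taken from any real sample.
SAMPLE_IMPORTS = [
    "kernel32!FindResourceA", "kernel32!LoadResource", "kernel32!SizeofResource",
    "kernel32!CreateFileA", "kernel32!WriteFile", "kernel32!CreateProcessA",
    "ws2_32!WSAStartup", "ws2_32!WSASocketA", "ws2_32!connect",
    "kernel32!OpenProcess", "kernel32!VirtualAllocEx",
    "kernel32!WriteProcessMemory", "kernel32!CreateRemoteThread",
]

if __name__ == "__main__":
    for pattern, what in triage_report(SAMPLE_IMPORTS).items():
        print(f"{pattern}: confirm {what}")
```

Paste the names from IDA's Imports window into a list and call triage_report on it; each hit names the parameters or handles to look at in the disassembly, because an import table alone cannot show, for instance, whether the STARTUPINFO handles really point at the socket.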
Services
 
 
Services Review

Service – a task that runs in the background without an associated process or thread
Managed by the Windows service manager
The command net start can tell you what services are running

Why Malware Uses Services

Can be set to automatically run when the computer boots
  Gives persistence
Often run with SYSTEM privileges
  But need admin to specify this

Creating / Starting a Service

OpenSCManager – Returns a handle to the service control manager, which is needed for all other service-related API calls
CreateService – Adds a new service to the service control manager
  Can specify that the service automatically runs at boot
StartService – Starts a service manually

Types of Services

WIN32_SHARE_PROCESS – Stores code for a service in a DLL, run by svchost.exe
WIN32_OWN_PROCESS – Stores code in an EXE, runs as an independent process
KERNEL_DRIVER – Used for loading code into the kernel

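The three service slides describe what makes a service attractive to malware (automatic start, SYSTEM privileges) and how the service type decides where its code lives. The following is an added example, not code from the slides: a Python script that parses the output of `sc qc <service>` from a machine under analysis and reports exactly those properties, plus whether the service image lives outside the Windows directory. The sc output layout, the service-type and start-type numbers (the Win32 SERVICE_* constants as I know them) and the two records in SAMPLE_SC_OUTPUT are my assumptions and constructed data.

```python
"""Service-configuration triage for the service slides (added example, not from the slides).
Parses the text `sc qc <service>` prints and reports the properties called out above: automatic
start, LocalSystem, the service type, and an image outside the Windows directory."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Bits of the TYPE field (sc prints it in hex); the values are the Win32 SERVICE_* constants
SERVICE_TYPES = {0x01: "KERNEL_DRIVER", 0x02: "FILE_SYSTEM_DRIVER",
                 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
TRUSTED_PREFIXES = ("c:\\windows\\", "\\systemroot\\", "%systemroot%\\")  # where images belong
_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")            # "KEY : value" lines
_IMAGE = re.compile(r'\s*"?([^"]*?\.(?:exe|sys))', re.IGNORECASE)  # path before any arguments


@dataclass
class ServiceConfig:
    name: str
    service_type: int
    start_type: int
    binary_path: str
    start_name: str

    @property
    def type_names(self) -> List[str]:
        return [n for bit, n in SERVICE_TYPES.items() if self.service_type & bit]


def _build(f: Dict[str, str]) -> ServiceConfig:
    return ServiceConfig(name=f.get("SERVICE_NAME", "?"),
                         service_type=int((f.get("TYPE") or "0").split()[0], 16),
                         start_type=int((f.get("START_TYPE") or "3").split()[0]),
                         binary_path=f.get("BINARY_PATH_NAME", ""),
                         start_name=f.get("SERVICE_START_NAME", ""))


def parse_sc_qc(text: str) -> List[ServiceConfig]:
    """Parse one or more concatenated `sc qc` outputs; each SERVICE_NAME line starts a record."""
    services, fields = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:                      # "[SC] ..." banners and ": dep" continuation lines
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME" and fields:
            services.append(_build(fields))
            fields = {}
        fields[key] = value
    if fields:
        services.append(_build(fields))
    return services


def image_path(binary_path: str) -> str:
    """The .exe or .sys path from BINARY_PATH_NAME, without quotes or arguments."""
    m = _IMAGE.match(binary_path)
    return m.group(1) if m else binary_path.strip().strip('"')


def risk_flags(cfg: ServiceConfig) -> List[str]:
    """Properties the slides describe as useful to malware; several on one service warrant a look."""
    flags = []
    if cfg.start_type in (0, 1, 2):
        flags.append(f"{START_TYPES[cfg.start_type]}: runs at boot, which gives persistence")
    if cfg.start_name.lower() == "localsystem":
        flags.append("runs as LocalSystem (SYSTEM privileges)")
    image = image_path(cfg.binary_path)
    if image and not image.lower().startswith(TRUSTED_PREFIXES):
        flags.append(f"image outside the Windows directory: {image}")
    if cfg.service_type & 0x20:
        flags.append("WIN32_SHARE_PROCESS: code is a DLL hosted by svchost.exe; read the "
                     "ServiceDll value under the service's Parameters registry key")
    if cfg.service_type & 0x01:
        flags.append("KERNEL_DRIVER: code is loaded into the kernel")
    return flags


# Constructed sc qc output: one Windows service and one hypothetical implant (not a real sample).
SAMPLE_SC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        DEPENDENCIES       : RPCSS
                           : http
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: UpdaterHelper
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Users\Public\updater.exe" -svc
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    for svc in parse_sc_qc(SAMPLE_SC_OUTPUT):
        print(svc.name, svc.type_names, *("\n  - " + f for f in risk_flags(svc)))
```

A legitimate auto-start service such as the print spooler also runs as LocalSystem, so the first two flags on their own are normal; the combination with an image under a user-writable directory, or a shared-process service whose ServiceDll is not a Windows component, is what to follow up.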
Exceptions
 
 
Exceptions Review

Exception – allows a program to handle events outside its normal execution path
Can be triggered by:
  Errors (such as a divide by 0)
  Hardware (such as invalid memory access)
  Explicit call to RaiseException

Structured Exception Handling

Structured Exception Handling (SEH) – Windows mechanism for handling exceptions
List of functions for handling exceptions
  Each function can handle the exception or pass it to the next handler
  If an exception makes it to the end of the list without being handled, it is considered an unhandled exception and crashes the process

How Malware Uses Exceptions

SEH is a type of flow control that can’t be followed by disassemblers and can fool debuggers
Malware can add its own custom exception handler to the SEH chain and then trigger an exception to transfer execution to the handler
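
The slide says a disassembler cannot follow this transfer of control, so the practical question is how to find the handler in IDA anyway. The following is an added example, not code from the slides: a Python scanner over a 32-bit x86 IDA listing that locates the point where a function installs its own SEH handler, names the handler so you can navigate to it even though no call or jump leads there, and reports the first instruction after the registration that looks like a deliberate fault. It relies on a fact the slides do not state: on 32-bit Windows the head of the SEH chain is kept at fs:[0], and a handler is installed by pushing its address, pushing the old head, and writing esp to fs:[0]. The listing format, the operand spellings accepted for fs:[0], and SAMPLE_LISTING are my assumptions and constructed data.

```python
"""Find SEH handler registration in a 32-bit x86 IDA listing (added example, not from the
slides). The record pushed onto the stack is {next, handler}, so the push immediately before
the mov fs:0, esp saves the old chain head and the push before that supplies the handler.
IDA shows that push as data, not as a call, so the handler never appears in the flow graph."""
import re
from dataclasses import dataclass
from typing import List, Optional

# address, mnemonic, operands, optional ";" comment; a ".text:" style segment prefix is optional
_LINE = re.compile(r"^\s*(?:[\w.]+:)?([0-9A-Fa-f]{6,16})\s+(\w+)\s*([^;]*?)\s*(?:;.*)?$")
# operand forms IDA uses for the SEH head: fs:0, large fs:0, large dword ptr fs:0, fs:[0]
_FS0 = r"(?:large\s+)?(?:dword\s+ptr\s+)?fs:(?:0|\[0\])"
_WRITE_HEAD = re.compile(rf"^{_FS0}\s*,\s*esp$", re.IGNORECASE)   # mov fs:0, esp
_FS0_ONLY = re.compile(rf"^{_FS0}$", re.IGNORECASE)               # pop fs:0 (unregister)


@dataclass
class Instr:
    addr: str
    mnem: str
    ops: str


@dataclass
class SehRegistration:
    addr: str               # address of the mov fs:0, esp
    handler: Optional[str]  # operand of the push that supplied the handler, if found
    trigger: Optional[str]  # first later instruction that looks like a deliberate fault


def parse_listing(text: str) -> List[Instr]:
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            addr, mnem, ops = m.groups()
            out.append(Instr(addr, mnem.lower(), ops))
    return out


def _looks_like_trigger(ins: Instr) -> bool:
    """Instructions commonly used to raise an exception on purpose (see Exceptions Review)."""
    if ins.mnem in ("div", "idiv", "int", "ud2"):
        return True
    return ins.mnem == "call" and "RaiseException" in ins.ops


def find_seh_registrations(text: str) -> List[SehRegistration]:
    instrs = parse_listing(text)
    found = []
    for i, ins in enumerate(instrs):
        if ins.mnem != "mov" or not _WRITE_HEAD.match(ins.ops):
            continue
        # look back a few instructions for the two pushes that built the record
        pushes = [p for p in instrs[max(0, i - 6):i] if p.mnem == "push"]
        handler = pushes[-2].ops.replace("offset", "").strip() if len(pushes) >= 2 else None
        trigger = None
        for later in instrs[i + 1:]:
            if later.mnem == "pop" and _FS0_ONLY.match(later.ops):
                break                  # handler removed again without a fault in between
            if _looks_like_trigger(later):
                trigger = f"{later.addr} {later.mnem} {later.ops}".strip()
                break
        found.append(SehRegistration(ins.addr, handler, trigger))
    return found


# Constructed listing in IDA's style; not taken from a real sample.
SAMPLE_LISTING = """\
.text:00401000    push    ebp
.text:00401001    mov     ebp, esp
.text:00401003    push    offset loc_401040       ; handler address pushed as data
.text:00401008    push    large dword ptr fs:0    ; save the old head of the chain
.text:0040100F    mov     large fs:0, esp         ; our record is now the head
.text:00401016    xor     ecx, ecx
.text:00401018    div     ecx                     ; divide by zero: dispatcher calls loc_401040
.text:0040101A    mov     eax, 1                  ; IDA's graph continues here, the CPU does not
.text:0040101F    pop     large fs:0              ; restore the previous head
.text:00401026    add     esp, 4
.text:00401029    pop     ebp
.text:0040102A    retn
"""

if __name__ == "__main__":
    for reg in find_seh_registrations(SAMPLE_LISTING):
        print(f"{reg.addr}: handler {reg.handler}, trigger {reg.trigger}")
```

Export the function's listing from IDA as text and run the scanner over it; for each registration, jump to the reported handler label and define it as a function so its code is analysed. The trigger heuristic only covers the causes listed on the Exceptions Review slide (a divide, an int instruction, a RaiseException call); an invalid memory access through a zeroed register will not be reported.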
Exploring how malware executes in IDA Pro, the significance of control flow graphs, DLL review, methods of utilizing DLLs for malicious activities, analyzing DLLs for code execution, and the management of processes in a secure environment. Gain insights into malware behaviors involving DLLs and process creation.

  • Malware Execution
  • DLLs
  • IDA Pro
  • Process Management
  • Code Analysis

Uploaded on Oct 01, 2024 | 0 Views

