Practical Malware Analysis: CH 7: Analyzing Malicious Windows Programs

The document discusses various techniques that malicious programs use to interact with the Windows operating system and maintain persistence. It covers the Windows API and common functions for file I/O, registry access, networking, process and thread management, dynamic link libraries, services, and more. These techniques allow malware to load code into memory, communicate over the network, auto-start on system boot, and otherwise operate covertly on an infected system.

Practical Malware Analysis
Ch 7: Analyzing Malicious Windows Programs
Rev. 9-29-14
Show MFIR Report from CERT
The Windows API
(Application Programming Interface)
What is the API?
• Governs how programs interact with
Microsoft libraries
• Concepts
– Types and Hungarian Notation
– Handles
– File System Functions
– Special Files
Types and Hungarian Notation
• Windows API has its own names to represent
C data types
– Such as DWORD for 32-bit unsigned integers and
WORD for 16-bit unsigned integers
• Hungarian Notation
– Variables that contain a 32-bit unsigned integer
start with the prefix dw
Common API Types
• Type (Prefix)
• WORD (w) 16-bit unsigned value
• DWORD (dw) 32-bit unsigned value
• Handle (H) A reference to an object
• Long Pointer (LP) Points to another type
Handles
• Items opened or created in the OS, like
– Window, process, menu, file, ...
• Handles are like pointers to those objects
– They are not pointers, however
• The only thing you can do with a handle is
store it and use it in a later function call to
refer to the same object
Handle Example
• The CreateWindowEx function returns an
HWND, a handle to the window
• To do anything to that window (such as
DestroyWindow), use that handle
File System Functions
• CreateFile, ReadFile, WriteFile
– Normal file input/output
• CreateFileMapping, MapViewOfFile
– Used by malware, loads file into RAM
– Can be used to execute a file without using the
Windows loader
Special Files
• Shared files like \\server\share
– Or \\?\server\share
• Disables string parsing, allows longer filenames
• Namespaces
– Special folders in the Windows file system
\ Lowest namespace, contains everything
\\.\ Device namespace used for direct disk
input/output
Witty worm wrote to \\.\PhysicalDisk1 to corrupt the disk
Link Ch 7a
Special Files
• Alternate Data
Streams
– Second stream
of data attached
to a filename
– File.txt:otherfile.txt
The Windows Registry
Registry Purpose
• Store operating system and program
configuration settings
– Desktop background, mouse preferences, etc.
• Malware uses the registry for persistence
– Making malware re-start when the system
reboots
Registry Terms
• Root keys These 5
• Subkey A folder within a folder
• Key A folder; can contain folders or values
• Value entry Two parts: name and data
• Value or Data The data stored in a registry entry
• REGEDIT Tool to view/edit the Registry
Root Keys
Run Key
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Executables that start when a user logs on
Autoruns
• Sysinternals tool
• Lists code that will run automatically when
system starts
– Executables
– DLLs loaded into IE and other programs
– Drivers loaded into Kernel
– It checks 25 to 30 registry locations
– Won't necessarily find all automatically running code
• Link Ch 7b
Autoruns
Common Registry Functions
• RegOpenKeyEx
– Opens a registry key for editing and querying
• RegSetValueEx
– Adds a new value to the registry & sets its data
• RegGetValue
– Returns the data for a value entry in the Registry
• Note: Documentation will omit the trailing W
(wide) or A (ASCII) character in a call like
RegOpenKeyExW
Ex, A, and W Suffixes
• From Ch 2
Registry Code
.REG Files
Networking APIs
Berkeley Compatible Sockets
• Winsock libraries, primarily in ws2_32.dll
– Almost identical in Windows and Unix
Server and Client Sides
• Server side
– Maintains an open socket waiting for connections
– Calls, in order, socket, bind, listen, accept
– Then send and recv as necessary
• Client side
– Connects to a waiting socket
– Calls, in order, socket, connect
– Then send and recv as necessary
Simplified Server Program
Realistic code would call WSAGetLastError many times
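The server-side sequence (socket, bind, listen, accept) and client-side sequence (socket, connect) described above, run end to end on the loopback interface. This is an added example, not code from the slides or the book; it uses Python's Berkeley-style socket module, whose calls map directly onto the ws2_32.dll functions named on the slides.

```python
import socket

def run_loopback_exchange(message: bytes):
    """Walk through both call sequences from the slides on 127.0.0.1 and
    return (what the server received, what the client got back)."""
    # Server side, in order: socket, bind, listen
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0 lets the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    # Client side, in order: socket, connect. The kernel completes the
    # handshake against the listening socket, so accept() can come later.
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", port))

    # Server side: accept returns a new socket for this one connection
    conn, _peer = srv.accept()

    # send and recv as necessary (Winsock: send/recv, then closesocket)
    cli.sendall(message)
    cli.shutdown(socket.SHUT_WR)     # tell the server "no more data"
    received = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:                # b"" means the client finished sending
            break
        received += chunk
    conn.sendall(received.upper())   # a trivial reply so both directions run
    conn.close()
    reply = cli.recv(4096)
    cli.close()
    srv.close()
    return received, reply

if __name__ == "__main__":
    print(run_loopback_exchange(b"hello from client"))
```

When reviewing a sample's imports, the presence of bind/listen/accept versus only connect is what tells you which side of this exchange the program implements.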
The WinINet API
• Higher-level API than Winsock
• Functions in Wininet.dll
• Implements Application-layer protocols like
HTTP and FTP
• InternetOpen – connects to Internet
• InternetOpenURL – connects to a URL
• InternetReadFile – reads data from a
downloaded file
Following Running Malware
Transferring Execution
• jmp and call transfer execution to another part
of code, but there are other ways
– DLLs
– Processes
– Threads
– Mutexes
– Services
– Component Object Model (COM)
– Exceptions
DLLs (Dynamic Link Libraries)
• Share code among multiple applications
• DLLs export code that can be used by other
applications
• Static libraries were used before DLLs
– They still exist, but are much less common
– They cannot share memory among running
processes
– Static libraries use more RAM than DLLs
DLL Advantages
• Using DLLs already included in Windows
makes code smaller
• Software companies can also make custom
DLLs
– Distribute DLLs along with EXEs
How Malware Authors Use DLLs
• Store malicious code in DLL
– Sometimes load malicious DLL into another
process
• Using Windows DLLs
– Nearly all malware uses basic Windows DLLS
• Using third-party DLLs
– Use Firefox DLL to connect to a server, instead of
Windows API
Basic DLL Structure
• DLLs are very similar to EXEs
• PE file format
• A single flag indicates that it's a DLL instead of
an EXE
• DLLs have more exports & fewer imports
• DllMain is the main function, not exported, but
specified as the entry point in the PE Header
– Called when a function loads or unloads the library
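The "single flag" that distinguishes a DLL from an EXE is the IMAGE_FILE_DLL bit (0x2000) in the Characteristics field of the PE file header; the entry point (DllMain for a DLL) is AddressOfEntryPoint in the optional header. The following added example (not from the slides or the book) reads both from raw header bytes; build_sample constructs a minimal header for demonstration and is not a loadable image.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000          # the one flag that marks a PE image as a DLL

def inspect_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> file header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symtab, _nsyms, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                        # optional header
    (magic,) = struct.unpack_from("<H", data, opt)         # 0x10B PE32, 0x20B PE32+
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "pe32plus": magic == 0x20B,
        "entry_point_rva": entry_rva,   # DllMain for a DLL, the EXE entry otherwise
        "sections": nsections,
    }

def build_sample(is_dll: bool, entry_rva: int = 0x1000) -> bytes:
    """Constructed header bytes for the demo (hypothetical, not a real file)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)  # i386, 1 section
    # Optional header prefix: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0, 0, entry_rva)
    return bytes(dos) + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    print(inspect_pe(build_sample(is_dll=True)))
```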
Processes
• Every program being executed by Windows is
a process
• Each process has its own resources
– Handles, memory
• Each process has one or more threads
• Older malware ran as an independent process
• Newer malware executes its code as part of
another process
Many Processes Run at Once
Memory Management
• Each process uses resources, like CPU, file
system, and memory
• OS allocates memory to each process
• Two processes accessing the same memory
address actually access different locations in
RAM
– Virtual address space (link Ch 7c)
Creating a New Process
• CreateProcess
– Can create a simple remote shell with one
function call
– STARTUPINFO parameter contains handles for
standard input, standard output, and standard
error streams
• Can be set to a socket, creating a remote shell
Code to Create a Shell
• Loads socket handle, StdError, StdOutput and
StdInput into lpProcessInformation
• CommandLine contains the command line
• It's executed when CreateProcess is called
Threads
• Processes are containers
– Each process contains one or more threads
• Threads are what Windows actually executes
• Threads
– Independent sequences of instructions
– Executed by CPU without waiting for other threads
– Threads within a process share the same memory
space
– Each thread has its own registers and stack
Thread Context
• When a thread is running, it has complete
control of the CPU
• Other threads cannot affect the state of the CPU
• When a thread changes a register, it does not
affect any other threads
• When the OS switches to another thread, it
saves all CPU values in a structure called the
thread context
Creating a Thread
• CreateThread
– Caller specifies a start address, also called a start
function
How Malware Uses Threads
• Use CreateThread to load a malicious DLL into
a process
• Create two threads, for input and output
– Used to communicate with a running application
Interprocess Coordination with Mutexes
• Mutexes are global objects that coordinate
multiple processes and threads
• In the kernel, they are called mutants
• Mutexes often use hard-coded names which
can be used to identify malware
Functions for Mutexes
• WaitForSingleObject
– Gives a thread access to the mutex
– Any subsequent threads attempting to gain access to it
must wait
• ReleaseMutex
– Called when a thread is done using the mutex
• CreateMutex
• OpenMutex
– Gets a handle to another process's mutex
Making Sure Only One Copy of Malware is Running
• OpenMutex checks if HGL345 exists
• If not, it is created with CreateMutex
• test eax, eax sets Z flag if eax is zero (link Ch 7d)
Services
• Services run in the background without user
input
SYSTEM Account
• Services often run as SYSTEM which is even
more powerful than the Administrator
• Services can run automatically when Windows
starts
– An easy way for malware to maintain persistence
– Persistent malware survives a restart
Service API Functions
• OpenSCManager
– Returns a handle to the Service Control Manager
• CreateService
– Adds a new service to the Service Control Manager
– Can specify whether the service will start
automatically at boot time
• StartService
– Only used if the service is set to start manually
Svchost.exe
• WIN32_SHARE_PROCESS
– Most common type of service used by malware
– Stores code for service in a DLL
– Combines several services into a single shared
process named svchost.exe
Svchost.exe in Process Explorer
Other Common Service Types
• WIN32_OWN_PROCESS
– Runs as an EXE in an independent process
• KERNEL_DRIVER
– Used to load code into the Kernel
Service Information in the Registry
• HKLM\System\CurrentControlSet\Services
– Start value = 0x03 for "Load on Demand"
– Type = 0x20 for WIN32_SHARE_PROCESS
• Link Ch 7e
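A scanner for the two registry persistence mechanisms covered above: the Run key and service entries under HKLM\System\CurrentControlSet\Services, with the Type and Start values decoded (0x20 = WIN32_SHARE_PROCESS, 0x03 = "Load on Demand", plus the other standard values). This is an added example, not code from the slides or the book; SAMPLE_REG is a constructed .REG export with a hypothetical service name.

```python
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\upd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000020
"Start"=dword:00000003
"ImagePath"="C:\\Windows\\System32\\svchost.exe -k netsvcs"
'''  # constructed sample; ExampleSvc is a hypothetical service name

SERVICE_TYPES = {0x01: "KERNEL_DRIVER", 0x02: "FILE_SYSTEM_DRIVER",
                 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
START_TYPES = {0: "Boot", 1: "System", 2: "Auto Start",
               3: "Load on Demand", 4: "Disabled"}

def parse_reg(text):
    """Return {key: {name: value}}; dword values become ints, strings are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
            if not m:
                continue          # other value types (hex:, @=...) are not needed here
            name, s, dw = m.groups()
            keys[current][name] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return keys

def find_persistence(keys):
    """Flag autorun values and decode service Type/Start for each service key."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if re.search(r'\\currentversion\\run(once)?$', k):
            for name, data in values.items():
                findings.append({"kind": "autorun", "key": key, "name": name, "data": data})
        elif "\\currentcontrolset\\services\\" in k:
            findings.append({"kind": "service", "key": key,
                             "type": SERVICE_TYPES.get(values.get("Type"), "unknown"),
                             "start": START_TYPES.get(values.get("Start"), "unknown"),
                             "image": values.get("ImagePath")})
    return findings

if __name__ == "__main__":
    for f in find_persistence(parse_reg(SAMPLE_REG)):
        print(f)
```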
SC Command
• Included in Windows
• Gives information about Services
Component Object Model (COM)
• Allows different software components to
share code
• Every thread that uses COM must call
OleInitialize or CoInitializeEx before calling
other COM libraries
GUIDs, CLSIDs, IIDs
• COM objects are accessed via Globally Unique
Identifiers (GUIDs)
• There are several types of GUIDs, including
– Class Identifiers (CLSIDs)
• in Registry at HKEY_CLASSES_ROOT\CLSID
– Interface Identifiers (IIDs)
• in Registry at HKEY_CLASSES_ROOT\Interface
• Link Ch 7f
Exceptions
• Exceptions are caused by errors, such as
division by zero or invalid memory access
• When an exception occurs, execution
transfers to the Structured Exception Handler
fs:0 Stores Exception Location
• FS is one of six Segment Registers
• Link Ch 7g-i
Kernel v. User Mode
Two Privilege Levels
• Ring 0: Kernel Mode
• Ring 3: User mode
• Rings 1 and 2 are not used by Windows
– Link Ch 7j
User Mode
• Nearly all code runs in user mode
– Except OS and hardware drivers, which run in
kernel mode
• User mode cannot access hardware directly
• Restricted to a subset of CPU instructions
• Can only manipulate hardware through the
Windows API
User Mode Processes
• Each process has its own memory, security
permissions, and resources
• If a user-mode program executes an invalid
instruction and crashes, Windows can reclaim
the resources and terminate the program
Calling the Kernel
• It's not possible to jump directly from user
mode to the kernel
• SYSENTER, SYSCALL, or INT 0x2E instructions
use lookup tables to locate predefined
functions
Kernel Processes
• All kernel processes share resources and
memory addresses
• Fewer security checks
• If kernel code executes an invalid instruction,
the OS crashes with the Blue Screen of Death
• Antivirus software and firewalls run in Kernel
mode
Malware in Kernel Mode
• More powerful than user-mode malware
• Auditing doesn't apply to kernel
• Almost all rootkits use kernel code
• Most malware does not use kernel mode
The Native API
The Native API
• Lower-level interface for interacting with
Windows
• Rarely used by nonmalicious programs
• Popular among malware writers
• Ntdll.dll manages interactions between user
space and the kernel
• Ntdll functions make up the Native API
The Native API
• Undocumented
• Intended for internal Windows use
• Can be used by programs
• Native API calls can be more powerful and
stealthier than Windows API calls
Popular Native API Calls in Malware
• NtQuerySystemInformation
• NtQueryInformationProcess
• NtQueryInformationThread
• NtQueryInformationFile
• NtQueryInformationKey
– Provide much more information than any
available Win32 calls
Popular Native API Calls in Malware
• NtContinue
– Returns from an exception
– Can be used to transfer execution in complicated
ways
– Used to confuse analysts and make a program
more difficult to debug
