Practical Malware Analysis

Ch 7: Analyzing Malicious Windows

Programs

Rev. 9-29-14
Show MFIR Report from CERT
 The Windows API
(Application Programming Interface)
 What is the API?
• Governs how programs interact with
Microsoft libraries
• Concepts
– Types and Hungarian Notation
– Handles
– File System Functions
– Special Files
 Types and Hungarian Notation
• Windows API has its own names to represent
C data types
– Such as DWORD for 32-bit unsigned integers and
WORD for 16-bit unsigned integers
• Hungarian Notation
– Variables that contain a 32-bit unsigned integer
start with the prefix dw
 Common API Types
• Type (Prefix)
• WORD (w) 16-bit unsigned value
• DWORD (dw) 32-bit unsigned value
• Handle (H) A reference to an object
• Long Pointer (LP) Points to another type
 Handles
• Items opened or created in the OS, like
– Window, process, menu, file, ...
• Handles are like pointers to those objects
– They not pointers, however
• The only thing you can do with a handle is
store it and use it in a later function call to
refer to the same object
 Handle Example
• The CreateWindowEx function returns an
HWND, a handle to the window
• To do anything to that window (such as
DestroyWindow) , use that handle
 File System Functions
• CreateFile, ReadFile, WriteFile
– Normal file input/output
• CreateFileMapping, MapViewOfFile
– Used by malware, loads file into RAM
– Can be used to execute a file without using the
Windows loader
 Special Files
• Shared files like \\server\share
– Or \\?\server\share
• Disables string parsing, allows longer filenames
• Namespaces
– Special folders in the Windows file system
\ Lowest namespace, contains everything
\\.\ Device namespace used for direct disk
input/output
Witty worm wrote to \\.\PhysicalDisk1 to corrupt the disk
Link Ch 7a
 Special Files
• Alternate Data
Streams
– Second stream
of data attached
to a filename
– File.txt:otherfile.txt
The Windows Registry
 Registry Purpose
• Store operating system and program
configuration settings
– Desktop background, mouse preferences, etc.
• Malware uses the registry for persistence
– Making malware re-start when the system
reboots
Registry Terms

• Root keys These 5

• Subkey A folder within a folder

• Key A folder; can contain folders or values
• Value entry Two parts: name and data
• Value or Data The data stored in a registry entry
• REGEDIT Tool to view/edit the Registry
Root Keys
 Run Key
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Executables that start when a user logs on
 Autoruns
• Sysinternals tool
• Lists code that will run automatically when
system starts
– Executables
– DLLs loaded into IE and other programs
– Drivers loaded into Kernel
– It checks 25 to 30 registry locations
– Won't necessarily find all automatically running code
• Link Ch 7b
Autoruns
 Common Registry Functions
• RegOpenKeyEx
– Opens a registry key for editing and querying
• RegSetValueEx
– Adds a new value to the registry & sets its data
• RegGetValue
– Returns the data for a value entry in the Registry
• Note: Documentation will omit the trailing W
(wide) or A (ASCII) character in a call like
RegOpenKeyExW
 Ex, A, and W Suffixes

• From Ch 2
Registry Code
.REG Files
.REG Files
.REG Files
Networking APIs
 Berkeley Compatible Sockets
• Winsock libraries, primarily in ws2_32.dll
– Almost identical in Windows and Unix
 Server and Client Sides
• Server side
– Maintains an open socket waiting for connections
– Calls, in order, socket, bind, listen, accept
– Then send and recv as necessary
• Client side
– Connects to a waiting socket
– Calls, in order, socket, connect
– Then send and recv as necessary
Simplified
Server
Program
Realistic code
would call
WSAGetLastError
many times
 The WinINet API
• Higher-level API than Winsock
• Functions in Wininet.dll
• Implements Application-layer protocols like
HTTP and FTP
• InternetOpen – connects to Internet
• InternetOpenURL –connects to a URL
• InternetReadFile –reads data from a
downloaded file
Following Running Malware
 Transferring Execution
• jmp and call transfer execution to another part
of code, but there are other ways
– DLLs
– Processes
– Threads
– Mutexes
– Services
– Component Object Model (COM)
– Exceptions
 DLLs (Dynamic Link Libraries)
• Share code among multiple applications
• DLLs export code that can be used by other
applications
• Static libraries were used before DLLs
– They still exist, but are much less common
– They cannot share memory among running
processes
– Static libraries use more RAM than DLLs
 DLL Advantages
• Using DLLs already included in Windows
makes code smaller
• Software companies can also make custom
DLLs
– Distribute DLLs along with EXEs
 How Malware Authors Use DLLs
• Store malicious code in DLL
– Sometimes load malicious DLL into another
process
• Using Windows DLLs
– Nearly all malware uses basic Windows DLLS
• Using third-party DLLs
– Use Firefox DLL to connect to a server, instead of
Windows API
 Basic DLL Structure
• DLLs are very similar to EXEs
• PE file format
• A single flag indicates that it's a DLL instead of
an EXE
• DLLs have more exports & fewer imports
• DllMain is the main function, not exported, but
specified as the entry point in the PE Header
– Called when a function loads or unloads the library
 Processes
• Every program being executed by Windows is
a process
• Each process has its own resources
– Handles, memory
• Each process has one or more threads
• Older malware ran as an independent process
• Newer malware executes its code as part of
another process
Many Processes Run at Once
 Memory Management
• Each process uses resources, like CPU, file
system, and memory
• OS allocates memory to each process
• Two processes accessing the same memory
address actually access different locations in
RAM
– Virtual address space (link Ch 7c)
 Creating a New Process
• CreateProcess
– Can create a simple remote shell with one
function call
– STARTUPINFO parameter contains handles for
standard input, standard output, and standard
error streams
• Can be set to a socket, creating a remote shell
 Code to Create a Shell

• Loads socket handle, StdError, StdOutput and

StdInput into lpProcessInformation
• CommandLine contains the command line
• It's executed when CreateProcess is called
 Threads
• Processes are containers
– Each process contains one or more threads
• Threads are what Windows actually executes
• Threads
– Independent sequences of instructions
– Executed by CPU without waiting for other threads
– Threads within a process share the same memory
space
– Each thread has its own registers and stack
 Thread Context
• When a thread is running, it has complete
control of the CPU
• Other threads cannot affect the state of the CPU
• When a thread changes a register, it does not
affect any other threads
• When the OS switches to another thread, it
saves all CPU values in a structure called the
thread context
 Creating a Thread
• CreateThread
– Caller specified a start address, also called a start
function
 How Malware Uses Threads
• Use CreateThread to load a malicious DLL into
a process
• Create two threads, for input and output
– Used to communicate with a running application
 Interprocess Coordination with
Mutexes
• Mutexes are global objects that coordinate
multiple processes and threads
• In the kernel, they are called mutants
• Mutexes often use hard-coded names which
can be used to identify malware
 Functions for Mutexes
• WaitForSingleObject
– Gives a thread access to the mutex
– Any subsequent threads attempting to gain access to it
must wait
• ReleaseMutex
– Called when a thread is done using the mutex
• CreateMutex
• OpenMutex
– Gets a handle to another process's mutex
 Making Sure Only One Copy of
Malware is Running
• OpenMutex
checks if HGL345
exists
• If not, it is
created with
CreateMutex
• test eax, eax
sets Z flag if eax is
zero (link Ch 7d)
 Services
• Services run in the background without user
input
 SYSTEM Account
• Services often run as SYSTEM which is even
more powerful than the Administrator
• Services can run automatically when Windows
starts
– An easy way for malware to maintain persistence
– Persistent malware survives a restart
 Service API Functions
• OpenSCManager
– Returns a handle to the Service Control Manager
• CreateService
– Adds a new service to the Service Control Manager
– Can specify whether the service will start
automatically at boot time
• StartService
– Only used if the service is set to start manually
 Svchost.exe
• WIN32_SHARE_PROCESS
– Most common type of service used by malware
– Stores code for service in a DLL
– Combines several services into a single shared
process named svchost.exe
Svchost.exe in Process Explorer
 Other Common Service Types
• WIN32_OWN_PROCESS
– Runs as an EXE in an independent process
• KERNEL_DRIVER
– Used to load code into the Kernel
Service Information in the Registry
• HKLM\System\CurrentControlSet\Services
– Start value = 0x03 for "Load on Demand"
– Type = 0x20 for WIN32_SHARE_PROCESS
• Link Ch 7e
 SC Command
• Included in Windows
• Gives information about Services
 Component Object Model (COM)
• Allows different software components to
share code
• Every thread that uses COM must call
OleInitialize or CoInitializeEx before calling
other COM libraries
 GUIDs, CLSIDs, IIDs
• COM objects are accessed via Globally Unique
Identifiers (GUIDs)
• There are several types of GUIDs, including
– Class Identifiers (CLSIDs)
• in Registry at HKEY_CLASSES_ROOT\CLSID
– Interface Identifiers (IIDs)
• in Registry at HKEY_CLASSES_ROOT\Interface
• Link Ch 7f
 Exceptions
• Exceptions are caused by errors, such as
division by zero or invalid memory access
• When an exception occurs, execution
transfers to the Structured Exception Handler
 fs:0 Stores Exception Location

• FS is one of six Segment Registers

• Link Ch 7g-i
Kernel v. User Mode
 Two Privilege Levels
• Ring 0: Kernel Mode
• Ring 3: User mode
• Rings 1 and 2 are
not used by
Windows
– Link Ch 7j
 User Mode
• Nearly all code runs in user mode
– Except OS and hardware drivers, which run in
kernel mode
• User mode cannot access hardware directly
• Restricted to a subset of CPU instructions
• Can only manipulate hardware through the
Windows API
 User Mode Processes
• Each process has its own memory, security
permissions, and resources
• If a user-mode program executes an invalid
instruction and crashes, Windows can reclaim
the resources and terminate the program
 Calling the Kernel
• It's not possible to jump directly from user
mode to the kernel
• SYSENTER, SYSCALL, or INT 0x2E instructions
use lookup tables to locate predefined
functions
 Kernel Processes
• All kernel processes share resources and
memory addresses
• Fewer security checks
• If kernel code executes an invalid instruction,
the OS crashes with the Blue Screen of Death
• Antivirus software and firewalls run in Kernel
mode
 Malware in Kernel Mode
• More powerful than user-mode malware
• Auditing doesn't apply to kernel
• Almost all rootkits use kernel code
• Most malware does not use kernel mode
The Native API
 The Native API
• Lower-level interface for interacting with
Windows
• Rarely used by nonmalicious programs
• Popular among malware writers
• Ntdll.dll
manages
interactions
between user
space and the
kernel
• Ntdll functions
make up the
Native API
 The Native API
• Undocumented
• Intended for internal Windows use
• Can be used by programs
• Native API calls can be more powerful and
stealthier than Windows API calls
 Popular Native API Calls in
Malware
• NTtQuerySystemInformation
• NTtQueryInformationProcess
• NTtQueryInformationThread
• NTtQueryInformationFile
• NTtQueryInformationKey
– Provide much more information than any
available Win32 calls
 Popular Native API Calls in
Malware
• NtContinue
– Returns from an exception
– Can be used to transfer execution in complicated
ways
– Used to confuse analysts and make a program
more difficult to debug