Catch Me If You Can

•

5 gefällt mir•1,397 views

pinkflawd

SSTIC 2014, Marion Marschalek, Malware Anti-Analysis Tricks

Ingenieurwesen Technologie

ANALYST
aims to detect
MALWARE
MALWARE
aims to detect
ANALYST

LEVELS of SOPHISTICATION
Mass
Sophisticated
Toolified
APT
aAPT
EPT
?
Malware
Malware
Malware
Malware
Malware
Malware

while some are not all that sophisticated ....

SIMULATION
DEBUGGING
VIRTUALIZATION
DISASSEMBLINGSTATIC ANALYSIS
ARTIFICIAL
INTELLIGENCE

SIMULATION
VIRTUALIZATION
STATIC ANALYSIS
DISASSEMBLING
DEBUGGING
ARTIFICIAL
INTELLIGENCE

SIMULATION
VIRTUALIZATION
STATIC ANALYSIS
DISASSEMBLING
DEBUGGING
ARTIFICIAL
INTELLIGENCE
RANDOMNESS

THE ANCIENT ART
OF BYPASSING
ANTI-ANALYSIS

PEBBeingDebugged Flag: IsDebuggerPresent()
PEBNtGlobalFlag, Heap Flags
DebugPort: CheckRemoteDebuggerPresent() /
NtQueryInformationProcess()
Debugger Interrupts
Timing Checks
SeDebugPrivilege
Parent Process
DebugObject: NtQueryObject()
Debugger Window
Debugger Process
Device Drivers
OllyDbg: Guard Pages
Software Breakpoint Detection
Hardware Breakpoint Detection
Patching Detection via Code Checksum Calculation
Encryption and Compression
Garbage Code and Code Permutation
Anti-Disassembly
Misdirection and Stopping Execution via Exceptions
Blocking Input
ThreadHideFromDebugger
Disabling Breakpoints
Unhandled Exception Filter
OllyDbg: OutputDebugString() Format String Bug
Process Injection
Debugger Blocker
TLS Callbacks
Stolen Bytes
API Redirection
Multi-Threaded Packers
Virtual Machines

THE AWESOMENESS COMPILATION
THE „ULTIMATE“ ANTI-DEBUGGING REFERENCE [Ferrie]
http://pferrie.host22.com/papers/antidebug.pdf
THE ART OF UNPACKING [Yason]
https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-
07-yason-WP.pdf
SCIENTIFIC BUT NOT ACADEMICAL OVERVIEW OF MALWARE ANTI-DEBUGGING,
ANTI-DEBUGGING AND ANTI-VM TECHNIQUES [Branco, Barbosa, Neto]
http://research.dissect.pe/docs/blackhat2012-paper.pdf
VIRTUAL MACHINE DETECTION ENHANCED [Rin, EP_X0FF]
http://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf

UPATRE
SMALL | NASTY | THORNY | standardmalwareofftheshelf
PAYLOAD
PACKERPROTECTION

WINDOW
CONFUSION
and implicit breakpoint detection

CITADEL
IDA Stealth Bruteforcing
PEB!NtGlobalFlags Anti-debug r.e.d.a.c.t.e.d.
Let‘s start at the end .....

CVE-2014-1776
.html vshow.swf
cmmon.js
Heap Preparation
Timer Registration
Eval ( something)
Prepare ROP Chain
Corrupt Memory
Fill SoundObject with Shellcode
Invoke SoundObject.toString()

MIUREF
Once upon a time ...
and it‘s packer

Visual Basic 6.0
Microsoft, 1998
Object-based / event-driven
Rapid Application Development
Replaced by VB .NET in 2002
End of support in 2008
VB6

P-CODE
TRANSLATION
P-code mnemonics
interpreted
by msvbvm60.dll
handler13:
ExitProcHresult
...
handler14:
ExitProc
...
handler15:
ExitProcI2
...
... FC C8 13 76 ...

Ou lá lá...
x86 !
POST VB6 PACKER POST C++ PACKER

THANK YOU!
Marion Marschalek
marion@0x1338.at
0x1338.blogspot.co.at
@pinkflawd

Weitere ähnliche Inhalte

Andere mochten auch

Analysis of catch me if you can.benwhite16

Catch me if you can timeline (1)TaylorLydia

CATCH US IF YOU CAN - Anna IshaAnna Isha

API - Como fazer?Felipe Caparelli

Catch me if you canMingo Peiro

LONDONguest67e57d19

Top 10 Most Eaten Foods In The WorldEason Chan

Oscars 2016: Winners and Highlightsmaditabalnco

Can We Assess Creativity?John Spencer

Andere mochten auch (9)

Analysis of catch me if you can.

Catch me if you can timeline (1)

CATCH US IF YOU CAN - Anna Isha

API - Como fazer?

Catch me if you can

LONDON

Top 10 Most Eaten Foods In The World

Oscars 2016: Winners and Highlights

Can We Assess Creativity?

Mehr von pinkflawd

The Magic Superpowers of a well-established "Us"pinkflawd

La Quadrature Du Cercle - The APTs That Weren'tpinkflawd

Big Game Hunting - Peculiarities In Nation State Malware Researchpinkflawd

Shootingpinkflawd

The A and the P of the Tpinkflawd

Zeus' Not Dead Yetpinkflawd

TS/NOFORNpinkflawd

How would you find what you can't see?pinkflawd

Curing A 15 Year Old Deseasepinkflawd

Troopers Diffray v1.1pinkflawd

brightfuturepinkflawd

Mehr von pinkflawd (11)

The Magic Superpowers of a well-established "Us"

La Quadrature Du Cercle - The APTs That Weren't

Big Game Hunting - Peculiarities In Nation State Malware Research

Shooting

The A and the P of the T

Zeus' Not Dead Yet

TS/NOFORN

How would you find what you can't see?

Curing A 15 Year Old Desease

Troopers Diffray v1.1

brightfuture

Kürzlich hochgeladen

Glass Ceramics: Processing and PropertiesPrabhanshu Chaturvedi

Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth

High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile

Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth

The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat

Java Programming :Event Handling(Types of Events)simmis5

BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla

Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis

(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat

ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya

DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEslot gacor bisa pakai pulsa

Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile

High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat

(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat

KubeKraft presentation @CloudNativeHooghlysanyuktamishra911

Online banking management system project.pdfKamal Acharya

Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile

UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan

University management System project report..pdfKamal Acharya

Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan

Kürzlich hochgeladen (20)

Glass Ceramics: Processing and Properties

Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...

High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts

Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...

The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...

Java Programming :Event Handling(Types of Events)

BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx

Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...

(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...

ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf

DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE

Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik

High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts

(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...

KubeKraft presentation @CloudNativeHooghly

Online banking management system project.pdf

Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...

UNIT-V FMM.HYDRAULIC TURBINE - Construction and working

University management System project report..pdf

Coefficient of Thermal Expansion and their Importance.pptx

Catch Me If You Can

1. CATCH ME IF YOU CAN

2. HUNTER HUNTED and HAUNTED

3. YOUR HUNTER TODAY Marion Marschalek

4. ANALYST aims to detect MALWARE MALWARE aims to detect ANALYST

5. LEVELS of SOPHISTICATION Mass Sophisticated Toolified APT aAPT EPT ? Malware Malware Malware Malware Malware Malware

6. while some are not all that sophisticated ....

7. SIMULATION DEBUGGING VIRTUALIZATION DISASSEMBLINGSTATIC ANALYSIS ARTIFICIAL INTELLIGENCE

8. SIMULATION VIRTUALIZATION STATIC ANALYSIS DISASSEMBLING DEBUGGING ARTIFICIAL INTELLIGENCE

9. SIMULATION VIRTUALIZATION STATIC ANALYSIS DISASSEMBLING DEBUGGING ARTIFICIAL INTELLIGENCE

10. SIMULATION VIRTUALIZATION STATIC ANALYSIS DISASSEMBLING DEBUGGING ARTIFICIAL INTELLIGENCE

11. SIMULATION VIRTUALIZATION STATIC ANALYSIS DISASSEMBLING DEBUGGING ARTIFICIAL INTELLIGENCE

12. SIMULATION VIRTUALIZATION STATIC ANALYSIS DISASSEMBLING DEBUGGING ARTIFICIAL INTELLIGENCE ...

13. SIMULATION VIRTUALIZATION STATIC ANALYSIS DISASSEMBLING DEBUGGING ARTIFICIAL INTELLIGENCE RANDOMNESS

14. THE ANCIENT ART OF BYPASSING ANTI-ANALYSIS

15. PEBBeingDebugged Flag: IsDebuggerPresent() PEBNtGlobalFlag, Heap Flags DebugPort: CheckRemoteDebuggerPresent() / NtQueryInformationProcess() Debugger Interrupts Timing Checks SeDebugPrivilege Parent Process DebugObject: NtQueryObject() Debugger Window Debugger Process Device Drivers OllyDbg: Guard Pages Software Breakpoint Detection Hardware Breakpoint Detection Patching Detection via Code Checksum Calculation Encryption and Compression Garbage Code and Code Permutation Anti-Disassembly Misdirection and Stopping Execution via Exceptions Blocking Input ThreadHideFromDebugger Disabling Breakpoints Unhandled Exception Filter OllyDbg: OutputDebugString() Format String Bug Process Injection Debugger Blocker TLS Callbacks Stolen Bytes API Redirection Multi-Threaded Packers Virtual Machines

16. THE AWESOMENESS COMPILATION THE „ULTIMATE“ ANTI-DEBUGGING REFERENCE [Ferrie] http://pferrie.host22.com/papers/antidebug.pdf THE ART OF UNPACKING [Yason] https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa- 07-yason-WP.pdf SCIENTIFIC BUT NOT ACADEMICAL OVERVIEW OF MALWARE ANTI-DEBUGGING, ANTI-DEBUGGING AND ANTI-VM TECHNIQUES [Branco, Barbosa, Neto] http://research.dissect.pe/docs/blackhat2012-paper.pdf VIRTUAL MACHINE DETECTION ENHANCED [Rin, EP_X0FF] http://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf

17. AWESOMENESS IMPLEMENTED

18.

19.

20. UPATRE SMALL | NASTY | THORNY | standardmalwareofftheshelf PAYLOAD PACKERPROTECTION

21. ANTI-SIMULATION

22. WINDOW CONFUSION and implicit breakpoint detection

23. *WANNABE* TIMING DEFENCE

24. CITADEL IDA Stealth Bruteforcing PEB!NtGlobalFlags Anti-debug r.e.d.a.c.t.e.d. Let‘s start at the end .....

25. ...

26.

27. WITH DEBUGGER WITHOUT DEBUGGER

28. CVE-2014-1776 .html vshow.swf cmmon.js Heap Preparation Timer Registration Eval ( something) Prepare ROP Chain Corrupt Memory Fill SoundObject with Shellcode Invoke SoundObject.toString()

29. SNEAKY EXPLOIT BEING SNEAKY

30. ... DECODING OF THE ACTUAL EXPLOIT

31. ALMOST WONDERFUL wonderfl

32.

33. MIUREF Once upon a time ... and it‘s packer

34. Visual Basic 6.0 Microsoft, 1998 Object-based / event-driven Rapid Application Development Replaced by VB .NET in 2002 End of support in 2008 VB6

35. VB6 IS NOT DEAD

36. NATIVE CODE

37. PSEUDO CODE

38. P-CODE TRANSLATION P-code mnemonics interpreted by msvbvm60.dll handler13: ExitProcHresult ... handler14: ExitProc ... handler15: ExitProcI2 ... ... FC C8 13 76 ...

39. DYNAMIC ANALYSIS

40. DECOMPILATION