SLIDE 1

dirtbox, a x86/Windows Emulator

Georg Wicherski, Virus Analyst, Global Research and Analysis Team

BlackHat USA, 2010-07-29

SLIDE 2

Motivation & System Overview

Why not just use CWSandbox, Anubis, Norman's, JoeBox, …

SLIDE 3

Malware Analysis Sandbox Solutions

(Diagram: VMWare "Rootkits"; CWSandbox, JoeBox, ThreatExpert, zBox, Norman Sandbox, Anubis, …)

2010-07-29 BlackHat USA 2010, Las Vegas

SLIDE 4

Malware Detection Emulators (A/V)

Most serious A/V solutions have one
  • API level emulation
  • Often pure software emulators

Detection by
  • Unimplemented APIs
  • Heap layout, SEH handling, …

SLIDE 5

Detection by API Side-Effects

Functions containing try { in VS C++ share code
  • Epilogue is always the same
  • Uses sequence push ecx / ret to return to caller
  • The ecx register belongs to the called function by definition, so it is undefined upon API return
  • The ecx value can be predicted because it will point to the API's ret

This breaks a lot of A/V emulators right away
  • There are some funny but trivially detected workarounds
  • Could be used for generic anti-emulation detection (use of undefined registers after SEH protected API calls)

Relies on the fact that the API's bytecode is not emulated

SLIDE 6

System Overview or "A cat pooped into my sandbox and now I have a dirtbox!"

System Call Layer Emulation of Windows
  • ntdll's native code is run inside virtual CPU
  • Other libraries wrap around kernel32, which wraps around ntdll
  • Malware issuing system calls directly supported

(Diagram: malware.exe, ntdll, Ring 0)

SLIDE 7

libcpu

Custom x86 Basic Block Level Virtualization

SLIDE 8

libcpu Overview

Software emulation of x86 bytecode is too slow
  • A lot of additional code, such as ntdll & kernel32

Existing virtualization solutions are too powerful
  • Implementing their own MMU, support for privileged instructions
  • We want instruction level introspection

Homebrew x86 virtualization based on LDT

SLIDE 9

x86 Memory Views

(Diagram: Logical, Virtual, Physical address spaces)

SLIDE 10

x86 Memory View on Current OS

(Diagram: Logical, Virtual, Physical address spaces)

SLIDE 11

x86 Segmentation

Global Descriptor Table
  • Allocated by Operating System
  • Shared among processes

Local Descriptor Table
  • Has to be allocated by the OS, too
    • SYS_modify_ldt
    • NtSetLdtEntries
  • Process specific, usually not present

Define 2 GB guest "userland" LDT segment

SLIDE 12

Rogue Code Execution

Basic block level execution on host CPU
  • No instruction rewriting required (thanks to host MMU)

Basic block is terminated by
  • Control flow modifying instruction
  • Privileged instructions

Exception: Backward pointing jumps
  • Directly copy if points into same basic block
  • Enhanced loop execution speeds

Currently no code cache, could cache disassembly results (length of basic block)

SLIDE 13

Self-Modifying Code

SLIDE 14

libcpu Demo

SLIDE 15

libscizzle

Or "libx86shellcodedetection" if you prefer…

SLIDE 16

Shellcode Detection

Simple Approach: Brute-force over byte buffer
  • If n valid instructions can be executed from there, assume we found valid shellcode

Pre-filter buffers: Scan for "GetPC" sequences

1. Find GetPC opcode candidates: 89, a3, d9, e8
  • mov r/m32, r32 or mov r/m32, eax → SEH based GetPC
  • fstenv
  • call rel32

2. Check for valid memory operands or FS prefix
  • Require fstenv operand to be esp relative
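The GetPC pre-filter from this slide, as an added Python example that is not libscizzle's own code: it scans a buffer at every offset for the three GetPC families listed above (call rel32 landing on a pop, fnstenv with an esp-relative operand, and a mov into fs:[0] under an FS prefix). The exact validity rules and the sample bytes are my own constructed assumptions, not the slide's.

```python
POP_R32 = range(0x58, 0x60)  # pop eax .. pop edi

def _call_pop(buf: bytes, i: int) -> bool:
    """e8 rel32 whose target lies inside the buffer and starts with pop r32."""
    if buf[i] != 0xE8 or i + 5 > len(buf):
        return False
    target = i + 5 + int.from_bytes(buf[i + 1:i + 5], "little", signed=True)
    return 0 <= target < len(buf) and buf[target] in POP_R32

def _fstenv_esp(buf: bytes, i: int) -> bool:
    """d9 /6 (fnstenv) with an esp-based SIB operand, e.g. fnstenv [esp-0xc]."""
    if buf[i] != 0xD9 or i + 2 >= len(buf):
        return False
    m = buf[i + 1]  # ModR/M: reg field must be /6, memory operand, rm=100 (SIB)
    if (m >> 3) & 7 != 6 or m >> 6 == 3 or m & 7 != 4:
        return False
    sib = buf[i + 2]
    return (sib >> 3) & 7 == 4 and sib & 7 == 4  # index=none, base=esp

def _fs_mov(buf: bytes, i: int) -> bool:
    """64 89 /r or 64 a3 moffs32 storing a register into fs:[0] (SEH chain head)."""
    if buf[i] != 0x64 or i + 1 >= len(buf):
        return False
    op = buf[i + 1]
    if op == 0xA3:  # mov moffs32, eax with absolute address 0
        return buf[i + 2:i + 6] == b"\x00" * 4
    if op == 0x89 and i + 2 < len(buf):  # mov r/m32, r32 with [disp32] form
        m = buf[i + 2]
        return m >> 6 == 0 and m & 7 == 5 and buf[i + 3:i + 7] == b"\x00" * 4
    return False

def getpc_candidates(buf: bytes) -> list[tuple[int, str]]:
    """Brute force over every offset, since shellcode can start anywhere."""
    hits = []
    for i in range(len(buf)):
        if _call_pop(buf, i):
            hits.append((i, "call/pop"))
        elif _fstenv_esp(buf, i):
            hits.append((i, "fstenv"))
        elif _fs_mov(buf, i):
            hits.append((i, "seh"))
    return hits

# Constructed buffer: three classic GetPC stubs amid filler, plus one call whose
# target falls outside the buffer and therefore must not match.
SAMPLE = (b"\x41" * 8 + b"\xe8\x00\x00\x00\x00\x5b"          # call $+5 ; pop ebx
          + b"\x90" * 4 + b"\xd9\xee\xd9\x74\x24\xf4\x5b"    # fldz ; fnstenv [esp-0xc] ; pop ebx
          + b"\x90" * 4 + b"\x64\x89\x25\x00\x00\x00\x00"    # mov fs:[0], esp
          + b"\x90" * 4 + b"\xe8\x10\x20\x30\x40")           # call far outside the buffer
```

Each hit is only a candidate; as the slide says, the expensive step (executing n instructions from the offset) runs only on buffers that pass this filter.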
SLIDE 17

Free Shellcode Detector: http://code.mwcollect.org/libscizzle
Free Shellcode Emulator: http://libemu.carnivore.it/

SLIDE 18

libscizzle Demo

SLIDE 19

dirtbox

Or "The System Call Implementor's Sisyphus Tale"

SLIDE 20

Why System Call Layer Emulation

System Calls mostly undocumented
  • Wine, ReactOS, …

We get a lot of genuine environment for free!

There is a fixed number of system calls but an unbound number of APIs (think third party DLLs)

Some malware uses system calls directly anyway

Less detectability by API side effects (because we run original bytecode)

SLIDE 21

Things for Free: PE Parsing & Loading (!)

Process startup handled mostly by new process
  • Creating process allocates new process: NtCreateProcess
  • Creates "Section" of new image & ntdll and maps into new process; this requires kernel to parse section headers
  • Creates new Thread on Entry Point with APC in ntdll
  • ntdll!LdrInitializeThunk will relocate images if necessary, resolve imports recursively, invoke TLS and DLL startup routines and do magic (see demo).

All we have to implement is NtCreateSection & NtMapViewOfSection for SEC_IMAGE → we only need to parse PE's section headers!
SLIDE 22

Things for free: Accurate Heap Implementation

A lot of A/V emulators naturally come with their own guest heap allocator implementations
  • Some even do not put heap headers before blocks
  • Let alone arena structures, …

The Windows heap is implemented in ntdll
  • Interfacing the kernel with NtVirtualAlloc & NtVirtualFree
  • All protections like heap cookies are present

Fingerprinting other emulators:
  • Look at malloc(0)-8, look for proper block header
  • Or overflow until the heap cookie and free

SLIDE 23

Things for free: Proper SEH Handling

Generate CONTEXT record from current CPU state
Jump to ntdll!KiUserExceptionDispatcher
ntdll will do proper SEH handling for us
  • Lookup current top of SEH chain in TEB
  • Walk list, invoke exception handlers with correct flags
  • Checking for SafeSEH structures etc.

Trivial detection for other emulators:
  • Link with SafeSEH header
  • Trigger exception with invalid handler registered
  • Check in UnhandledExceptionHandler

SLIDE 24

dirtbox Demo

SLIDE 25

Conclusion & Future Work

Let's use this for exploit development!

SLIDE 26

Detecting dirtbox / Anti-Emulation

No leaked registers in Ring 0 transition except for eax

Need to provide proper return codes, esp. error codes
  • ntdll just cares about ≥ 0xc0000000; malware might look for specific error codes

Side effects on buffers etc., especially in error cases
  • Fill out IN OUT PDWORD Length in case of error?
  • Roll back system calls performing multiple things?

Tradeoff between detectability and performance

SLIDE 27

Future Work: Adding Tainting & SAT Checking

Already did Proof-of-Concept based on STP

Interleave static analysis into dynamic emulation
  • Look for interesting values (e.g. reads from network, date)
  • Do static forward data-flow analysis on usage
  • If used in conditional jumps, identify interesting values with a SAT Checker (there are better domain specific ways, but I'm lazy)

Automatic reconstruction of network protocols (e.g. commands in IRC bots)

Identify specific trigger based behaviour

Identify Anti-Emulation behaviour

SLIDE 28

Questions? Thank You!

georg.wicherski@kaspersky.com
blog.oxff.net & securelist.com