dirtbox a x86 windows emulator
play

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, - PowerPoint PPT Presentation

Jul 28, 2023 •346 likes •604 views

dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team Motivation & System Overview Why not just use CWSandbox, Anubis, Normans , JoeBox , Malware are Analys lysis is Sandbox Solutions

  1. dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team

  2. Motivation & System Overview Why not just use CWSandbox, Anubis, Norman‘s , JoeBox , …

  3. Malware are Analys lysis is Sandbox Solutions utions  VMWare „ Rootkits “  CWSandbox  JoeBox  ThreatExpert  zBox  …  Norman Sandbox  Anubis 2010-07-11 REcon 2010, Montreal

  4. Malware are Detection tion Emulat lator ors (A/V) V)  Most serious A/V solutions have one  API level emulation  Often pure software emulators  Detection by  Unimplented APIs  Heap Layout, SEH handling , …  … 2010-07-11 REcon 2010, Montreal

  5. Det etection ction by by API Side-Ef Effects ects  Functions containing try { in VS C++ share code  Epilogue is always the same  Uses sequence push ecx / ret to return to caller  The ecx register belongs to the called function by definition, so it is undefinde upon API return  The ecx value can be predicted because it will point to the API‘s ret  This breaks a lot of A/V emulators right away  There are some funny but trivially detected workarounds  Could be used for generic anti-emulation detection (use of undefined registers after SEH protected API calls)  Relies on the fact that the API‘s bytecode is not emulated 2010-07-11 REcon 2010, Montreal

  6. Syst stem em Overvie iew or or „A cat pooped into my my sandbo box and now I I have a a dirtbo tbox !“  System Call Layer Emulation of Windows  ntdll‘s native code is run inside virtual CPU Ring 0  Other libraries wrap around kernel32 which wraps malware.exe ntdll around ntdll  Malware issuing system calls directly supported 2010-07-11 REcon 2010, Montreal

  7. libcpu Custom x86 Basic Block Level Virtualization

  8. libcpu pu Overvie iew  Software emulation of x86 bytecode is too slow  A lot of additional code, such as ntdll & kernel32  Existing Virtualization solutions are too powerful  Implementing their own MMU, support for privileged instructions  We want instruction level introspection  Homebrew x86 virtualization based on LDT 2010-07-11 REcon 2010, Montreal

  9. x86 Memory y Views Physical Logical Virtual 2010-07-11 REcon 2010, Montreal

  10. x86 Memory y View on Curren rent OS OS Physical Logical Virtual 2010-07-11 REcon 2010, Montreal

  11. x86 Segmentatio mentation  Global Descriptor Table  Allocated by Operating System  Shared among processes  Local Descriptor Table  Has to be allocated by the OS, too • SYS_modify_ldt • NtSetLdtEntries  Process specific, usually not present  Define 2 GB guest „ userland “ LDT segment 2010-07-11 REcon 2010, Montreal

  12. Rogue ue Code Executio ecution  Basic block level execution on host CPU  No instruction rewriting required (thanks to host MMU)  Basic block is terminated by  Control flow modifying instruction  Privileged instructions  Exception: Backward pointing jumps  Directly copy if points into same basic block  Enhanced loop execution speeds  Currently no code cache, could cache disassembly results (length of basic block) 2010-07-11 REcon 2010, Montreal

  13. Self-Mo Modifyi difying Code 2010-07-11 REcon 2010, Montreal

  14. libcpu pu Demo 2010-07-11 REcon 2010, Montreal

  15. dirtbox Or „The System Call Implementor‘s Sysiphus Tale“

  16. Why System em Call l Layer r Emulati lation on  System Calls mostly undocumented  Wine, ReactOS , …  We get a lot of genuine environment for free!  There is a fixed number of system calls but an unbound number of APIs (think third party DLLs)  Some malware uses system calls directly anyway  Less detectability by API side effects (because we run original bytecode) 2010-07-11 REcon 2010, Montreal

  17. Thing ngs s for Free: : PE Pa Parsing sing & & Loading ng (!)  Process startup handled mostly by new process  Creating process allocates new process: NtCreateProcess  Creates „ Section “ of new image & ntdll and maps into process, this requires kernel to parse section headers  Creates new Thread on Entry Point with APC in ntdll  ntdll!LdrInitializeThunk will relocate images if necessary, resolve imports recursively, invoke TLS and DLL startup routines and do magic (see demo).  All we have to implement is NtCreateSection & NtMapViewOfSection for SEC_IMAGE → we only need to parse PE‘s section headers! 2010-07-11 REcon 2010, Montreal

  18. Thing ngs s for free: : Accurat ate Heap Implemen ementa tatio tion  A lot of A/V emulators naturally come with their own guest heap allocator implementations  Some even do not put heap headers before blocks  Let alone arena structures , …  The Windows heap is implemented in ntdll  Interfacing the kernel with NtVirtualAlloc & NtVirtualFree  All protections like heap cookies are present  Fingerprinting other emulators:  Look at malloc(0)-8 , look for proper block header  Or overflow until the heap cookie and free 2010-07-11 REcon 2010, Montreal

  19. Thing ngs s for free: : Proper er SEH H Handli ling  Generate CONTEXT record from current CPU state  Jump to ntdll!KiUserExceptionDispatcher  ntdll will do proper SEH handling for us  Lookup current top of SEH chain in TEB  Walk list, invoke exception handlers with correct flags  Checking for SafeSEH structures etc.  Trivial detection for other emulators:  Link with SafeSEH header  Trigger exception with invalid handler registered  Check in UnhandledExceptionHandler 2010-07-11 REcon 2010, Montreal

  20. dirtbo tbox Demo 2010-07-11 REcon 2010, Montreal

  21. Conclusion & Future Work Let‘s use this for exploit development!

  22. Det etecting cting dirtbo tbox / Anti-Emu Emulati lation on  No leaked registers in Ring 0 transition except for eax  Need to provide proper return codes, esp. error codes  ntdll just cares about ≥ 0xc0000000 ; malware might look for specific error codes  Side effects on buffers etc., especially in error cases  Fill out IN OUT PDWORD Length in case of error?  Roll back system calls performing multiple things?  Tradeoff between detectability and performance 2010-07-11 REcon 2010, Montreal

  23. Future ure Work rk: Adding Tainting ting & SAT Checking ing  Already did Proof-of-Concept based on STP  Interleave static analysis into dynamic emulation  Look for interesting values (e.g. reads from network, date)  Do static forward data-flow analysis on usage  If used in conditional jumps, identify interesting values with a SAT Checker (there are better domain specific ways, but I‘m lazy)  Automatic reconstruction of network protocols (e.g. commands in IRC bots)  Identify specific trigger based behaviour  Identify Anti-Emulation behaviour 2010-07-11 REcon 2010, Montreal

  24. Questions? Thank You! georg.wicherski@kaspersky.com blog.oxff.net & securelist.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

dirtbox a x86/Windows dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global

dirtbox a x86/Windows dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global

dirtbox a x86/Windows dirtbox, a x86/Windows Emulator Georg Wicherski Virus Analyst, Global Research and Analysis Team BlackHat USA, 2010-07-29 Motivation & System Overview Motivation & System Overview Why not just use CWSandbox,

548 views • 28 slides
Emulator for OpenVMS on Windows Platform Introduction of Charon-VAX, possibilities,

Emulator for OpenVMS on Windows Platform Introduction of Charon-VAX, possibilities,

Emulator for OpenVMS on Windows Platform Introduction of Charon-VAX, possibilities, configuration and use. Why a VAX Emulator? Hardware is end-of-life and failing Service costs have increased significantly Application rewriting

485 views • 27 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
1 Gbps and 10 Gbps IP WAN Link Emulator - IPLinkSim Single Stream IP WAN Link Emulator 818

1 Gbps and 10 Gbps IP WAN Link Emulator - IPLinkSim Single Stream IP WAN Link Emulator 818

1 Gbps and 10 Gbps IP WAN Link Emulator - IPLinkSim Single Stream IP WAN Link Emulator 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website:

620 views • 27 slides
1 Gbps and 10 Gbps WAN Emulator IPNetSim Multi Stream IP WAN Emulator 818 West Diamond

1 Gbps and 10 Gbps WAN Emulator IPNetSim Multi Stream IP WAN Emulator 818 West Diamond

1 Gbps and 10 Gbps WAN Emulator IPNetSim Multi Stream IP WAN Emulator 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com

806 views • 27 slides
RD53A Emulator and 64b/66b Serial Link Status Lev Kurilenko (levkur@uw.edu) University of

RD53A Emulator and 64b/66b Serial Link Status Lev Kurilenko (levkur@uw.edu) University of

RD53A Emulator and 64b/66b Serial Link Status Lev Kurilenko (levkur@uw.edu) University of Washington LBL Instrumentation Progress Meeting June 16 2017 1 Emulator Block Diagram Emulator fully implemented, except Tx block Rx

257 views • 11 slides
Converse BlueGene Emulator Gengbin Zheng Parallel Programming Lab 2/27/2001 1 Objective

Converse BlueGene Emulator Gengbin Zheng Parallel Programming Lab 2/27/2001 1 Objective

Converse BlueGene Emulator Gengbin Zheng Parallel Programming Lab 2/27/2001 1 Objective Completely rewritten the previous Charm++ Blue Gene emulator; Bluegene emulator for architecture studying (PetaFLOPS computers);

337 views • 11 slides
FE Software Emulator Progress Nikola Whallon University of Washington April 14, 2017, LBNL

FE Software Emulator Progress Nikola Whallon University of Washington April 14, 2017, LBNL

FE Software Emulator Progress Nikola Whallon University of Washington April 14, 2017, LBNL Instrumentation Meeting 1 / 12 Current Emulator Flow Chart a lot of work has gone into refactoring the emulator to expand functionality and flexibility

335 views • 12 slides
Hit Finding Emulator Summary : Something about the module Integrations into

Hit Finding Emulator Summary : Something about the module Integrations into

Hit Finding Emulator Summary : Something about the module Integrations into DualDescriptor_weihao branch Results To Do 1 / 12 Something about the module A wrapper contains the emulator and a FIFO to cross the clock domain. The hit

385 views • 12 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
MFR Emulator 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784

MFR Emulator 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784

MFR Emulator 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: gl-info@gl.com Website: http://www.gl.com 1 1 MFR Emulator Working Principle Multi-Link Frame Relay Emulation

526 views • 19 slides
Computational Computational Thinkers: The Thinkers: The Emulator Example Emulator Example

Computational Computational Thinkers: The Thinkers: The Emulator Example Emulator Example

Computational Computational Thinkers: The Thinkers: The Emulator Example Emulator Example (Based on Clark and Grush Grush) ) (Based on Clark and 1 Realism about Computational Thinkers: The claim that the human brain and CNS, in at least

495 views • 33 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of programs run inside a sandbox is entirely isolated from resources outside the sandbox's authority. However, due to practical requirements, sandboxing

1.9k views • 164 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime

Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime

Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime Motives Tactics Money Spam Thuggery DDoS Espionage Targeted attacks Money Proxies Phishing

295 views • 13 slides
Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1

Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1

Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1 Introduction Malicious Logic: a set of instructions that cause violation of security policy Idea taken from Troy: to breach an impenetrable

1.3k views • 109 slides
Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems Engineer, Cloudflare Outline 1. HTTPS Interceptors and How to Find Them: Common sources of MITM (Monsters in the Middle). 2. A technique for

701 views • 37 slides
Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil,

Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil,

Spam Prevention using Spam Prevention using Access Code (AC) Access Code (AC) Akhtar H Khalil, David J. Parish Akhtar H Khalil, David J. Parish a.h.khalil@lboro.ac.uk , , d.j.parish@lboro.ac.uk d.j.parish@lboro.ac.uk a.h.khalil@lboro.ac.uk

630 views • 18 slides
Database Security Catalin Bidian University of Toronto November 10, 2010 November 10, 2010

Database Security Catalin Bidian University of Toronto November 10, 2010 November 10, 2010

CCT395, Week 10 Database Security Catalin Bidian University of Toronto November 10, 2010 November 10, 2010 CCT395F 1 Database Security Main Objectives 1. Confidentiality (aka Secrecy): a. Data must be kept private b. Information

460 views • 45 slides
Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is

Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is

Trends in Malware DRAFT OUTLINE Wednesday, October 10, 12 Presentation Synopsis Security is often a game of cat and mouse as security professionals and attackers each vie to stay one step ahead of the other. In this race for dominance,

316 views • 17 slides

More recommend