Malware analysis environment for 64 bit Windows, Mauritius 2016 (PowerPoint presentation)

SLIDE 1

Malware analysis environment for 64 bit Windows

Mauritius 2016 FIRST TC Hiroshi Suzuki Internet Initiative Japan Inc.

SLIDE 2

Who am I?

  • Hiroshi Suzuki, from “Internet Initiative Japan Inc.”, “IIJ” for short.
    – IIJ is a Japanese ISP (the first commercial ISP in Japan).
  • I’m a member of a CSIRT team called “IIJ-SECT”.
    – I’m a malware and forensics analyst for our customers and our company.
    – Our jobs include:
      • Malware analysis
      • Forensic investigation
      • Incident response and handling
      • Developing and operating honeypot and web crawler systems
      • Surveying malware and attack technique trends
      • Hands-on trainer, speaker
        – Including Black Hat, FIRST, internal lectures for the Japanese government and so on.
      • Writing reports for our quarterly report (called “IIR”) and blogs

SLIDE 3

What is malware analysis?

SLIDE 4

What is Malware Analysis?

  • It reveals malware behavior by combining the methods below.
    – Surface analysis
    – Dynamic analysis (runtime analysis, black box analysis)
    – Static analysis (white box analysis, reverse (code) engineering, reversing…)
  • Terms and definitions are not fixed.
    – Sometimes surface analysis is included in static analysis.
  • There is public source analysis as well (in other words, googling ;-)).

SLIDE 5

What is Malware Analysis?

  • Each kind of analysis is related to the others.

(Diagram: Surface Analysis, Dynamic Analysis, Static Analysis, Public Source Analysis)

SLIDE 6

Why do I focus on 64 bit Windows?

SLIDE 7

Why do I focus on 64 bit Windows?

  • There are a lot of tools for 32 bit Windows.
    – Many web sites and books introduce 32 bit tools.
  • But tools for 64 bit were a different story until recently.
    – Now it’s turning for the better.
    – So it’s worth researching, because we are in the period of transition from 32 bit to 64 bit.
  • And recent malware comes with both binaries.
    – Sometimes you will need to analyze 64 bit malware if the infected machine runs 64 bit Windows.

SLIDE 8

Surface analysis

SLIDE 9

Surface analysis tools

  Tool name     32  64  Description
  CFF Explorer  ○   ○   PE editor, viewer
  PE Studio     ○   ○   PE viewer
  StudPE        ○   ○   PE editor, viewer
  PE Insider    ○   ○   PE viewer
  pefile        ○   ○   Python PE editor, viewer

  “64” means that the tool can handle PE32+, the 64 bit PE format.
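The “64” column above comes down to one header field. As an added example (not code from the slides or from any of the listed tools), the following Python script reads the DOS and NT headers of a PE with only the standard library and reports whether the file is PE32 or PE32+, along with the fields a surface analysis tool such as CFF Explorer or pefile would show. The two minimal headers it parses are constructed inside the script and are not real samples.

```python
"""Added example (not from the slides): classify a PE file as PE32 or PE32+
using only the standard library, reading the same header fields a surface
analysis tool such as CFF Explorer or pefile displays.

Two minimal PE headers are constructed inline as sample input; they are not
real malware and contain only the fields this script reads."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B

MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def classify_pe(data: bytes) -> dict:
    """Return machine type, PE32/PE32+ format, ImageBase and section count.

    Raises ValueError on anything that is not a well-formed PE header, so a
    caller can tell 'not a PE' apart from a successful parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the NT headers.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, n_sections, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    # The optional header Magic, not the Machine field, decides the PE format:
    # PE32 has a 32 bit ImageBase at offset 28 (after BaseOfData), PE32+ a
    # 64 bit ImageBase at offset 24 (there is no BaseOfData field).
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        fmt = "PE32"
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        fmt = "PE32+"
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "format": fmt,
        "image_base": image_base,
        "sections": n_sections,
        "dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
    }


def build_sample(is64: bool) -> bytes:
    """Constructed minimal header (DOS stub + NT headers), just enough for classify_pe."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    if is64:
        machine, magic, opt_size = IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR64_MAGIC, 240
        optional = struct.pack("<H", magic) + b"\0" * 22 + struct.pack("<Q", 0x140000000)
    else:
        machine, magic, opt_size = IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC, 224
        optional = struct.pack("<H", magic) + b"\0" * 26 + struct.pack("<I", 0x400000)
    optional = optional.ljust(opt_size, b"\0")
    # Characteristics 0x0002 = IMAGE_FILE_EXECUTABLE_IMAGE, three sections claimed.
    file_hdr = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, opt_size, 0x0002)
    return dos + b"PE\0\0" + file_hdr + optional


if __name__ == "__main__":
    for is64 in (False, True):
        print(classify_pe(build_sample(is64)))
```

Note that the format is decided by the optional header Magic (0x10B or 0x20B), not by the Machine field; a tool that only looks at Machine, or that assumes the 32 bit ImageBase offset, reads garbage from a PE32+ header, which is the kind of breakage the “×” entries in the tables that follow refer to.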

SLIDE 10

Surface analysis tools

SLIDE 11

Surface analysis tools

SLIDE 12

Surface analysis tools

SLIDE 13

Dynamic analysis

SLIDE 14

Dynamic analysis tools

  • System monitoring tools

  Tool name           32  64  Description
  Sysinternals suite  ○   ○   Procmon, Sysmon, Process Explorer…
  Process Hacker      ○   ○   Monitoring process activities
  API Monitor         ○   ○   Monitoring APIs
  Fakenet             ○   ○   Internet emulator / packet capture
  Fakenet-NG          ○   ○   Internet emulator / packet capture
  Wireshark           ○   ○   Packet capture / analyzer
  regshot             ○   ○   Monitoring registry, file activities
  Capture-BAT         ○   ×   Monitoring registry, file activities

SLIDE 15

Dynamic analysis tools

  • Process Monitor (Procmon)
    – It can monitor:
      • Process activities
      • File activities
      • Registry activities
      • Network activities

SLIDE 16

Dynamic analysis tools

  • Process Explorer
    – It is a high-functionality version of Task Manager. It can visualize:
      • Process tree
      • Handles
      • DLLs
      • Threads
      • TCP/IP
      • Strings (file/memory)
    – And it has the ability:
      • To kill/suspend/restart processes
      • To dump memory

SLIDE 17

Dynamic analysis tools

  • Process Hacker
    – It is similar to Process Explorer. In addition, this tool can read/write memory regions and dump them.
      • It is useful when I analyze malware that uses the process hollowing technique.

SLIDE 18

Dynamic analysis tools

  • API Monitor
    – It can monitor, and pause on by setting breakpoints, over 2,000 APIs, including COM-related APIs.

SLIDE 19

Dynamic analysis tools

  • Fakenet-NG
    – Internet emulator
      • Maintained by FireEye (FLARE team)
      • It redirects the malware’s communications to itself and records the host names and/or IP addresses of the C2 servers and the content of the traffic.
      • It has a packet capture feature as well.

SLIDE 20

Dynamic analysis tools

  • Debugger

  Tool name          32  64  Description
  OllyDbg            ○   ×   A 64 bit version has been in development, but it has not been released for over two years. Very slow pace.
  Immunity Debugger  ○   ×   There is only an internal version for 64 bit?
  x64dbg             ○   ○   New de facto standard?
  IDA Pro            ○   ○   Commercial debugger / disassembler. Actually, its 64 bit Windows debugger is a wrapper around WinDbg.
  WinAppDbg          ○   ○   Python command line debugger
  WinDbg             ○   ○   Microsoft’s own debugger

SLIDE 21

Dynamic analysis tools

  • x64dbg
    – This debugger has a similar look and feel to OllyDbg.
    – It is updated frequently (weekly, or nearly daily).
    – It is superior to OllyDbg in that it:
      • Can handle 64 bit binaries.
      • Has a memory breakpoint on execution.
      • Has a decompiler.
      • Can display a graphical code flow.

SLIDE 22

Dynamic analysis tools

  • Debugger plugins

  Tool name     32  64  Description
  OllyDump      ○   ×   PE dumper for unpacking
  OllyDumpEx    ○   ○   PE dumper for unpacking
  StrongOD      ○   ×   Hide OllyDbg
  HideDebugger  ○   ×   Hide OllyDbg
  ScyllaHide    ○   ○   Hide debugger
  TitanHide     ○   ○   Hide debugger
  OllyMigrate   ○   ○   Debugger migration
  Labeless      ○   ○   Debugger collaboration (IDA Pro and others) for labels and comments
  ret-sync      ○   ○   Debugger collaboration (IDA Pro and others) for syncing the EIP position

SLIDE 23

Dynamic analysis tools

  • OllyDumpEx
    – This is a PE dumper based on OllyDump.
    – It is useful for unpacking binaries protected by container (cryptor) type packers.
    – It is also useful for “turbo unpacking”: it can search for PE images in memory regions and heap chunks.
    – It supports many debuggers:
      • OllyDbg v1/v2
      • Immunity Debugger
      • x64dbg
      • WinDbg
      • IDA Pro
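What “search for PE images in memory regions” involves, as an added example that is neither OllyDumpEx’s code nor from the slides: scan a buffer standing in for a process’s memory for MZ/PE headers, validate each candidate, and carve SizeOfImage bytes for it. The buffer (padding with a stray “MZ”, one PE32+ image, one PE32 image) is constructed in the script and is not a real process dump; the section-table fixup a real dumper performs after carving is mentioned in a comment but not implemented.

```python
"""Added example (not from the slides, and not OllyDumpEx's own code): the core
of the 'search PE image in memory' step of a memory dumper.

Given bytes that stand in for a read of a process's memory regions, find every
candidate PE header (an MZ stub whose e_lfanew points at a PE signature with a
valid optional-header Magic) and report where it lies and how many bytes
SizeOfImage says to carve. The sample buffer is constructed inline."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def find_pe_images(mem: bytes, max_image: int = 0x10000000):
    """Yield (offset, format, size_of_image) for each plausible PE header in mem."""
    pos = mem.find(b"MZ")
    while pos != -1:
        hit = _check_header(mem, pos, max_image)
        if hit is not None:
            yield hit
        pos = mem.find(b"MZ", pos + 1)


def _check_header(mem: bytes, pos: int, max_image: int):
    # Every 'MZ' in memory is a candidate and most are false positives, so each
    # structural field is validated before the offset is reported.
    if pos + 0x40 > len(mem):
        return None
    (e_lfanew,) = struct.unpack_from("<I", mem, pos + 0x3C)
    nt = pos + e_lfanew
    # e_lfanew is normally small; a huge value means a random 'MZ' inside data.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or nt + 24 + 60 > len(mem):
        return None
    if mem[nt:nt + 4] != b"PE\0\0":
        return None
    (magic,) = struct.unpack_from("<H", mem, nt + 24)   # optional header Magic
    if magic == PE32_MAGIC:
        fmt = "PE32"
    elif magic == PE32PLUS_MAGIC:
        fmt = "PE32+"
    else:
        return None
    # SizeOfImage sits at offset 56 of the optional header in both layouts.
    (size_of_image,) = struct.unpack_from("<I", mem, nt + 24 + 56)
    if size_of_image == 0 or size_of_image > max_image:
        return None
    return pos, fmt, size_of_image


def carve(mem: bytes, hit) -> bytes:
    """Copy SizeOfImage bytes starting at the header (truncated at the buffer end).
    A real dumper then rewrites the section table so raw offsets and sizes match
    the in-memory layout before the dump will load; that step is not shown."""
    offset, _fmt, size = hit
    return mem[offset:offset + size]


def _header(magic: int, size_of_image: int) -> bytes:
    """Constructed sample header: DOS stub, PE signature, file header, optional header."""
    opt = struct.pack("<H", magic).ljust(56, b"\0") + struct.pack("<I", size_of_image)
    opt = opt.ljust(240, b"\0")
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 2)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    return dos + b"PE\0\0" + file_hdr + opt


def build_sample_memory() -> bytes:
    """A fake heap: junk containing a stray 'MZ', then a PE32+ image, then a PE32 image."""
    junk = b"\x90" * 0x200 + b"MZ\xff\xff" + b"\x90" * 0x200   # stray MZ, no PE behind it
    img64 = _header(PE32PLUS_MAGIC, 0x3000).ljust(0x3000, b"\xcc")
    img32 = _header(PE32_MAGIC, 0x1000).ljust(0x1000, b"\xcc")
    return junk + img64 + b"\0" * 0x100 + img32 + b"\0" * 0x100


if __name__ == "__main__":
    mem = build_sample_memory()
    for hit in find_pe_images(mem):
        print("PE image at 0x%x (%s), SizeOfImage 0x%x, carved %d bytes"
              % (hit[0], hit[1], hit[2], len(carve(mem, hit))))
```

The validation order matters in practice: checking e_lfanew and the PE signature before reading the optional header keeps the scanner from reporting every “MZ” that happens to occur in data or code, and the SizeOfImage sanity bound stops a corrupted header from requesting a multi-gigabyte carve.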

SLIDE 24

Dynamic analysis tools

  • OllyMigrate
    – It can move a debugging session from one debugger to another without restarting the target process in the middle of debugging.
    – It is useful for dealing with anti-debugging.
      • E.g. after I defeat the anti-debugging tricks with a debugger that has anti-anti-debugging plugins, I can move the process to another debugger like IDA Pro and continue debugging there.
    – It supports many debuggers:
      • OllyDbg v1/v2
      • Immunity Debugger
      • x64dbg
      • WinDbg
      • IDA Pro

SLIDE 25

Dynamic analysis tools

  • ScyllaHide
    – It is an anti-anti-debugging plugin.
    – It supports several debuggers:
      • OllyDbg v1/v2
      • x64dbg
      • IDA Pro

SLIDE 26

Dynamic analysis tools

  • ret-sync
    – It is a tool for collaboration between IDA and other debuggers.
      • It synchronizes the IDA disassembly view with the debugger’s EIP (RIP on 64 bit).

SLIDE 27

Dynamic analysis tools

  • Import reconstruction tools

  Tool name  32  64  Description
  ImpRec     ○   ×
  Scylla     ○   ○

  • PatchGuard disabler

  Tool name  Description
  DisPG      For Windows 7 SP1
  meow       For Windows 8.1

  (PatchGuard, Kernel Patch Protection, exists only on 64 bit Windows, which is why a disabler belongs in a 64 bit analysis environment.)

SLIDE 28

Dynamic analysis tools

  • Scylla
    – It is an IAT reconstructor.
    – It is based on ImpRec, but it can handle 64 bit binaries.
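What an IAT reconstructor does once it has located the table, as an added example that is neither Scylla’s code nor from the slides: walk a region of IAT entries using the pointer width of the target (4 bytes for PE32, 8 for PE32+), map each address back to an export of a loaded module, and group the names per DLL so an import directory can be rebuilt. The export map and the IAT bytes are constructed in the script with hypothetical addresses, and the “two zero entries end the table” rule is a simplification of the heuristics a real tool applies.

```python
"""Added example (not from the slides, and not Scylla's own code): the
resolution step of IAT reconstruction, pointer-width aware.

After an unpacked image is dumped its import directory is usually gone, but
the IAT, a table of absolute addresses of the imported functions, is still
filled in. An IAT rebuilder walks that table, maps each address back to an
exported function of a loaded module, and groups the results per DLL. The
export map and IAT below are constructed and use hypothetical addresses."""
import struct
from collections import OrderedDict


def walk_iat(iat: bytes, exports: dict, is64: bool):
    """Resolve the entries of an IAT region.

    iat      raw bytes read from the dumped image at the suspected IAT start
    exports  {absolute address: (dll name, export name)} for loaded modules
    is64     True for PE32+ (8 byte entries), False for PE32 (4 byte entries)

    Returns an ordered {dll: [export name, ...]} and the number of entries
    consumed, so the caller knows where the table ended."""
    width, fmt = (8, "<Q") if is64 else (4, "<I")
    resolved = OrderedDict()
    consumed = 0
    for off in range(0, len(iat) - width + 1, width):
        (ptr,) = struct.unpack_from(fmt, iat, off)
        consumed += 1
        if ptr == 0:
            # A zero terminates one DLL's thunk list; two in a row are taken
            # as the end of the whole IAT (simplified heuristic, an assumption).
            if off + width < len(iat) and struct.unpack_from(fmt, iat, off + width)[0] == 0:
                break
            continue
        if ptr not in exports:
            # Not a known export: treat as the end of the table.
            break
        dll, name = exports[ptr]
        resolved.setdefault(dll, []).append(name)
    return resolved, consumed


def build_sample(is64: bool):
    """Constructed sample: a fake export map and an IAT that references it."""
    base = 0x7FF800000000 if is64 else 0x76000000
    exports = {
        base + 0x1000: ("kernel32.dll", "VirtualAlloc"),
        base + 0x1230: ("kernel32.dll", "CreateFileW"),
        base + 0x20000: ("ntdll.dll", "NtQueryInformationProcess"),
        base + 0x31000: ("ws2_32.dll", "connect"),
    }
    fmt = "<Q" if is64 else "<I"
    # Three DLL thunk lists, each null-terminated, then garbage after the table.
    entries = [base + 0x1000, base + 0x1230, 0,
               base + 0x20000, 0,
               base + 0x31000, 0,
               0, 0xDEADBEEF]
    iat = b"".join(struct.pack(fmt, e) for e in entries)
    return iat, exports


if __name__ == "__main__":
    for is64 in (False, True):
        iat, exports = build_sample(is64)
        print("PE32+" if is64 else "PE32", dict(walk_iat(iat, exports, is64)[0]))
```

Running the 64 bit table through the 32 bit walker resolves nothing, because each 8 byte pointer is read as two 4 byte values that match no export; that is the concrete reason a 32 bit only tool such as ImpRec cannot rebuild the imports of a PE32+ dump.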

SLIDE 29

Static analysis

SLIDE 30

Static analysis tools

  • Disassembler

  Tool name  32  64  Description
  IDA Pro    ○   ○   De facto standard disassembler

  • Disassembler plugins

  Tool name      32  64  Description
  Findcrypt      ○   ×   Find cryptographic algorithms
  IDA Sigsrch    ○   ○   Find cryptographic algorithms
  CrowdDetox     ○   ×   Code de-obfuscation
  ClassInformer  ○   ○   Find C++ classes
  BinDiff        ○   ○   Binary diffing
  Turbodiff      ○   ×   Binary diffing

SLIDE 31

Static analysis tools

  • IDA Pro
    – It is the one and only disassembler in the world.
      • Of course I know there are many disassemblers in the wild, but IDA Pro is head and shoulders above the others.
      • It can handle 64 bit binaries (commercial version only).
    – Its 64 bit Windows debugger is a wrapper around WinDbg.
    – It has a lot of abilities:
      • It can display a GUI-based code flow graph.
      • It has a cross reference feature.
      • It can rename functions and variables.
      • It can reconstruct C structures, enumerations (ENUM) and function types.
        – IDA includes many predefined Windows structures, enumerations and types by default.
      • It has scripting (IDC, Python) to automate analysis and debugging tasks.
      • It has a decompiler plugin (Hex-Rays).

SLIDE 32

Static analysis tools

  • BinDiff
    – It is a binary diffing tool provided as a plugin for IDA Pro.
      • It was a commercial tool, but now it’s free.
    – It is a useful tool for analyzing variants.
      • It can show the differences between variants, and it can import/export comments and names between the two databases.

https://www.zynamics.com/bindiff.html

SLIDE 33

Conclusion

  • Newer tools, and existing tools that are updated continuously, can handle 64 bit binaries.
    – Now you can analyze 64 bit malware in a 64 bit environment.
  • But some tools, especially reverse engineering tools, still can’t handle 64 bit binaries.
    – Sometimes we might experience a tough situation in a reverse engineering task.

SLIDE 34

That’s it!

Any questions?

Twitter: @herosi_t