position independent code analysis
play

Position-Independent Code Analysis Problem Aleksandr Matrosov - PowerPoint PPT Presentation

Oct 25, 2022 •298 likes •1.2k views

Reconstructing Gapz: Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov @vxradius Outline of The Presentation Gapz: dropper exploprer.exe code injection trick Gapz: bootkit Classification

  1. Reconstructing Gapz: Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov @vxradius

  2. Outline of The Presentation  Gapz: dropper  exploprer.exe code injection trick  Gapz: bootkit  Classification of modern bootkits  New VBR bootkit technique  Gapz: payload  Hidden file system implementation  Disk hooks and Hooking engine  NDIS, TCP/IP stack implementation, HTTP protocol  C&C communications  Gapz: forensic approaches  HexRaysCodeXplorer

  3. Gapz: dropper

  4. PowerLoader Builder (since September 2012)

  5. PowerLoader Builder (since September 2012)

  6. Gapz Dropper Execution Stages Injecting into Local Privilege Infecting the stage 1 stage 2 explorer.exe Escalation system ( entry point ) ( icmnf ) ( isyspf )

  7. Bypassing HIPS with eplorer.exe Code Injection opens shared sections from \\BaseNamedObjects mapped into explorer.exe and writes shellcode

  8. Bypassing HIPS with eplorer.exe Code Injection The dropper searches for the window “ Shell_TrayWnd ”

  9. Bypassing HIPS with eplorer.exe Code Injection The dropper calls GetWindowLong() so as to get the address of the routine related to the “ Shell_TrayWnd ” window handler The dropper calls SetWindowLong() to modify “ Shell_TrayWnd ” window-related data

  10. Bypass HIPS with eplorer.exe Code Injection calls SendNotifyMessage() to trigger shellcode execution in explorer.exe address space arbitrary code execution in WndProc() of “ Shell_TrayWnd ”:

  11. Triggering Shellcode Execution SendNotifyMessage() transfers control to the address pointed to address points to the KiUserApcDispatcher() routine

  12. Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode

  13. Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode

  14. Triggering Shellcode Execution

  15. Gapz: bootkit

  16. Modern Bootkits Classification (BIOS based) Bootkits MBR VBR/IPL MBR Code Partition Table IPL Code BIOS Parameter modification modification modification Block modification TDL4 Olmasco Rovnix Gapz

  17. Gapz Bootkit Overview Gapz bootkit features:  hooks int 13h handler  patches modules: ntldr, bootmgr, winload.exe, kernel image to survive processor execution mode switching and kernel-mode code integrity checks Module Name Hooked Routine ntldr BlLoadBootDrivers bootmgr Archx86TransferTo32BitApplicationAsm winload.exe OslArchtransferToKernel ntoskrnl.exe IoInitSystem

  18. Gapz Bootkit Workflow Hook Int 13h handler Archx86TransferTo32BitApplicationAsm is hooked in bootmgr Bootmgr loads winload.exe Hook OslArchTransferToKernel in winload.exe Winload.exe loads kernel image Bootkit loads malicious Hook kernel-mode code and runs IoInitSystem in kernel image it in a new system thread

  19. Gapz VBR Bootkit Gapz VBR bootkit features:  Relies on Microsoft Windows VBR layout  The infections results in modifying only 4 bytes of VBR  The patched bytes might differ on various installations 0x1FE 0x000 0x003 0x054 0x19C 0x200 BIOS 0x55 VBR code Text Strings jmp Parameter 0xAA Block (BPB) transfer control

  20. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };

  21. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };

  22. Gapz BPB Modification NTFS Volume 0x200 0x1E00 IPL NTFS File System MBR VBR Number of “Hidden Sectors” before infection after infection Hard Drive NTFS Volume 0x200 0x1E00 Infected IPL NTFS File System Bootkit MBR VBR Modified value of number of “Hidden Sectors”

  23. Gapz: rootkit

  24. Gapz Rootkit Overview  Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms  Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism

  25. Gapz Rootkit Overview  Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms  Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism

  26. Gapz Kernel-mode Code Organization struct GAPZ_BASIC_BLOCK_HEADER { // A constant which is used to obtain addresses // of the routines implemented in the block unsigned int ProcBase; unsigned int Reserved[2]; // Offset to the next block unsigned int NextBlockOffset; // Offset of the routine performing block initialization unsigned int BlockInitialization; // Offset to configuration information // from the end of the kernel-mode module // valid only for the first block unsigned int CfgOffset; // Set to zeroes unsigned int Reserved1[2]; };

  27. Gapz Kernel-mode Code Blocks Block # Implemented Functionality General API, gathering information on the hard drives, CRT string routines and etc. 1 Cryptographic library: RC4, MD5, SHA1, AES, BASE64 and etc. 2 Hooking engine, disassembler engine. 3 Hidden Storage implementation. 4 Hard disk driver hooks, self-defense. 5 Payload manager. 6 Payload injector into processes’ user -mode address space. 7 Network communication: Data link layer. 8 Network communication: Transport layer. 9 Network communication: Protocol layer. 10 Payload communication interface. 11 Main routine. 12

  28. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “ \??\C:\System Volume Information\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX }”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV

  29. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “ \??\C:\System Volume Information\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX }”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV

  30. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “ \??\C:\System Volume Information\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX }”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV

  31. Gapz Crypto Library Implementation  Gapz crypto library functionality:  Hashing: MD5, SHA1  Symmetric ciphers: RC4, AES  Asymmetric cipher: ECC

  32. Gapz Self-Defence Mechanisms  Gapz hooks IRP_MJ_INTERNAL_DEVICE_CONTROL and IRP_MJ_DEVICE_CONTROL handlers to monitor:  IOCTL_SCSI_PASS_THROUGH  IOCTL_SCSI_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH  IOCTL_ATA_PASS_THROUGH_DIRECT  Gapz protects:  MBR/VBR from being read/overwritten  its image on the hard drive from being overwritten

  33. Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked ( nop; mov edi, edi ; etc.):

  34. Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked ( nop; mov edi, edi ; etc.):

  35. Gapz Code Injection Functionality Allocate Write payload Create remote memory buffer and loader code thread in the in target process into allocated target process address space buffer Loader code DLL loader EXE loader 1 (load/unload DLL modules) (run EXE modules) Command executer EXE loader 2 (call specific handler in DLL payload (run EXE modules) and pass necessary parameters)

  36. Gapz Payload Loader Code: DLL Loader & Command Executer unload load Load or unload? Map image into address Execute export #2 space Fix relocations and Release image memory initialize IAT Execute export #1

  37. Gapz Payload Loader Code: EXE Loaders EXE Loader 2 Create legitimate suspended EXE Loader 1 process (via CreateProcessAsUser) Drop payload image into %TEMP% directory Overwrite process image with the malicious one Execute CreateProcessW Set process thread context API according to malicious image Resume process thread

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien,

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien,

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien, Sebastian Porst zynamics GmbH CanSecWest 2009 Overview The REIL Language Abstract Interpretation MonoREIL Results 2 Motivation Bugs are

677 views • 52 slides
Independent Component Analysis Aleix M. Martinez aleix@ece.osu.edu Independent Component

Independent Component Analysis Aleix M. Martinez aleix@ece.osu.edu Independent Component

Machine Learning & Pattern Recognition Independent Component Analysis Aleix M. Martinez aleix@ece.osu.edu Independent Component Analysis Instead of minimizing the error, ICA seeks to find independent components of the data. x i ( t )

467 views • 5 slides
Position-Based Dynamics Analysis and Implementation Miles Macklin Analysis Position-Based

Position-Based Dynamics Analysis and Implementation Miles Macklin Analysis Position-Based

Position-Based Dynamics Analysis and Implementation Miles Macklin Analysis Position-Based Dynamics Very stable Highly damped Example Continuous Equations of Motion Newtons second law Will consider forces which we can

865 views • 82 slides
Machine Independent Code Optimizations Useless Code and Redundant Expression Elimination cs5363

Machine Independent Code Optimizations Useless Code and Redundant Expression Elimination cs5363

Machine Independent Code Optimizations Useless Code and Redundant Expression Elimination cs5363 1 Code Optimization Source Target IR IR optimizer Back end Front end program program (Mid end) compiler The goal of code

631 views • 34 slides
Assurance in in a Connected World Webinar 2 ISA WG position statement on Independent

Assurance in in a Connected World Webinar 2 ISA WG position statement on Independent

ISA Working Group 2020 Webinar Series (Webinar will commence at 11:05 am) Assurance in in a Connected World Webinar 2 ISA WG position statement on Independent Environment Assurance (IEA) and its relation to Independent Safety Assurance (ISA)

546 views • 30 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
Code Analysis Tools and Tips (How to make your code ROCK!) This Presentation is About About

Code Analysis Tools and Tips (How to make your code ROCK!) This Presentation is About About

Darryl Parks Code Analysis Tools and Tips (How to make your code ROCK!) This Presentation is About About Code Analysis, not Run-Time monitoring This Presentation is NOT about Performance Analysis T ools Profiling Jconsole or other

913 views • 48 slides
Introduction to Machine Learning 10701 Independent Component Analysis Barnabs Pczos &

Introduction to Machine Learning 10701 Independent Component Analysis Barnabs Pczos &

Introduction to Machine Learning 10701 Independent Component Analysis Barnabs Pczos & Aarti Singh Independent Component Analysis 2 Independent Component Analysis Model Observations (Mixtures) original signals ICA estimated signals

820 views • 47 slides
CS502: Compiler Design Syntax Analysis Manas Thakur Fall 2020 Where are we? Character stream

CS502: Compiler Design Syntax Analysis Manas Thakur Fall 2020 Where are we? Character stream

CS502: Compiler Design Syntax Analysis Manas Thakur Fall 2020 Where are we? Character stream Machine-Independent Machine-Independent Lexical Analyzer Lexical Analyzer Code Optimizer Code Optimizer B a c k e n d Intermediate

685 views • 51 slides
Independent Component Independent Component Analysis y Class 20. 8 Nov 2012 Instructor: Bhiksha

Independent Component Independent Component Analysis y Class 20. 8 Nov 2012 Instructor: Bhiksha

11-755 Machine Learning for Signal Processing Independent Component Independent Component Analysis y Class 20. 8 Nov 2012 Instructor: Bhiksha Raj 8 Nov 2012 11755/18797 1 A brief review of basic probability Uncorrelated: Two random

810 views • 78 slides
CS502: Compiler Design Lexical Analysis Manas Thakur Fall 2020 Lets get started Character

CS502: Compiler Design Lexical Analysis Manas Thakur Fall 2020 Lets get started Character

CS502: Compiler Design Lexical Analysis Manas Thakur Fall 2020 Lets get started Character stream Machine-Independent Machine-Independent Lexical Analyzer Lexical Analyzer Code Optimizer Code Optimizer B a c k e n d Intermediate

146 views • 10 slides
Introduction to Machine Learning CMU-10701 20. Independent Component Analysis Barnabs Pczos

Introduction to Machine Learning CMU-10701 20. Independent Component Analysis Barnabs Pczos

Introduction to Machine Learning CMU-10701 20. Independent Component Analysis Barnabs Pczos Contents ICA model ICA applications ICA generalizations ICA theory 2 Independent Component Analysis 3 Independent Component

814 views • 47 slides
EXCHANGE POSITION - DEFINITION THE EXCHANGE POSITION, OR CURRENCY POSITION AS IT IS CALLED

EXCHANGE POSITION - DEFINITION THE EXCHANGE POSITION, OR CURRENCY POSITION AS IT IS CALLED

Chapter No. Page No. 25 432 International Finance EXCHANGE POSITION EXCHANGE POSITION - DEFINITION THE EXCHANGE POSITION, OR CURRENCY POSITION AS IT IS CALLED OF A BANK IS THE POSITION FROM ITS DAYS PURCHASES AND SALES, BOTH

304 views • 8 slides
Position Management across the UMass System Why Position Management? 2017 What is Position

Position Management across the UMass System Why Position Management? 2017 What is Position

Position Management across the UMass System Why Position Management? 2017 What is Position Management? Position Management is a campus driven strategic tool that provides transparency around positions and their respective funding. Position

638 views • 9 slides
Agenda Introduction to The Major Group Review the Independent Representative Position

Agenda Introduction to The Major Group Review the Independent Representative Position

Agenda Introduction to The Major Group Review the Independent Representative Position Review of the Military Spouse Training Programs Review processing of enrollments for the training programs Review TMG web site Social

540 views • 30 slides
AAMCs Liaison Committee on Medical Education The Independent Student Analysis The Independent

AAMCs Liaison Committee on Medical Education The Independent Student Analysis The Independent

UTCOMLS AAMCs Liaison Committee on Medical Education The Independent Student Analysis The Independent Student Analysis Committee Nicholas D. Henkel MD Ph.D. Candidate The University of Toledo // 1 The University of Toledo // 1

208 views • 19 slides
Serial chain test of new quad modules September 08, 2017 Aleksandra Dimitrievska , Katherine

Serial chain test of new quad modules September 08, 2017 Aleksandra Dimitrievska , Katherine

Serial chain test of new quad modules September 08, 2017 Aleksandra Dimitrievska , Katherine Dunne, Maurice Garcia-Sciveres, Timon Heim, Simone Pagan Griso Introduction Quad Module Design Data Previous Katies presentation: Acquisition

393 views • 13 slides
CM38 Napa Valley P J Smith on behalf of the MICE target team MICE Overview 2 Target

CM38 Napa Valley P J Smith on behalf of the MICE target team MICE Overview 2 Target

MICE Target Mechanism CM38 Napa Valley P J Smith on behalf of the MICE target team MICE Overview 2 Target Mechanism Running on ISIS: A summary of running on ISIS. Future Run Plans. Software Updates. Replacement of patch/broken fibres.

580 views • 21 slides
SiteHawk Transcom Instruments www.transcomwireless.com What Does Cable & Antenna Analyzer

SiteHawk Transcom Instruments www.transcomwireless.com What Does Cable & Antenna Analyzer

Handheld Cable & Antenna Analyzer SiteHawk Transcom Instruments www.transcomwireless.com What Does Cable & Antenna Analyzer Do? Tests the overall integrity of an antenna system installation Verifies antenna system components meet

752 views • 19 slides
PVMD Delft University of Technology Learning objective 1. Maximum Power Point Tracking 1.

PVMD Delft University of Technology Learning objective 1. Maximum Power Point Tracking 1.

Cables Ravi Vasudevan PVMD Delft University of Technology Learning objective 1. Maximum Power Point Tracking 1. Introduction to MPPT 2. Indirect Methods 3. Perturb and Observe 4. Incremental Conductance 5. Cost and Overview 2.

826 views • 18 slides
Policing Congestion Response in an Internetwork using Re-feedback Bob Briscoe 1,2 Arnaud Jacquet 1

Policing Congestion Response in an Internetwork using Re-feedback Bob Briscoe 1,2 Arnaud Jacquet 1

Policing Congestion Response in an Internetwork using Re-feedback Bob Briscoe 1,2 Arnaud Jacquet 1 , Carla Di Cairano-Gilfedder 1 , Alessandro Salvatori 1,3 , Andrea Soppera 1 & Martin Koyabe 1 1 BT Research, 2 UCL, 3 Eurcom Based on

508 views • 17 slides
A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR

A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR

A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR Consulting Project origins Started in Feb. 2014 Annoyance at AV softwares opaque decisions Needed to automate repetitive tasks Overview: A

567 views • 21 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
More WordGames Introduction to Java Graphics Check out IntroToJavaGraphics from SVN Review of

More WordGames Introduction to Java Graphics Check out IntroToJavaGraphics from SVN Review of

More WordGames Introduction to Java Graphics Check out IntroToJavaGraphics from SVN Review of WordGames Time to work on the rest of WordGames Basics of Java graphics Follow along in your own Eclipse Youll need the examples

472 views • 11 slides

More recommend