QuietRIATT Rebuilding the Import Address Table Using Hooked DLL - - PowerPoint PPT Presentation

SLIDE 1

RIVERSIDE RESEARCH INSTITUTE

QuietRIATT

Rebuilding the Import Address Table Using Hooked DLL Calls

Jason Raber – Team Lead, Reverse Engineer
Brian Krumheuer – Reverse Engineer

SLIDE 2

Overview

  • The Problem: An EXE without an IAT
  • How QuietRIATT Works
  • Detours
  • QuietRIATT
  • Demonstration
  • Summary
  • Contact Info / Q&A

SLIDE 3

The Problem: An EXE without IAT

  • Some malware employs protections that redirect the IAT; some destroy it completely
  • When ImpREC falls short, QuietRIATT to the rescue!
  • Lengthy manual labor now takes seconds
  • Uses Detours to record DLL calls and assist in rebuilding the IAT

SLIDE 4

The Problem: An EXE without IAT

[Diagram: three IAT layouts]
  • Normal IAT: entries name the imported functions directly (GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, IsDebuggerPresent, …)
  • Redirected IAT - Jump Table: each entry points to a JMP xxxxxxxx stub instead of the API itself
  • Redirected IAT - Munge: JMP xxxxxxxx stubs, the same API names and ???? entries are interleaved, so the table no longer reads as a clean import list

SLIDE 5

The Problem: An EXE without IAT

Removing Malware Wrapper-Style Protections (flowchart)

  1. Run protected program
  2. Change EP to OEP
  3. Dump memory to file
  4. Use ImpREC to fix IAT. Did it work? Yes: you’re done!
  5. No: fix IAT by hand (subject to anti-debugging, time consuming, error prone). Did it work? Yes: you’re done! No: …

SLIDE 6

The Problem: An EXE without IAT

Removing Malware Wrapper-Style Protections (flowchart, with QuietRIATT added)

  1. Run protected program
  2. Change EP to OEP
  3. Dump memory to file
  4. Use ImpREC to fix IAT. Did it work? Yes: you’re done!
  5. No: use QuietRIATT to fix IAT. Did it work? Yes: you’re done (allows automation of more cases, saves time)
  6. No: fix IAT by hand. Did it work? Yes: you’re done! No: …

SLIDE 7 (agenda slide repeated as section divider)

SLIDE 8

How QuietRIATT Works

  1) Hook DLL calls using modified MS Detours
  2) Detours ‘traceapi’ generates a log file of DLL calls
  3) QuietRIATT annotates the IDA Pro database
  4) QuietRIATT generates a tree file with IAT info
  5) Import tree file into ImpREC

SLIDE 9 (agenda slide repeated as section divider)

SLIDE 10

Why Detours

  • Wanted something like Linux ‘strace’
    – Traces system calls
  • Detours – ‘traceapi’
    – Similar to strace but traces DLL calls
    – Outputs parameters and return values
    – Helps see ‘real’ DLL calls from kernel32, user32, etc.
  • This helps us when rebuilding the IAT

SLIDE 11

Detours

[Diagram: process space containing the user app, the DLL, the trampoline and the hooked DLL function]
  • A “JMP HookedDLL func” is injected at the start of the targeted DLL function
  • The displaced (disassembled) instructions get stored in the trampoline
  • The hook does its preprocessing/postprocessing; optionally it calls the real DLL routine
  • The displaced instructions are executed and control jumps back to the targeted DLL function

SLIDE 12

Detours Macro

The macro code lives in _win32.cpp, part of the TRACEAPI sample found under the Detours samples directory.

[Figure: macro code listing (inject macro)]

SLIDE 13

Detours in action

  • Kernel32 Sleep API call is rerouted to trampoline space
  • Return address is pushed on the stack

Prolog: SP is assigned to BP to set up the stack frame. Since BP was saved when the frame was set up, we can move 4 bytes past it (i.e., [ebp+4]) to reference the return address.

[Diagram: stack, grows high to low: local variables, saved EBP (ebp points here), return address, 0x64]

SLIDE 14

Running Traceapi

  • syelogd.exe – system event logging; use this utility to set up the pipe
  • withdll.exe – loads the Detours traceapi.dll and detoured.dll into the process sleep5.exe; all done at runtime

SLIDE 15

Detours – User Process

[Figure: annotated traceapi log; each line shows the DLL call with its parameters, the return address and the return value, with DLL calls made from within DLLs distinguished from DLL calls made from the user process]

SLIDE 16

Special Cases

If the ‘traceapi’ attach fails for a function, don’t worry: the function is too small to trampoline (the function body shown is just a RET).

SLIDE 17 (agenda slide repeated as section divider)

SLIDE 18

QuietRIATT

  • Quiet = Stealthy
  • R = Riverside
  • I = Import
  • A = Address
  • T = Table
  • T = Tool

SLIDE 19

QuietRIATT Steps

  • Preparation:
    – Make DLL Function List
  • Plug-In:
    – Read Detours output file
    – Find return address
    – Match ‘real’ call
    – Annotate IDA Pro
    – Create input file to ImpREC
    – Rebuild it

SLIDE 20

DLL Function List

  • In order for QuietRIATT to know which DLL each function comes from, it is necessary to disassemble each DLL beforehand and make a list of the functions. This list is read into QuietRIATT during initialization. IDA makes this easy.
  • This is machine specific, so it has to be done on the same machine where the target program is run.

[Figure: kernel32.dll export list from IDA disassembly]

SLIDE 21

Create Function List

  • Disassemble DLLs used in target application (e.g. kernel32, user32, …)
  • Copy and paste export list into a text editor

[Figure: QuietRIATT_liblist.txt; add the DLL name to the end of each line (next to the ordinal)]

SLIDE 22

QuietRIATT and the 6 Degrees of Abe Simpson

[Figure: Detours output file and the ImpREC tree file generated from it]

SLIDE 23

Finding Return Address – 5 Byte Calls

SLIDE 24

Finding Return Address – 2 Byte Calls
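The plug-in steps above (read the Detours log, find the return address, match the ‘real’ call through its IAT slot, write the tree file) are shown here as an added Python example; this is not QuietRIATT’s own code, and the trace-line format, the liblist dictionary, the dumped code bytes and the ImpREC tree layout are all constructed stand-ins. It walks back from each logged return address to the call that produced it, covering the 6-byte call dword ptr [slot], the 5-byte call rel32 into a jmp [slot] stub (the jump-table layout from slide 4) and the 2-byte call reg preceded by mov reg,[slot].

```python
import re, struct

# Constructed stand-ins for the artifacts QuietRIATT consumes. The trace-line format, the
# liblist mapping and the ImpREC tree layout are simplified assumptions, not the real formats.
LIBLIST = {"GetTickCount": "kernel32.dll", "IsDebuggerPresent": "kernel32.dll",
           "MessageBoxA": "user32.dll"}                   # from QuietRIATT_liblist.txt
IMAGE_BASE, TEXT_VA = 0x00400000, 0x00401000
# Dumped .text bytes at 0x401000 (constructed): 401000 call [403010]; 401006 mov ebx,[403018];
#   40100C call ebx; 40100E call 401014; 401013 ret; 401014 jmp [403014] (jump-table stub)
TEXT = bytes.fromhex("ff1510304000" "8b1d18304000" "ffd3" "e801000000" "c3" "ff2514304000")
TRACE = """\
+ GetTickCount() ret=0x00401006
+ MessageBoxA(...) ret=0x0040100E
+ IsDebuggerPresent() ret=0x00401013
+ GetProcAddress(...) ret=0x00402000
"""

def u32(off): return struct.unpack_from("<I", TEXT, off)[0]
def s32(off): return struct.unpack_from("<i", TEXT, off)[0]

def iat_slot_for_return(ret):
    """Walk back from the return address to its call and return the IAT slot VA, or None."""
    off = ret - TEXT_VA
    if not 0 <= off <= len(TEXT): return None                    # outside the dump
    if off >= 6 and TEXT[off-6:off-4] == b"\xff\x15":            # call dword ptr [slot]
        return u32(off-4)
    if off >= 5 and TEXT[off-5] == 0xE8:                         # call rel32 -> stub?
        tgt = ret + s32(off-4) - TEXT_VA
        if 0 <= tgt and TEXT[tgt:tgt+2] == b"\xff\x25":          # stub is jmp dword ptr [slot]
            return u32(tgt+2)
    if off >= 8 and TEXT[off-2] == 0xFF and TEXT[off-1] & 0xF8 == 0xD0:   # call reg
        reg = TEXT[off-1] & 7
        if TEXT[off-8] == 0x8B and TEXT[off-7] == (0x05 | (reg << 3)):    # mov reg,[slot]
            return u32(off-6)
    return None

def rebuild(trace=TRACE):   # -> ({slot_rva: (dll, api)}, [(api, ret) needing placeholders])
    iat, unresolved = {}, []
    for api, ret in re.findall(r"^\+ (\w+)\(.*\) ret=0x([0-9A-Fa-f]+)$", trace, re.M):
        slot, dll = iat_slot_for_return(int(ret, 16)), LIBLIST.get(api)
        if slot is None or dll is None:                          # addr not found / unknown call
            unresolved.append((api, int(ret, 16)))
        else:
            iat[slot - IMAGE_BASE] = (dll, api)
    return iat, unresolved

def impre_tree(iat):        # simplified ImpREC-style tree listing (assumed layout)
    lines = [f"FThunk: {min(iat):08X}\tNbFunc: {len(iat):08X}"]
    lines += [f"1\t{rva:08X}\t{dll}\t0000\t{api}" for rva, (dll, api) in sorted(iat.items())]
    return "\n".join(lines)
```

The 2-byte branch only recognises a mov reg,[slot] immediately before the call; with unanalyzed data in between it returns None, which is the “Addr Not Found” case the later slides describe.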

SLIDE 25

Special cases

  • Unanalyzed Code
  • IAT Redirection
  • Jump Tables
  • Addr Not Found
  • Unknown Calls

SLIDE 26

Special Cases – Unanalyzed Code: Return Address in Unanalyzed Code

[Figure: Detours output, IDA disassembly and the IDA SDK functions used]

SLIDE 27

Special Cases – Unanalyzed Code

SLIDE 28

Special Cases – IAT Redirection

[Figure annotations on the Detours output and IDA disassembly]
  • Call to a memory address that’s not in the IAT
  • No data at the address, so check the xrefs
  • We find an IAT entry being moved into the address

SLIDE 29

Special Cases – IAT Redirection

Could add a check to see whether the address is in the IAT and, if not, make a recursive call.

SLIDE 30

Special Cases

  • Jump Tables

SLIDE 31

Special Cases – Addr Not Found

[Figure: IDA Pro message window and IDA Pro disassembly]
  • Addr of GetClassNameA being moved into EBX
  • decode_prev_insn() won’t work past unanalyzed data
  • Call being made through EBX

SLIDE 32

Special Cases – Addr Not Found

[Figure: IDA Pro message window and IDA Pro disassembly]

SLIDE 33

Special Cases – Unknown Calls

  • If not every call is used during execution (which is likely), QuietRIATT won’t know what the call is, so defaults have to be chosen as placeholders.
  • When new functionality is discovered in the program, re-run Detours and QuietRIATT and the new functions will be added.

[Figure: support.h listing]

SLIDE 34 (agenda slide repeated as section divider)

SLIDE 35

Demonstration

  • Sample “Hello World” with IAT removed

SLIDE 36 (agenda slide repeated as section divider)

SLIDE 37

Summary

  • Not an ImpREC replacement: QuietRIATT fills a gap that ImpREC doesn’t cover
  • A stealthy solution
  • Can save many hours of tedious, error-prone manual labor

SLIDE 38

Future Work

  • Add ability for QuietRIATT to fix the binary directly (no need for ImpREC).
  • In cases where the IAT is dynamic, keep an internal list of entries
  • Feed QuietRIATT a run trace from a stealthy debugger to fix the “address not found” case

SLIDE 39 (agenda slide repeated as section divider)

SLIDE 40

Contact Info / Q&A

Riverside Research Institute Software Security Team

http://www.rri-usa.org/isrsoftware.html

For binary and source code, contact us at:

Jason Raber – Team Lead, Reverse Engineer
937-427-7085
jraber@rri-usa.org

Brian Krumheuer – Reverse Engineer
937-427-7087
bkrumheuer@rri-usa.org