Vous êtes sur la page 1sur 273

Basic Malware Analysis Using

HBGary Responder Professional 2.0

Introductions
Trainer
Class participant introductions

Name
Experience in Incident Response and Reverse Engineering
Why are you here?
What would you like to learn in this class?

Class Structure
This course is focused on Incident Response and
malware analysis using the HBGary Responder
Professional product. Each section of this course
features the following:

Lecture
Hands-on lab exercises
Quiz
Demonstrations and videos

Class Materials
Course DVD contains:
videos
slides
malware samples

Responder Professional with Digital DNA


Fully licensed version

Key

Demo video

Class exercise

A helpful analysis hint

Objectives
After completing this course, students will be able to:
Identify the role of physical memory in Incidence
Response
Explain Microsoft Windows Operating system internals
Install and use HBGary Responder Professional
Utilize a factors-based methodology for threat
assessment

Module 1

THE ROLE OF PHYSICAL MEMORY IN


INCIDENT RESPONSE

Memory Forensics is
Random Access Memory (RAM)
Contains the current state of the computer
Very far down into the weeds

Strings are not enough (1 of 2)


Find all ASCII and Unicode Strings

Old school (since 2002)


Sometimes answers "what?
Don't know when, who, where, or why?
Only physical search
Cannot tie the content to a process and user

Strings are not enough (1 of 2)


Produces HUGE amounts of data
Sometimes more than 1,000,000 ASCII strings!
No contextual information

Lots of good information, including:

Mostly on-screen messages


Open documents
Program names
Passwords
Network connection information

Why Memory Forensics?


Encryption Keys*
BitLocker, PGP Whole Disk Encryption, etc...

What was happening on the system at the time of the


image:
Running programs, open documents
Unpacked contents of packed programs
Network connections

What was really happening on the system:

Not the sanitized (lying) version from the OS


Hidden programs, rootkits, injected code
Destroying the Hacker Defense
What was running ten minutes before the knock and talk

Why Memory Forensics?

A more
complete
investigation

To execute, it must exist in RAM

Traditional Forensics & Security Software

Why Live Memory Forensics?


Today its easy!
Mission-critical systems
99.999999% availability

Anti-forensic techniques used by bad guys


Hax0rs
Cyber spies
Cybercriminals

Valuable information in RAM cannot be found on disk


Passwords, encryption keys
Network packets, screen shots
Private chat sessions, unencrypted data, unsaved documents, etc.

Why Offline Analysis?


No more operating system to be fooled
Rootkits and malware lie
Operating system cannot be trusted and cannot be used!

Everything is re-created from the bottom up


Physical layer
Replicates disk forensics approach

Can detect malware that anti-virus cannot


Can detect malware that host-based IDS/IPS cannot
Proactively verify the run-time state of the system

Useful Information in RAM

Processes and Drivers


Loaded Modules
Network Socket Info
Passwords
Encryption Keys
Decrypted files
Order of execution
Runtime State Information
Rootkits
Configuration Information

Logged in Users
NDIS buffers
Open Files
Unsaved Documents
Live Registry
Video Buffers screen
shots
BIOS Memory
VOIP Phone calls
Advanced Malware
Instant Messenger chat

Bad Guys Use Memory Tricks


Memory injection attacks never touch the disk
Public and commercial hacker tools have used these
techniques for over 3 years
Metasploit Framework (www.metasploit.com)
Canvas (www.immunitysec.com)
Core Impact (www.coresecurity.com)

No good software detection mechanism without


physical memory preservation and offline analysis
Remember - you cannot trust the operating system!

History of Memory Analysis


Relatively new
There are some imagers, but nothing solid for analysis

Freeware scene started in 2003


DFRWS community, Kornblum, Carvey, others

Academic scene Jan. 2008


The Princeton video Frozen Memory

Open source and academic projects

Perl scripts
Hex editors
Strings.exe, grep searches, manual carving
Volatility framework

Defeat the Trojan Defense


I didnt do it, the Trojan horse did!
the hacker controlling my PC did it

Used in the UK - 2003


Plausible deniability because law enforcement didnt image
physical memory
Law enforcement destroyed 4 GB of evidence
4GB is equivalent to 1,048,576 pages of paper (2,097 reams)

Goal: to prove a negative


No, your Honor, there was no Trojan or any other software
running on the defendants machine at the time in question
with the capabilities claimed by the defense

Live Memory Forensics Risks


RAM Collection software relies on the host OS
Can be subverted

Some software more invasive than others


Usually load about 10 modules from the operating system

Live Memory Forensics Risks


Rootkits
User mode
Can modify system commands (netstat, ipconfig)

Kernel mode
Can hide and modify low-level blocks of memory/disk
Can subvert software dumping of RAM
Thats why were working on ICEDUMP
Similar to the Princeton approach

Countermeasures to kernel-mode rootkits:


VMware snapshot files pause the processor
Hiberfil.sys contents of RAM are written to non-volatile storage
before the system is powered down

Counter-Measures
Pause the processor virtual machines
Existing file system memory images (made by
Windows)
Hibernation files
Crash dumps

Hibernation
Saves system state to disk for faster resume
Compresses physical memory and writes it to c:\hiberfil.sys
Space reserved when hibernation enabled
Not cleared, contains disk free space

No data if enabled but never used


Once used, always some data maintained
Compressed
Memory

Disk Data

Size of Physical Memory

Hibernation
Not enabled by default until Windows Vista
Now called Sleep

Hibernation
Header
Wiped upon successful restore

Free pages
Page tables
Compressed data

How To Vote via Texting

TIPS

1. Standard texting rates only (worst cast US $0.20)


2. We have no access to your phone number
3. Capitalization doesnt matter, but spaces and spelling do

Quiz
1. What information is found in RAM, but not on disk?
a) Passwords
b) Chat sessions
c) Saved documents

2. Strings provide which of the following information?


a) Program names
b) Checking account number
c) Passwords

Quiz
3. Which of the following is NOT a countermeasure to
kernel-mode rootkits?
a) Locking your computer screensaver
b) VMware snapshot files
c) Hiberfil.sys

Module 2

HARDWARE AND OPERATING


SYSTEM DESIGN AND LAYOUT

Computers
Desktops, PCs, Laptops

Hardware
Commodity PCs are built from similar, replaceable
components

Motherboard
Random Access Memory (RAM)
Hard disk drive
Peripherals (video card, keyboard, mouse)

Even Laptops?
Yes, even laptops. The components may be integrated
together and less replaceable, but they still adhere to
standardized designs and interfaces.

Diagram
Motherboard
Memory (RAM)

CPU

FrontSide Bus

NorthBridge

AGP or PCI Express

PCI Slots
IO

Serial/Parallel

Keyboard
Mouse

SouthBridge

USB

IDE/SATA

Hard Drive

Why use Memory? Hard Drives are


much larger
Memory is FAST
A read can take around 0.00000001 seconds

Hard drives are SLOW


A read can take around 0.01 seconds

It comes down to electrical (Memory) vs. mechanical


(Hard Drives)

Windows Concepts
The Windows OS is highly structured, and utilizes the
following concepts:

Kernel and User modes


Drivers
Processes
Threads
Services
Registry

Architecture Diagram
User Applications
User Applications
User Applications
User Applications

Executive

Base Kernel

Windows
API

Environment
Subsystems

Device Drivers
USER and GUI
support

System Support
Processes

HAL
Kernel mode

Services

User mode

CPU Privilege Level


Ring 0 Unrestricted
Ring 1, 2 Not used in
Windows
Ring 3 Restricted

Ring 0
Ring 1
Ring 2
Ring 3

Windows Kernel
Kernel components have
unrestricted access to
the entire system
(dangerous!)
The Windows Kernel is
Ring 0

Ring 0
Ring 1
Ring 2
Ring 3

Windows Kernel
Windows Executive handles memory, process, thread,
security, object, IO, and networking management
Hardware Abstraction Layer (HAL)
USER and GUI functionality
Device drivers provide extendable user and hardware
input/output (I/O)

What are Device Drivers?


Dynamic, loadable modules that run in kernel mode
and can provide hardware I/O support, and/or user I/O
translation.
Again, as with all kernel components, device drivers
have unrestricted access to the system (dangerous)!

Windows User mode


Restricted access to the system (Ring 3)
Must access system resources through the Windows API

Contains:

User applications
Support processes (logon)
Service processes
Environment subsystems

Ring 0
Ring 1
Ring 2
Ring 3

What are Processes?


Processes are containers for executing a program

Private virtual memory space


Unique identifier called a Process ID (PID)
At least one thread of execution
Security context

What is a Thread?
A Thread is a container for execution

CPU registers and state


Stacks
Private storage called TLS
Unique identifier called a thread ID (TID or client ID)
Security context

Services
User mode programs that provide functionality
independent of the current user
For example:
Task scheduler
Print spooler
Windows Update

Services
Services.exe
Svchost.exe
Others (see VMWareService.exe)

Registry
A system database that contains important system
information
For example:

Startup settings
Hardware configurations
Application configurations
Current user data

Physical Memory vs. Virtual Memory


Physical Memory refers to the hardware view of
memory
Only one view of physical memory

Virtual Memory refers to virtualized OS views of


memory
There can be many different virtual memory spaces

Memory
Memory (RAM)

Physical Memory

Operating System

Virtual Memory(s)

Why have Virtual Memory?


Can provide process memory isolation (security)
Allows more logical memory by increasing the
addressable space (each process gets its own 4GB of
virtual memory).
When combined with paging, can increase the total
available memory (more on this later).

Total Logical Memory


Sum of all Virtual Memory
Physical Memory

2 GB Memory (RAM)

OS

4GB

4GB

4GB

4GB

4GB

4GB

Virtual Memory
6 x 4GB = 24 GB of Logical
Memory

How 2GB becomes 24GB (or more)


The OS utilizes CPU features to create page directories
and page tables which can be used to divide physical
memory among multiple virtual memory spaces

Physical <-> Virtual


Page Directories and Page Tables

Physical Memory

2 GB

Virtual Memory for Process A


0 GB

4 GB

Virtual Memory for Process B


0 GB

4 GB

Virtual Memory for Process C


0 GB
0 GB

4 GB

What happens when all Physical


Memory is used?
Paging to the hard disk drive (SLOW!)
Pagefile.sys

0 GB

Page Directories and Page Tables

Physical Memory

2 GB

Virtual Memory for Process A


0 GB

4 GB

Virtual Memory for Process B


0 GB

4 GB

Virtual Memory for Process C


0 GB

Hard Drive

4 GB

Paging to Disk
When Physical Memory is getting full, the least used
pages of memory are written to disk
When those pages are needed again, they are read
back into Physical Memory and some other pages are
written to disk. This is called Swapping.
Swapping reduces system performance.

Memory Dump
To get a complete collection of memory you need to
collect two pieces:
Physical Memory
The on-disk pagefile

Unreferenced Memory
Unreferenced Memory is a feature of Windows
Memory Management that may leave empty sections
in a memory dump
When loading a binary from disk, the Windows Memory
Manager may decide to only read portions of the binary into
memory
The unread portions (unreferenced pages) of the binary are
tracked

Why not read everything?


Speed
Reduction of actual memory usage
Some binaries are very large but only a small section
may be commonly used

0 GB

Page Directories and Page Tables

Physical Memory

2 GB

Virtual Memory for Process A


0 GB

Virtual Memory for Process B


0 GB

Hard Drive

pagefile

4 GB

ANYFILE

4 GB

Virtual Memory Allocation


Programs can allocate virtual memory dynamically
The size can range from a single byte to several GBs (or
8192 GBs in x64 OS versions)

How is this tracked?


The Windows kernel uses a data structure known as
Virtual Address Descriptors (VADs) to track virtual
memory allocations
Responder combines this information with page table
data for each process, and displays it in the Memory
Map detail panel

0 GB

Page Directories and Page Tables

Physical Memory

2 GB

Virtual Memory for


Process A
0 GB

0x00C00000
0x00E00000

0x00CE0000
0x00E00000

0x00CD0000
0x00CDF000
PTE 0010 - 0015

0x00CE0000
0x00CF0000

VAD Tree

Hard Drive

4 GB

0x00D10000
0x00D20000

Memory Map

Memory Block
Individual Pages for this Block Unreferenced Pages

Block Length

4 GB

Virtual Memory Layout


Kernel Memory

The upper 2GB* of every


Virtual Memory space is
reserved for the
Windows Kernel to use.
It is not accessible to user
mode processes.

2 GB

0 GB

User Memory

Note: except with the rarely used /3GB switch

User Virtual Memory


2 GB

Process specific Windows system structures


Windows System DLLs

Windows and Application DLLs or Allocated Memory

DLLs or Allocated Memory

Application Binary

0 GB

Stack
Heap or Allocated Memory

Might be Heap
Stack

Responder provides a
complete picture of
contents in memory

Application
DLLs

System DLLs

Quiz
1. Device drivers have what level of system access?
a) Restricted to the device the driver is written is control
b) Unrestricted!
c) No access

2. Services provide functionality for which mode?


a) User-mode
b) Kernel-mode

Quiz
3. How do programs allocate virtual memory?
a) Statically
b) Dynamically

Module 3

INTRODUCTION TO RESPONDER
PROFESSIONAL

Architecture
User View
Digital DNA

API to access code and data flows


Reverse Engineering (RE) of all Code
API to access Memory Objects
OS Reconstruction
Physical RAM Acquisition

Creating a Physical Memory Snapshot


Project

File Project New


Five types of projects:
1.

Physical Memory Snapshot


Live memory analysis (all
running processes)

2.

Remote Memory Snapshot


Captures a physical memory
snapshot over TCP/IP on a
remote machine

3.

Live REcon session


Records malware behavior for
further analysis

4.

Static PE Import
Binary import and analysis
(static binaries from disk)

5.

Forensic Binary Journal


REcon output file import project

Machine details
Optional - Add details about the Case and Machine

Pattern Files
Add a text (.txt) file to
search for user-specified
patterns.
Supported pattern file
formats:
string the search is NOT
case sensitive
[hex] brackets
containing a hex pattern

Scanning process tasks


The physical memory snapshot scanning performs the
following tasks:

Validates the page table layout and size


Identifies PAE/Non-PAE
Identifies OS and service pack
Reconstructs Object Manager
Rebuilds EPROCESS blocks
Rebuilds the virtual address descriptor table (VAD tree)

Report Tab
The Report tab stores the human-readable results of an
analysis, and allows the user to quickly create report
items from interesting pieces of data, and to sort them
into groups or folders.

Report Panel
Case # - User supplied
number
Double-clicking any of
the Report folders or
Report items takes the
user to the item entry in
the Report summary

Report Summary
The Report Summary
contains details of the
items in the Report
Panel.
Items in the Report
Summary are designed
to be exported in html,
and can be printed.

Report Folders
Report folders can be added, edited and deleted by
right-clicking the Report folder

Report Items
Report items can be moved up/down, edited, deleted
and copied to the clipboard by right-clicking the Report
item

Detail Panels
To access a detail panel for an entry in the Report or
Object tabs, perform one of the two following steps:
1. Double-click the icon in the Object tab.
2. Click View Panels

Detail panels
Provide detailed information about the selected
category in the Object panel
Data can be searched and exported to the following
formats:
PDF
HTML
RTF

- XLS
- Image

Panel contents can be locked


Additional columns are available

- CSV
- Text

Details Panel Column Chooser

Right-click the header bar


(where the column labels are)
and select the Column
Chooser option

Details Panel Search

Click the Search icon to filter the


panels contents to only those entries
that match the search criteria

Details Panel Export

1. Click the Export icon

2. Enter a name for the file Click


Open

3. Locate the saved file, and


open it to view the information

Details Panel - Lock


1. Click the Lock icon to lock the Details panel

2. Double-click the All Open


Registry Keys folder again.
Since the Registry Panel is locked,
a new (unfiltered) Registry View
window is created.

Lock/unlock this window

Right-click Context-Sensitive Actions


Every panel has a right-click context menu
Right-click menu choices based on selected object(s)

Common options include:


Send to report creates an entry in the Report panel for the
selected item
Google Text Search uses the Google search engine to
find internet references to the selected item
Google Code Search uses the Google search engine to
find source code that uses the selected item (typically a
string or symbol)

Right-click Google Text Search

Right-click Google Code Search

MSDN Query

Objects Tab
Displays all harvested
objects
Processes, modules, drivers
Strings, symbols

Macroscopic view of
object data
Allows drill-down on most
objects

Context-sensitive rightclick menu


Status icons

Objects Tab
Project type
Top level folders
Leaf-node folders:
double-click these to see
details view of the folder
Expandable folders: singleclick these to expand contents
of the folder
Table: double-click this to
see contents of table.

Object Tab Icons

Package that has not been analyzed


Package that has been analyzed (disassembled
and scanned for suspicious behavior)
EXE that has not been analyzed
EXE that has been analyzed (disassembled and
scanned for suspicious behavior)

Snapshot Summary
The Snapshot Summary panel provides specific
information related to the case. The information is
user-supplied when the project is created, or is
generated during the static import process, and can be
edited or supplemented as the analysis progresses.

Interrupt Descriptor Table


Primary control table for the CPU, and is probably the
most important table in memory

All Modules Panel


Displays a summary list of modules, user-mode DLLs
dynamically linked to a process, as well as operating
system drivers.

All Open Files


Details the file handles open at the time of a physical
memory snapshot.

All Open Network Sockets Panel


Displays all open TCP and UDP connections at the time
of the physical memory snapshot.

All Open Registry Keys Panel


Displays all open registry keys and the process which
owns them.

Documents and Messages Panel


Responder scans the imported memory and attempts
to locate document fragments. These documents
include graphics files, HTML, executables, memory
mapped files, and more.

Drivers Panel
Device drivers are hardware-dependent, operatingsystem-specific, and they usually provide the interrupt
handling for hardware on the system.

Internet History Panel


A URL captured in the Internet History panel does not
necessarily indicate the URL was visited by a user.

Keys and Passwords Panel


Displays any keys and passwords found during analysis.
These keys and passwords can come from many
sources including users, administrators and malware.

Processes Panel
Displays information about all processes running at the
time the memory image was taken.

System Service Descriptor Tables Panel


Display the contents of the main table that controls
system calls for the operating system, and consists of
two panels:
System Call Table NTOSKRNL/HOOKED The primary
system SSDT. It resides in the windows kernel NTOSKRNL.exe
System Call Table WIN32K The USER32/GDI32 SSDT. This
SSDT resides in the driver win32k.sys

Pattern Matches Panel


Displays all of the user-specified pattern matches, and
the physical offsets within the binary file where the
pattern matched.
The pattern match file is added to the project during the
project creation

Importing and Analysis


A Binary in Responder is any executable, such as an
EXE, DLL, or device driver (SYS) associated with a
process
Binary analysis builds up a complete memory map of a
particular process, and is an important part of forensic
analysis.
Responder doesn't disassemble every module by
default.
When an analysis is requested of a module, the module is
disassembled, and suspicious information is extracted and
placed into the report

Analyzing Modules
To extract and analyze a
driver or process, rightclick the package and
choose Package
Analyze Binary, or you
can simply double-click
the package.

Module Post-analysis
Analysis creates two folders:
Function thunks
Global

Function Thunks and Global Folders


The Function Thunks and Global folders provide a lowlevel view of functions, and are available to explore
unnamed regions of code.

Strings
Strings, a data type storing a sequence of data values
expressed as a sequence of characters, provide clues to
origin and intention
Usually in the language of the developer
Typically use descriptive variable names

Symbols
The Symbols panel provides information about a
binary's capabilities (by the functions that it imports),
and its utility by other applications (by the functions
that it exports).

Memory Map Panel


The Memory Map panel displays the virtual address
ranges allocated in each specific process.
Memory mapped files are special regions of memory that
have been mapped to the contents of a file on disk.

Threads Panel
The Threads panel displays lists of OS threads.

Timeline Tab
(Responder Pro only)
Illustrates the data held in a REcon output file (.FBJ).
This data is organized into both a timeline and tracks.
Tracks can be viewed by process and thread, or by sample
group.

Canvas Tab
(Responder Pro only)
Visually renders
relationships and flow
Control flow
Data references

Behavioral representation
of the binary
Relationships are displayed
graphically
No need to pour over
disassembly language

Patterns can become


quickly evident

Canvas Tab Detail

Function head

Function end
Data reference

Canvas Icon Definitions


Entry point of a subroutine
Exit out of a function; return from a subroutine
idata instance (data, string)
Code block (neither entry nor exit)
Noncall transition
Data xref
Call
HTTP://www.yahoo.com

Report items (URLs)

Binary Tab
The Binary tab displays
the raw hexadecimal
bytes that represent any
specific binary. This view
can be very useful in
identifying the
boundaries between
code and data sections.

Digital DNA
(Responder Pro only)
The Digital DNA (DDNA) sequence appears as a series of
trait codes, that when concatenated together, describe
the behaviors of each software module residing in
memory. DDNA identifies each software module, and
ranks it by level of severity or threat.

DDNA Tab
HBGary DDNA technology evaluates binary behavioral
characteristics and automatically provides an easy to
understand description of suspicious traits
An excellent starting point for analyzing malware
Sort by severity and start analyzing from the top

DDNA Traits
Examine trait descriptions to gain a quick
understanding of a binarys functionality.

Script Tab
(Responder Pro only)
The Script Panel allows a
user to write C# scripts
that can automate
Responder features

Quiz
1. Which of the following is NOT a Responder project
type?
a) Physical Memory Snapshot
b) Logical Memory Snapshot
c) Static PE Import

2. Which of the following features is only available in


Responder Pro?
a) DDNA tab
b) Report tab
c) Objects tab

Quiz
3. Which two folders are created after a binary is
analyzed?
a) Strings
b) Symbols
c) Global

Lab Exercise Files


Livebins
In-memory image of a running executable
Responder can extract any module from a memory snapshot
These are saved to disk in livebin format

VMEMs
VMWare session capture of run-time data

Lab Exercise 1

Focus Creating a new Physical


Memory Snapshot project
Type Project creation
Description Creating a new project in
Responder
Time 45 minutes

Module 4

BASERULES.TXT AND MALWARE

Baserules.txt
What is the Baserules.txt file?
It is a malware identification file
It can Auto-magically analyze hits

Sometimes auto-magic is good, but sometimes its not


Searches for suspicious behaviors
Customizable by the end-user
Add in strings and pattern searches
Flagged binaries can be automatically extracted and disassembled for
further diagnosis

Baserules.txt

Suspicious Strings
API calls
Bytes
Assembly
*Wildcards
Example

Editing the Baserules.txt


<Type>:<Version>:<Weight>:<Text/Arg>:<Group>:<Desc
ription>
<Type>: The rule type
<Version>: Rule version, 1.0
<Weight>: 0 (benign) to 255 (critical): Severity of a match on
this rule
<Text/Arg>: Varies by rule type. Used by the rule to
determine a match. Some rule types may have multiple
arguments
<Group>: Group for this rule (KERNELMODE, USERMODE,
KEYBOARD, ALL, etc)
<Description>: Text description for this rule

Editing the Baserules.txt


Example Storm virus which spreads via email:
Trojan-Downloader.Win32.Small.dam
Trojan.Downloader-647
Trojan.DL.Tibs.Gen!Pac13

Known process names to search for:


FullClip.exe - GreetingCard.exe
GreetingPostcard.exe - MoreHere.exe FlashPostcard.exe

Dropper process
wincom32.exe

Editing the Baserules.txt

###################################
### Blacklisted Modules - Alert ###
###################################

# ADDED ENTRY Dropper for Storm eMail Worm


SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule
wincom32.exe, Dropper for Storm email worm
# ADDED ENTRY Executable for Storm eMail Worm
SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule fullclip.exe,
executable for Storm email worm
# ADDED ENTRY Executable for Storm eMail Worm
SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule
greetingcard.exe, executable for Storm email worm

Lab Exercise 2

Focus Editing Baserules.txt file


Type Identifying Malware Threat
Factors
Description Edit baserules.txt file
Time 30 minutes

Module 5

INTRODUCTION TO MALWARE
THREAT FACTORS

Threat Factors Assessment Goals


The goal of threat assessment is to:
rapidly determine if a package is malicious, or warrants
deeper investigation
identify specific traits of the malware, out of potentially
hundreds of traits

Threat Factors
Threats can be broadly grouped into six behavioral
categories, or factors:

Development
Communication
Command and Control
Installation and Deployment
Information Security
Defensive

Development Factors

In what country was the malware created?


Was it professionally developed?
Are there multiple versions?
Is there a platform involved?
Is there a toolkit involved?
Are there multiple parts developed by different groups
or developers?

Communication Factors
Where does it connect to on the Internet?
Drop point
IP addresses or DNS names

Does it allow incoming connections?


Does it use encryption?
Does it use steganography? In other words, is it
concealed within another package?

Command and Control Factors


How is the malware controlled by its master?
Do commands come from a cutout site?
What commands does it support?

Sniffing, logging, file system?


Attack?
Poison Pill - Self-destruct?
Self-uninstall / silent modes?

Installation and Deployment Factors


Does it use the registry?
Does it drop any files?
Does it attempt to infect other machines on the
network?
Does it sleep and awaken later?

Information Security Factors


Identifies the risks associated with the binary

What does it steal?


Does it sniff keystrokes?
Can it destroy data?
Can it alter or inject data?
Does it download additional tools?

Defensive Factors
Does it:
have self-defense?
use stealth?
bypass parts of the operating system?
bypass virus scanners?

Computer Network Attack


Is it connecting to drive shares?
Does it create a large numbers of sockets (distributed
denial of service (DDOS))?
Is it port scanning?

Quiz
1. Which of the following is not considered malware
threat factor?
a) Communication
b) Information Security
c) Offensive

2. If malware destroys data, under which factor would


you identify it?
a) Development factor
b) Defensive factor
c) Information security factor

Lab Exercise 3

Focus Malware Threat Factors


Type Identifying Malware Threat
Factors
Description Perform analysis on .exe
modules
Time 25 minutes

Module 6

COMMON MALWARE BEHAVIOR

Communication
Malware is often designed to communicate over
networks for various reasons:

Signal initial infection


Receive commands
Send sensitive data
Scan internal networks
Infect other machines
DDoS other machines

Malware Comms Diagram

Attacker

Internet

Targets or
Victims

Relay Point or
Jump Point
Infected Website
Server

Open Network Sockets


Examine

Network Sockets
Look for:
active network
connections
unusual processes
communicating on the
network
unusual port numbers

Examine IP addresses
using
http://arin.net/whois

APIC
Asia Pacific Network Information
http://wq.apnic.net/apnic-bin/whois.pl

Internet History
Examine

Search
.cn
.ru
others

Check Report Tab


Examine suspicious modules

Hooking
What is Hooking?
Modifying important locations so that the Malware can
control OS functionality
Many different places can be hooked

Hooking Details (1 of 2)
Normal OS Function

Table of function pointers

Hooking Details (1 of 2)
Malware inserts itself between important functionality
to control OS behavior
Normal OS Function

Malware

Table of function pointers

IDT/SSDT Hooks
Low-level hooks that allow the malware to:
Hide itself (processes, files, registry keys)
Communicate covertly
Control the OS

Only hides from active user, not from Responder

User-Mode Hooks
Hooks of user-mode applications or DLLs that allow
malware to:
Hide itself (processes, files, registry keys)
Communicate covertly

Only hides from active user, not from Responder

Check the Report

Hidden Objects
Many objects can be hidden by malware. The most
common are:
Processes
Files
Registry Keys

Hidden Processes
By hooking low-level calls on certain Windows API
functions, malware can hide or remove itself from the
list of processes
Malware can also modify low-level OS data to remove
objects (instead of hooking)

Processes Panel
The processes panel identifies any processes that are
hidden. Responder uses a variety advanced of
techniques to locate hidden processes.

Hidden Drivers
By hooking specific functions or modifying low level
data, malware can hide drivers
Remember, drivers provide unrestricted access to the
system. Malware will often install a driver and then
hide it.

Drivers Panel
The drivers panel identifies any drivers that are being
hidden within the system. Responder uses a variety
advanced of techniques to locate hidden drivers.

Quiz
1. When using the Open Network Sockets panel, look for
which of the following?
a) Active network connections
b) Unusual port numbers
c) URLs

2. Hooking details can be viewed in which of the


following panels?
a) Open Network Sockets
b) IDT/SSDT
c) Internet History

Lab Exercise 4

Focus Common Malware Behavior


Type Identifying malware behavior
Description Perform analysis on hooked and
hidden processes and drivers
Time 20 minutes

Module 7

DIFFICULTY LEVELS OF REVERSE


ENGINEERING

Reverse Engineering Levels


The knowledge, experience and skill required to reverse
engineer (RE) software and malware threats can be
broken down into four levels:
Level I Recovery of a single string or symbol
Level II Single point reverse engineering of an API call
Level III Reverse engineering of a set of functions and
branches
Level IV Algorithm reconstruction and programming skills

Level I Reverse Engineering


Recovery of a single string or symbol
Responder provides automatic analysis of imported binaries
and identifies suspicious strings or symbols

Level II Reverse Engineering


Single point reverse engineering of an API call
Identifying arguments that are input to a function call
Google or MSDN to identify function parameter usage
View disassembly to identify what elements (registers, etc)
are being used as parameters
4
2

3
1

2 3 4

Level III Reverse Engineering


Reverse engineering of a set of functions and branches
Reverse engineering of an unknown function using
disassembly (Binary view)
What registers are being used?
What values are inputted/outputted?

Branches are conditional code that is executed if the


condition is satisfied
Single-branch conditions (if)
Two-way conditional branches (if else)
Multiple conditional branches (compiler adds alternate blocks
consisting of one or more logical checks)
Compound conditional branches (checks two or more conditions to
decide if it should enter a conditional code block)

Level IV Reverse Engineering


Algorithm reconstruction and programming skills
Utilizing RE Levels I III with larger chunks of disassembly
across multiple functions to get a picture of how the software
behaves

Example: How malware command and control


structure works
Disassembling multiple functions and data structures
Describe how those functions interact with one another

Module 8

INTRODUCTION TO API

What is an API?
An application programming interface (API) is:
the interface (calling conventions) by which an application
program accesses operating system and other services.
defined at source code level and provides a level of
abstraction between the application and the kernel (or other
privileged utilities) to ensure the portability of the code.

What is the Windows API?


The core set of application programming interfaces for
the Windows operating system
Provides all the functionality required to create
software on the Windows platform.
http://msdn.microsoft.com/enus/library/aa383749(VS.85).aspx

The Windows API allows restricted user mode


programs access to system resources

Windows API (1 of 2)
The Windows API can be grouped into the following
eight functionality categories:
Base Services: Access to system resources (kernel32.dll)
Advanced Services: Access to Windows registry,
shutdown/startup, and user accounts (advapi32.dll)
Graphics Device Interface: Output to monitors, printers, etc.
(gdi32.dll & kernel-mode win32k.sys)
User Interface: Functionality to create and manage windows,
buttons, scrollbars, mouse and keyboard input , etc
(comctl32.dll)

Windows API (2 of 2)
Common Dialog Box Library: Access for opening and saving
files, choosing color, font, etc (comdlg32.dll)
Common Control Library: Provides programs access to
operating system advanced controls such as status bars,
progress bars, toolbars and tabs (commctrl.dll)
Windows Shell: Application access to change and enhance
Windows shell (shell32.dll)
Network Services: Access to network capabilities (TCP/IP,
NETBIOS, Winsocket, etc)

API - in other words


Think of an API call as a trip to the DMV
Customers (applications, users, hardware drivers, network connections,
etc) request various services (graphics output, creating folders,
managing mouse input, access to memory resources, etc) that are
handled at specific counter locations (APIs) at the DMV.

New license
applications
API

License
renewal
API

Registration
renewal
API

DMV Kernel

Driving tests
API

Written tests
API

API Arguments
Arguments are inputs to the API
For example, an argument defines the location of the mouse
pointer in the API of the comctl32.dll
A registry entry can also be an API argument
For example, the Recent Documents list in many common programs
started as a registry entry, and is retrieved by the Windows API as an
argument when the program starts

How does an API work?


From a user mode program:
1. A call is made to an API function
2. The API function eventually calls an exported function of
NTDLL that provides the needed ability
3. The NTDLL function issues an interrupt (or SYSENTER
instruction) to pass control to kernel mode
4. The interrupt/SYSENTER handler, KiSystemService, is called
by the CPU
5. KiSystemService looks up and calls the requested service in
the System Service Descriptor Table (SSDT)

Note: there is also a Service Descriptor Table Shadow that handles


USER and GDI services

Windows API
Application

1. Calls WriteFile

Kernel32.DLL WriteFile

2. Calls NtWriteFile

NTDLL.DLL NtWriteFile

3. Issues a SYSENTER
instruction

NtosKrnl.exe KiSystemService

SSDT
0x84c0780

NtosKrnl.exe NtWriteFile

4. Looks up requested
service in the System
Service Descriptor Table
(SSDT)

User mode
Kernel mode

The SSDT is a table of


function pointers

6. Perform a write
7. Return to user mode caller

Google Search
Within Responder, an API can be searched through
using the Google Text Search, and Google Code
Search features.

MSDN API Lookup


Windows API functions found in Responder can be
quickly located in the Microsoft Developers Network
(MSDN) website using the Google Text Search
feature.

MSDN Description
The MSDN Library
includes how-to and
reference
documentation, sample
code and technical
articles for Microsoft
developer technologies
and products.
http://msdn.microsoft.com

Quiz
1. The Windows API allows which mode access to system
resources?
a) User-mode
b) Kernel-mode

2. The kernel32.dll API provides access to what?


a) System resources
b) Output to monitor
c) Opening and saving files

Module 9

DIRECTORIES, FILES AND


DOWNLOADS

Why Installation and Deployment (I&D)


factors matter
Knowing how it installs can help in:
Designing a cleanup script
Scanning for other infected machines
Detecting variants of the same malware

Objects of Interest

Files, file extensions, paths


.INI files
Find/Next type loops, wildcards (for example, *.*)
Command line parameters
Registry keys
TEMP directory
Checking for mutexes
Sometimes used so they do not infect twice

Directory and File Creation


Starts with these strings and symbols:
CreateDirectory
ExpandEnvironmentStrings
%ProgramFiles%
%SystemRoot%

File extensions
.exe
.dll
.sys

Starting points for Directory and File


Creation

CreateDirectory
GetSystemDirectory
CreateFile
DeleteFile
CopyFile
OpenFile
ExpandEnvironmentStrings
%PROGRAM FILES%
%SYSTEMROOT%
C:\
.EXE
*.*

\\ (double backslash)
MoveFile
\\TEMP
WINDOWS
SYSTEM32
cmd /c del
del %s
GetTempPath
.DLL
.SYS
.INI
.INF
.BAT

Directory Creation Commands

CreateDirectory, CreateDirectoryEx
mkdir, wmkdir, _tmkdir
_creat
system(mkdir )
system(md )

Environment Variables
ExpandEnvironmentString
GetEnvironmentVariable
getenv, putenv

Common environment variables

%ALLUSERSPROFILE%
%APPDATA%
%COMPUTERNAME%
%COMSPEC%
%HOMEDRIVE%
%HOMEPATH%
%PATH%
%PATHEXT%
%PROGRAMFILES%
%PROMPT%
%SYSTEMDRIVE%
%SYSTEMROOT%
%TEMP% and %TMP%
%USERNAME%
%USERPROFILE%
%WINDIR%
%DATE%
%TIME%
%CD%
%ERRORLEVEL%
%RANDOM%

C:\Documents and Settings\All Users


C:\Documents and Settings\{username}\Application Data
{computername}
C:\Windows\System32\cmd.exe
C:
\Documents and Settings\{username}
C:\Windows\System32\;C:\Windows\;C:\Windows\System32\Wbem
.COM; .EXE; .BAT; .CMD; .VBS; .VBE; .JS ; .WSF; .WSH
Directory containing program files, usually C:\Program Files
Code for current command prompt format. Code is usually $P$G
The drive containing the Windows XP root directory, usually C:
The Windows XP root directory, usually C:\Windows
C:\DOCUME~1\{username}\LOCALS~1\Temp
{username}
C:\Documents and Settings\{username}
C:\Windows
Current date in the format determined by the Date command
Current time in the format determined by the Time command
Current directory with its full path
Number defining exit status of a previous command or program
Random number between 0 and 32767

Special Folder Locations

SHGetSpecialFolderLocation
CSIDL_ADMINTOOLS (FOLDERID_AdminTools) The file system directory that is used
to store administrative tools for an individual user.
CSIDL_ALTSTARTUP (FOLDERID_Startup) The file system directory that corresponds
to the user's nonlocalized Startup program group.
CSIDL_APPDATA (FOLDERID_RoamingAppData) C:\Documents and
Settings\username\Application Data.
CSIDL_BITBUCKET (FOLDERID_RecycleBinFolder) The virtual folder that contains the
objects in the user's Recycle Bin.
CSIDL_CDBURN_AREA (FOLDERID_CDBurning) C:\Documents and
Settings\username\Local Settings\Application Data\Microsoft\CD Burning.
Use MSDN to lookup all the possible values, there is a long list

Shell32 API

SHELL32.DLL
SHGetPathFromIDList
SHBrowseForFolder
SHGetSpecialFolderLocation

Internet Downloads
The WININET.DLL API

InternetOpenFile
InternetReadFile
InternetOpenURL
InternetConnect

winsock API

socket
WSASocket
connect
WSAConnect

Addresses, URL, and web


requests

http://
www
.com
HTTP/1.0
Content-Type

Malware Boot Registry Keys


Registry API
RegCreateKey
RegOpenKey

Try searching
CurrentControlSet
CurrentVersion
SOFTWARE (all caps)

Common registry keys to survive reboot

HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SYSTEM\CurrentControlSet\Services\{Service Name}

Lab Exercise 5

Focus: Canvas Tab


Livebin: Parishilton.exe
Description: Students will familiarize
themselves with the features
and functions of the Canvas
Tab
Time: 15 minutes

Lab Exercise 6

Focus: Directories, Files and


Downloads

Livebin: inhold_toolbar.1.mapped
Description: Use graphing techniques to
quickly isolate installation
behavior of inhold.toolbar
Time: 25 minutes

Module 10

REGISTRY KEYS

Registry Key Creation


Start with these:

Search symbols for reg


RegOpenKey
RegCreateKey
CurrentControlSet
CurrentVersion
SOFTWARE (all caps)

Starting points for Registry


Modification

RegCreateKey
RegOpenKey
.REG
regedit
RegCloseKey
CreateService
DeleteService
OpenSCManager

ServiceMain
ServiceDll
StartService
CurrentControlSet
SOFTWARE
\\ (double backslash)
CurrentVersion

Malware Boot Registry Keys


Massive numbers of registry keys (too numerous to list
here)
See Autoruns
See MAP Plug-in

The Run Keys


HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explore
r\Run
HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explore
r\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

User Init
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
The above key takes a comma delimited list of
programs to execute. Malware may install additional
programs, or even replace the existing userinit.exe with
a trojan version. The normal location for userinit.exe
will be something like
C:\WINDOWS\system32\userinit.exe (the windows
install directory will be system specific). Any strange
looking path or additional executables should be
examined in detail.

Services Creation
Creating a service via API calls simply creates registry
keys under the hood
CreateService

One alternative way to load a device driver is the


SystemLoadAndCallImage method
ZwSetSystemInformation api call

Services Registry Key


HKLM\SYSTEM\CurrentControlSet\Services\{Service Name}
For any given service, there may be a value called
ImagePath that indicates the path to the file that
implements the service. If the file in question ends in .sys,
there is a good chance that its a kernel mode driver. To be
sure, check the type value:
1 : Kernel mode driver
2 : File system driver
4 : Adapter Arguments
8: File system service
16: Win32 program that runs as it's own process
32: Win32 program that shares a process w/ other services
(think services.exe)

Services Start Value


The start value can tell you when the service is started:

0 : Boot, very early during startup


1 : System, after Boot, but still while booting Windows
2 : Automatic, after System, but still while booting Windows
3: Manual, doesn't run unless the user or another program
starts it
4: Disabled

Lab Exercise 7

Focus Registry Keys

Type Beizhu_2.vmem
Description Use graphing techniques to
quickly isolate the temporary
path used with runonce key
Time 25 minutes

Module 11

RECONSTRUCTING FORMAT
STRINGS OPERATIONS

Format strings
Format strings are important to understand because
you will encounter them so often.
What are they?

Basic format strings

%s a string (also %S)


%c a character
%d a number (also %i)
%x a number in hex (also %02x, %08X, etc)
%f a number in float
%l a number (long) (also %ul)
%% - a percent character
There are many variants of the above

Functions that use format strings


Function

Format String

printf

%s

sprintf

%c

fprintf

%f

snprintf

%i

swprintf

%d

wsprintf

%l

vsprintf

%lu

variants of the above

etc

Path Creation

GetSystemDirectory
Target: CreateRemoteThread livebin
Is used to place files in the windows/system32 directory
If, within a subroutine, grow up to see what kind of
arguments are passed in

Construction of a string under the Services key


means this file could be registered as a service.
Target: CreateRemoteThread livebin

Search registry for this

Creates a directory in the Program Files directory.


Target: inhold toolbar

Call setup
4
2

3
1

The arguments to a format


string are almost always
pushed directly before the
format string in disassembly
(reverse order)

1 2 3 4

Batch Files
%1, %2, %3, etc
Used to indicate arguments passed to a batch file
Look for .bat extension in strings

Using format strings as hints


It is very likely that esi+4 stores a pointer to the
nickname used in IRC channel

Lab Exercise 8

Focus Reconstructing Format


String Operations
Type VIRUS.vmem
Description Use graphing techniques to
quickly isolate the Installation
and Deployment Factors
associated with both a memory
image, and a packed piece of
malware.
Time 25 minutes

Module 12

DROPPERS &
MULTI-STAGE EXECUTION

What is a Dropper?
Malware is delivered in steps
Dropper is initial downloaded package
Can be a Trojan or embedded exploit

The dropper carries the malware in a payload


Once dropped, the dropper decompresses and
executes a secondary payload

Steps in Malware Deployment


Dropper
Embedded
Resource

Embedded Resource
Decompressed to
Disk

Embedded Resource
is Launched as an
EXE

Multi-Stage Execution
Child Process Spawning
CreateProcess
ShellExecute

Creating Files
WriteFile
CopyFile

Launching External Processes


Typical APIs used to launch processes
RunDLL32.exe
Shell32.dll
Control_RunDLL

Can be used to run a shell script


Command line shows the path to the file on disk

Starting points for Process Creation

CreateProcess
Rundll32.exe
cmd.exe
cmd /c
command.com /c %s

ShellExec
ShellExecute
ShellExecuteA
WinExec
Shell32.DLL
exec
execve
system

Cleanup using BAT files

@echo off
:%s
del %%1
if exist %%1
goto %s
rem %s"

Lab Exercise 9

Focus Droppers & Multi-stage


Execution

Type inhold_toolbar.1.mapped.live
bin
Description Recover ShellExecute
arguments used within
inhold toolbar
Time 25 minutes

Multi-Stage Execution
Resource Extraction
OpenResource

Use of temporary directory


GetTempDirectory

Consult execution history in Flypaper

Resource Extraction
Starting points for Resource
Extraction

Possible embedded kernel


drivers

FindResource
SizeOfResource

PsCreateSystemThread
\\DosDevices
.sys
drivers
IoCreateSymbolicLink
IoDeleteSymbolicLink
IoCreateDevice
IoDeleteDevice
KeInitialize
SpinLock
ObReferenceObjectByHandle

Child Processes
All of the child processes
are available in the
memory snapshot.
Examine them all and
compare them to one
another.

Loaded Modules
Note how the copy of
the process has more
loaded modules

Compare Copies
Compare the secondary execution against the first one
Different number of loaded modules
The one with more modules implies that it has progressed
farther in the execution lifetime

Compare strings and symbols of both copies


There may be additional unpacking in the secondary copy

Unpacked Modules

RunDLL32
Executes a subroutine exported from a DLL
RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>
Example:
RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0
void CALLBACK EntryPoint(
HWND hwnd,
HINSTANCE hinst,
LPSTR lpszCmdLine,
int nCmdShow);

Module 13

KEYLOGGING, PASSWORDS AND


DATA THEFT

Information Security Factors


Goal: Rapidly identify if the malware can steal
information

Passwords
Keystrokes
Login credentials
Intellectual property/secrets

What is Being Stolen?

File scans
Keystrokes
Usernames and passwords
Screen shots / screen scraping

Recently Used Passwords


Common Targets

GUIDs for Saved Passwords


Outlook
Internet Explorer
Pstore.dll

File Searching
Used for a variety of reasons

Locate intellectual property


Locate password files
Search out DLLs and executables
Find files to infect
Cleanup temporary files after installation

File Searching
Typical API Calls
FindFirst( )
FindNext( )

Strings
Wildcards
File Extensions

Target: soysauce

View Code

Keystroke Logging

Windows Message Hooking


Polling
Interrupt Hooking
IRP hooking
8042 Keyboard Controller
Port 60, 64

Lab Exercise 10

Focus Keylogging, Passwords and


Data Theft
Type keylogger.1.mapped.livebin
Description How is the malware sniffing
keystrokes?
Time 25 minutes

Lab Exercise 11

Focus Keylogging, Passwords and


Data Theft
Type FindFile.1.mapped.livebin
Description What DLL naming scheme is
being used by the malware?
Time 25 minutes

Module 14

SHELL EXTENSIONS

The Shell
Malware can install one or more DLLs on the system
that are tied into your shell, menus, mouseclicks,
actions, browsing almost anything you can imagine

Starting Points for Detecting Shell


Injection

Shell
ShellEx
Classes\Folder
Classes\CSLID
InProcServer32
shell\open
shell\open\command

exefile
batfile
comfile
ddeexec

Shell Column Handlers


HKCR\Software\Classes\Folder\Shellex\ColumnHandler
s\{GUID}
To find the actual program that is handling the column
extension, locate the GUID elsewhere in the registry. It
will likely be located under the Classes folder:
HKLM\SOFTWARE\Classes\CLSID\{GUID}

Check the InProcServer32 subkey to find a path to the


DLL that is implementing the column extension.

Shell Open Commands (1 of 2)


Malware can register itself as the handler for certain file
extension types, controlled from the HKEY_CLASSES_ROOT
(HKCR) folder and the HKLM\Software\Classes folder.
There are many file extension types under these folders,
but the following are well known hook points for malware:

HKCR\batfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\exefile\shell\open\command
HKLM\Software\Classes\batfile\shell\open\command
HKLM\Software\Classes\comfile\shell\open\command
HKLM\Software\Classes\exefile\shell\open\command

Shell Open Commands (2 of 2)


The default value for the command key should be "%1"
%*, but malware can modify the entry to contain
something like malware.exe %1 %*, causing the
malware program to execute if someone double-click
launches one of the infected file extensions.

Command and DDE Exec


HKCU\Software\Classes\<some registered
extension/path>\shell\<path>\ddeexec\
These keys have the same problems as described above
for Shell Open Commands. In addition, you may notice
a neighboring command key, which can also be altered
or infected by malware.
HKCU\Software\Classes\<some registered
extension/path>\shell\<path>\command\

Module 15

BROWSER EXTENSIONS

The Browser
Malware can install one or more DLLs that are tied into
your browser, browsing events, keylogging, user
interface, and more

Starting points for detecting Browser


Injection

\Internet Explorer
\Extensions
\Explorer Bars
\Script
\Exec
\Browser Helper Objects
InprocServer32
URLSearchHook
Implemented Categories\
{00021494-0000-0000-C000-000000000046}
{00021493-0000-0000-C000-000000000046}
{4D5C8C2A-D075-11d0-B416-00C04FB90376}
InitPropertyBag\Url

Browser Extensions (1 of 2)
This includes adding menus and shortcuts, additional
toolbars, explorer bars, and browser helper objects. A
simple way to add an additional menu item or button is
to register a GUID under the following key:
HKCU\Software\Microsoft\Internet
Explorer\Extensions\{GUID}
HKLM\Software\Microsoft\Internet
Explorer\Extensions\{GUID}

Browser Extensions (2 of 2)
You may also find subkeys that path to an executable or
script:
HKLM\Software\Microsoft\Internet
Explorer\Extensions\{GUID}\Script
HKLM\Software\Microsoft\Internet
Explorer\Extensions\{GUID}\Exec

The values stored under these keys may lead you to a


program that implements whatever command is
indicated by the menu item or button.

Browser Helper Objects (1 of 2)


The term BHO is used loosely in the security
community, and commonly describes any malware that
extends the browser even if the malware is not
specifically a BHO. Just remember that a BHO is just
one of many ways malware can inject into the browser.
A BHO is registered by adding a GUID to the following
registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explo
rer
\Browser Helper Objects\{GUID}

Browser Helper Objects (2 of 2)


Similar to all the other GUID based extensions, the
GUID can be looked up elsewhere in the registry to
determine which DLL handles it. It is likely to be found
in HKCR\CLSID\{GUID}
And, as usual, the InprocServer32 key reveals which DLL
is used to implement the BHO.

Lab Exercise 12

Focus Incident Response

Type Infected machine


Description Search for indications of
compromise on a VMware
image
Time 30 minutes

Module 16

DLL AND THREAD INJECTION

Process Enumeration
For any process to write to another process, it needs a
handle to the target
To get a handle to a process, the process must be located
from the list of all processes

Process enumeration primarily occurs using


ToolHelp API
NtQuerySystemInformation( )
Undocumented API

DLL & Thread Injection


Look for ToolHelp library usage
This will be used to enumerate running processes when
finding one to inject into

Look for CreateRemoteThread


This is used to inject the code that will load the injected DLL

Look for EnableDebug or AdjustPriv


The process will need certain access rights to be able to
perform the injection

DLL Injection
Injected DLLs stand out clearly if they use:
Non-standard paths
Unusual or odd-sounding names

DLLs in Responder

Strings ending in .dll

All modules

Remote Threads
A remote thread is created in a second process, not
part of the first process
A remote thread is typically used to inject a DLL into
another process, but not always
A remote thread can also operate without a DLL
injection
This is a more advanced technique

Clear indication of process injection

Page Protections
In order to inject against another process, memory
protections will need to be unlocked
This is done via the VirtualQuery API

Use Google Text Search to get the API arguments

Starting points for DLL and Thread


Injection

CreateRemoteThread
OpenProcess
VirtualAlloc
WriteProcessMemory
WaitForSingleObject
explorer.exe
SeDebugPrivilege

CreateToolhelp32Snaps
hot
CreateEvent
Process32First
Process32Next
Module32First
Module32Next

Lab Exercise 13

Focus DLL & Thread Injection


Type DLL & Thread Injection
Description What is being injected into the
remote process?

Time 25 minutes