Upgrade to Pro — share decks privately, control downloads, hide ads and more …

pesieve_bluehat.pdf

hasherezade
February 07, 2019
Programming
4
1.9k

 pesieve_bluehat.pdf

Presented at BlueHatIL 2019: https://www.bluehatil.com/
Video: https://www.youtube.com/watch?v=fwo4XE2xgis

hasherezade

February 07, 2019
Tweet

More Decks by hasherezade

See All by hasherezade
Rhadamanthys and the 40 thieves - the nuts, bolts, and lineage of a multimodular stealer
hshrzd
0
110
Funky Malware Formats
hshrzd
3
22k
PE-sieve – Detecting Hooking and Code Implants
hshrzd
3
4.3k
WarCon 2018 - Building a Malwarestein. Adapting and repurposing existing malware into new projects
hshrzd
1
1.3k
Security Case Study 2017: Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine
hshrzd
1
33k
Wicked malware persistence methods
hshrzd
4
5.6k
Virus Bulletin 2016: Challenges and Approaches of Cracking Ransomware
hshrzd
2
2.6k
Security Case Study 2016: Petya - taking ransomware to the low level
hshrzd
0
820
Virus Bulletin 2015: Anonymizing VPN Services as a Botnet Monetization Strategy - Analyzing The Bunitu Botnet
hshrzd
0
730

Other Decks in Programming

See All in Programming
qmuntal/stateless のススメ
sgash708
0
120
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160
Hotwire or React? ~Reactの録画機能をHotwireに置き換えて得られた知見~ / hotwire_or_react
harunatsujita
9
4.1k
Macとオーディオ再生 2024/11/02
yusukeito
0
210
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.1k
Kotlin2でdataクラスの copyメソッドを禁止する/Data class copy function to have the same visibility as constructor
eichisanden
1
140
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
480
カラム追加で増えるActiveRecordのメモリサイズ イメージできますか?
asayamakk
4
1.6k
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
160
Realtime API 入門
riofujimon
0
110
Go言語でターミナルフレンドリーなAIコマンド、afaを作った/fukuokago20_afa
monochromegane
2
140
OpenTelemetryでRailsのパフォーマンス分析を始めてみよう(KoR2024)
ymtdzzz
4
1.6k

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
504
140k
The Cost Of JavaScript in 2023
addyosmani
45
6.6k
Side Projects
sachag
452
42k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Documentation Writing (for coders)
carmenintech
65
4.4k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Teambox: Starting and Learning
jrom
132
8.7k
What's in a price? How to price your products and services
michaelherold
243
12k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k

Transcript

  1. PE-sieve AN OPENSOURCE SCANNER FOR HUNTING AND UNPACKING MALWARE

  2. #whoami •Malware intelligence Analyst, technical blogger at Malwarebytes •open source

    & free software developer (PE-bear, PE-sieve, and many others) •writer/solver of crackmes •wrote some ransomware decryptors •makes videos related to malware analysis •wrote a chapter to a book about RE HASHEREZADE.NET

  3. agenda 1. PE-sieve – brief history 2. Capabilities & usecases

    3. Various approaches to finding code implants 4. PE-sieve implementation details

  4. PE-sieve – brief history HOW IT ALL STARTED AND WHERE

    WE ARE TODAY

  5. Why I made PE-sieve? There is a sample that couldn’t

    be automatically unpacked/identified Part of my work is about unpacking unidentified samples... ursnif

  6. Why I made PE-sieve? • When I started, I used

    to unpack samples manually • Over the years, I learned a lot about how the malware unpacks itself in the memory, and saw the patterns

  7. Why I made PE-sieve? • I am originaly a programmer,

    so I put my experience into action by automating daily tasks

  8. Why I made PE-sieve? • I collected many small, simple

    tools for particular tasks (i.e. pe_unmapper, hook_finder) • Around Christmas 2017 I combined them, creating the first version of PE- sieve: a dynamic unpacker and patch finder Memory scanner Hook_finder Pe_unmapper

  9. Why I made PE-sieve? • I use it every day,

    and keep improving it • Other malware researchers also liked it...

  10. PE-sieve in other projects • PE-sieve is a light-weight component

    • Can be used as a standalone application, or as DLL • Became a base for my other projects: • Hollows Hunter (https://github.com/hasherezade/hollows_hunter) • MalUnpack (https://github.com/hasherezade/mal_unpack)

  11. PE-sieve in other projects • Adapted in LOKI scanner (https://github.com/Neo23x0/Loki)

    PE-sieve report

  12. PE-sieve in other projects • Adapted in tknk_scanner (https://github.com/nao- sec/tknk_scanner)

    Payloads extracted by PE-sieve (via Hollows Hunter)

  13. PE-sieve stole my job... • We save a lot of

    time from manual sample unpacking: • Almost all the dumped samples allow for a malware family identification • Majority of the dumped payloads are suitable for dynamic analysis of the next stage • (minority doesn’t run properly and still needs manual unpacking) ursnif

  14. Beyond unpacking... • finding what the implanted code is •

    reconstructing the corrupt parts of the payload • converting PE into a raw format • pointing out where the hooks/patches are installed ursnif

  15. Capabilities & usecases WHAT PROBLEMS CAN IT SOLVE? Can I

    help you?

  16. PE-sieve: capabilities • Works on a live system • Focus:

    speed and simplicity of use • Passive scan, not hooking any APIs • Can be used post-infection • Generates material ready to be analyzed: not only detection, but precise details • Free & open source: https://github.com/hasherezade/pe-sieve https://github.com/hasherezade/hollows_hunter

  17. PE-sieve: capabilities Suspected... Detected!

  18. What does PE-sieve detect? • Inline hooks • Packed and

    self-modifying PE files • Replaced processes: i.e. Process Hollowing, Process Doppelgänging • Manually loaded PE-files (Reflective DLL Injection and others) • Shellcodes

  19. What PE-sieve is NOT? • Not an automated anti-malware scanner

    • It collects raw material and some indicators • but does not do automated classification • it is conceptually similar to GMER • Not a tool for analyzing memory dumps and process post-mortem analysis (try Volatility+plugins instead)

  20. Dumping modified and implanted modules Entry Point of svchost is

    patched to redirect to the implant

  21. Inline hooking detection Test case: a crackme with inline hooks

    The hooked/patched module is automatically dumped Report about patches

  22. Inline hooking detection • The TAG file, along with the

    dumped module, can be loaded to PE-bear or IDA and further analyzed

  23. Inline hooking detection Generated tags allow viewing the patches in

    their original context, and analyzing with typical tools

  24. Detecting partially erased headers Princess Locker overwrites headers of the

    implant with trash

  25. Detecting partially erased headers https://www.youtube.com/watch?v=dFJcGYUFB0s PE-sieve is still able to

    detect the remainings of the header and reconstruct the full PE

  26. Reconstructing erased imports PE-sieve with option /imp – recovering imports

    https://www.youtube.com/watch?v=YJjm5yT1rdM

  27. Use-Cases • Unpacking malware (selected sample), examining a single process:

    PE-sieve • Scanning a full system to detect hidden implants: HollowsHunter • Unpacking a big set of samples: MalUnpack (https://youtu.be/hoyHz9qSCY8)

  28. Demo #1 PE-sieve vs Process Doppelgänging https://youtu.be/4Brqslk3ni4

  29. Demo #2 PE-sieve vs Finfisher variant https://youtu.be/cQ-51Wn_Kco

  30. Various approaches of finding code implants SIMILARITIES AND DIFFERENCES WITH

    OTHER TOOLS

  31. Code implants • Malicious and non-malicious purposes: • Micro-patching applications

    without recompiling code • Packed executables • Self-modifying code • Hooking: userland rootkits, data interception, sandboxes

  32. Infecting a running process • Malware impersonates processes to run

    under their cover • Examples of the techniques: • Process Hollowing (RunPE) • Manual PE loading (various variants, including Reflective DLL injection) • Process Doppelgänging • Combinations of multiple techniques (i.e. Transacted Hollowing)

  33. Approach #1: monitoring and blocking API calls • Many AV

    products monitor called APIs to prevent installing malicious implants Blocked by AV

  34. Approach #1: monitoring and blocking API calls • Malware authors/offensive

    researchers try to evade it by finding uncommon APIs that can be used to make injection. Some newer examples: • AtomBombing technique • Process Doppelgänging

  35. Approach #1: monitoring and blocking API calls • What if

    some unknown API was used for injection? • What if we want to scan a system post-factum? • How to detect and implant without knowing how it was injected?

  36. Approach #2: search implants post-infection • Some applications use another

    approach: • search implants in the memory post-infection • Examples: • MalFind (a Volatility plugin) • RunPE detector • PE-sieve

  37. PE-sieve – implementation details OVERVIEW OF THE THE CODE &

    USED APPROACHES

  38. Just follow the artefacts... • No impersonation technique is perfect:

    they all leave some suspicious artefacts • See what was modified, see how the code area was mapped...

  39. Detection: inline hooking, self- modifying code • Code scan •

    Load the PE from the disk that corresponds to the module within the process • Detect all the sections containing code • Transform both sections into the same format (relocate to the same base, remove IAT, etc.) • Compare

  40. Code scan • Normalize and compare... After the difference is

    found, the offset and size are stored for further analysis... ec7c;CreateWindowExW->402551[400000+2551:KeygenMe V7.exe:0]

  41. Detection: impersonated process • Headers scan • Load the PE

    from the disk that corresponds to the module within the process • Are their headers matching? • When it works? • For all the techniques that rely on connecting the implanted PE to the PEB • Covers Process Hollowing, Process Doppelgänging...

  42. Headers scan • Header on disk vs header in memory

    View in memory (via Process Hacker) Corresponding file on the disk (via HxD)

  43. Detection: manually mapped PE • Working Set scan • Search

    executable memory pages that are not a part of any module • Suspicious mapping type? Other indicators? • Are they part of a PE file? Detection of PE headers /artefacts

  44. #1: Find the odd thing...

  45. #1: Find the odd thing... [-] PE in MEM_PRIVATE (vs

    typical: MEM_IMAGE) [-] RWX – very unusual protection Reflective DLL injection

  46. #2: Find the odd thing...

  47. #2: Find the odd thing... [-] PE in MEM_PRIVATE (vs

    typical: MEM_IMAGE) Process Hollowing or manually mapped PE

  48. #3: Find the odd thing...

  49. #3: Find the odd thing... [-] PE in MEM_MAPPED (vs

    typical: MEM_IMAGE) Kronos Loader

  50. #4: Find the odd thing...

  51. #4: Find the odd thing... [+] MEM_IMAGE -> OK [-]

    PE Image has no path! Process Doppelganging

  52. Summary

  53. PE-sieve: current status • Detecting anomalies • Dumping payloads from

    memory • Reconstructing corrupt payloads • Read more: • https://github.com/hasherezade/pe-sieve/wiki

  54. PE-sieve - TODO • IAT/EAT hooking detection • Classic DLL

    injection detection • Whitelisting known hooks • Bugs? Ideas? • https://github.com/hasherezade/pe-sieve/issues

  55. Thank you! Rate the talk: https://goo.gl/ xHa2U1