Programmer & malware analyst • Write technical articles about malware, crackmes etc • Author of some tools for malware analysis, i.e. PE-bear, PE-sieve, libPeConv • Contractor for Malwarebytes, but today I present my personal research • More: http://hasherezade.net
brief case study: Petya.A/Not Petya – probably the most famous Malwarestein in wild 3. Wrapping and modifying executables using libPeConv 4. Demo: meet my little Malwarestein... Happy Birthday, Petya/NotPetya!
From „ PetrWrap: the new Petya-based ransomware used in targeted attacks” https:// securelist.com/petrwrap-the- new-petya-based-ransomware- used-in-targeted- attacks/77762
Modifications display good technical knowledge of their author. • Patches are made in the way that serves exactly the purpose, showing that the author did reverse engineering on the sample and understood it.
• Used methods: • Same as in commodity malware: using sources, rewriting by reverse engineering, sophiasticated patching • Malware may incorporate legitimate applications, repurposed for malicious reasons • Elements of other, known malware can be used as red herring
and reimplementing techniques • Patching and hooking malware i.e. to intercept its communication with the CnC • ...and I have my own library, that allows me to wrap malware binaries, export functions of my choice and use them as my library https://www.youtube.com /watch?v=KMcSAlS9zGE https://www.youtub e.com/watch?v=yV4 jiidyFXw
a better wiper? • What if instead of xoring it with keystream, we just overwrite it with a keystream? • Minimal patch: just one byte 88 01 -> MOV [BX+DI], AL
understanding of the binary! • It is easy to destroy something, hard to keep track on changes and undo them • It is a simple and powerful technique, but it has its limitations: the size of the patch much be possibly small to fit in the space • Workarounds? • Injecting a DLL into a process, hooking and redirecting functions... • What if we want something simpler? And allowing for persistent changes? • Thinking of it I created my own library, libPeConv
custom loading of PE files • Features: • load a PE file from a buffer without dropping it on the disk. • export any function from the PE file, providing that you know its offset and API (HexRays decompiler is your friend) • Easily hook IAT of the loaded PE files • Replace selected functions in the loaded PE file by your custom functions
a malware of your interest – you only need to know the API and RVA 1. Find the function of your interest and its offset 2. Reconstruct the API 3. Load the EXE with libPeConv and export the function 4. Use it like your local function
a one, chosen call to a particular function... This time, not the function but the address of particular call was replaced The original function „BlueScreen” is untouched and can be called elsewhere.