Welcome to Cybrary. My name is Sean Pierce and I'm the subject matter expert for Introduction to Malware Analysis.

Today we're going to be going over the basics of static analysis, part five: more on the basic malware tricks.

Last time we were talking about obfuscated strings, and I said I was going to show an easy way to deal with them. The hard way is to fully reverse engineer the code, really understand what's going on, and then re-implement it: write your own Python or assembly code to do the same process to those strings you want to deobfuscate. And if you are rewriting the assembly code just for fun, and I have done that before, you start to feel like you can just copy and paste most of it, and then you start thinking, well, why can't I just run the code? And you can. And that is the easy way: to use the native code in the malware to do the deobfuscation, because they have to do it right anyway, and it's unlikely that they have some super tricky code doing something crazy during the deobfuscation of some string.

So we're going to look at this.
So last time we were here, we were looking at this decrypt string function that we had named. We don't know for sure if it's doing that, but it looks pretty obvious that it is. And we started to look at this, and we said, okay, maybe it's not really encryption; it's more like some kind of encoding. But whatever it is, it's obfuscating these strings so that we can't easily see them. We could right-click and run our little strings command, and whatever these are going to be won't show up. So that's why malware authors do it.

Where we last had our VM, we can see the bot builder is right here. But we're interested in this binary, and I haven't modified the binary in any way. And I'm just going to right-click here and say extract all. OllyDbg 2.0: 1.1 is still pretty popular, 2.0 has some improvements, but a lot of plugins still work with 2.0... or, excuse me, a lot of plugins still work with 1.1.
So we're just going to start executing. Before I execute, I always check the network settings to make sure it's disconnected, or host-only network, so it can't go anywhere. So I'm going to drag and drop this sample, and Olly will begin executing. It will load up the libraries, which is what that loading was. And it will analyze them just like it analyzed this bit of code.

And I'm going to make this a little more readable. Default appearance: font Terminal 6, Christmas tree highlighting. I like to... that didn't really help much. I want to make it more readable for people with a low screen resolution. That's easier to read, even if we are a little scrunched up.

So OllyDbg is a debugger. It will execute one instruction at a time and, by default, break on the module that you've loaded, a.k.a. the module that's in the PE file, and that's where it is right now. This memory address here, that's the memory where this executable said "I prefer to be loaded at this address," and that's encoded in the PE header, the container for the EXE file. And IDA also looks at that and also tries to do its addressing in a similar manner, so we can use that to our advantage. We press space here and we can get a more old-style view, where it's just a linear view. Go here, where we see this parameter of this obfuscated string being pushed, and we see it's at this address. And we can flip back over to Olly. So we just paste that address; it's 0x because it's a hex address, and jump straight there.
Now we want the code to execute to this location. F2 will just put a software breakpoint there, and I've mentioned this before, I've mentioned that it's actually an INT 3. As soon as I hit F2 here, it went into that address and changed out the instruction. Some malware will look for this and attempt to do something strange if it found a breakpoint there.

So a better way to do it is by using hardware breakpoints. We can say hardware breakpoint. So hardware breakpoints are a bit different in that there is no changing of the instruction, so the malware can't see that the code has changed at all, because it hasn't. But instead, this 1 3 1 4 5 3 A 0 address was put inside the CPU, and the debugger said, whenever this address is executed, stop the program right there and hand control back over to me. It's sort of like the software breakpoint, except we're not actually changing the code, so it's a bit better. The catch is, there's only four hardware breakpoints in the CPU. It can only hold like four addresses. There's actually, I think, eight debug registers, but I think we can only use four of them at a time.

And my program will run to this. And it stopped here.
You may be wondering what's going on down here. It says it's analyzing this and that. Well, if you flip back over to IDA here, remember up here, to resolve all the functions down here, it had to load in several libraries. So it loaded WinINet, got the address to ntdll, because ntdll is always loaded into every single process. I don't think it's possible not to have it in there. And this, this, this stuff, and whatever those two... whatever the dependency DLLs were to those DLLs. And so, as soon as they were loaded in, Olly started to analyze them just in case we want to jump into one of those DLLs. But the end result is the breakpoint triggered, and it stopped at this location.

We can see that it's going to push, push, do a move, and then a call to what I named decrypt in IDA. It was cleaned up from the last function; see how much easier it is to read in IDA. I like to do dynamic analysis with Olly and then static analysis with IDA.

We can do a push, and then over on the lower right-hand side we have this, and it's going the opposite direction. I mean, it's not going the opposite direction, but the top of the stack is the top of this window, so the lower memory address is up here, if that makes any sense. If it doesn't quite make sense, it's okay. Just play with it a bit more and get the hang of it. But it is important, as we saw with the beginning of this executable: it manipulated the stack to use a return function, or a return instruction, to jump to its real main code, as opposed to just a jump or call instruction, as an effort to fool disassemblers. But IDA and Olly catch that pretty fast.
Some older malware, anyway. So we saw that it's about to push another argument onto the stack, and if we flip back over to IDA, we see that this is referenced in a few other places. It's pushed in as a parameter here, and it's moving the address; it's moved into EAX here, and yes, here's another EAX here in some different functions. And so we could dive into those and try to figure out what exactly is going on here, or where this thing came from. But I'm willing to bet, since there's two things going into this decryption function, and it doesn't look like EAX is messed with or modified or stored anywhere else, I would say this is an input and this is actually an output. So it's handing in an address where right now it's full of all zeros, and later it's probably going to be filled with the decrypted address. I don't know for sure, but with Olly we can find out.

I like to right-click and say follow in dump, and I want to say immediate constant. So it looks at the constant in this instruction and says, okay, that's an address, and I say just go to that address. And we could try to figure out where exactly it is, either in the .text section or the resource section, or if it's in the heap or whatever. But right now it doesn't really matter to me. I just want to see what happens. So I'm going to say step over; it's going to do that move, and now we're on the call instruction. I'm just going to say step over again. If I wanted to say step in, we could actually go through the decryption process.

So we see here that we just stepped over, and boom, out it pops. And we can even see up here, Olly has looked at that reference again and said, okay, this has now changed; it's now an ASCII string. So we now know that this string was obfuscated, and it was easily just deobfuscated. We don't know the algorithm, but we don't really care.
We have this, which is... and we can take that. It's a little trickier; with this, sometimes you just want to copy the hex, sometimes you just want to copy the memory address, sometimes you just want to copy the string. That didn't really work, so I'm just going to open up IDA. You can select this string to rename the string. Following IDA's convention, we start an ASCII string with an "a". Version slash console slash namespace. That's not going to really... Those characters are probably illegal in IDA naming. Replace the slashes with underscores. And so that's a registry key, something to say. It's going to complain that's a bit long, and it's got to make the columns longer. There's some illegal character. The bad character is, I don't know, maybe a space.

So we can continue this process. We can see that it passes in another parameter; because it's calling the same function, it's probably doing the same thing. And there's another registry key that has just come out. We could do the same thing. There's another registry... or not a registry key, it's a path; it looks like some file. I could do that. Another one of the calls, another ASCII string. We can see here, in the same memory space, memory location, that all the strings were allocated next to each other. "This function is not supported by Windows 9x." So that's interesting.

So if we were a good... if we were fully reversing this malware and we knew we were going to spend the whole day on it, you know, record everything. You take down everything and really document it, because documenting is the key to really understanding how it works, even if it's documenting something that you don't think is very important, because you've gone through the trouble of finding that out, and it could become helpful later. And bookmarks are also very useful, but I haven't put them in here yet. So this function: 0xdead.bmp.
Okay, so that's the easy way of going about it. If you play with IDA a lot and you seem to be doing this a lot, there's one that I would suggest, put out by FireEye, I believe, because they do a lot of reverse engineering. It basically uses the debugging component of IDA, and when you select a function, you can just say, run this function with these parameters, and it'll automatically decrypt something for you. And of course, this is dangerous if you're running real malware on your system. But most decryption functions do just that, just decryption, because a malware author had to make this, and he had to make it modular and functional for him, or her, to keep track of, logically separating out functionality. So it's uncommon that a decryption function would do anything else but decryption. But it is possible, so I would err on the side of caution. And if you want to, you can run IDA inside your debugger, or inside a VM, and just...

So that's it for this video. Once again, we were dealing with obfuscated strings, and instead of reverse engineering the code, we can use hybrid analysis, leveraging both static and dynamic, to deobfuscate strings and aid our analysis further. If I were you, I would check into where else that 0xdead.bmp file was being referenced, and see if that is a mechanism which the malware author used to avoid infecting themselves. Sometimes that is the case. Malware authors usually keep something in their code to keep from infecting themselves, be it a registry key or something else: a file name, a process name, a machine name. So these are indicators of, not compromise, but authorship, because malware authors will frequently use the same file names over and over again across different malware families. So thanks for watching.

Next class we'll be covering more static analysis, where we will be going through and enumerating the capabilities of the malware. I hope to see you then.
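An added example, not part of the lecture and not code from OllyDbg or IDA, that simulates in Python the difference the lecture draws between an F2 software breakpoint (the INT 3 byte patched into the code, which a sample that checksums its own code can notice) and a hardware breakpoint (an address held in one of the four DR0-DR3 debug registers, with the code left untouched). The code bytes, the 0x401000 base address and the buffer addresses are constructed for this example, and the SHA-256 over the code bytes stands in for whatever integrity check a sample might perform; the SimCpu class and its method names are hypothetical.

```python
"""Simulated software (INT 3) versus hardware (DR0-DR3) breakpoints.

Constructed for illustration: a tiny 32-bit x86 code region shaped like the
lecture's push / push / mov / call sequence, loaded at a made-up base.
"""
import hashlib

INT3 = 0xCC            # opcode that a software breakpoint writes over the target byte
NUM_HW_SLOTS = 4       # DR0-DR3 hold addresses; DR6 is status, DR7 is control

BASE = 0x401000        # constructed image base
CODE = bytes.fromhex(
    "68 00 30 40 00"   # push 0x403000   ; output buffer (constructed address)
    "68 20 30 40 00"   # push 0x403020   ; obfuscated string (constructed address)
    "8B C8"            # mov  ecx, eax
    "E8 00 10 00 00"   # call +0x1000    ; the decrypt routine (constructed target)
    "83 C4 08"         # add  esp, 8
)
CALL_ADDR = BASE + 12  # offset of the E8 call instruction above


class SimCpu:
    """Minimal model of the code bytes plus the CPU's debug address registers."""

    def __init__(self, base, code):
        self.base = base
        self.code = bytearray(code)
        self.sw_bps = {}                 # addr -> original byte saved by the debugger
        self.dr = [None] * NUM_HW_SLOTS  # DR0..DR3

    def read(self, addr, n):
        off = addr - self.base
        return bytes(self.code[off:off + n])

    def set_software_bp(self, addr):
        """F2 in OllyDbg: save the original byte and write INT 3 in its place."""
        off = addr - self.base
        self.sw_bps[addr] = self.code[off]
        self.code[off] = INT3

    def clear_software_bp(self, addr):
        self.code[addr - self.base] = self.sw_bps.pop(addr)

    def set_hardware_bp(self, addr):
        """Put the address in a free debug register; the code is not modified."""
        for i, slot in enumerate(self.dr):
            if slot is None:
                self.dr[i] = addr
                return i
        raise RuntimeError("all four debug address registers are in use")

    def breakpoint_hit(self, pc):
        """Would executing at pc trap to the debugger?"""
        return self.code[pc - self.base] == INT3 or pc in self.dr


def code_checksum(cpu):
    """What a self-checking sample could compute over its own code region."""
    return hashlib.sha256(bytes(cpu.code)).hexdigest()


def code_tampered(cpu, golden):
    """Detection as a sample would see it: does the code still hash to the baseline?"""
    return code_checksum(cpu) != golden


def run_demo():
    """Compare the two breakpoint styles on the constructed code region."""
    cpu = SimCpu(BASE, CODE)
    golden = code_checksum(cpu)

    cpu.set_software_bp(CALL_ADDR)
    sw_visible = code_tampered(cpu, golden)      # True: the 0xCC byte changed the hash
    sw_traps = cpu.breakpoint_hit(CALL_ADDR)
    cpu.clear_software_bp(CALL_ADDR)

    slot = cpu.set_hardware_bp(CALL_ADDR)
    hw_visible = code_tampered(cpu, golden)      # False: nothing in the code changed
    hw_traps = cpu.breakpoint_hit(CALL_ADDR)

    # The "only four" limit: DR0-DR3 fill up, a fifth address has nowhere to go.
    for addr in (BASE, BASE + 5, BASE + 10):
        cpu.set_hardware_bp(addr)
    try:
        cpu.set_hardware_bp(BASE + 17)
        fifth_rejected = False
    except RuntimeError:
        fifth_rejected = True

    return {
        "software_bp_detectable": sw_visible, "software_bp_traps": sw_traps,
        "hardware_bp_detectable": hw_visible, "hardware_bp_traps": hw_traps,
        "hardware_slot_used": slot, "fifth_hardware_bp_rejected": fifth_rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both breakpoint styles stop execution at the call, but only the software one leaves a byte for the sample's own integrity check to find, which is the reason the lecture reaches for a hardware breakpoint on the decrypt call and then steps over it to read the output buffer.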