Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this module, we'll cover some basic malware tricks and dive deeper into string obfuscation. You'll learn both the easy way and the hard way to deal with obfuscated strings. The hard way is to fully reverse engineer the decoding routine, re-implement it, and run your re-implementation over the strings; the easy way is to let the malware's own native code run under a debugger and do the work for you. We'll demonstrate a hybrid method, combining static and dynamic analysis, for de-obfuscating strings.

Video Transcription

00:04
Welcome to Cybrary. My name is Sean Pierce and I'm the subject matter expert for Introduction to Malware Analysis.
00:09
Today we're gonna be going over the basics of static analysis, part five: more on the basic malware tricks.
00:18
Last time we were talking about obfuscated strings and I said I was gonna show an easy way to deal with them. The hard way is to fully reverse engineer the code, really understand what's going on and then re-implement it, to write your own Python or assembly code
00:36
to do the same process to that string,
00:39
to those strings you want to deobfuscate. And if you are rewriting the assembly code just for fun, and I have done that before, you start to feel like you can just copy and paste most of it
00:53
and then you start thinking, well, why can't I just run the code? And you can. And that is the easy way: to use the native code in the malware to do the deobfuscation, because they have to do it right anyways. And it's unlikely that they have some super tricky code doing something crazy
01:12
during the deobfuscation of some string.
01:15
So we're gonna look at this.
01:19
So last time we were here,
01:22
we were looking at this decrypt string function that we had named. We don't know for sure if it's doing that, but it looks pretty obvious that it is. And we started to look at this and we said, okay, maybe it's not really encryption, true encryption; it's more like some kind of encoding.
01:41
But whatever it is, it's obfuscating these strings so that we can't easily see them.
01:46
We could right click and run our little strings command and whatever these are going to be
01:53
won't show up. So
01:56
that's why malware authors do it
01:59
so
02:00
we can jump over
02:01
to where we last had our VM.
02:04
And
02:05
We can see the bot builder is right here. But we're interested in this binary, and I haven't modified the binary in any way.
02:15
And I'm just gonna right click here and say Extract All. OllyDbg 2.0,
02:22
1.1 is still pretty popular. 2.0 has some improvements, but a lot of plugins still work with 2.0,
02:30
or excuse me, a lot of plugins still work with 1.1.
02:32
So we're just going to start executing
02:37
Before I execute, I always check the network settings to make sure it's
02:40
not connected.
02:43
Disconnected, or host-only network, can't go anywhere. So I'm gonna drag and drop this sample
02:52
onto Olly,
02:53
and Olly will begin executing. It will load up the libraries, which is what that loading was.
03:00
And it will analyze them just like it analyzed this bit of code.
03:07
And I'm gonna make this a little more readable
03:10
options.
03:13
The, uh,
03:15
default appearance is Terminal 6
03:21
and
03:23
code highlighting
03:25
Christmas tree. I like to
03:28
pay attention to the
03:32
jumps and calls.
03:36
Let's try that out.
03:38
Didn't really help much.
03:40
I want to make it more readable for people.
03:45
Low screen resolution.
03:46
I won't.
03:52
Six
03:53
change.
03:57
Okay,
03:58
that's easier to read.
04:01
Even if we are a little scrunched up.
04:08
So OllyDbg is a debugger.
04:11
It will execute one instruction at a time and will, by default, break on
04:18
the module that you've loaded, a.k.a. the module that's in the PE file.
04:24
Um,
04:25
and that's where it is right now.
04:27
And
04:29
we can see that
04:30
this memory address here, that's the memory where this executable said, I prefer to be loaded at this address,
04:41
and that's encoded in the PE header, the container for the EXE file. And IDA
04:50
also looks at that and tries to do its addressing in a similar manner, so we can use that to our advantage. We press space here and we can get a more older type of
05:05
view where it's just a linear view of
05:10
the code
05:12
and we can
05:13
go here where we see this parameter, this obfuscated string, being pushed
05:18
and we see it's at this address. It's in that
05:23
dot text section
05:24
and we can flip back over to Olly.
05:29
Where is Olly?
05:30
So in the end, of course,
05:32
I can hit Ctrl+G
05:35
for go,
05:38
and I can say
05:40
just paste that address. It's 0x because it's a hex address, and jump straight there.
05:46
Now we want the code to execute to this location.
05:49
So most of time
05:51
F2 will just put a software breakpoint there, and I've mentioned before that it's actually an INT
06:00
3 or a hex CC.
06:04
Where,
06:06
it goes, well, as soon as I hit F2 here, it went into that
06:12
address and changed out the instruction.
06:15
Some malware will look for this
06:18
and, uh,
06:20
attempt to do something strange
06:23
if it found a breakpoint there.
06:26
So a better way to do it
06:29
is by using hardware breakpoints.
06:31
So we can do that
06:33
here.
06:35
We
06:38
so find it
06:47
breakpoint.
06:50
We can say hardware breakpoint
06:54
upon execution.
06:58
So hardware break points are a bit difference in that,
07:02
there is no changing of the instruction, so the malware can't
07:11
see that the code has changed at all, because it hasn't. But instead,
07:15
this address,
07:17
uh,
07:18
this 131453A0 address was put inside the CPU and OllyDbg
07:29
said, whenever this address is executed to stop the program right there and hand control back over to me,
07:35
it's sort of like the INT 3 software breakpoint, except
07:39
we're not actually changing the code,
07:42
so it's a bit better. The catch is, there's only four hardware break points in the CPU.
07:48
It can only hold like four addresses.
07:50
There's actually like,
07:53
I think eight debug registers, but I think we can only use four of them at a time.
07:58
So I hit run
08:00
and my program will run to this. And it stopped here.
08:03
You may be wondering what's going on down here. It says it's analyzing this and that. Well,
08:09
you'll remember.
08:11
If we flip back over to IDA here, remember up here,
08:16
to resolve all the functions down here, it had to load in several libraries, so it loaded wininet, got the address to ntdll, because ntdll is always loaded into every single process.
08:28
I don't think it's possible not
08:31
to have it in there, and this, this, this stuff, and whatever those two,
08:37
whatever the dependency DLLs were to those DLLs. And so, as soon as they were loaded in, Olly started to analyze them just in case we want to jump into one of those DLLs.
08:50
But the end result is
08:52
the breakpoint triggered, and it stopped at this location,
08:58
and
08:58
with Olly
09:00
we can see that it's going to push, push,
09:03
do a move and then a call.
09:07
And that call
09:11
is
09:11
is what we named decrypt in IDA.
09:18
So we see up here
09:20
RegDeleteKey.
09:22
It was cleanup from the last function. See how much easier it is to read in IDA
09:26
that RegDeleteKey would be
09:30
in there. So
09:31
I like to do dynamic analysis with Olly and then static analysis with IDA,
09:37
so
09:39
we can do a push. And then over on the lower right hand side, we have this
09:43
stack window
09:46
and it's going the opposite direction.
09:48
I mean, it's not going the opposite direction, but the top of the stack is the top of this window. So
09:54
the lower memory address is up here.
09:58
If that makes any sense,
10:00
what if it doesn't
10:01
quite make sense? It's okay. Just play with it a bit more and get the hang of it. But it is important, as we saw with the beginning of this executable: it
10:09
manipulated the stack to use a return function, or a return instruction, to jump to its real main code,
10:20
as opposed to just a jump or call instruction, as an effort to fool disassemblers. But IDA and Olly catch that pretty fast.
10:30
Some older malware, anyways. So we saw that it's about to push another argument onto the stack. And if we flip back over to IDA,
10:43
we see that this
10:46
is referenced a few other places. It is pushed in as a parameter here,
10:52
and it's moving the address. It's moved into EAX here. And
10:56
ESI here, another EAX here in some different functions. And
11:01
so we could dive into those and try to figure out what exactly is going on here
11:07
or where this thing came from.
11:09
But I'm willing to bet since there's two things going into this decryption function
11:18
and it doesn't look like EAX
11:20
is messed with or modified or stored anywhere else, I would say this is an input and this is actually an output.
11:28
So it's handing in an address
11:33
where right now it's full of all zeros
11:37
and later is probably going to be filled with the decrypted address. I don't know for sure, but with
11:43
Olly we can find out.
11:45
So
11:46
I like to right click
11:48
and say follow in dump
11:52
right here,
11:54
and I wanna say immediate constant. So it looks at
11:58
the constant in this instruction and says, Okay, that's an address, and I say just go to that address
12:09
and we could try to figure out where exactly it is, either in the text section or the resource section or
12:16
if it's in the heap or whatever. But right now, it doesn't really matter to me.
12:22
I just want to see what happens. So I'm gonna say step over. That's gonna do that move.
12:26
Um,
12:28
and now we're on the call instruction. I'm just gonna say step over again. If I want to say step in, we could actually go through the decryption process.
12:37
But
12:37
So we see here that we just stepped over and boom, out pops
12:45
this string
12:46
and we can even see up here that Olly has
12:50
uh,
12:50
looked at that reference again
12:54
and said, okay, this is now changed, now it's an ASCII string.
12:58
So we now know that this string was obfuscated and it was easily just deobfuscated. We don't know the algorithm, but we don't really care.
13:09
we have this, which is
13:11
what we wanted.
13:13
And we can take that
13:18
I'm too sensitive.
13:20
Copy
13:24
somewhere.
13:33
It's a little trickier. With this goes. Sometimes you just want to copy the hex. Sometimes you just want to copy the memory address sometimes. Just want to copy the string
13:46
binary copy.
13:48
I'm gonna
13:48
try that.
13:52
Notepad.
13:56
That didn't really work. So
13:58
I'm just gonna open up IDA.
14:01
We can select this string.
14:09
We can hit n
14:09
to rename the string.
14:13
Following IDA's convention, we start an ASCII string name with 'a':
14:16
software
14:20
S O F T
14:24
Software, Microsoft,
14:26
Windows NT slash
14:30
Current
14:31
Version slash Console slash Namespace.
14:39
That's not gonna really work.
14:43
Those characters are probably illegal with IDA naming.
14:46
Replace the slashes with underscores.
14:58
And so that's a registry key. So I'll say
15:01
RegKey.
15:07
It's gonna complain that's a bit long, and it's gotta make the columns a bit longer.
15:13
There's some illegal character.
15:16
The bad character is, I don't know, maybe a space.
15:30
I don't know.
15:35
There it is.
15:37
So we can continue this process. Um,
15:41
we can see that it passes in another parameter. Because it's calling the same function, it's probably doing the same thing. And there's another registry key that has just come out,
15:50
and
15:52
we could do the same thing. There's another registry, or not registry, key. It's a path. It looks like some file,
15:58
0xdead.bmp.
16:03
I could do that. Another run of the call, another ASCII string results. We can see here, in the same memory space, memory location, that these,
16:17
all the strings, were allocated next to each other.
16:23
This function is not supported by Windows 9x. So that's interesting.
16:29
So if we were a good,
16:32
if we were doing
16:33
this, if we were fully reversing this malware and we knew we were gonna spend the whole day on it
16:41
I would say,
16:42
you know, record everything. You take down
16:45
everything and really document it, because documenting is the key to
16:55
really understanding how it works, even if it's documenting something that you don't think is very important, because you've gone through the trouble of finding that out, and it could become helpful later.
17:11
And bookmarks are also very useful. But I haven't
17:15
put them here yet. So this function,
17:18
or it was
17:19
dead
17:21
0xdead.bmp
17:30
path, C,
17:33
0x
17:33
dead,
17:37
dot B
17:38
M P
17:40
probably looks
17:44
uppercase.
17:53
Okay, so that's the easy way of going about
17:59
decrypting strings.
18:00
And
18:03
if you
18:03
play with Ida a lot And you seem to be doing this a lot.
18:07
then I would suggest
18:11
a plug in
18:12
put out by FireEye, I believe,
18:15
because they do a lot of reverse engineering
18:18
and it
18:21
basically uses the debugging component of Ida. And when you select a function,
18:27
you can just say, run this function with these parameters and it'll automatically decrypt something for you. And of course, this is dangerous if you're running real malware in your system. But most decryption functions
18:38
do just that, just decryption, because a malware author had to make this and he had to make it
18:44
modular and functional for him or her to keep track of,
18:52
logically separating out functionality. So it's uncommon that a decryption function would do anything else but decryption. But it is possible,
19:00
so I would err on the side of caution. And if you want to, you can run IDA inside your debugger or inside of a VM and just
19:11
no,
19:11
be cautious.
19:14
So that's it for this video. Once again, we were dealing with obfuscated strings
19:18
and instead of reverse engineering the code, we can use the hybrid analysis, leveraging both static and dynamic
19:26
techniques to
19:30
very quickly
19:30
deobfuscate strings and aid in our analysis further.
19:36
I would check into where else that 0xdead.bmp file was being referenced, and see if that is a mechanism that the malware author used to
19:48
avoid infecting themselves.
19:51
Sometimes that is the case.
19:53
Malware authors usually keep
19:56
something in their code to keep from infecting themselves, be it a registry key or
20:03
something else: a file name, process name,
20:07
a machine name. So these are indicators of
20:14
not compromise, but authorship,
20:15
because malware authors will frequently use the same
20:19
file names over and over again across different malware families. So thanks for watching.
20:26
Next class will be covering
20:29
more static analysis where we will be going through and enumerating the capabilities of the malware. I hope to see you then.
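The contrast the transcript draws between an F2 software breakpoint (a 0xCC patch that malware can spot by inspecting its own code) and a hardware breakpoint (an address placed in one of DR0-DR3 and enabled through DR7, leaving the code untouched), as an added example that is not part of the original video or of its sample. The code bytes, the call offset and the checksum routine are constructed here for illustration; the DR7 bit layout is the standard x86 one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0xCC is the one-byte INT 3 opcode a debugger writes over the first byte of an
 * instruction on F2; the original byte is kept aside and restored later. */
#define INT3_OPCODE 0xCCu

/* Constructed x86-32 bytes with the push / push / mov / call shape the transcript
 * steps through. Not taken from the sample in the video. */
static const uint8_t sample_code[] = {
    0x68, 0xA0, 0x53, 0x14, 0x13,   /* push 0x131453A0 (obfuscated string)  */
    0x68, 0x00, 0x60, 0x41, 0x00,   /* push 0x00416000 (output buffer)      */
    0x8B, 0xC8,                     /* mov  ecx, eax                        */
    0xE8, 0x1F, 0x00, 0x00, 0x00    /* call decrypt_string (rel32)          */
};
#define CALL_OFFSET 12  /* offset of the call's E8 opcode inside sample_code */

/* Software breakpoint: patch the code. 0 on success, -1 if off is out of range. */
int set_sw_breakpoint(uint8_t *code, size_t len, size_t off, uint8_t *saved)
{
    if (code == NULL || saved == NULL || off >= len)
        return -1;
    *saved = code[off];
    code[off] = INT3_OPCODE;
    return 0;
}

/* Undo the patch with the byte saved by set_sw_breakpoint. */
int clear_sw_breakpoint(uint8_t *code, size_t len, size_t off, uint8_t saved)
{
    if (code == NULL || off >= len)
        return -1;
    code[off] = saved;
    return 0;
}

/* The cheap self-check some malware does: scan its own code for 0xCC. A 0xCC that
 * appears as data (an immediate, alignment padding) is a false positive, so a
 * checksum over the function (below) is the more robust variant. */
int contains_int3(const uint8_t *code, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (code[i] == INT3_OPCODE)
            return 1;
    return 0;
}

/* FNV-1a over the code bytes: any patched byte changes the value. */
uint32_t code_checksum(const uint8_t *code, size_t len)
{
    uint32_t h = 2166136261u;
    size_t i;
    for (i = 0; i < len; i++) {
        h ^= code[i];
        h *= 16777619u;
    }
    return h;
}

/* Hardware breakpoint: the code is never modified. The address goes in DR0..DR3 and
 * DR7 enables that slot; there are only four address registers, hence four
 * breakpoints. For an execute breakpoint R/W (bits 16+4*slot) and LEN (bits
 * 18+4*slot) must both be 00 and the local-enable bit is bit 2*slot.
 * Returns dr7 unchanged for a slot outside 0..3. */
#define HW_BREAKPOINT_SLOTS 4
uint32_t dr7_enable_exec(uint32_t dr7, int slot)
{
    if (slot < 0 || slot >= HW_BREAKPOINT_SLOTS)
        return dr7;
    dr7 &= ~(0xFu << (16 + 4 * slot));  /* R/W = 00, LEN = 00: break on execution */
    dr7 |= 1u << (2 * slot);            /* L<slot> local enable                   */
    return dr7;
}

/* Replays the scenario on the constructed bytes: the F2 patch is visible to a byte scan
 * and to a checksum, and restoring the saved byte makes both checks pass again.
 * Returns 1 when every step behaved as expected, 0 otherwise. */
int sw_breakpoint_scenario(void)
{
    uint8_t buf[sizeof sample_code];
    uint8_t saved = 0;
    uint32_t clean;

    memcpy(buf, sample_code, sizeof buf);
    clean = code_checksum(buf, sizeof buf);
    if (contains_int3(buf, sizeof buf))                          return 0; /* clean code */
    if (set_sw_breakpoint(buf, sizeof buf, CALL_OFFSET, &saved))  return 0;
    if (saved != 0xE8)                                            return 0; /* call opcode kept */
    if (!contains_int3(buf, sizeof buf))                          return 0; /* scan sees 0xCC */
    if (code_checksum(buf, sizeof buf) == clean)                  return 0; /* checksum too */
    if (clear_sw_breakpoint(buf, sizeof buf, CALL_OFFSET, saved)) return 0;
    return memcmp(buf, sample_code, sizeof buf) == 0 &&
           code_checksum(buf, sizeof buf) == clean;
}

int main(void)
{
    printf("software breakpoint detectable and restorable: %s\n",
           sw_breakpoint_scenario() ? "yes" : "no");
    printf("DR7 for execute breakpoints in slots 0 and 3: 0x%08X\n",
           dr7_enable_exec(dr7_enable_exec(0, 0), 3));
    return 0;
}
```

The byte scan is the weak check because 0xCC can legitimately appear as data; the checksum catches any one-byte patch, which is why the hardware breakpoint, which writes nothing into the process, is the safer choice when the sample is suspected of checking itself.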

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor