A Survey of Obfuscations in Prevalent Packer Tools

Size: px

Start display at page:

Download "A Survey of Obfuscations in Prevalent Packer Tools"

Domenic Lindsey
5 years ago
Views:

1 A Survey of Obfuscations in Prevalent Packer Tools Kevin Roundy Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin March 26,

2 Types of program analysis Source code Friendly binary Uncooperative binary Hostile binary loop CFG Function Basic block mov eax, *[ebp+8] leave ret 2

3 Analysis building blocks Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the code 6. Trace code s execution Tools Toolkit: o Interactive debuggers Defensive-mode Dyninst o Automated Interactive debuggers testing o Combinatorial testing o Automated testing Code-coverage test generation o Combinatorial testing o Fault localization o Code-coverage test generation o Backwards slicing o Fault localization Correlation of statement o Backwards slicing executions and test failures o Correlation of statement executions and test failures o Taint analysis o Vulnerability analysis o Vulnerability analysis Symbolic evaluation o Taint analysis o Symbolic evaluation 3

4 Analysis building blocks Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the code 6. Trace code s execution Toolkit: Defensive-mode Dyninst o Interactive debuggers o Automated testing o Combinatorial testing o Code-coverage test generation o Fault localization o Backwards slicing o Correlation of statement executions and test failures o Vulnerability analysis o Taint analysis o Symbolic evaluation 4

5 Binary packing tools Fast, Small, Good Open source crossplatform Open Antireverse source engineer- crossplatforing Packer Malware market share* OVERALL 75%-80% UPX 9.45% PolyEnE 6.21% PECompact 2.59% Upack 2.08% npack 1.74% ASPack 1.29% FSG 1.26% Nspack 0.89% ASProtect 0.43% Armadillo 0.37% Yoda s Prot. 0.33% WinUpack 0.17% MEW 0.13% * Packer (r)evolution. Panda A Survey Research, of Prevalent Two-month Obfuscations average Feb-March

6 Outline Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the binary 6. Trace code s execution a. Code packing b. Code overwriting 6

7 Code packing Code packing Storm Worm Aspack Entry Point 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 7a e e9 c0 3d 73 e0 1c e a c0 d8 45 6a be d e 4b 80 fe af c c 1c b6 88 f a 32 d8 f5 6a 07 d0 b b 21 fe af c0 0c 73 b6 1c f a f5 d8 07 6a b6 d b 0c 85 a5 94 2b 20 fd 5b 95 e7 c a d9 83 a1 37 1b 2f b c 22 8e c0 73 1c 88 8e c c e 7

8 Code overwriting Code packing Code overwriting 1B - 8KB Entry Point Storm Worm Aspack Entry Point malware Upack 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 7a e e9 c0 3d 73 e0 1c e a c0 d8 45 6a be d e 4b 80 fe af c c 1c b6 88 f a 32 d8 f5 6a 07 d0 b b 21 fe af c0 0c 73 b6 1c f a f5 d8 07 6a b6 d b 0c 85 a5 94 2b 20 fd 5b 95 e7 c a d9 83 a1 37 1b 2f b c 22 8e c0 73 1c 88 8e c c e 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 73 1c a d8 6a d0 56 4b fe af 40 0c b6 f f5 07 b c 85 a5 94 2b 20 fd 79 5e c0 73 1c a d8 5b 95 e7 c a d9 83 a1 37 1b 2f b c 22 8e d9 83 a1 37 1b 2f b c 22 8e 63 8

9 Outline Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the binary 6. Trace code s execution a. Unresolvable control flow b. Call-stack tampering c. Signals and exceptions d. Ambiguous code & data e. Disassembler fuzzing 9

10 Unresolvable control flow invalid target non-standard indirect non-standard return call jmp eax call ptr[eax] push eax ret Invalid Region??? 10

11 Call-stack tampering Storm Worm Address 40d a 0b 0c 0d Bytes e e9 eb 04 5d c3 CALL JMP 40d00a 459dd4f7 JMP POP INC PUSH RET 40d00e ebp ebp ebp 11

12 Exception-based control flow Popov, Debray, Andrews. Usenix Danekhar access violation handler mov *[ebp],eax mov 402d8a,edx mov edx,*[eax+b8] xor eax,eax mov ecx,*[eax] push eax... Exception State eip eip d8a... Operating System 12

13 Ambiguous code and data o Bytes after call instructions o Junk after exception-raising instruction o In-place decryption of unpacked code Yoda s Protector 13

14 Outline Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the binary 6. Trace code s execution a. Missing call/ret instructions b. Extra call/ret instructions c. Overlapping functions d. Overlapping basic blocks 14

15 Outline Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the binary 6. Trace code s execution a. Missing call/ret instructions b. Extra call/ret instructions c. Overlapping functions d. Overlapping basic blocks 15

16 Extra call/ret instructions call <targ> mov edi,esi pop ebp push <targ> ret jmp <targ> call <targ> pop ebp call <targ> jmp <targ2> pop esi 17

17 Overlapping functions Function Function Function 18

18 Overlapping functions Function Function Function Optional preamble Shared teardown code 19

19 0x x45401b 0x45401e Overlapping blocks Address Bytes b8 eb 07 b9 eb 0f 90 eb 08 fd eb 0b Block 1 mov eax, ebb907eb seto bl or ch,bh jmp 45402e Block 2 jmp 45402c Block 3 jmp

20 Overlapping blocks Address a 1b 1c 1d 1e 1f Bytes e e9 eb 04 5d c3 Block 1 mov eax, ebb907eb seto bl or ch,bh jmp 45402e Block 2 Block 3 jmp 45402c jmp

21 Outline Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the binary 6. Trace code s execution a. Obfuscated constants b. ABI violations c. Do-nothing code 22

22 Outline Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the binary 6. Trace code s execution a. Self-checksumming b. Stolen bytes c. Anti-unpacking 23

23 Self-checksumming process Bootstrap code checksum routine xor eax, eax Payload code add eax, ptr[ebx] add 4, ebx cmp ebx, 0x41000 jne.loop cmp eax,.chksum jne.fail Binary file pass fail 24

24 Stolen bytes Import Address Table.loadlibrary call ptr [IAT-entry] kernel32.dll loadlibrary malware.exe mov edi, edi push ebp mov ebp, esp cmp ptr[ebp+8],0 Import Address Table malware.asprotect.exe.loadlibrary mov edi, edi push ebp mov ebp, esp cmp ptr[ebp+8],0 call buffer.stolen kernel32.dll loadlibrary kernel32.dll.stolen kernel32.dll mov edi, edi push ebp mov ebp, esp cmp ptr[ebp+8],0 buffer 25

25 Outline Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the binary 6. Trace code s execution a. Stolen bytes b. Non-standard API calls c. Anti-debugging 27

26 Outline Analysis steps 1. Extract code bytes 2. Disassemble 3. Identify functions 4. Build comprehension tools 5. Patch/modify the binary 6. Trace code s execution 30

27 Adapting Dyninst for Malware Analysis tool Mutator program binary 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 CFG be 79 5e c0 73 1c a d8 6a d0 56 4b fe af 40 0c b6 f f5 07 b Control flow analyzer Dyninst Data flow analyzer Instrumenter Malware Analysis and Instrumentation 31

28 Adapting Dyninst for Malware printf( ) Analysis tool Code snippets gettarget(insn) counter++ if (pred) callback( ) Mutator program binary 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 CFG be 79 5e c0 73 1c a d8 6a d0 56 4b fe af 40 0c b6 f f5 07 b SR- Dyninst static-dynamic analysis Sensitivity Control flow analyzer Data flow analyzer Resistant Instrumenter Instrumenter Instrumenter 32

Agenda. Motivation Generic unpacking Typical problems Results

Agenda. Motivation Generic unpacking Typical problems Results Who we are Product: ewido security suite Protection against Trojans, Adware, Spyware,... First release: Christmas 2003 Emulation research since 2002 Used for generic unpacking Agenda Motivation Generic