|
|
|
|
#1
05-10-2004, 17:08
|
|||
|
|||
|
Dynamic File Analyser for Hostile Code
Hi Guys,
You've all heard about static file analysis, where a program checks out the API calls made by an application (without running it). This is often used to determine if the file is some kind of trojan. Also is there much available to do dynamic analysis. Well i was wondering what software is available to do this. (And not crap like the API snoop type utilities) I'm talking about something a little more hard-core and job-specific. (kinda like the emulation an anti-virus uses to sandbox a virus while it analysises it) Thanks RedBull 
|
|
#2
05-10-2004, 18:25
|
|||
|
|||
|
I think we can use IDAPro to disassemly the hostile code and use some IDA x86 emulation plugins to simulate run it. Those plugins can find on Wasm site and have source code (Thank Volodya). I will try to play with them.
Regards
|
|
#3
05-16-2004, 20:51
|
||||
|
||||
|
Quote:
You can do this live analisys by using: 1 - remote debugging using sice capabilities (or using latest IDA Pro if you have it) on a dedicated machine - hxxp://www.datarescue.com/idabase/remotedebugging/index.htm 2 - bringing up a "virtual network" using VMware like done here - hxxp://www.zeltser.com/sans/gcih-practical/revmalw.html With this solutions you also have the possibility to run the monitoring tools from sysinternals and gather more infos. Hope this helps, Polaris
|
|
#4
05-17-2004, 11:07
|
|||
|
|||
|
Thank for your informations, Polaris.
I known and have read some articles on Universitas Virtualis Bibliotheca Server (hxxp://bib.universitas-virtualis.org/) about Reverse Engineering the virus and hostile code. Some titles are: - Reverse Engineering Hostile Code (pdf file) - Reverse Engineering Malware (pdf file) - Alien Autopsy: Reverse Engineering Win32 Trojans on Linux (pdf file) However, all methods request to run the virus or hostile code on a machine or virtual machine (VMWare...), and if we have some mistake or carelessness ??? I am wonder, how some AntiVirus softwares know the virus? Do they statically scan the signature in the virus code or simulating run the virus code. Almost virus uses PE packing programs to pack them. Regards
|
|
#5
05-17-2004, 22:10
|
|||
|
|||
|
Thanks guys.
I have read that document before and I guess it is too early for these types of programs to be publiclly available. (Especially not source code) hxxp://www.luna.co.uk/~elverex/ hxxp://www.cleanscape.net/programming-solutions/code-analysis/index.html hxxp://www.darpa.mil/ato/programs/dqw.htm hxxp://suif.stanford.edu/research/analysis.html The links above show that this kind of technology is very much in its infancy. TQN : Anti virus software uses three methods to find viruses. 1. Signature of the known virus 2. Heuristic rule defining what a potentially bad peice of code looks like. 3. Emulation of the virus code. Now 1 and 2 have been fairly well documented but part 3 is the most interesting. The anti-virus program sets up a "sandbox" or an area in memory to load the program (according to the PE header) and then proceeds to emulate the code. The code can be emulated at three basic levels 1. Actual code emulation of every instruction (with software emulating the registers) - this is very slow 2. Emulation of simple instructions and real live "handover" to the cpu to execute then and then return the values of the flags and registers 3. Tracing of code - This is where a breakpoint is placed between each instruction and the code is actually executed and jsut monitored by the main program - Very fast The only thing is the faster the code emulates, the less safe it is. It is not acceptable to have a virus which can infect a machine just by scanning for it! (pity heheheh) ok so the emulator sets up fake API addresses in the sandbox and sets up other areas of memory to the correct constants. [ Imagine if under some circumstances FS:[0030] was different each time the program was scanned. Then you could detect the emulator and randomly stop the program from running. ] Now the emulator "runs" the code. It marks down any calls to API's and the values held on the stack (and the values of address the pointers point to as well). (Things like file seeks, MAPI accesses, lots of calls to MapViewOfFile() etc) The same thing applies to calls made under Ring-0 (where applicable). It also can mark areas of memory that are always changing <-- asm --> mov ecx, (Length / 4) mov edi, DecryptThis push edi pop esi @looper: LodSd xor eax , key stosd loop @looper @DecryptThis: Db "Encrypted Bytes",0 <-- end asm --> So ignoring the fact that this little loop "looks" like an encryption routine, it also behaves like one... It modifies all the bytes from @DecryptThis onwards for a length of Length bytes (length / 4 dwords).. it also modifies a lot of bytes in a small instruction space and the loop executes less or the same amount of times of bytes that needs to be decrypted ..... So the sandbox engine will flag this code as very suspicous. Other things like searches for "NAVAPSVC.EXE" and other such process names in memory can trigger flags. It will also flag known code fragments (which perform common tasks) as suspicious.... But mostly modern AV emulators and heuristics is all about program flow and full dynamic analysis.... I refer you to a paper I wrote many years ago (back in the DOS days) .. the methods are useless now. [ just 'scuse the rubble site ] hxxp://www.geocities.com/prozos/protbav.txt There are still ways to defeat emulators. Benny (I Think) from 29A published a small doccie on "Defeating the perfect emulator"... He basically says you get a random number from the system (From an area of memory that only changes once every re-boot) and then run a conidtional branch based on that number. <-- asm --> call getTheNumber ; maybe it returns a number between 1 and 1000 cmp eax,100 jbe @RunTheVirus @okDone Call SetupReturnToOEP jmp OEP @RunTheVirus: Decrypt and do your shit jmp @OkDone <-- end asm --> Now the benifit is that the virus emulator might not take the branch leading to the decryption of the virus. Also the actual branch could be buiried deep within quite a few conditionals to create a really large "tree" of jmp to have to be followed. This is the only way to defeat Finite Discreet Automation Analysis. (The analyser will eventually (or should eventually) run out of different paths it can analise at once) Hmm ... l8rz lads  RedBull
|
|
#6
05-18-2004, 00:58
|
||||
|
||||
|
Quote:
By running a worm/virus on a machine to be sacrificed, you can do whatever you want. Byez, Polaris
|
|
#7
05-18-2004, 08:29
|
|||
|
|||
|
and what would you say about this
hxxp://www.woodmann.net/bart/files/shaker.zip does it look like a virus code (asm obfuscator's output) ?any ideas to improve it?
|
|
#8
07-20-2004, 23:14
|
|||
|
|||
|
I would love to get my claws on this software
hxxps://www.rootkit.com/gal_open.php?id=462 Please check it out and let me know if you have seen it before or know it or anything. I think this is a private build as I cant find it anywhere!!!
|
 |
|
|
Hybrid Mode
