
Fundamentals of Network Intrusion Analysis
Malicious Code Analysis
Lab 1 – Introduction to Malware Analysis



Lab Overview
•  Lab 1 – Introduction to Malware Analysis
   –  Goals and difficulties
   –  Portable Executable (PE) structure
   –  Basic static analysis
   –  Basic dynamic analysis

•  Lab 2 – Disassembly
•  Lab 3 – Debugging and Advanced Techniques



Objectives
•  Introduction to binary analysis
   –  Understand the different objectives of malware analysis
   –  Understand the structure of a Portable Executable (PE) file
   –  Learn to do basic malware analysis using simple tools



Relevance to Intrusion Analysis
•  Why study binary analysis?
   –  Hacker tools are usually captured as binary code (no source code)
   –  Analysis is necessary to understand
      •  What a tool does
      •  How a tool works
      •  The sophistication level of the coder



Goals of Malware Analysis



Different Degrees of Analysis
•  Source Code
•  Pseudo-Source Code
•  Basic Functionality


Basic Functionality
•  Determine OS/platform/processor
•  Consider context
•  Observe code as it runs
•  Compare to malware repositories
•  Look at size, libraries, strings



Details of Functionality
•  Use a disassembler to statically study the assembly code
•  Use a debugger to study the code dynamically



Analysis Difficulties
•  Binary is large
•  Symbol table is stripped
•  Code is obfuscated – packed (compressed) or encrypted/password protected, so the real code only appears in memory after the binary unpacks itself
•  Code was optimized during compilation



Example – Raw Binary ... ¿ÿòÀ ° &` °  ÿþÝ’ `ÿþè’ ` ° Ð Ò @ Ð&` ÐJ@ €¢ z € °  ÿþÐ’ ¿ìÒ ¿ì° Çàè ã¿€Ô €Š @ € ° Ò @ Aϐ ?Ò À ’ @ € ...



Example – Hex Dump (same SPARC code as the disassembly that follows; four bytes per instruction, two instructions per line, in memory order)
...
9D E3 BF 88  F0 27 A0 44
90 10 20 01  D0 27 BF EC
D0 07 A0 44  80 A2 20 00
14 80 00 04  01 00 00 00
10 80 00 0C  01 00 00 00
D0 07 BF EC  D2 07 A0 44
40 00 43 19  01 00 00 00
D0 27 BF EC  D0 07 A0 44
92 02 3F FF  D2 27 A0 44
10 BF FF F2  01 00 00 00
D0 07 BF EC  B0 10 00 08
10 80 00 02  01 00 00 00
81 C7 E0 08  81 E8 00 00
...



Example – Disassembly
...
loc_10B0C:
    lduw    [%fp+arg_44], %o0
    cmp     %o0, 0
    bg      loc_10B24
    nop
    ba      loc_10B4C
    nop
loc_10B24:
    lduw    [%fp+var_14], %o0
    lduw    [%fp+arg_44], %o1
    call    __umul
    nop
    stw     %o0, [%fp+var_14]
    lduw    [%fp+arg_44], %o0
    add     %o0, -1, %o1
    stw     %o1, [%fp+arg_44]
    ba      loc_10B0C
    nop
loc_10B4C:
    lduw    [%fp+var_14], %o0
    mov     %o0, %i0
    ba      locret_10B5C
    nop
...



Example – Source Code
int factorial(int num)
{
    int fact = 1;
    while (num > 0) {
        fact = fact * num;
        num--;
    }
    return fact;
}


PE Structure



Portable Executable Format
•  The Portable Executable (PE) format is the standard executable format for Windows executables, DLLs and drivers. It was designed to be portable across all 32-bit Microsoft operating systems; the same layout, with a PE32+ optional header, carries 64-bit Windows binaries as well.
•  The analogous file format for Linux is the Executable and Linkable Format (ELF).





PE Sections
•  Import Info – Functions imported from various DLLs
•  Export Info – Functions exported (if this PE is a DLL)
•  Resource Info – Storage of Windows resources (icons, menus, dialog boxes)
•  Debug Info – If debug info is included
   –  The PE header locates each of these through its data directory; they are conventionally stored in the .idata, .edata, .rsrc and .debug sections, but a linker or packer may place them in any section, so follow the directory pointers rather than the section names.


PE Segments
•  read-only: code and ro data
•  read/write: rw data
   –  All the loadable sections are packed into the appropriate segments so the system can map the file.
   –  In a PE each section header carries characteristics flags (IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE) that tell the loader how to map it: typically .text is read/execute, .rdata read-only and .data read/write. A section that is both writable and executable is a common sign of a packed or self-modifying binary.



Types of Malware Analysis
•  Two broad categories of analysis
   –  Static Analysis (not running the code)
   –  Dynamic Analysis (running the code)
•  More advanced techniques, such as disassembly and debugging, will be discussed in the next two sections.
•  Here we begin with basic analysis techniques.




Considerations in Tool Choice
•  Processor
   –  SPARC, Intel
•  Working environment
   –  NT, Linux, Solaris
•  Underlying source code
   –  C, Java



Basic Tools - Overview
•  Dynamic
   –  Wireshark
   –  Process Monitor
   –  RegSnap
   –  OllyDbg
   –  LordPE
   –  ImportRec
•  Static
   –  IDA Pro
   –  PEView
   –  MSDN Library
   –  Strings utility
   –  Framework and Repository for Exploit Experimentation (FREE)


Dynamic Analysis



Running Code
•  Get the code going on a machine and then use basic tools to observe behavior:
   –  Capture packets with Wireshark
   –  Use Process Monitor
   –  Use RegSnap
•  Run the sample only in an isolated virtual machine with a clean snapshot and no route to production networks; take the RegSnap baseline and start the Wireshark and Process Monitor captures before the sample starts, then diff and review after it has run.



The “mons”
•  Process Monitor is a monitoring tool that shows Registry, file system, network and process/thread activity in real time.
•  ListDLLs lists all DLLs currently loaded, including where they are loaded and their version numbers.



The “mons” II
•  Handle
   –  a command-line utility that shows which files are opened by which processes.
•  Process Explorer
   –  shows files, registry keys, and other objects that processes have loaded.
•  Fport
   –  shows which running processes are bound to a port and the absolute path of the calling program. (Fport targets Windows 2000/XP; on current Windows, netstat -b -o or Sysinternals TCPView give the same port-to-process mapping.)
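The Running Code slide above lists the captures to take; the slide on the “mons” describes what Process Monitor records. As an added example, not part of the lab and not Sysinternals’ own tooling, the Python script below triages a Process Monitor CSV export the way an analyst would after a run on the lab machine: for one process name it collects the files it wrote, the registry values it set (flagging Run-key persistence), the remote endpoints it connected to, the images it loaded and the child processes it created, and correlates dropped files with spawned processes. The CSV lines are constructed to follow the column layout of Procmon’s default export; the process names, paths, PIDs and the 203.0.113.7 endpoint are invented for the demonstration.

```python
import csv
import io
import re

# Constructed sample in the shape of a Process Monitor CSV export (default
# columns); the events, paths, PIDs and the 203.0.113.7 endpoint are invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","Process Start","","SUCCESS","Parent PID: 800"
"10:01:02.2","sample.exe","1234","Load Image","C:\Windows\System32\ws2_32.dll","SUCCESS","Image Base: 0x76a00000"
"10:01:02.3","sample.exe","1234","CreateFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.4","sample.exe","1234","WriteFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 61,440"
"10:01:02.5","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\svchost.exe"
"10:01:03.0","sample.exe","1234","TCP Connect","lab-vm:49832 -> 203.0.113.7:4444","SUCCESS","Length: 0"
"10:01:03.1","sample.exe","1234","Process Create","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","PID: 1300"
"10:01:03.2","explorer.exe","900","RegQueryValue","HKCU\Software\Classes\exefile","NAME NOT FOUND",""
'''

FILE_WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
NET_OPS = {"TCP Connect", "TCP Reconnect", "TCP Send", "UDP Send"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def triage(csv_text, process_name):
    """Summarise one process's observable behaviour from a Procmon CSV export."""
    r = {k: set() for k in ("files_written", "registry_written", "persistence",
                            "network", "children", "dlls")}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op in FILE_WRITE_OPS or (op == "CreateFile" and "Generic Write" in detail):
            r["files_written"].add(path.lower())
        elif op in REG_WRITE_OPS:
            r["registry_written"].add(path)
            if RUN_KEY.search(path):              # autostart entry = persistence
                r["persistence"].add(path)
        elif op in NET_OPS:                       # Path column is "local -> remote"
            r["network"].add(path.split(" -> ")[-1])
        elif op == "Process Create":              # Path column is the child's image
            r["children"].add(path.lower())
        elif op == "Load Image":
            r["dlls"].add(path.rsplit("\\", 1)[-1].lower())
    # a file the sample wrote and then executed is the dropper pattern worth flagging
    r["dropped_and_run"] = r["files_written"] & r["children"]
    return r


if __name__ == "__main__":
    for key, values in triage(SAMPLE_CSV, "sample.exe").items():
        print(f"{key:17} {sorted(values)}")
```

Procmon’s CSV export starts with a UTF-8 byte-order mark, so open a real export with encoding="utf-8-sig". Filter to the sample’s whole process tree in Procmon before exporting, or run triage once per child name as well: in the constructed data the dropped svchost.exe continues under its own name and PID, which a single process-name match would miss.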


Static Analysis



Tools - PEView
•  Breaks down EXE headers for Microsoft’s Portable Executable (PE) format
•  Displays imported and exported functions



Tools - PEView
•  Utility dissects the various PE headers
•  GUI interface allows easy browsing of all PE sections
•  Easy to identify imported DLLs and functions used by an EXE
•  Some imported DLLs can give clues about the functionality of the EXE (ws2_32.dll or wininet.dll suggest networking, advapi32.dll registry or service access; a tiny import table holding little more than LoadLibrary and GetProcAddress suggests a packer that resolves its real imports at run time)
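The PE Sections and PE Segments slides describe the data directories and section flags, and the PEView slides describe browsing them. The following added example is not from the lab and not PEView’s code: it is a minimal PE header and import-table walker in Python that reproduces what PEView shows, namely the COFF header (machine, section count, timestamp), PE32 versus PE32+, the section table with its read/write/execute characteristics, and the DLLs and functions listed in the import directory. So that it runs offline, it also builds a tiny synthetic PE32 image with one .text section importing ExitProcess and WriteFile from kernel32.dll; that image, its timestamp and its layout are constructed for the demonstration and do not come from any real binary.

```python
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_SCN_MEM = ((0x40000000, "R"), (0x80000000, "W"), (0x20000000, "X"))


def perms(flags):
    """Render IMAGE_SCN_MEM_READ/WRITE/EXECUTE section flags as 'RWX' letters."""
    return "".join(c for bit, c in IMAGE_SCN_MEM if flags & bit)


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return rva - s["rva"] + s["raw_off"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data):
    """Walk DOS -> PE signature -> COFF -> optional header -> sections -> imports."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B          # PE32+ magic
    ndirs = struct.unpack_from("<I", data, opt + (108 if is64 else 92))[0]
    dirs = opt + (112 if is64 else 96)                             # first data directory
    sections = []
    for i in range(nsect):
        name, vsize, rva, raw_size, raw_off, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                         "raw_off": raw_off, "raw_size": raw_size, "flags": flags})
    imports = {}
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0] if ndirs > 1 else 0
    desc = rva_to_offset(sections, imp_rva) if imp_rva else None
    width, fmt = (8, "<Q") if is64 else (4, "<I")
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if not name_rva:                                            # null descriptor ends table
            break
        funcs = []
        thunk = rva_to_offset(sections, oft or ft)                  # INT, else the IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]):
            if entry >> (8 * width - 1):                            # high bit: import by ordinal
                funcs.append(f"#{entry & 0xFFFF}")
            else:                                                   # else RVA of hint/name
                funcs.append(cstr(data, rva_to_offset(sections, entry) + 2))
            thunk += width
        imports[cstr(data, rva_to_offset(sections, name_rva))] = funcs
        desc += 20
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": is64,
            "timestamp": stamp, "sections": sections, "imports": imports}


def build_sample_pe():
    """Constructed PE32 image (not a real program): one .text section whose bytes
    hold an import table for kernel32!ExitProcess and kernel32!WriteFile."""
    FILE_ALIGN, SECT_RVA, RAW_OFF = 0x200, 0x1000, 0x200
    body = bytearray(40)                                    # one descriptor + null terminator

    def put(blob):                                          # append blob, return its RVA
        rva = SECT_RVA + len(body)
        body.extend(blob)
        return rva

    names = [put(struct.pack("<H", 0) + f.encode() + b"\0") for f in ("ExitProcess", "WriteFile")]
    int_rva = put(struct.pack("<3I", *names, 0))            # Import Name Table
    iat_rva = put(struct.pack("<3I", *names, 0))            # Import Address Table
    dll_rva = put(b"kernel32.dll\0")
    body[:20] = struct.pack("<5I", int_rva, 0, 0, dll_rva, iat_rva)
    body.extend(bytes(FILE_ALIGN - len(body)))

    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, RAW_OFF)       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, SECT_RVA, 40)         # DataDirectory[1] = imports
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, len(opt), 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), SECT_RVA, len(body), RAW_OFF,
                       0, 0, 0, 0, 0x60000020)              # CODE | MEM_EXECUTE | MEM_READ
    hdr = bytearray(64) + b"PE\0\0" + coff + opt + sect
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                   # e_lfanew -> PE signature
    hdr.extend(bytes(RAW_OFF - len(hdr)))
    return bytes(hdr + body)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], "PE32+" if info["pe32plus"] else "PE32", f"stamp={info['timestamp']:#x}")
    for s in info["sections"]:
        print(f"  {s['name']:8} rva={s['rva']:#07x} raw={s['raw_off']:#x}+{s['raw_size']:#x} {perms(s['flags'])}")
    for dll, funcs in info["imports"].items():
        print(f"  {dll}: {', '.join(funcs)}")
```

Point parse_pe at the bytes of a real file to see the same view PEView gives; a section reported as RWX, or an import list that is suspiciously short, is the packer clue the slide above describes.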


Tools - Strings
•  Strings is simple, but can give interesting information very quickly.
   strings [-a] [-number] binary
   –  finds printable strings in an object or binary file
   –  -a scans the whole file rather than only the initialised data sections; -number sets the minimum run length (default 4)
   –  Unix strings reports only 8-bit character runs, so the UTF-16 strings common in Windows binaries are missed unless the tool supports a wide encoding (-e l in GNU binutils strings) or the Sysinternals strings utility is used




