How To Write Malware and Learn How To Fight It!

This document discusses analyzing malware through reverse engineering techniques. It begins by stating the goal is to understand how malware authors think in order to better analyze malicious code, not to teach people how to write malware. It then provides examples of reversing malware written in .NET and discusses challenges like anti-analysis tricks and virtual machine based obfuscation. It emphasizes that reverse engineering does not always require reading assembly and provides alternative approaches. Finally, it introduces an emulator called Sojobo that can be used to analyze malware.


How to write malware and learn how to fight it!

Antonio ‘s4tan’ Parata
Disclaimer

This presentation is not intended to teach the bad guys how to write malware. There are already too many “education purpose projects” on GitHub, we don’t need another one :)

The goal of the presentation is to show how to analyze malicious code by considering how a malware author thinks.

But remember… CODING IS NOT A CRIME!


whoami.exe

We have more Cyber-Security gurus on LinkedIn than IPv4 addresses

01 Fourth time attendee at HackInBo (three as speaker)

02 Senior Security Researcher CrowdStrike

03 Owasp Italy Board since 2006

04 Phrack Author
http://www.phrack.org/papers/dotnet_instrumentation.html

05 Passionate F# developer
https://github.com/sponsors/enkomio
whoami.exe

Taipan Web Vulnerability Scanner - https://taipansec.com


Cyber-Crime

■ We are not talking about amateur malware (skiddies writing a .NET RAT and posting it on HackForums)
■ Professional cyber-criminals are very well organized:
○ They have a dedicated GIT repository
○ A testing botnet
○ A customer support platform (typically in the form of a Jabber chat)
○ A crypto service to evade AVs
○ They use a bulletproof hosting provider for their botnet
○ A VPN service to hide their real IP
○ A distribution network (SPAM)
○ A mule network (monetization)
How to write malware and make money

● Ransomware
● ATM Malware
● PoS Scraper
● Banking Trojan
● Credentials Stealer
Reversing AES

Pretty easy if the S-Box is not obfuscated: just use the FindCrypt(2) IDA plugin to identify the code that uses the S-Box
Reversing RSA

■ No hard-coded constants but...
■ From Wikipedia:
○ the most commonly chosen value for e is 2^16 + 1 = 65,537
■ So, if you find very weird math operations involving:
○ Two numbers
○ One of them is very big
○ The other number is 65537 (0x10001)
■ Maybe you found an RSA encryption routine!
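The two heuristics above (a recognizable AES S-Box, a 65537 operand) are what a FindCrypt-style scanner automates. The following Python is an added example, not code from the talk or from the FindCrypt plugin: it regenerates the AES forward S-Box from its definition instead of hard-coding the table, then scans a constructed byte blob for the full table and for the 32-bit little-endian immediate 0x10001. The sample blob, its layout and the padding bytes are constructed for the example.

```python
# Added example (not from the talk): a FindCrypt-style constant scanner.
import struct


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def aes_sbox() -> list:
    """Generate the 256-byte AES S-Box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p runs over every non-zero field element by repeated multiplication by 3
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # q tracks the inverse of p by repeated division by 3 (multiplication by 0xF6)
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = (affine ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine map alone yields 0x63
    return sbox


AES_SBOX_BYTES = bytes(aes_sbox())
RSA_E_LE32 = struct.pack("<I", 65537)  # 01 00 01 00, as an x86 imm32 operand


def _find_all(blob: bytes, needle: bytes) -> list:
    hits, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan_crypto_constants(blob: bytes) -> dict:
    """Report the offsets of known crypto constants inside a raw byte blob."""
    return {
        # a full-table match is strong evidence of AES (this is what FindCrypt signatures do)
        "aes_sbox": _find_all(blob, AES_SBOX_BYTES),
        # a lone 4-byte immediate is a weak signal; the talk pairs it with a very
        # large second operand before calling the routine RSA
        "rsa_e_65537": _find_all(blob, RSA_E_LE32),
    }


# Constructed sample "binary": NOP padding, the S-Box table, then `mov eax, 0x10001`
SAMPLE_BLOB = b"\x90" * 64 + AES_SBOX_BYTES + b"\xB8" + RSA_E_LE32 + b"\xCC" * 16

if __name__ == "__main__":
    print(scan_crypto_constants(SAMPLE_BLOB))
```

On the constructed blob the S-Box is reported at offset 64 and the exponent at offset 321 (right after the B8 opcode byte). A real scanner would also try the inverse S-Box and the T-tables; the point here is that the table is recognizable as data even when no crypto API is imported.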
Reverse Engineering

What does it mean to be a reverser?

■ Being able to code
■ Knowledge about the OS
■ Knowledge about computer architecture
■ Being able to read machine code
Reversing like a PRO

00406936 | 64:A1 30000000 | mov eax,dword ptr fs:[30]      Move to EAX the value of FS[30]
0040693C | 8B40 0C        | mov eax,dword ptr ds:[eax+C]   Move to EAX the value at address EAX+C
0040693F | 8B40 0C        | mov eax,dword ptr ds:[eax+C]   Move to EAX the value at address EAX+C
00406942 | 8B00           | mov eax,dword ptr ds:[eax]     Move to EAX the value at address EAX
00406944 | 8B00           | mov eax,dword ptr ds:[eax]     Move to EAX the value at address EAX
00406946 | 8B40 18        | mov eax,dword ptr ds:[eax+18]  Move to EAX the value at address EAX+18
00406949 | C3             | ret                            return

C0ngratz u r now an 31337 hax0r!!1


Reversing like a PRO

00406936 | 64:A1 30000000 | mov eax,dword ptr fs:[30]      Move to EAX the PEB address from the TEB
0040693C | 8B40 0C        | mov eax,dword ptr ds:[eax+C]   Move to EAX the Ldr address
0040693F | 8B40 0C        | mov eax,dword ptr ds:[eax+C]   Move to EAX the InLoadOrderModuleList address
00406942 | 8B00           | mov eax,dword ptr ds:[eax]     Move to EAX the FLink from LIST_ENTRY
00406944 | 8B00           | mov eax,dword ptr ds:[eax]     Move to EAX the FLink from LIST_ENTRY
00406946 | 8B40 18        | mov eax,dword ptr ds:[eax+18]  Move to EAX the DllBase of the library
00406949 | C3             | ret                            Return the DllBase

[Figure: the InLoadOrderModuleList walked by the listing: Program name -> ntdll.dll -> kernel32.dll]

This function resolves the base address of Kernel32. If you think that it’s done in order to walk the EAT (Export Address Table) and to resolve the desired function address… you are right! (more soon...)
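To make the listing concrete without a live process, here is an added example (not code from the talk): a flat 32-bit memory model populated with the structures at the offsets the annotations name (TEB+0x30 = PEB, PEB+0xC = Ldr, Ldr+0xC = InLoadOrderModuleList, entry+0x18 = DllBase, each LIST_ENTRY being two 4-byte pointers), a walker that replays the six MOVs, and a generalized loop that enumerates the whole list instead of stopping at the third entry. The addresses, module names and entry placement are constructed; the real structures contain many more fields.

```python
# Added example (not from the talk): a memory model of TEB -> PEB -> Ldr -> InLoadOrderModuleList
# and a Python replay of the listing above. All addresses below are constructed.


class Memory:
    """A sparse 32-bit address space holding 4-byte little-endian words."""

    def __init__(self):
        self.words = {}

    def write_ptr(self, addr: int, value: int) -> None:
        self.words[addr] = value & 0xFFFFFFFF

    def read_ptr(self, addr: int) -> int:
        if addr not in self.words:
            raise KeyError(f"read of unmapped address {addr:#010x}")
        return self.words[addr]


TEB = 0x7FFDE000  # fs segment base on 32-bit Windows
PEB = 0x7FFDF000
LDR = 0x77F00000  # PEB_LDR_DATA
FIRST_ENTRY = 0x00300000  # where the constructed LDR_DATA_TABLE_ENTRYs live

# Constructed module list in load order: the exe first, then ntdll.dll, then kernel32.dll
MODULES = [("sample.exe", 0x00400000), ("ntdll.dll", 0x77E00000), ("kernel32.dll", 0x76A00000)]


def build_memory() -> Memory:
    mem = Memory()
    mem.write_ptr(TEB + 0x30, PEB)  # TEB.ProcessEnvironmentBlock
    mem.write_ptr(PEB + 0x0C, LDR)  # PEB.Ldr
    head = LDR + 0x0C  # PEB_LDR_DATA.InLoadOrderModuleList, itself a LIST_ENTRY
    entries = [FIRST_ENTRY + 0x100 * i for i in range(len(MODULES))]
    # Link head and entries into the circular list: head -> e0 -> e1 -> e2 -> head.
    # LIST_ENTRY is 8 bytes: Flink at +0, Blink at +4.
    ring = [head] + entries
    for cur, nxt in zip(ring, ring[1:] + ring[:1]):
        mem.write_ptr(cur, nxt)  # cur.Flink
        mem.write_ptr(nxt + 4, cur)  # nxt.Blink
    for entry, (_, base) in zip(entries, MODULES):
        mem.write_ptr(entry + 0x18, base)  # LDR_DATA_TABLE_ENTRY.DllBase
    return mem


def resolve_kernel32_base(mem: Memory) -> int:
    """Replay the listing instruction by instruction."""
    eax = mem.read_ptr(TEB + 0x30)  # mov eax, fs:[30]      -> PEB
    eax = mem.read_ptr(eax + 0x0C)  # mov eax, [eax+C]      -> Ldr
    eax = mem.read_ptr(eax + 0x0C)  # mov eax, [eax+C]      -> Flink of the list head = the exe entry
    eax = mem.read_ptr(eax)  # mov eax, [eax]        -> Flink = ntdll.dll entry
    eax = mem.read_ptr(eax)  # mov eax, [eax]        -> Flink = kernel32.dll entry
    return mem.read_ptr(eax + 0x18)  # mov eax, [eax+18]     -> DllBase


def walk_load_order(mem: Memory) -> list:
    """Generalization: return every DllBase in InLoadOrderModuleList, stopping back at the head."""
    head = mem.read_ptr(mem.read_ptr(TEB + 0x30) + 0x0C) + 0x0C
    bases, cur = [], mem.read_ptr(head)
    while cur != head:
        bases.append(mem.read_ptr(cur + 0x18))
        cur = mem.read_ptr(cur)
    return bases


if __name__ == "__main__":
    m = build_memory()
    print(f"kernel32 base: {resolve_kernel32_base(m):#010x}")
    print([f"{b:#010x}" for b in walk_load_order(m)])
```

The listing's two unrolled FLink dereferences hard-code the assumption that kernel32.dll is always the third module in load order; the loop form is what an emulator such as the one discussed later needs anyway, because it must build exactly this linked structure before the sample's resolution code can run against it.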
One more Reversing exercise

[Figure: a second listing shown as an image (line numbers 2 to 6), not captured in the text]

Any idea?
Decompiler FTW!
© Rolf Rolles: Automation Techniques in C++ Reverse Engineering

■ Decompilers (like Hex-Rays, Ghidra, ILSpy, ...) are able to translate machine code into pseudo code resembling C or C#.
■ This makes the RCE task way easier!
■ Unfortunately the bad guys know this, and they use obfuscators or other anti-analysis tricks to prevent decompilation
.NET decompilers
Breaking .NET decompilers

// pointer to this argument, this value is expected by instance methods

// remove the push of the this argument and add a jump in order to avoid the call
Breaking .NET decompilers

I did this test some time ago; the decompilers may have fixed this problem in the meantime
Anti-analysis - IDA Hex-Rays decompiler
Anti-analysis - IDA Hex-Rays decompiler
Anti-analysis - IDA Hex-Rays decompiler

???
Anti-analysis - IDA Hex-Rays decompiler

Let’s give IDA some love and re-define the data as code and create a function
Anti-analysis - IDA Hex-Rays decompiler
Anti-analysis - IDA Hex-Rays decompiler

* This problem is well known to the IDA devs: https://www.hex-rays.com/products/decompiler/manual/failures.shtml#06


VM based obfuscation

■ One of the most difficult tasks in Reverse Engineering is to understand how the underlying computer architecture works (instruction set, calling convention, memory layout, compiler characteristics, libraries used, …)
■ We are very used to the INTEL arch on the Windows OS, but what about a new, unknown architecture? This is the basic concept of VM-based protection
■ A personal experiment, Sacara: https://github.com/enkomio/sacara
VM based obfuscation

Example: decrypt a buffer

Src: https://github.com/enkomio/sacara/blob/master/Src/Examples/LoadEncryptedAssembly/Encryption.cs

/* do XOR and save the result on the stack */
push key_char
push buffer_char
xor

VS  xor eax, ebx

+ Encrypted Opcode
+ Anti-tampering
+ ...
Reverse Engineering != Reading Assembly

■ Doing Reverse Engineering doesn’t always imply reading Assembly
■ Sometimes it is easier to just work on the data itself by looking for patterns
■ Some interesting links:
○ https://www.canyoucrackit.co.uk/codeexplained.html
○ http://blog.pi3.com.pl/?p=213
■ If you want a fresher challenge and you prefer the NSA, here is another one:
○ https://codebreaker.ltsnet.net/challenge
Reverse Engineering != Reading Assembly

■ A real world case
○ File containing information about compromised computers
○ Malware written in C++; the code that reads and updates the file wasn’t easy to understand and was difficult to trigger
○ File seems to be in plain text (no encryption)
■ Initial bytes: [hex dump shown as an image, not captured in the text]
Reverse Engineering != Reading Assembly
Reverse Engineering != Reading Assembly
Reverse Engineering != Reading Assembly
Sojobo: a B2R2 emulator

■ Sojobo emulates the B2R2 IR in order to provide an environment where you can emulate the execution of a binary. You can download it from: https://github.com/enkomio/Sojobo
■ At the current state it supports:
○ Intel architecture x86 32 bit
○ Windows processes
○ A limited API set
■ Tengu is a command-line, debugger-like tool based on Sojobo
○ Same command switches as WinDbg
○ It allows saving snapshots
○ It emulates the main Windows functions
Sojobo: a B2R2 emulator

// emulate a malware and take a snapshot at a given address
let sandbox = new Win32Sandbox()
let snapshotManager = new SnapshotManager(sandbox)
sandbox.Load(malwareFile)

// setup handlers
sandbox.BeforeEmulation.Add(fun proc ->
    if 0x401061 = proc.ProgramCounter.As<Int32>() then
        snapshotManager.TakeSnaphot()
)

// run the sample
sandbox.Run()
Case Study: KPOT v2

■ KPOT v2 is an information stealer sold on underground forums
■ A description of the malware is provided by the author

* Source: https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal
KPOT function resolution algorithm

Steps to resolve a function pointer:

1. Walk TEB->PEB->Ldr to get the base address of Kernel32 and ntdll. Resolve LoadLibraryA by walking the Kernel32 EAT. Use LoadLibraryA to load the desired DLLs
2. Store the DLL base address and other info in a structure composed of the following items: <base address, number of functions to lookup, function array>
3. Parse the PE and walk the EAT. For each exported function compute the MurmurHash hash and search for this value in the above array. If found, store the pointer.

Goal: We want to know which are the functions that are resolved by the malware

■ Sample SHA-256: 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d
■ By knowing which functions are used we can have a better picture of the malware functionalities. Let’s emulate the previous steps in Sojobo.
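Step 3 is the part an analyst usually reimplements first, because once the hash function and the wanted-hash array are known the imports can be recovered statically, without emulating anything. The Python below is an added example, not code from the talk or from the KPOT sample: it implements 32-bit MurmurHash2 (Austin Appleby's reference algorithm) with seed 0, which is an assumption since the slide names MurmurHash but neither the variant nor the seed; it runs the resolution loop over a constructed export table standing in for a parsed EAT, and then does the analyst-side inverse, mapping the hash array back to names from a list of known API names. The export names, addresses and the unmatched placeholder hash 0xDEADBEEF are constructed.

```python
# Added example (not from the talk or the sample): export resolution by name hash,
# and its inverse for the analyst. MurmurHash2/seed 0 is an assumption.


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2, reference algorithm (little-endian 4-byte blocks)."""
    m, r = 0x5BD1E995, 24
    length = len(data)
    h = (seed ^ length) & 0xFFFFFFFF
    i = 0
    while length >= 4:
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * m) & 0xFFFFFFFF
        k ^= k >> r
        k = (k * m) & 0xFFFFFFFF
        h = (h * m) & 0xFFFFFFFF
        h ^= k
        i += 4
        length -= 4
    # tail bytes
    if length >= 3:
        h ^= data[i + 2] << 16
    if length >= 2:
        h ^= data[i + 1] << 8
    if length >= 1:
        h ^= data[i]
        h = (h * m) & 0xFFFFFFFF
    # final avalanche
    h ^= h >> 13
    h = (h * m) & 0xFFFFFFFF
    h ^= h >> 15
    return h


# Constructed stand-in for a parsed export table: name -> function address
FAKE_EXPORTS = {
    "CreateFileW": 0x76A01000,
    "ReadFile": 0x76A01200,
    "WriteFile": 0x76A01400,
    "VirtualAlloc": 0x76A01600,
    "LoadLibraryA": 0x76A01800,
}

# The "function array" of step 2, as the sample would carry it: hashes, not names.
# The last value is a constructed hash that matches no export, to show the miss case.
WANTED_HASHES = [murmurhash2(b"VirtualAlloc"), murmurhash2(b"ReadFile"), 0xDEADBEEF]


def resolve_by_hash(exports: dict, wanted: list, seed: int = 0) -> dict:
    """Step 3: hash each export name; on a match fill that slot. Unmatched slots stay 0."""
    table = {h: 0 for h in wanted}
    for name, addr in exports.items():
        h = murmurhash2(name.encode("ascii"), seed)
        if h in table:
            table[h] = addr
    return table


def recover_names(wanted: list, known_api_names: list, seed: int = 0) -> dict:
    """Analyst side: precompute hashes of known API names and look the array up."""
    rainbow = {murmurhash2(n.encode("ascii"), seed): n for n in known_api_names}
    return {h: rainbow.get(h, "<unknown>") for h in wanted}


if __name__ == "__main__":
    for h, addr in resolve_by_hash(FAKE_EXPORTS, WANTED_HASHES).items():
        print(f"{h:#010x} -> {addr:#010x}")
    print(recover_names(WANTED_HASHES, list(FAKE_EXPORTS)))
```

The name list fed to recover_names is the part that takes effort in practice (the exports of every DLL the sample might load); the hash routine itself is identified in the binary by its constants, 0x5BD1E995 and the 24-bit shift in this variant, in the same way the AES and RSA constants were spotted earlier in the talk.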
Goal: We want to know which are the
functions that are resolved by the malware

At Step 1 we have the biggest problem. We need a valid PEB structure to correctly emulate the execution. The Ldr field is one of the most difficult to represent, since it contains a linked list built from LIST_ENTRY structures.

At a lower level it is easy to manage LIST_ENTRY, but how do we represent it in a high-level language like F#? Possible solutions:

■ LIST_ENTRY can point to any kind of data, so it is a nice use case for inheritance!
○ We can’t do this if we treat LIST_ENTRY as a struct. Structs cannot be inherited, by definition.
■ Then treat LIST_ENTRY as a class
○ We can’t do this either, since it behaves like a structure (it occupies 8 bytes on x86, since it has 2 pointers). If we define it as a class we will get a pointer during serialization (4 bytes and not 8).
■ Treat it as a struct and consider the pointed object as a generic Object
○ Goodbye deserialization → Impossible to know during deserialization which Object type we have to create
■ ...
Goal: We want to know which are the
functions that are resolved by the malware

■ Writing Binary Analysis tools is not an easy task :)


Conclusion

■ Effective malware can be very complex
■ Effective anti-analysis techniques can slow down the reverse engineering process
○ Anti-VM
○ Anti-Debugging
○ VM-based protection
■ Some implementation choices can further slow the analysis
○ Usage of rarely used compression algorithms
○ Usage of an external lib for crypto instead of relying on the Windows Crypto API
■ There are many tools that can help to analyze malware, not only debuggers and disassemblers :)
○ In order to be proficient with them it is necessary to have some basic/medium knowledge about reverse engineering
Thank you!

Twitter: s4tan

GitHub: https://github.com/sponsors/enkomio

Contact: [email protected]
