Tuesday, October 30, 2018

Command and Control traffic in Assembly, Malware Reversing

This article from FireEye describes 4 different types of C2 traffic you might see in assembly, such as:

Sockets
socket()
connect()
bind()
listen()
send()
recv()
sendto()
recvfrom()

WinInet
InternetOpen()
InternetConnect()
InternetOpenURL()
HttpOpenRequest()
InternetReadFile()
InternetWriteFile()

URLMon
URLDownloadToFile()
URLDownloadToCacheFile()
URLOpenStream()
URLOpenPullStream()

Controlling Internet Explorer with COM
CoInitialize()
CoCreateInstance()
Navigate()
Navigate2()
get_Document()


So an attacker can choose any one of these groups to do their bidding.
The functions that send data could be used to exfiltrate data or to ask the Command and Control server for the next instruction.
The functions that receive data could be used to download a new payload or more malware, or to get the next instruction from the Command and Control server.

\\\\.\\PhysicalDrive0 and CreateFileA, MBR overwriting

If you see malware doing this in Windows assembly:

push ...
push ...
push ...
push ...
push ...
push ...
push offset FileName ; "\\\\.\\PhysicalDrive0"
call ds:CreateFileA

It may be trying to open the whole physical disk (the disk the C: drive normally lives on) as one large file and write to it, which can be catastrophic.

For example, if that is followed by code like this:

push 0
push ...
push ...
push ...
push ...
call ds:WriteFile

Where the offset is 0 (a freshly opened handle's file pointer starts at 0, so a WriteFile straight after the CreateFileA hits the first sector), that means it's trying to overwrite your MBR (master boot record).


------
FYI, this is just me learning and documenting from the great Malware Hunter and his YouTube video; none of this is my own.

https://www.youtube.com/watch?v=b0WQwCQGjv4

GetMessageW, waiting for WM_QUIT or termination

If you see Windows assembly or pseudo code similar to this:

top:
   call GetMessageW
   test eax, eax
   jg listenForMore              ; > 0: a normal message, keep pumping

   call DoActionAfterTerminated  ; 0 (WM_QUIT) or -1 (error): the loop is over
   jmp exit

   listenForMore:
     call ds:TranslateMessage
     call ds:DispatchMessageW
     jmp top

exit:



Then it's running a window message loop, listening for messages from a window.
GetMessageW returns 0 when the program is being shut down (it receives WM_QUIT).
So as soon as the program is shut down it falls out of the loop and performs whatever is at DoActionAfterTerminated.



CreateThread for Monitoring

If you see this assembly call in Windows:

push ...
push ...
push ...
push offset sub_xxxx
push ...
push ...
call ds:CreateThread


It's launching another thread that runs in parallel with the current one.
That new thread runs whatever code is at sub_xxxx.

For example, this could be a "monitoring" thread that watches to make sure the malware itself keeps running, and if it notices the malware being terminated it could spawn another instance of itself.




Counting Processes and Watching for one to Die

This pseudo code may be counting the number of processes with a given name, and if one of them is terminated the code will do something.
For example, in Malware Hunter's beginner YouTube video the MEMZ malware counts its processes, and if it sees you terminating one of its own, it will BSOD (blue screen of death).

Pseudo C code that checks whether my process is still running:
   currentcount = 0
   lastcount = 0                      // remembered across passes
top:
   currentcount = 0                   // recount on every pass

   foreach (process in RunningProcesses)
        if (process == YOURS)
              currentcount++

   if (currentcount >= lastcount)
       lastcount = currentcount
       goto top
   else
       call YouTerminatedOneOfMine()


In pseudo assembly code, it might look something like this:
     xor ebx, ebx                   ; current count = 0
     mov [ebp+localvar], ebx        ; last count = 0 initially

     call ds:GetCurrentProcess      ; handle to my own process
     call GetProcessImageFileNameA  ; get my own process name

   rescan:
     xor ebx, ebx                   ; reset the current count for this pass
     call CreateToolhelp32Snapshot  ; snapshot of all processes
     call Process32FirstW           ; first process in the snapshot
   topOfLoop:
     call ds:OpenProcess            ; open a handle to that process
     call GetProcessImageFileNameA  ; get its name
     call ds:lstrcmpA               ; compare with my own name (0 = equal)
     test eax, eax
     jnz nextProcess                ; different name, skip the increment
   foundIt:
     inc ebx                        ; increment my counter cause I found one
   nextProcess:
     call Process32NextW            ; get the next process in the list
     test eax, eax
     jnz topOfLoop                  ; if there are more, go to top of loop

     cmp ebx, [ebp+localvar]
     jl  terminated                 ; fewer than last time: one was killed
     mov [ebp+localvar], ebx        ; remember this count
     jmp rescan                     ; and check again
   terminated:
     call YouTerminatedOneOfMine    ; handle somebody killing a process
   exit:





NtRaiseHardError, BSOD (Blue Screen of Death)

If you ever see Windows assembly code like this, where it adjusts privileges and then calls the undocumented function NtRaiseHardError to raise a hard error, that is potentially malware trying to generate a BSOD (Blue Screen of Death):


push offset LibFileName ; "ntdll"
call ds:LoadLibraryA
mov edi, eax

push offset ProcName ; "RtlAdjustPrivilege"
push edi ; "ntdll"
call ds:GetProcAddress

push offset aNtraiseharderr ; "NtRaiseHardError"
push edi ; "ntdll"
call ds:GetProcAddress

push ....
push ....
push ....
push ....
call ....


--------------

As referenced here
https://undocumented.ntinternals.net/


NtRaiseHardError(
  IN NTSTATUS                  ErrorStatus,
  IN ULONG                     NumberOfParameters,
  IN PUNICODE_STRING           UnicodeStringParameterMask OPTIONAL,
  IN PVOID                     *Parameters,
  IN HARDERROR_RESPONSE_OPTION ResponseOption,
  OUT PHARDERROR_RESPONSE      Response );
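The two patterns above (CreateFileA on \\.\PhysicalDrive0 followed by WriteFile, and GetProcAddress resolving RtlAdjustPrivilege and NtRaiseHardError) can be turned into static triage rules over an IDA listing. The script below is an added example, not from the post or the video; it parses a constructed listing, flags the raw-disk write as hitting the MBR when no SetFilePointer call sits between the open and the write (an assumption that goes beyond the post's "push 0" cue), and also covers \\.\X: volume handles and CreateFileW.

```python
import re
# Constructed IDA-style listing (not from the post) chaining the two snippets above, "push ..." args omitted.
SAMPLE_LISTING = r'''
push offset FileName ; "\\\\.\\PhysicalDrive0"
call ds:CreateFileA
push 0
call ds:WriteFile
push offset LibFileName ; "ntdll"
call ds:LoadLibraryA
push offset ProcName ; "RtlAdjustPrivilege"
call ds:GetProcAddress
push offset aNtraiseharderr ; "NtRaiseHardError"
call ds:GetProcAddress
'''
STRING_RE = re.compile(r'push\s+offset\s+\S+\s*;\s*"([^"]*)"')  # string literal in IDA's comment
CALL_RE = re.compile(r'call\s+(?:ds:)?(\w+)')                   # direct or import-table call
RAW_DEVICE_RE = re.compile(r'PhysicalDrive\d+|\.\\+[A-Za-z]:')  # \\.\PhysicalDriveN or \\.\X:

def parse(listing):
    """Reduce the listing to ordered ("str", literal) and ("call", name) events."""
    events = []
    for line in listing.splitlines():
        m = STRING_RE.search(line) or CALL_RE.search(line)
        if m:
            events.append(("str" if m.re is STRING_RE else "call", m.group(1)))
    return events

def find_raw_disk_write(events):
    """CreateFileA/W on a raw device followed by WriteFile. With no SetFilePointer*
    in between, the fresh handle's pointer is still 0, so the write lands on the MBR."""
    hits, last_str, opened, moved = [], None, None, False
    for kind, val in events:
        if kind == "str":
            last_str = val
        elif val in ("CreateFileA", "CreateFileW") and last_str and RAW_DEVICE_RE.search(last_str):
            opened, moved = last_str, False
        elif opened and val.startswith("SetFilePointer"):
            moved = True
        elif opened and val == "WriteFile":
            hits.append((opened, "unknown offset" if moved else "offset 0 (MBR)"))
            opened = None
    return hits

def find_hard_error(events):
    """GetProcAddress resolving NtRaiseHardError, and whether RtlAdjustPrivilege came with it."""
    resolved, last_str = set(), None
    for kind, val in events:
        if kind == "str":
            last_str = val
        elif val == "GetProcAddress" and last_str:
            resolved.add(last_str)
    if "NtRaiseHardError" not in resolved:
        return None
    return {"NtRaiseHardError": True, "RtlAdjustPrivilege": "RtlAdjustPrivilege" in resolved}
```

Running `find_raw_disk_write(parse(SAMPLE_LISTING))` yields one hit for PhysicalDrive0 at offset 0, and `find_hard_error` reports both ntdll functions resolved.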



Tuesday, October 23, 2018

MalwareTech IDA Python Cheat Sheet

MalwareTech posted an amazing video for beginner reversing here on YouTube:

https://youtube.com/watch?v=w_rQJ7u-lpk

My favorite part was the Python debugging portion, which I learned a ton from.
Here is the cheat sheet he shared; it's amazing, thank you MalwareTech!

https://www.malwaretech.com/Cheatsheet.rtf


Refresh Debugger Memory
RefreshDebuggerMemory()
Needed to make sure the debugger memory is up to date when a script breakpoint is hit (debugger memory is only refreshed when the application is paused).

Get the value of a register by name
GetRegValue(str)
str = register name

Read a dword from memory
Dword(address)
address = start address of dword

Read an array of bytes from memory
GetManyBytes(address, length)
address = start address of bytes to read
length = number of bytes

Read a string from memory
GetString(address, length, type)
address = start address of string
length = length of string (or -1 to read until null terminator)
type = ASCSTR_C for ASCII and ASCSTR_UNICODE for Unicode

Add Breakpoint
AddBpt(address)
address = address to set breakpoint

Set Conditional Breakpoint
SetBptCnd(address, condition)
address = address for breakpoint
condition = condition string (or python function)
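As an added example that is not from the post or the cheat sheet, here is how these functions combine with the socket APIs from the C2 section: two logging breakpoints around a recv() call that capture what a sample receives from its C2 server without pausing the debugger. The two addresses, the `api` parameter (pass the idc module inside IDA) and the expectation that the condition strings are evaluated as Python are assumptions; the IDAPython names are the legacy ones the cheat sheet uses.

```python
import binascii

CALL_RECV_EA = 0x401234    # constructed: address of "call ds:recv" in the sample
AFTER_RECV_EA = 0x40123A   # constructed: address of the instruction right after that call

_pending = {}              # buffer pointer carried from the first breakpoint to the second
captured = []              # every buffer the sample received, for later inspection

def on_call_recv(api):
    """At the call instruction the args are still on the stack:
    recv(SOCKET s, char *buf, int len, int flags) -> buf is [esp+4], len is [esp+8]."""
    api.RefreshDebuggerMemory()            # debugger memory is stale until refreshed
    esp = api.GetRegValue("esp")
    _pending["buf"] = api.Dword(esp + 4)
    _pending["len"] = api.Dword(esp + 8)
    return False                           # False: log and keep running, do not pause

def on_after_recv(api):
    """On the instruction after the call, eax holds the number of bytes received."""
    api.RefreshDebuggerMemory()
    n = api.GetRegValue("eax")
    buf = _pending.pop("buf", None)
    if buf is None or n <= 0 or n > 0x7FFFFFFF:   # 0 = closed, 0xFFFFFFFF = SOCKET_ERROR
        return False
    data = api.GetManyBytes(buf, n)
    captured.append(data)
    print("recv() %d bytes at 0x%x: %s" % (n, buf, binascii.hexlify(data).decode()))
    return False

def install(api):
    """Set the two logging breakpoints; the condition strings name the functions above."""
    api.AddBpt(CALL_RECV_EA)
    api.SetBptCnd(CALL_RECV_EA, "on_call_recv(idc)")
    api.AddBpt(AFTER_RECV_EA)
    api.SetBptCnd(AFTER_RECV_EA, "on_after_recv(idc)")

# Inside IDA: import idc; install(idc)   (assumes Python is the default scripting language)
```

The same two-breakpoint trick works for InternetReadFile(): save the lpBuffer and lpdwNumberOfBytesRead arguments at the call and read both after it returns.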