Category: Security

Part 1-1: Basic Static Techniques

Table of Contents

  • Antivirus Scanning: A Useful First Step
  • Hashing: A Fingerprint for Malware
  • Finding Strings
  • Packed and Obfuscated Malware
    • Packing Files
    • Detecting Packers with PEiD
  • Portable Executable File Format
  • Linked Libraries and Functions
    • Static, Runtime, and Dynamic
    • Exploring Dynamically Linked Function siwth Dependency Walker
    • Imported Functions
    • Exported Functions
  • Static Analysis in Practice
    • PotenialKeylogger.exe
    • PackedProgram.exe
  • The PE File Headers and Sections
    • Examining PE Filew with PEview
    • Viewing the Resource Section with Resource Hacker
    • Using Oter PE File Tools
    • PE Header Summary
  • Software Linked In This Chapter
  • Appendix to look out for in Book
    • A: List of useful functions
    • B: List of useful programs

*************************************************************************************

  • Antivirus Scanning: A Useful First Step
    • Antivirus programs rely on signatures from previously known malware and behavioral and pattern-matching analysis (heuristics) to identify suspicious files

 

  • Hashing: A fingerprint for Malware
    • Run it through a hashing program and then each program programs a unique hash/fingerprint
    • This hash can then be used to identify an executable without running it.  If the hash is the same as the known malware ten it is suspicious

 

  • Finding Strings
    • Microsoft implementation of Unicode strings is different from Unicode standards for the rest of the notes any mention of Unicode strings refer to the Microsoft implementation
    • NULL terminated strings
      • ASCII uses 1 byte per character
      • Unicode uses 2 bytes per character
    • Screenshot from 2017-06-25 01-07-37These are hex values
    • Screenshot from 2017-06-25 01-09-35
    • String searches search for the NULL terminator and then print the stuff preceding it as a string
      • This does  not always produce legitimate strings
    • If a piece of malware uses strings it can shed light on what is imported or any error messages that might show up

 

  • Packed and Obfuscated Malware
    • Obfuscated programs: Execution is hidden
    • Packed programs: Subset of obfuscated programs where the program is compressed and cannot be analyzed
    • Packed/obfuscated programs often include at least functions LoadLibrary and GetProcAddress
      • These are used to load and gain access to more functions
    • Packing Files
      • Screenshot from 2017-06-25 01-17-29.png
      • The wrapper program is used to decompress and then run the unpacked file
    • Detecting Packers with PEiD
      • PEiD can be used to detect the type of packer or compiler used
      • Screenshot from 2017-06-25 01-22-47
        • The circled part shows the UPX as the packer
        • If you use PEiD plug ins a lot of the plugins will auto run the program make sure to set up a safe environment to do so

 

  • Portable Executable File Format
    • Portable Executable (PE) format is used by Windows executable,s object code and DLLs
    • PE files have a header that contain information about the code, type of application, required library functions and space requirements

 

  • Linked Libraries and Functions
    • Code libraries can be connected to the main executable by linking
    • Linking imports is done so library functions can be used
    • #Static, Runtime, and Dynamic Linking
      • #Static Linking: Common in UNIX and Linux programs.  Least commonly used in malware/Windows.
        • All linked code is copied into the executable making it a lot larger than needed if only a few functions are actually needed
      • #Runtime Linking: Commonly used in malware, especially when packed or obfuscated
        • Connect to libraries only when that function is needed, not at the start of the program dynamically linked programs do so at the start
        • The following Windows functions allow programmers to import linked functions not listed in a program’s file header
          • LoadLibrary, GetProcAddress most common
            • Allows access to any function in any library on the system, therefore static analysis of which functions are imported will fail
          • LdrGetProcAddress, LdrLoadDll
      • #Dynamically Linking: The most common
        • When dynamically linked, host OS searches for necessary libraries when program is loaded
        • When the program calls the linked library function that function executes WITHIN the library (?)
      • PE File header stores information about every library loaded and every function used shedding light on what this program may do
    • #Exploring Dynamically Linked Functions with Dependency Walker
      • Dependency Walker: http://www.dependencywalker.com/
      • Lists only dynamically linked functions in an executable
      • Screenshot from 2017-06-25 01-55-48
        • 1:  Name of executable analyzed
        • 2: Shows program and DLLs imported
        • 3: Lists imported functions from the selected DLL
        • 4: Lists all functions that can be imported from the selected DLL
          • Ordinal Column: instead of importing by function name they can be imported by ordinal thus the name of the function never appears in the original executable
        • 5, 6: Will show any additional DLLs to be imported if the program was run and any errors
      • Common DLLs ***
        • Kernel32.dll: Core functionality such as memory, file, and hardware manipulation
        • Advapi32.dll: Access to advanced core Windows components such as Service Manager and Registry
        • User32.dll: Contains user interface components
        • Gdi32.dll: Contains functions for displaying/manipulating graphics
        • Ntdll.dll: Interface to the Windows kernel.  Often indirectly imported from Kernel32.dll.  If it is explicitly imported unusual functionality such as manipulating processes will use this dll.
        • WSock32.dll and Ws2_32.dll: Networking DLLs often used to connect to the internet
        • Wininet.dll: Contains higher level networking functions that implement various protocols such as FTP, HTTP, and NTP
    • #Imported Functions
      • PE file header includes information about imports as well
      • Refer to the Windows API for more information (MSDN)
    • #Exported Functions
      • DLLs and EXEs can export functions to interact with other programs and code
      • DLLs can implement functions and export them for use by an executable that can import and use them
      • EXEs are not designed to export functions thus if one sees one deem it suspicious
      • In order to run a program as a service you must define a “ServiceMain” function
        • If this is seen then the malware is to be run as a service

 

  • Static Analysis in Practice
    • #PotentialKeylogger.exe: An Unpacked Executable
      • Screenshot from 2017-06-25 02-20-20.png
        • List of imported functions from various DLLs
        • Because there are so many imports shown in dependency walker it can be concluded that the executable is NOT packed
      • Kernel32.dll: Functions such as OpenProcess, GetCurrentProcess, GetProcessHeap imply that the program will manipulate processes, ReadFile, CreateFile imply file manipulation
      • User32.dll: Functions such as ShowWindow imply that the program has a GUI.  SetWindowsHookEx is often used by keyloggers to grab keystrokes. RegisterHotkey notifies another program when a key combination is pressed.
      • GDI32.dll: Graphics related dll
      • Advapi32.dll: Uses registry in some way.  The string “Software\Microsoft\Windows\CurrentVersion\Run” implies that the program is automatically started on boot
      • Shell32.dll: Implies that this program can launch other programs
    • #PackedProgram.exe: A Dead End
      • Screenshot from 2017-06-25 02-34-28.png
        • Functions imported by PackedProgram.exe viewed in dependency walker
      • The fact that there are so little programs imported implies the the program is packed and static analysis fails via function imports fails here

 

  • The PE File Headers and Sections
    • PE file headers has several sections namely the .text, .rdata, .data, and .rsrc sections
    • Often the programmer has little control over the names of these sections
    • In addition to this section names can vary over different compilers
      • To determine which section is which the PE header contains information on how a section is used
    • Sections of  a PE File for a Windows Executable
      • .text: Contains executable code
      • .rdata: Holds read-only data that is globally accessible within the program
      • .data: Stores global data accessed throughout the program
      • .idata: Sometimes present and stores the import function information; if this section is not present, the import function information is in the .rdata section
      • .edata: Sometimes stores export function information; if this section is not present, the export function information is in the .rdata section
      • .pdata: Only in 64 bit executables and stores exception-handling informaiton
      • .rsrc: Stores resources needed for the executable
      • .reloc: Contains information for relocation of library files
    • #Examining PE Files with PEview
      • Screenshot from 2017-06-25 03-03-53
        • 1: Displays the main part of the PE header
          • IMAGE_DOS_HEADER and MS-DOS Stub Program are historical and offer nothing
          • IMAGE_NT_HEADERS shows the NT headers shows NT headers and is always the same
        • 2: Contains information about the currently highlighted entry
          • IMAGE_FILE_HEADER is highlighted and the section 2 contains basic information about the file
        • 3: Time date stamp shows when this executable was compiled
          • This value can be changed and Delphi programs all use June 19, 1992
        • IMAGE_OPTIONAL_HEADER contains other information
        • Names are often not controlled by people
      • Screenshot from 2017-06-25 03-10-38
        • 1: Shows the size of the section after loading
        • 2: Shows the size of the section is on disk
      • Section sizes can be used to check whether the program is packed
        • If the virtual size >> raw size then it is implied that it is compressed
      • The .data section virtual and raw size often is vastly different this is common for Windows executable
        • Pay more attention to the .text section instead or misnamed or extra weird sections
    • #Viewing the Resource Sections with Resource Hooker
      • Resource Hacker: Can be used to browse the .rsrc section
      • This will allow one to see strings, icons and menus
      • Screenshot from 2017-06-25 03-19-10
        • 1: Shows all resources
          • Icon, lists images
          • Menu, shows all menus that appear in various windows
          • Dialog section contains the program’s dialog menus
          • String Table section stores strings
          • Version info contains version number and often company name and copyright statement
        • 2: Dialog selected is graphically shown here
        • Often the resource section contains drivers or embedded programs executed before they run the main executable
          • Resource Hacker allows you to extract these files for individual analysis
    • #Using Other PE Files Tools
    • #PE Header Summary
      • Screenshot from 2017-06-25 03-25-48.png

0: Malware Analysis Primer

Table of Contents

  • The Goals of Malware Analysis
  • Malware Analysis Techniques
  • Types of Malware

*************************************************************************************

  • The Goals of Malware Analysis
    • Develop signatures to detect malware infections
    • Signatures: The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses.
      • Host-based Signatures: Used to detect malicious code on victim computers
        • Used to identify files created or modified by malware or changes to registry
        • Malware indicators focus on what the malware does to a system
      • Network Signatures: Used to detect malicious code by monitoring network traffic
        • Can be detected without malware analysis
        • Often more effective

 

  • Malware Analysis Techniques
    • Basic Static Analysis
      • Examine executable without viewing the actual instructions
    • Basic Dynamic Analysis
      • Run the malware and observe the behavior
      • Must run in a safe environment
    • Advanced Static Analysis
      • Disassemble the malware and looking at the instructions to understand what a program does
    • Advanced Dynamic Analysis
      • Uses a debugger to examine the internal state of a running malicious executable
      • Probably the most useful way to obtain information

 

  • Types of Malware
    • Backdoor
      • Malicious code self installed allowing the attacker to directly access computer such as executing commands or grabbing files
    • Botnet
      • Allows attacker access to the system but usually limited access
      • Also all the systems in the botnet execute the same exact instruction such as DDoS commands
    • Downloader
      • Exists only to download other malicious code
      • Often the first thing that occurs on a computer that gets infected by malware
    • Information-stealing malware
      • Grab info and send to attacker these can be sniffers or keyloggers or programs of the sort
    • Launcher
      • Program used to launch other malicious programs
      • Often launches at elevated privileges
    • Rootkit
      • Malicious code designed to conceal the existence of other code
      • Rootkits are usually paired with other malware like backdoors
    • Scareware
      • Basically ads that are designed to scare people
    • Spam-sending malware
      • Infects a computer and sends spam through things like email
    • Worm/virus
      • Malicious code that can copy itself and infect additional computers

Nebula: Level00

About

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

Source code

There is no source code available for this level

 

Solution

As hinted use the command “find” to find an executable with the correct permissions.  The command that can be used to do this is as follows.

$ find / -perm /u=s -user flag00

Here find tries to find any executable inside the root directory with permissions for the user (u) to set (s) upon execution (-perm /u=s) we then specify the user (-user flag00).  However this creates an output which we cannot completely scroll through therefore we need to somehow truncate it to only show the things we want.

capture

These “Permission denied” lies are from outputs to stderr where stdin=0, stdout=1, stderr=2.  Therefore adding a redirection flag at the end we can send the error output to somewhere.

$ find / -perm /u=s -user flag00 2>somewhere

However upon trying to send it to a file such as asdf.txt, you get permission denied.  We can send it to a special file /dev/null which has a file size of 0 no matter what.  Anything you write to it will be deleted and thus we are “writing something without writing anything”.  (there are others such as /dev/full and /dev/zero)  This gives us…

$ find / -perm /u=s -user flag00 2>/dev/null

capture

We can see that there are two candidates for an executable.  However we can’t see the actual directory in which they are stored in.  However..just typing the directory directly into the terminal will still execute it.  If we wanted to double check we would always use ls -al to check the permission flags but this will do

$ /rofs/bin/.../flag00

capture

References:

http://askubuntu.com/questions/12098/what-does-outputting-to-dev-null-accomplish-in-bash-scripts

https://linux.die.net/man/1/chmod

https://linux.die.net/man/1/find

https://linux.die.net/man/1/find

http://www.aboutlinux.info/2006/01/inputoutput-redirection-made-simple-in.html