Where Am I? | Malware Analysis From Malware Development, Part 2

Mahmoud NourEldin
7 min read · Feb 4, 2023

“Where Am I”, Payload said. Where can Malware Writers put the shellcode? And where can Malware Analysts find the payload?

Assalamu Alaikum: peace be upon you, and the mercy and blessings of God.

In Part 1 we briefly reviewed the PE headers; now we go into the details of writing and analyzing our code.

“Where Am I?” and “How Did I Get Here?”

1. The first place Red Team Operators and Malware Writers can put their payload is inside the main function, as a local variable.

Here is a simple example of it, shown in figure(1):

figure(1)
    int main()
    {
        // 4-byte payload
        unsigned char payload[] = {0x90, 0x90, 0x90, 0x90}; // NOP instructions
        unsigned int payload_len = 4;
        return 0;
    }

Let’s compile this code and see what IDA shows us:

figure(2)

IDA Pro easily identified it as the main function, and also recovered the variables by their names, because I used Code::Blocks.

As you can see, the main function lives in the .text section, so analysts can find your payload in the .text section easily.

Let’s see another code:

figure(3)

Here you can reverse the byte order of each word stored into the variables (the immediates are little-endian) to recover the full payload as written in the C code. But in the real world, attackers don’t store their payload in plaintext: AV can catch it easily with static scanning, and so can analysts. We will see how they store payloads and how they obfuscate them.

figure(4)

And here in figure(4) the attacker stores the payload encrypted and decrypts it with a secret key using the Windows Cryptography APIs.

This example will be explained in detail in Part 3, In Sha’Allah (God willing).

2. The second place Red Team Operators and Malware Writers can store their payload is in a global variable, so it can be used anywhere in the code.

Just move the declaration above the main function, as in figure(5):

figure(5)

And here is its disassembly:

figure(6)

It no longer appears in the .text section, but if we click on the payload variable we will see it:

figure(7)

It’s in the .data section, defined as an array of four 0x90 bytes, and the same goes for its length variable.

This technique is used a lot in malware for storing important data; here the article only explains the difference between local and global variables at the assembly level.

Let’s look at the last place. This one is highly important for Malware Analysts, because a lot of droppers use the technique we are about to cover. Keep your eyes open.

3. The third place Red Team Operators and Malware Writers can store their payload is in Resources.

MSDN can always help you. For resources, you can save your payload in a file, such as an .ico for example, and then embed it as a resource.

How?

1. Make a header file for the resource name, resource.h for example. The name is a number, not a string, because resource developers love optimization [ integers use less space than strings ].

#define FAVICON_ICO 100

2. Make a resource file, resource.rc for example, that defines the type of the resource we named. paylodo.ico is your payload file.

    #include "resource.h"

    FAVICON_ICO RCDATA "paylodo.ico"

We use the RCDATA type because it is meant for raw binary data, such as an executable. Here are the resource data types:

So if Malware Analysts see this resource data type in your program, they will know your trick :).

3. Include the resource header in your C code. We defined the resource name in a separate file because it is also used by the Resource Compiler (RC).

    #include "resource.h"

4. Extract the payload from the resource section; after compiling your code together with the resource, the payload will sit in the .rsrc section.

    char *payload = NULL;          // pointer to the resource bytes
    unsigned int payload_len = 0;  // size of the resource in bytes
    HGLOBAL resHandle = NULL;
    HRSRC res;
    // Extract payload from the resource section
    res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
    if (res != NULL) {
        resHandle = LoadResource(NULL, res);
        payload = (char *) LockResource(resHandle);
        payload_len = SizeofResource(NULL, res);
    }

We use the FindResource API to search for a specific resource name in the resource section.

    res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);

We pass it through MAKEINTRESOURCE to convert the FAVICON_ICO integer into the resource-name type the API expects. The return value is of type HRSRC [ just look it up on MSDN ].

Then use the LoadResource API to load the resource into memory and get a handle of type HGLOBAL.

    resHandle = LoadResource(NULL, res);

Get a pointer to the payload with the LockResource API, passing the handle returned by LoadResource as the argument.

    char *payload;
    payload = (char *) LockResource(resHandle);

Get the length of the payload by asking for the size of the resource with the SizeofResource API.

    unsigned int payload_len;
    payload_len = SizeofResource(NULL, res);

Now we are ready to use our payload and its length anywhere in our main function.

How can we compile our code so that the payload ends up in the resource section?

First: run the Resource Compiler [RC] on the resource file we defined:

    rc resource.rc

Second: take the output from RC (resource.res) and give it to the cvtres command [ Windows Resource To COFF Object Converter ] to convert it into a COFF object that the linker can place in the PE:

    cvtres /MACHINE:x64 /OUT:resource.o resource.res

Third: pass resource.o to your preferred compiler so that its linker includes it.

Let’s see how a Malware Analyst can identify our resource [ highly recommended for beginners ].

figure(8)

Don’t worry, it’s the same API if you see __imp_ prepended to its name.

figure(9)

So IDA Pro shows our code as:

    // This is how IDA presents the code, not the original source
    hResInfo = FindResource(0, 100, 10);
    hResData = LoadResource(0, hResInfo);
    dwSize+4 = LockResource(hResData);
    hResInfo = SizeofResource(0, hResInfo);

If you didn’t understand this, study Malware Analysis first :) This series is the second stage of your studies.

Let’s go to MSDN:

It says the type value 10 passed as the third argument of FindResource is:

RT_RCDATA
MAKEINTRESOURCE(10)
Application-defined resource (raw data).
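An analyst does not need IDA to spot this: the same type → ID → language tree the loader walks for FindResource is laid out in the .rsrc section and can be parsed statically. The following is an added example, not code from the article; it builds a constructed sample section (type 10 → ID 100 → language 0x409 → four NOP bytes, labelled as such) and walks it with the standard IMAGE_RESOURCE_DIRECTORY layouts.

```python
"""List RT_RCDATA resources in a PE .rsrc section (added analyst example).
Tree: type -> name/ID -> language -> data entry. RT_RCDATA is the type value 10
that IDA shows as the third argument of FindResource(0, 100, 10).
"""
import struct

RT_RCDATA = 10
DIR_HDR = struct.Struct("<IIHHHH")   # ..., NumberOfNamedEntries, NumberOfIdEntries
DIR_ENTRY = struct.Struct("<II")     # Name/ID, OffsetToData (bit 31 set => subdirectory)
DATA_ENTRY = struct.Struct("<IIII")  # OffsetToData (an RVA), Size, CodePage, Reserved
SUBDIR_FLAG = 0x80000000

def _entries(rsrc, dir_off):
    """Yield (id, section-relative offset, is_subdir) for the directory at dir_off."""
    n_named, n_id = DIR_HDR.unpack_from(rsrc, dir_off)[4:]
    pos = dir_off + DIR_HDR.size
    for _ in range(n_named + n_id):
        ident, off = DIR_ENTRY.unpack_from(rsrc, pos)
        yield ident, off & 0x7FFFFFFF, bool(off & SUBDIR_FLAG)
        pos += DIR_ENTRY.size

def find_rcdata(rsrc, rsrc_rva):
    """Return [(resource_id, lang_id, payload_bytes)] for each RT_RCDATA leaf.
    rsrc is the raw .rsrc section and rsrc_rva its VirtualAddress: directory
    offsets are section-relative, but a leaf's OffsetToData is an RVA.
    """
    found = []
    for rtype, type_off, _ in _entries(rsrc, 0):
        if rtype != RT_RCDATA:
            continue                      # icons, manifests, strings... are skipped
        for res_id, name_off, _ in _entries(rsrc, type_off):
            for lang, leaf_off, _ in _entries(rsrc, name_off):
                data_rva, size, _, _ = DATA_ENTRY.unpack_from(rsrc, leaf_off)
                start = data_rva - rsrc_rva
                found.append((res_id, lang, rsrc[start:start + size]))
    return found

def build_sample_rsrc(rtype=RT_RCDATA, rsrc_rva=0x3000):
    """Constructed sample section (not a real binary): rtype -> ID 100 -> lang 0x409 -> 4 NOPs."""
    # Layout: root dir at 0, type dir at 24, name dir at 48, data entry at 72, payload at 88
    root = DIR_HDR.pack(0, 0, 0, 0, 0, 1) + DIR_ENTRY.pack(rtype, 24 | SUBDIR_FLAG)
    type_dir = DIR_HDR.pack(0, 0, 0, 0, 0, 1) + DIR_ENTRY.pack(100, 48 | SUBDIR_FLAG)
    name_dir = DIR_HDR.pack(0, 0, 0, 0, 0, 1) + DIR_ENTRY.pack(0x409, 72)
    data = DATA_ENTRY.pack(rsrc_rva + 88, 4, 0, 0)
    return root + type_dir + name_dir + data + b"\x90\x90\x90\x90"

if __name__ == "__main__":
    for res_id, lang, blob in find_rcdata(build_sample_rsrc(), 0x3000):
        print(f"RT_RCDATA id={res_id} lang={lang:#x} size={len(blob)} bytes={blob.hex()}")
```

On a real sample you would feed find_rcdata the bytes of the .rsrc section and its VirtualAddress from the section table; an RCDATA entry whose bytes are high-entropy or start like a PE is exactly the trick the article describes.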

And according to MSDN:

The first argument of FindResource is NULL if you want to search the current module.

The second argument is MAKEINTRESOURCE(ID), which converts the integer ID into the resource-name type.

To reduce the amount of memory required for a resource, an application should refer to it by integer identifier instead of by name. [MSDN].

The third argument is the resource type, which we already identified.

The return value is of type HRSRC.

So our code before analysis is:

    hResInfo = FindResource(0, 100, 10);

And after analysis it becomes:

    HRSRC hResInfo = FindResource(NULL, MAKEINTRESOURCE(100), RT_RCDATA);

Let’s look at the LoadResource API on MSDN:

The first argument will be NULL and the second will be our HRSRC handle. The return value is HGLOBAL.

So this is our code before analysis:

    hResData = LoadResource(0, hResInfo);

After analysis it becomes:

    HGLOBAL hResData = LoadResource(NULL, hResInfo);

This note is for learning purposes only:

Yes, MSDN is our friend for analyzing Windows APIs. So if you want to write highly obfuscated malware, don’t use documented APIs, static API calls, a plaintext payload, plaintext arguments, or simple bypass techniques.

So, from this article, what can I do to make my code evade analysts?

  1. We prefer plaintext strings, generic packers, public algorithms, and deobfuscating and decrypting the malware in a debugger, and we love the resource section very much because we have the Resource Hacker tool [ yes, I know I didn’t explain it; you can use this tool to find the resource statically ].
  2. Dynamic API calling with your own obfuscation algorithm is the solution for evading AV.
  3. Anti-disassembly, anti-debugging and anti-VM tricks are your friends, but don’t use published techniques, because we know every technique that has been published.
  4. Use C++, not C, and look for a C++ developer who can translate your C code into C++ code. [ I’ll give you a hundred quarters if you pull that off, buddy ].
  5. Wait for the third part, In Sha’Allah.

And this is just the first article of this series; I will write about all the malware analysis techniques needed to develop targeted malware for your Red Teaming customer.

To Be Continued…


Written by Mahmoud NourEldin

Threat Researcher and Malware Analyst.
