Malware Dynamic Analysis Part-3

The document discusses DLL injection techniques used by malware to maneuver and execute malicious code on victim machines. It describes how malware uses the Windows API functions OpenProcess, VirtualAllocEx, WriteProcessMemory, GetModuleHandle, GetProcAddress, and CreateRemoteThread to inject a malicious DLL into another process's address space and force it to load by creating a remote thread. This allows the malware to run arbitrary code under the context of the target process to bypass security defenses.

Uploaded by

Mazhar Waqar

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

88 views52 pages

Malware Dynamic Analysis Part-3

Uploaded by

Mazhar Waqar

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

Malware Dynamic Analysis

Part 3
Veronica Kovah
vkovah.ost at gmail

http://opensecuritytraining.info/MalwareDynamicAnalysis.html

See notes for citation 1

All materials is licensed under a Creative
Commons “Share Alike” license
http://creativecommons.org/licenses/by-sa/3.0/

See notes for citation 2

Where are we at?
• Part 3: Maneuvering techniques
– (How malware strategically positions itself to
access critical resources)
– DLL/code injection
– DLL search order hijacking...
• Part 4: Malware functionality
– Keylogging, Phone home, Security degrading, Self-
destruction, etc.

See notes for citation 3

Maneuvering
• DLL injection
• Direct code injection
• DLL search order hijacking
• Asynchronous Procedure Call (APC) injection
• IAT/EAT hooking
• Inline hooking

See notes for citation 4

DLL/code Injection
• Load a malicious
DLL/code into one or
more processes
• Run malicious code on
behalf of a legitimate
process
• Bypass host-based
security software
– HIDS, Personal Firewall

See notes for citation 5

DLL Injection Methods (1)
• AppInit_DLLs
– HKLM\Software\Microsoft\Windows NT\
CurrentVersion\Windows\AppInit_DLLs is set to a
space or comma separated list of DLLs to load into
processes that load user32.dll
– On Windows Vista and newer you also have to set
a few other values in that path like
LoadAppInit_DLLs = 1 and
RequireSignedAppInit_DLLs = 0

See notes for citation 6

Observing Parite's Maneuvering
• Using Regshot on the victim VM
1) Start Regshot (MalwareClass/tools/v5_regshot_1.8.3...)
2) Click 1st shot button→Shot
3) Run parite/malware.exe
4) Click 2nd shot button→Shot
5) Click Compare button
Q1. Which DLL is used for maneuvering?
Q2. Where is it maneuvering?
Q3. Open question:
Any theories why it’s maneuvering to there?
See notes for citation 7
Answers for Parite Lab
A1. “fmsiopcps.dll” is added to
HKLM\Software\Microsoft\Windows NT\
CurrentVersion\Windows\AppInit_DLLs
A2. All Windows applications, which use
user32.dll

See notes for citation 8

Application Programming Interface (API)
• “Specifies a software component in terms of its
operations, their inputs and outputs and underling
types”
http://en.wikipedia.org/wiki/Application_programming_interface

• char strncpy(char dest, const char *src, size_t n);

– 3 inputs:
• dest: destination string
• src: source string
• n: number of characters to copy from source string
– 1 output: returns a pointer to the destination string

See notes for citation 9

DLL Injection Methods (2)
• CreateRemoteThread Windows API
– Manipulate a victim process to call LoadLibrary with
the malicious DLL name
– Malicious code is located in DllMain, which is called
once a DLL is loaded into memory
– A common API call pattern:
• OpenProcess→VirtualAllocEx→
WriteProcessMemory→GetModuleHandle→
GetProcAddress→CreateRemoteThread
• Also, a direct code injection method
See notes for citation 10
OpenProcess→VirtualAllocEx→ WriteProcessMemory→
GetModuleHandle→ GetProcAddress→CreateRemoteThread

HANDLE WINAPI OpenProcess(

_In_ DWORD dwDesiredAccess,
_In_ BOOL bInheritHandle,
_In_ DWORD dwProcessId
);
• dwProcessId [in]
– The identifier of the local process to be opened...
• Return value
– If the function succeeds, the return value is an open
handle to the specified process…

See notes for citation 11

OpenProcess→VirtualAllocEx→ WriteProcessMemory→
GetModuleHandle→ GetProcAddress→CreateRemoteThread

LPVOID WINAPI VirtualAllocEx(

_In_ HANDLE hProcess,
_In_opt_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flAllocationType,
_In_ DWORD flProtect
);
• hProcess [in]
– The handle to a process. The function allocates memory within the virtual address
space of this process...
• dwSize [in]
– The size of the region of memory to allocate, in bytes...
• Return value
– If the function succeeds, the return value is the base address of the allocated region of
pages...

See notes for citation 12

OpenProcess→VirtualAllocEx→ WriteProcessMemory→
GetModuleHandle→ GetProcAddress→CreateRemoteThread
BOOL WINAPI WriteProcessMemory(
_In_ HANDLE hProcess,
_In_ LPVOID lpBaseAddress,
_In_ LPCVOID lpBuffer,
_In_ SIZE_T nSize,
_Out_ SIZE_T *lpNumberOfBytesWritten
• hProcess [in] );
– A handle to the process memory to be modified…
• lpBaseAddress [in]
– A pointer to the base address in the specified process to which data is written…
• lpBuffer [in]
– A pointer to the buffer that contains data to be written in the address space of the
specified process.
• nSize [in]
– The number of bytes to be written to the specified process.

See notes for citation 13

OpenProcess→VirtualAllocEx→ WriteProcessMemory→
GetModuleHandle→ GetProcAddress→CreateRemoteThread

HMODULE WINAPI GetModuleHandle(

_In_opt_ LPCTSTR lpModuleName
);

• pModuleName [in, optional]

– The name of the loaded module (either a .dll or .exe file)…
• Return value
– If the function succeeds, the return value is a handle to the
specified module…

See notes for citation 14

OpenProcess→VirtualAllocEx→ WriteProcessMemory→
GetModuleHandle→ GetProcAddress→CreateRemoteThread

FARPROC WINAPI GetProcAddress(

_In_ HMODULE hModule,
_In_ LPCSTR lpProcName
);

• hModule [in]
– A handle to the DLL module that contains the function or variable…
• lpProcName [in]
– The function or variable name, or the function's ordinal value...
• Return value
– If the function succeeds, the return value is the address of the
exported function or variable...

See notes for citation 15

OpenProcess→VirtualAllocEx→ WriteProcessMemory→
GetModuleHandle→ GetProcAddress→CreateRemoteThread
HANDLE WINAPI CreateRemoteThread(
_In_ HANDLE hProcess,
_In_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_ LPDWORD lpThreadId
• hProcess [in] );
– A handle to the process in which the thread is to be created...
• lpStartAddress [in]
– A pointer to the application-defined function of type
LPTHREAD_START_ROUTINE to be executed by the thread and
represents the starting address of the thread in the remote process...
• lpParameter [in]
– A pointer to a variable to be passed to the thread function.
See notes for citation 16
CreateRemoteThread() cont.
• lpStartAddress’s type is LPTHREAD_START_ROUTINE, which
is defined as
typedef DWORD (__stdcall *LPTHREAD_START_ROUTINE) (
[in] LPVOID lpThreadParameter
);
• You can’t put any function as lpStartAddress. It has
to be one which matches the above prototype.
• One (popular) example is
HMODULE WINAPI LoadLibrary(
_In_ LPCTSTR lpFileName
);
See notes for citation 17
DLL Injection API Call Example