Implementing your own generic unpacker - HITB ... - HITB GSEC

Implementing your own generic unpacker HITB Singapore 2015 Julien Lenoir - [email protected] October 14, 2015

Implementing your own generic unpacker

Outline

1

Introduction

2

Test driven design

3

Fine tune algorithm

4

Demo

5

Results

6

Conclusion

October 14, 2015

2


Outline

1

Introduction

2

Test driven design

3

Fine tune algorithm

4

Demo

5

Results

6

Conclusion

October 14, 2015

3


Context Why did we do this? For malware classification purposes No opensource implementation matching our constraints

Constraints Work on bare metal as well as on any virtualization solution (VMware, VirtualBox, etc.) Rebuild a valid PE for static analysis. Runnable PE for dynamic analysis is even better Prevent malware from detecting unpacking process

October 14, 2015

4


Generic unpacking is not new

Existing tools Renovo (2007) Omniunpack (2007) Justin (2008) MutantX-S (2013) Packer Attacker (2015)

Our work Own implementation of MutantX-S engine which is based on Justin

October 14, 2015

5


Targets simple packers

Our tool targets packers that fully unpack original code before executing it

Works on Popular COTS packers (Aspack, Pecompact, etc.) Homemade packers

Does not work on Virtualizers (Armadillo, VMProtect) Packers that interleave unpacking layers and original code

October 14, 2015

6


What is a simple packer?

1. decompress/decrypt

Packer code

Packed Executable (compressed or encrypted)

Packer entrypoint 2. jumps to

October 14, 2015

7

Original program entrypoint



1. Uncompress/decrypt

Packer code



October 14, 2015

8

Unpacked Executable




1. decompress/decrypt

Packer code



October 14, 2015

9

Unpacked Executable



Find the holy OEP Goal Find the original entry point (OEP)

General idea Program is run in an instrumented Windows environment Dynamic code generation is monitored at page level

3 steps Step 1: program is run once to trace both WRITE and EXECUTE on memory Step 2: apply an algorithm to this trace to determine OEP Step 3: program is run once again until OEP is reached, then dumped

October 14, 2015

10


step 1: program execution Decompress layer 1

Packer code

Write L1 Timeline

October 14, 2015

11


step 1: program execution Uncompress layer 1

Packer code

Layer 1

Write L1 Timeline

October 14, 2015

12


step 1: program execution Execute layer 1

Packer code

Layer 1

Write Exec L1 L1 Timeline

October 14, 2015

13


step 1: program execution Uncompress layer 2

Packer code

Layer 1

Layer 2

Write Exec Write L1 L1 L2 Timeline

October 14, 2015

14


step 1: program execution Execute layer 2

Packer code

Layer 1

Layer 2

Write Exec Write Exec L1 L1 L2 L2 Timeline

October 14, 2015

15


step 1: program execution Unpack programdata

Packer code

Layer 1

Program data

Layer 2

Write Exec Write Exec Write L1 L1 L2 L2 D1 Timeline

October 14, 2015

16


step 1: program execution Unpack programcode

Packer code

Layer 1

Program data

Layer 2

Program Code

Write Exec Write Exec Write Write L1 L1 L2 C1 L2 D1 Timeline

October 14, 2015

17


step 1: program execution Execute programcode

Packer code

Layer 1

Program data

Layer 2

Program Code

Write Exec Write Exec Write Write Exec L1 L1 L2 C1 L2 D1 C1 Timeline

October 14, 2015

18


step 1: program execution Programwrites in its data

Packer code

Layer 1

Program data

Layer 2

Program Code

Write Exec Write Exec Write Write Exec Write L1 L1 L2 C1 L2 D1 C1 D2 Timeline

October 14, 2015

19


step 1: program execution Programexecutes subfunction

Packer code

Layer 1

Program data

Layer 2

Program Code

Write Exec Write Exec Write Write Exec Write Exec L1 L1 L2 C1 L2 D1 C1 D2 C2 Timeline

October 14, 2015

20


step 1: program execution Process terminates

Packer code

Layer 1

Program data

Layer 2

Write Exec Write Exec Write Write Exec Write Exec L1 L1 L2 C1 L2 D1 C1 D2 C2

Program Code

The end Timeline

October 14, 2015

21


step 2: OEP identification Apply algorithm on excution trace

Packer code

Layer 1

Program data

Layer 2

Program Code

Write Exec Write Exec Write Write Exec Write Exec L1 L1 L2 C1 L2 D1 C1 D2 C2 OEP

October 14, 2015

22

Timeline


step 2: OEP identification Filter out written only pages and executed only pages

Packer code

Layer 1

Program data

Layer 2

Program Code


October 14, 2015

23

Timeline


step 2: OEP identification Keep pages that are executed and written

Packer code

Layer 1

Program data

Layer 2

Program Code


October 14, 2015

24

Timeline


step 2: OEP identification Find the last written page

Packer code

Layer 1

Program data

Layer 2

Program Code

Write Exec Write Exec Write Write Exec Write Exec L1 L1 L2 L2 D1 C1 D2 C2 C1 OEP

October 14, 2015

25

Timeline


step 2: OEP identification OEP is at first executed address after last write

Packer code

Layer 1

Program data

Layer 2

Program Code

Write Exec Write Exec Write Write Exec Write Exec L1 L1 L2 L2 D1 D2 C2 C1 C1 OEP

October 14, 2015

26

Timeline


Tracking memory access How? By changing memory access rights Write or execute access on memory page generates exceptions We catch those exceptions to monitor program behavior No page can be both executable and writable

In details Sets all pages to executable prior to execution Run the process On write attempt change page protection from executable to writable On execute attempt change page protection from writable to executable Do it until process terminates or a given time elapses October 14, 2015

27


Outline

1

Introduction

2

Test driven design

3

Fine tune algorithm

4

Demo

5

Results

6

Conclusion

October 14, 2015

28


Main design choices Our machinery runs inside the OS

Advantage Compatible with any virtualization solution

Disadvantages A malware can detect virtualization: out of scope Targeted malware can detect our unpacker (driver name, etc.) Supported OS: Windows 7 32 bits in PAE mode

Limitations Old system but it is enough for userland programs No support of 64 bit samples October 14, 2015

29


Keep track of unpacking

We don’t want the packer to Allocate memory both writable and executable Change its memory protection Generate dynamically code without our knowledge

Hooking memory system calls NtAllocateVirtualMemory NtProtectVirtualMemory ...

October 14, 2015

30


Userland exception path 1. Processor transfers execution to the kernel #PF handler.

KiTrap0E

Page fault handler

MmAccessFault

Memory manager fault handler

Memory management fault? yes

no KiDispatchException

Kernel exception dispatcher

Handled by debugger? no yes

Userland Exception? yes

no

Specific processing Kernel land User land

vectored exception handlers

Resumed execution October 14, 2015

31

SEH handlers


Userland exception path 2. Handles memory management faults. Like physical page in page file (swap).

KiTrap0E

Page fault handler

MmAccessFault







no




32

SEH handlers


Userland exception path 3. Sort userland and kernel land exceptions. Forward exceptions to debuggers.

KiTrap0E

Page fault handler

MmAccessFault







no




33

SEH handlers


Userland exception path 4. Exception transfered to first registered handlers in userland process. Visible by all threads.

KiTrap0E

Page fault handler

MmAccessFault







no




34

SEH handlers


Userland exception path 5. Thread specific exception handlers (try / catch).

KiTrap0E

Page fault handler

MmAccessFault







no




35

SEH handlers


Architecture: first attempt Catching exceptions at userland level

Advantage

KiTrap0E

Page fault handler

MmAccessFault


Memory management fault?

Easy to implement

yes


Disadvantage


Handled by debugger? no

Need to have code inside target process yes


Kernel land

Mem syscalls hooked

User land vectored exception handlers

Resumed execution

October 14, 2015

36

SEH handlers


Problem: self modifying page

Case Encountered in mpress packed executables

What happens: Some memory pages are meant to be RWX Those pages are self modifying We enter an infinite loop

October 14, 2015

37


What happens

EIP at 401009 EAX is 0

PAGE 401000 EXECUTABLE 401007 401008 >401009 40100E 401011 ... 401234

October 14, 2015

38

NOP NOP MOV EAX,401234 XOR BYTE PTR DS : [ EAX] , 4 2 NOP db

0


What happens

EIP at 40100E EAX is 401234

PAGE 401000 EXECUTABLE 401007 401008 401009 >40100E 401011 ... 401234

October 14, 2015

39


0


What happens



Exception (type 1 write) Invalid write access on address 401234

October 14, 2015

40


0


What happens


PAGE 401000 WRITABLE

Exception (type 1 write) Invalid write access on address 401234 Swap page protection

401007 401008 401009 >40100E 401011 ... 401234

October 14, 2015

41


0


What happens


PAGE 401000 WRITABLE 401007 401008 401009 >40100E 401011 ... 401234

Exception (type 1 write) Invalid write access on address 401234 Swap page protection Resume process execution at 40100E

October 14, 2015

42


0


What happens


PAGE 401000 WRITABLE 401007 401008 401009 >40100E 401011 ... 401234

Exception (type 1 write) Invalid write access on address 401234 Swap page protection Resume process execution at 40100E Exception (type 8 execute) Invalid execute access on address 40100E

October 14, 2015

43


0


What happens



Exception (type 1 write) Invalid write access on address 401234 Swap page protection Resume process execution at 40100E Exception (type 8 execute) Invalid execute access on address 40100E Swap page protection

October 14, 2015

44


0


What happens EIP at 40100E EAX is 401234


Exception (type 1 write) Invalid write access on address 401234 Swap page protection Resume process execution at 40100E Exception (type 8 execute) Invalid execute access on address 40100E Swap page protection Resume process execution at 40100E ... Infinite loop

October 14, 2015

45


0


Architecture update: catch single-step exceptions In two steps

KiTrap0E

1. Access violation :

KiTrap01


MmAccessFault

Set page writable and executable


Activate single-step

no Kernel exception dispatcher

KiDispatchException

Resume process execution



no

Kernel land

Mem syscalls hooked


Resumed execution

October 14, 2015

46

Specific processing

SEH handlers


Architecture update: catch single-step exceptions In two steps

KiTrap0E


KiTrap01


MmAccessFault

Set page writable and executable


Activate single-step


KiDispatchException

Resume process execution


2. Int01 Trap (single-step) :

yes

Restore page protection to executable

yes

no

Kernel land


Resume process execution Resumed execution

47

Specific processing Mem syscalls hooked

User land

Remove single-step

October 14, 2015

Userland Exception?

SEH handlers


Problem: syscall sanitization

Case Encountered in a binary packed with NSPack 2.4

What happens: packer calls NtProtectVirtualMemory during its unpacking process This syscall has output arguments Argument address is executable but not writable Syscall fails and so does unpacking

October 14, 2015

48


What happens System call input sanitization is exception based: NTSTATUS N t P r o t e c t V i r t u a l M e m o r y ( . . . , i n t ∗ pOldAccess ) { try { ProbeForWrite ( pOldAccess , s i z e o f ( i n t ) ) ; MiProtectVirutalMemory ( . . . } except { r e t u r n ERROR_NO_ACCESS; }

, pOldAccess ) ;

}

ProbeForWrite actually writes the whole buffer to ensure it is writable If not writable, exception is generated and caught by the system call October 14, 2015

49


What happens Exception goes through

KiTrap0E

KiTrap01

Page Fault Hander MmAccessFault

Memory management fault handler




yes

System call registered SEH




It never reaches userland, we cannot handle it!


no

Catched by syscall SEH

yes Kernel land

Mem syscalls hooked


Resumed execution

October 14, 2015

50

SEH handlers


What happens Exception goes through

KiTrap0E

KiTrap01

Page Fault Hander MmAccessFault

Memory management fault handler




yes

System call registered SEH


It never reaches userland, we cannot handle it!


Catching exceptions in userland is not a good idea

no

Catched by syscall SEH

yes Kernel land

Mem syscalls hooked


Resumed execution

October 14, 2015



51

SEH handlers


Architecture update: catch exceptions in kernel In two steps

KiTrap0E


KiTrap01


MmAccessFault

Temporary set the page as writable


Activate single step


KiDispatchException

Resume kernel execution



no

Kernel land

Mem syscalls hooked


Resumed execution

October 14, 2015

52

Specific processing

SEH handlers


Architecture update: catch exceptions in kernel In two steps

KiTrap0E


KiTrap01


MmAccessFault

Temporary set the page as writable


Activate single step


KiDispatchException

Resume kernel execution


2. Int01 Trap (single-step) :

yes

Restore page protection to executable

yes

no

Kernel land


Resume kernel execution Resumed execution

53

Specific processing Mem syscalls hooked

User land

Remove single-step

October 14, 2015

Userland Exception?

SEH handlers


Another tricky case V i r t u a l P r o t e c t ( memory_address , RWX) ; V i r t u a l Q u e r y ( address ,& P a g e P r o t e c t i o n ) ; i f ( P a g e P r o t e c t i o n == RWX) { goto con tin ue_ unp ack i n g ; } else { goto e r r o r ; }

Hooking of memory system calls is not sufficient We need to maintain a packer view of the process memory

October 14, 2015

54


Another tricky case V i r t u a l P r o t e c t ( memory_address , RWX) ; V i r t u a l Q u e r y ( address ,& P a g e P r o t e c t i o n ) ; i f ( P a g e P r o t e c t i o n == RWX) { goto con tin ue_ unp ack i n g ; } else { goto e r r o r ; }

Hooking of memory system calls is not sufficient We need to maintain a "packer view" of the process memory Were does the OS store information related to memory?

October 14, 2015

55


In physical memory

64 bits PTE entry in PAE mode

Present PTE :

Non present PTE :

1 bit for present

1 bit for present

2 bits for memory protection: combination of R,W,E

63 ignored (free) bits

3 ignored (free) bits

October 14, 2015

56


In physical memory

Windows memory manager stores information in both invalid and valid PTEs

Examples of invalid PTEs Demand zero: demand paging Page File: physical page is in paging file Prototype PTE: shared memory

In valid PTEs Information related to copy-on-write mechanisms

October 14, 2015

57


In kernel virtual memory

Two memory structures involved:

Virtual Address Descriptors The view of the process memory virtual address space Binary tree where every node is a memory region Information related to memory regions

Working set list entries Global array containing protection of every memory page

October 14, 2015

58


Example of VirtualQuery VirtualQuery

NtQueryVirtualMemory

Query info about @1234 Process virtual memory Kernel virtual memory

VAD Tree Retrieves region attributes

Queries protect of @1234

Node @1234

@1234 RW WSLE Physical memory @1234 : RW

Page Table

October 14, 2015

59


Unsynchronizing memory structures VirtualQuery

NtQueryVirtualMemory

Query info about @1234 Process virtual memory Kernel virtual memory

VAD Tree Retrieves region attributes

Queries protect of @1234

Node @1234

@1234 RW WSLE Physical memory @1234 : RX

Page Table

October 14, 2015

60


Unsynchronizing memory structures

Good points No need for a packer view any more No need to mess with complex kernel memory structures

Beware of resynchronization Happens on memory system calls When memory manager handles page faults (demand paging, etc.)

October 14, 2015

61


Architecture: final Hook in two places:

KiTrap0E

Memory manager fault handler for page faults

KiTrap01


MmAccessFault Memory management fault? yes

Kernel exceptions dispatcher for single-step exceptions


KiDispatchException Handled by debugger? no yes


no

Kernel land

Mem syscalls hooked


Resumed execution

October 14, 2015

62

Specific processing

SEH handlers


Global architecture exceptions

Driver

collect

Kernel land User land 2. send pid

5. retrieve exceptions

3. change memory protection

Monitored process 6. dump

1. create suspended 4. resume

Python script

0

Dump and IAT rebuild is done with Scylla library

October 14, 2015

63


Outline

1

Introduction

2

Test driven design

3

Fine tune algorithm

4

Demo

5

Results

6

Conclusion

October 14, 2015

64


Loader issue

Issue Unpacking algorithm can be disturbed by the unpacked process startup

By the DLL loader if The process loads libraries dynamically on startup (after OEP) Those libraries are rebased

October 14, 2015

65


Userland library loader

All DLLs have a standard entrypoint Dllmain called during library loading

Loader does Ensure the DLL is not already loaded Map the DLL in memory, possibly rebased at randomized address Patch relocations if DLL is rebased Set appropriate protection on PE sections Executes DLL entrypoint (DllMain)

October 14, 2015

66


Loader at work Module base

PE header RWX

Code section RWX

Data section RWX

1. Protects sections

October 14, 2015

67



PE header RWX

Module base

PE header RWX

Code section RWX

Code section RWX

Data section RWX

Data section RWX


October 14, 2015

2. Patch relocations

68



PE header RWX

Module base

Module base

PE header RWX

PE header R

Code section RWX

Code section RWX

Code section RX

Data section RWX

Data section RWX

Data section RW


October 14, 2015



69



PE header RWX

Module base

Module base

PE header RWX

PE header R

Module base

PE header R

Dllmain Code section RWX

Code section RWX

Code section RX

Code section RX

Data section RWX

Data section RWX

Data section RW

Data section RW


October 14, 2015



70

4. Calls Dllmain


Loader artifact Unpacked program loads a library dynamically Loader patch relocations

Packer code

Program Code

Real OEP

Program Code

Write reloc Wrong OEP

October 14, 2015

71

Timeline


Loader artifact Unpacked program loads a library dynamically Loader calls Dllmain

Packer code

Program Code

Real OEP

Program Code

Write Exec reloc dllmain Wrong OEP

October 14, 2015

72

Timeline


Loader artifact Invalid OEP computation Loader calls Dllmain

Packer code

Program Code

Program Code

Real OEP

Write Exec reloc dllmain Wrong OEP

October 14, 2015

73

Timeline


Tune algorithm

Unpacking executable Filter out exceptions induced by the loader during loading

Loader information Is loader at work Which DLL is being loaded Which thread of the process is loading the DLL

October 14, 2015

74


Tune algorithm

Unpacking DLLs Keep only exceptions induced by the loader during loading process

Packed DLLs Packer code execute in Dllmain Packer jumps to DLL OEP: real Dllmain We can determine DLL OEP and dump the unpacked DLLs !

October 14, 2015

75


Outline

1

Introduction

2

Test driven design

3

Fine tune algorithm

4

Demo

5

Results

6

Conclusion

October 14, 2015

76


Demo time!

October 14, 2015

77


Outline

1

Introduction

2

Test driven design

3

Fine tune algorithm

4

Demo

5

Results

6

Conclusion

October 14, 2015

78


No that easy to test

Packers Many different packers Not always easy to get

Packed samples What is exactly the version of packer used ? What are the options enables when packing sample

October 14, 2015

79


During design Methodology : Using packers (default options) Using sorted packed samples (Tutz4you) Packer UPX (3.91) MPRESS (2.19) PeCompact (2.X) NsPack (2.4 to 3.7) Aspack (2.2) Asprotect Armadillo VMProtect

October 14, 2015

Dump with valid OEP Yes Yes Yes Yes Yes Yes No No

80

Working PE Yes No Yes/No Yes Yes No No No


On random virustotal samples Methodology : Request many packed samples from virus total Keep 20 for each packer samples randomly Manual anlysis to ensure OEP is valid Packer UPX Aspack NSpack PeCompact Upack fsg exe32pack

October 14, 2015

Valid PE 13 12 15 14 15 10 6

Valid OEP found 12 (~90%) 9 (~75%) 9 (~60%) 10 (~91%) 13 (~86%) 7 (~70%) 4 (~66%)

81

Unpacked PE runs 2(~15%) 3(~25%) 5(~30%) 4(~29%) 4 (~26%) 2(~20%) 0(~0%)


Outline

1

Introduction

2

Test driven design

3

Fine tune algorithm

4

Demo

5

Results

6

Conclusion

October 14, 2015

82


Good point Easy and automatable unpacking of simple packers

What should we improve? Add heuristics to improve end of unpacking detection Support of Windows 7 64 bits? Support of Windows 10?

Code available at https://bitbucket.org/iwseclabs/gunpack.git

Maybe you can Make your own generic unpacker! October 14, 2015

83


Thank you for listening !

Any questions ?

October 14, 2015

84

Implementing your own generic unpacker - HITB ... - HITB GSEC

Implementing your own generic unpacker - HITB ... - HITB GSEC

Suggest Documents

Implementing Your Own Generic Unpacker.pdf - HITB GSEC

Advanced SOHO Router Exploitation.pdf - HITB GSEC

Adam Donenfeld & Yaniv Mordekhay - HITB GSEC

Adam Donenfeld & Yaniv Mordekhay - HITB GSEC

Adam Donenfeld & Yaniv Mordekhay - HITB GSEC [PDF]

VoIP Wars - Destroying Jar Jar Lync.pdf - HITB GSEC

Wen Xu @ Keen Team HITB GSEC 2015 [PDF]

VoIP Wars - Destroying Jar Jar Lync.pdf - HITB GSEC

Current State of Android Privilege Escalation - HITB GSEC [PDF]

VoIP Wars - Destroying Jar Jar Lync.pdf - HITB GSEC

Hacking Cookies in Modern Web Applications and ... - HITB GSEC

Cesar Cerrudo and Lucas Apa - Hacking Robots Before ... - HITB GSEC

Current State of Android Privilege Escalation - HITB GSEC [PDF]

Wen Xu @ Keen Team HITB GSEC 2015 [PDF]

ReDECTed - HITB Haxpo [PDF]

Conference Agenda - HITB Security Conference

Conference Agenda - HITB Security Conference

svforth - HITB Magazine - Hack In The Box

Detecting Hardware Keyloggers - HITB Security Conference

BEyOND FuzziNg - HITB Magazine - Hack In The Box

HITB LAB: Identifying Threats in Raw Data Events: A Practical ...

Perf - From Profiling to Kernel Exploiting.pdf - HITB Security Conference

Chinese Malware Factory - HITB Magazine - Hack In The Box

HITB LAB: Identifying Threats in Raw Data Events: A Practical ...