This is a short blog post. Here are some of the techniques I have picked up while programming software and reverse engineering software. Some of these are Windows-specific.
- Tricky calls: Look out for tricky jumps via TLS, SEH, RET, CALL, etc. An example is using PUSH to put an address on the stack and then using RET to pop the address off the stack and jump to it.
- Utility functions: If there isn't a test after a call, the call is most likely not of interest, as the called function does not have a return value and is most likely a utility function.
- Decryption function: If the same function is called multiple times, there is a high possibility that it is a decryption function.
- Syscalls: Instead of using ntdll.dll to make syscalls, the sample calls them directly by using the syscall ID of the call it wants to execute.
- Debugging self-changing code: When you set breakpoints in a debugger you are setting software breakpoints. This works by changing a piece of code to CC, which indicates that the debugger needs to stop here. The problem with this method when working with a self-changing sample is that the breakpoint (CC) will be overwritten by the packer, the decryption function or similar functions. This is why it is important to set hardware breakpoints (you can set a maximum of 4 hardware breakpoints).
Decoding of encrypted data
You can decode data in a debugger by setting a breakpoint after the decoding function and examining the results. On Windows, you can identify a decryption function by its API call to CryptDecrypt. Another option is to use xorsearch. It will try to look for strings that are encrypted with a simple XOR key.
arg | description |
---|---|
-i | Case-insensitive search |
-s | Generate a file that decodes all bytes in the file using the discovered key |
This will go through the sample, try to XOR substrings, and report those that have “http:” as part of them:
xorsearch -i -s sample.bin http:
Another tool is brxor, which deobfuscates XOR-encoded strings that are in the English dictionary. The following goes through the sample and saves the result to a file:
brxor.py sample.bin > sample_brxor.txt
There are many other similar tools to try:
- xorBruteForcer.py: http://eternal-todo.com/var/scripts/xorbruteforcer
- NoMoreXOR.py: https://github.com/hiddenillusion/NoMoreXOR
- xortool: https://github.com/hellman/xortool
- unXOR: https://github.com/tomchop/unxor
- Kahu tools: http://www.kahusecurity.com/tools
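What the xorsearch invocation above does, reduced to single-byte XOR keys, as an added Python example (not code from xorsearch or from the original post). The function names and the sample bytes are constructed for illustration.

```python
import re

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (table lookup, fast on large files)."""
    return data.translate(bytes(i ^ key for i in range(256)))

def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E

def xor_search(data: bytes, needle: bytes, ignore_case: bool = True):
    """Try all 256 single-byte XOR keys.

    Returns a list of (key, offset, string) for every place where the decoded
    data contains needle; string is the whole printable run around the hit.
    """
    pattern = re.compile(re.escape(needle), re.IGNORECASE if ignore_case else 0)
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        for m in pattern.finditer(decoded):
            # Grow the match to the full printable string it belongs to.
            start, end = m.start(), m.end()
            while start > 0 and is_printable(decoded[start - 1]):
                start -= 1
            while end < len(decoded) and is_printable(decoded[end]):
                end += 1
            hits.append((key, start, decoded[start:end].decode("ascii")))
    return hits

# Constructed sample: a URL XOR-encoded with key 0x5A between filler bytes.
SAMPLE = (
    b"\x00\x01\x02MZ\x90"
    + xor_bytes(b"HTTP://example.test/payload", 0x5A)
    + b"\xff\xfe"
)

if __name__ == "__main__":
    for key, offset, text in xor_search(SAMPLE, b"http:"):
        print(f"key=0x{key:02X} offset=0x{offset:X} {text}")
```

Key 0x00 is included, so plaintext occurrences are reported too; multi-byte keys and the ROL/ROT/SHIFT encodings need the dedicated tools listed above.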
Self-defending malware
As malware authors get better, they have started to introduce self-defending capabilities, such as detecting virtualization and looking for analysis tools such as a debugger, network monitor, etc.
If the malware detects that it is being analysed, it might terminate itself, and in some cases it will even delete itself from the system, making it harder for us to perform analysis, especially with sandbox and dynamic analysis.
One way of dealing with this is to execute the sample while attached to a debugger and identify where in the code the sample tries to detect analysis, e.g. IsDebuggerPresent.
Then patch the instruction, either by reversing the jump so that it only runs if there is a debugger present, or by filling it with NOPs so that the sample never takes the jump. Patching the sample removes its capability of detecting analysis. Malware samples rarely have only a single detection function. Some samples have multiple, making this process very time-consuming.
If you are using xdbg to debug your sample, ScyllaHide can be used. It is an anti-anti-debug tool that works by hiding the presence of a debugger. It comes with multiple options that can be used to hide the debugger from the malware. The more options you enable, the more unstable the program can become.
Virtualization detection is another important factor for the malware author.
One of the common techniques is to check hardware characteristics: it is common for analysis machines, especially sandboxes, to have only a single core or a very small screen resolution. Then there is the uptime of the system, as a sandbox has a very low uptime.
Another is checking the applications and services installed on the system. There are many ways for malware to detect whether it is in a virtual or a physical environment.