Professional Documents
Culture Documents
Recon23 Code Detection
Recon23 Code Detection
Tim Blazytko
Twitter @mr_phrazer
HOME synthesis.to
Envelope tim@blazytko.to
About Tim
1
Setting the Scene
2
Question-Circle Large Binary
Analysis Challenges
4
Analysis Challenges
vulnerability discovery
4
Analysis Challenges
4
Analysis Challenges
4
Analysis Challenges
4
Analysis Challenges
4
Analysis Challenges
4
Analysis Challenges
4
Analysis Challenges
4
Analysis Challenges
4
Analysis Challenges
4
Where to start?
Common Approaches
• function symbols
6
Common Approaches
• function symbols
validate_serial()
6
Common Approaches
• function symbols
• meaningful strings
6
Common Approaches
• function symbols
• meaningful strings
“https://evildomain.com”
6
Common Approaches
• function symbols
• meaningful strings
6
Common Approaches
• function symbols
• meaningful strings
GetAsyncKeyboardState
• interesting API functions
6
Common Approaches
• function symbols
• meaningful strings
6
ARROW-RIGHT Code Detection Heuristics
Code Detection Heuristics
8
Code Detection Heuristics
8
Code Detection Heuristics
8
Code Detection Heuristics
• architecture-agnostic
8
Code Detection Heuristics
8
Code Detection Heuristics
• architecture-agnostic
• efficient to compute
8
Code Detection Heuristics
• efficient to compute
8
How?
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
10
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
10
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
complex code
• basic block/function size
10
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
10
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
10
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
10
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
10
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
10
Code Complexity and Statistical Analysis
Interesting code is
• (artificially) complex
• frequently executed
• uncommon
10
Detection Heuristics
Heuristics
1. large basic blocks
2. complex functions
3. frequently called functions
4. state machines
5. uncommon instruction sequences
11
Detection Heuristics
Heuristics
1. large basic blocks
2. complex functions
3. frequently called functions
4. state machines
5. uncommon instruction sequences
11
Detection Heuristics
Heuristics
1. large basic blocks
2. complex functions
3. frequently called functions
4. state machines
Clear separation between functions
5. uncommon instruction sequences
11
Detection Heuristics
Heuristics
1. large basic blocks
2. complex functions
3. frequently called functions
4. state machines
5. uncommon instruction sequences
11
Detection Heuristics
Heuristics
1. large basic blocks
2. complex functions
3. frequently called functions
4. state machines
Know what to use & when
5. uncommon instruction sequences
11
Large Basic Blocks
Large Basic Blocks
14
Large Basic Blocks
14
Large Basic Blocks
14
Large Basic Blocks
#instructions
#basic blocks
14
Complex Straight-Line Code
• unrolled loops
• cryptographic implementations
• initialization routines
• arithmetic obfuscation
15
Example: Anti-Cheat I
1,456
198
68
63
59
55
52
51
49
46
16
Example: Anti-Cheat I
1,456
198
68
63
59
55
52
51
49
46
16
Example: Anti-Cheat I
1,456
198
68
63
arithmetic and virtualization-based obfuscation59
55
52
51
49
46
16
Example: ntoskrnl.exe (Windows Kernel)
SepInitSystemDacls 491
SymCryptSha256AppendBlocks_ul1 236
HalpRestoreHvEnlightenment 147
MiInitializeDummyPages 133
HalpBlkInitializeProcessorState 103
17
Example: ntoskrnl.exe (Windows Kernel)
SepInitSystemDacls 491
SymCryptSha256AppendBlocks_ul1 236
HalpRestoreHvEnlightenment 147
MiInitializeDummyPages 133
HalpBlkInitializeProcessorState 103
17
Example: ntoskrnl.exe (Windows Kernel)
SepInitSystemDacls 491
initialization routines
SymCryptSha256AppendBlocks_ul1
HalpRestoreHvEnlightenment
236
147
MiInitializeDummyPages 133
HalpBlkInitializeProcessorState 103
17
Example: ntoskrnl.exe (Windows Kernel)
SepInitSystemDacls 491
SymCryptSha256AppendBlocks_ul1 236
HalpRestoreHvEnlightenment 147
MiInitializeDummyPages 133
HalpBlkInitializeProcessorState 103
17
Example: ntoskrnl.exe (Windows Kernel)
SepInitSystemDacls 491
cryptographic implementations
SymCryptSha256AppendBlocks_ul1
HalpRestoreHvEnlightenment
236
147
MiInitializeDummyPages 133
HalpBlkInitializeProcessorState 103
17
Complex Functions
Complex Functions
20
Complex Functions
• file parsing
• obfuscation
20
Complex Functions
• file parsing
• obfuscation
20
Cyclomatic Complexity
21
Cyclomatic Complexity
B C
• 4 basic blocks
• 4 edges
21
Cyclomatic Complexity
B C
• 4 basic blocks
• 4 edges
cyclomatic complexity: 2
21
Example: ntoskrnl.exe (Windows Kernel)
2,964
2,371
1,506
718
642
435
414
318
281
274
22
Example: ntoskrnl.exe (Windows Kernel)
2,964
2,371
1,506
718
642
435
414
318
281
274
22
Example: ntoskrnl.exe (Windows Kernel)
2,964
2,371
1,506
718
related to PatchGuard (anti-tamper protection)
642
435
414
318
281
274
22
Frequently Called Functions
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef call 0xdeadbeef
Frequently Called Functions
25
Frequently Called Functions
25
Frequently Called Functions
25
Frequently Called Functions
• can sometimes also detect string decryption & hash functions in malware
25
Frequently Called API Functions
• memory management
• data movement
• string operations
26
Example: XOR DDoS (Malware)
free 293
memcpy 191
strlen 184
memset 174
__libc_malloc 151
__lll_unlock_wake_private 148
__lll_lock_wait_private 122
ptmalloc_init 114
__strtol_internal 99
strcmp 93
27
Example: XOR DDoS (Malware)
free 293
memcpy 191
strlen 184
memset 174
__libc_malloc 151
__lll_unlock_wake_private 148
__lll_lock_wait_private 122
ptmalloc_init 114
__strtol_internal 99
strcmp 93
27
Example: XOR DDoS (Malware)
free 293
memcpy 191
strlen 184
memset 174
frequently called API functions
__libc_malloc 151
__lll_unlock_wake_private 148
__lll_lock_wait_private 122
ptmalloc_init 114
__strtol_internal 99
strcmp 93
27
Example: PlugX (Malware)
Most called functions (from unique callers) and their number of calls:
crc32 1253
LoadLibraryA 1253
__seterrormode 320
28
Example: PlugX (Malware)
Most called functions (from unique callers) and their number of calls:
crc32 1253
LoadLibraryA 1253
__seterrormode 320
28
Example: PlugX (Malware)
Most called functions (from unique callers) and their number of calls:
hash-based
crc32
import
LoadLibraryA
1253
1253
hiding
__seterrormode 320
28
Example: PlugX (Malware)
Most called functions (from unique callers) and their number of calls:
crc32 1253
LoadLibraryA 1253
__seterrormode 320
28
Example: PlugX (Malware)
Most called functions (from unique callers) and their number of calls:
potential crc32
clustering 1253
LoadLibraryA
of functions
1253
__seterrormode 320
28
Identification of State Machines
State Machine Heuristic
30
State Machines
31
State Machines
while(true) {
switch(state) {
case state_0: ...
case state_1: ...
...
case state_n: ...
}
}
31
State Machines
while(true) {
switch(state) {
case state_0: ...
case state_1: ...
...
case state_n: ...
}
}
31
Complex State Machines
• data encoding/decoding
32
State Machine Heuristic
} Controller
Controlled Blocks
33
State Machine Heuristic
} Controller
Controlled Blocks
#controlled blocks
#blocks in the function
33
Examples
PlugX (Malware)
• C&C communication & command dispatching
34
Examples
PlugX (Malware)
• C&C communication & command dispatching
ls
• recursive directory traversal
34
Examples
PlugX (Malware)
• C&C communication & command dispatching
ls
• recursive directory traversal
gcc
• file parsing and tokenizing
34
Uncommon Instruction Sequences
Observation
Statistical Analysis of Assembly Code
Common Instruction Sequences
push rbp
mov rbp, rsp
push rbx
push rax
mov rbx, qword [rdi+0x30]
mov edi, dword [rdi+0x38]
call _strerror
lea rdi, [0x7bc6]
mov rsi, rbx
mov rdx, rax
xor eax, eax
call _warnx
mov byte [0x8678], 0x1
add rsp, 0x8
pop rbx
pop rbp
retn 39
Common Instruction Sequences
push rbp
mov rbp, rsp
push rbx
push rax
mov rbx, qword [rdi+0x30]
mov edi, dword [rdi+0x38]
call _strerror
lea rdi, [0x7bc6]
mov rsi, rbx
mov rdx, rax
xor eax, eax
call _warnx
mov byte [0x8678], 0x1
add rsp, 0x8
pop rbx
pop rbp
retn 39
Common Instruction Sequences
push rbp
mov rbp, rsp
push rbx
push rax
mov rbx, qword [rdi+0x30]
mov edi, dword [rdi+0x38]
call _strerror
prologues and epilogues
lea rdi, [0x7bc6]
mov rsi, rbx
mov rdx, rax
xor eax, eax
call _warnx
mov byte [0x8678], 0x1
add rsp, 0x8
pop rbx
pop rbp
retn 39
Common Instruction Sequences
push rbp
mov rbp, rsp
push rbx
push rax
mov rbx, qword [rdi+0x30]
mov edi, dword [rdi+0x38]
call _strerror
lea rdi, [0x7bc6]
mov rsi, rbx
mov rdx, rax
xor eax, eax
call _warnx
mov byte [0x8678], 0x1
add rsp, 0x8
pop rbx
pop rbp
retn 39
Common Instruction Sequences
push rbp
mov rbp, rsp
push rbx
push rax
mov rbx, qword [rdi+0x30]
mov edi, dword [rdi+0x38]
call _strerror
function calls
lea rdi, [0x7bc6]
mov rsi, rbx
mov rdx, rax
xor eax, eax
call _warnx
mov byte [0x8678], 0x1
add rsp, 0x8
pop rbx
pop rbp
retn 39
Common Instruction Sequences
push rbp
mov rbp, rsp
push rbx
push rax
mov rbx, qword [rdi+0x30]
mov edi, dword [rdi+0x38]
call _strerror
lea rdi, [0x7bc6]
mov rsi, rbx
mov rdx, rax
xor eax, eax
call _warnx
mov byte [0x8678], 0x1
add rsp, 0x8
pop rbx
pop rbp
retn 39
Common Instruction Sequences
push rbp
mov rbp, rsp
push rbx
push rax
mov rbx, qword [rdi+0x30]
mov edi, dword [rdi+0x38]
call _strerror
data movement
lea rdi, [0x7bc6]
mov rsi, rbx
mov rdx, rax
xor eax, eax
call _warnx
mov byte [0x8678], 0x1
add rsp, 0x8
pop rbx
pop rbp
retn 39
Uncommon Instruction Sequences
• cryptographic implementations
• obfuscated code
40
Statistical Analysis
41
Statistical Analysis
41
Statistical Analysis
41
Example: ci.dll (Windows Kernel Module)
Functions with the most uncommon instruction sequences (in descending order):
MinCryptIsFileRevoked
__security_check_cookie
SymCryptFdefMaskedCopyAsm
SymCryptSha256AppendBlocks_shani
SymCryptFdefRawMulMulx1024
SymCryptParallelSha256AppendBlocks_ymm
SymCryptParallelSha256AppendBlocks_xmm
SymCryptModElementIsZero
SymCryptFdefMontgomeryReduceMulx1024
CipIsSigningLevelRuntimeCustomizable
SymCryptFdefMontgomeryReduceMulx
Gvd5e6c0
42
Example: ci.dll (Windows Kernel Module)
Functions with the most uncommon instruction sequences (in descending order):
MinCryptIsFileRevoked
__security_check_cookie
SymCryptFdefMaskedCopyAsm
SymCryptSha256AppendBlocks_shani
SymCryptFdefRawMulMulx1024
SymCryptParallelSha256AppendBlocks_ymm
SymCryptParallelSha256AppendBlocks_xmm
SymCryptModElementIsZero
SymCryptFdefMontgomeryReduceMulx1024
CipIsSigningLevelRuntimeCustomizable
SymCryptFdefMontgomeryReduceMulx
Gvd5e6c0
42
Example: ci.dll (Windows Kernel Module)
Functions with the most uncommon instruction sequences (in descending order):
MinCryptIsFileRevoked
__security_check_cookie
SymCryptFdefMaskedCopyAsm
SymCryptSha256AppendBlocks_shani
SymCryptFdefRawMulMulx1024
cryptographic implementations
SymCryptParallelSha256AppendBlocks_ymm
SymCryptParallelSha256AppendBlocks_xmm
SymCryptModElementIsZero
SymCryptFdefMontgomeryReduceMulx1024
CipIsSigningLevelRuntimeCustomizable
SymCryptFdefMontgomeryReduceMulx
Gvd5e6c0
42
Example: ci.dll (Windows Kernel Module)
Functions with the most uncommon instruction sequences (in descending order):
MinCryptIsFileRevoked
__security_check_cookie
SymCryptFdefMaskedCopyAsm
SymCryptSha256AppendBlocks_shani
SymCryptFdefRawMulMulx1024
SymCryptParallelSha256AppendBlocks_ymm
SymCryptParallelSha256AppendBlocks_xmm
SymCryptModElementIsZero
SymCryptFdefMontgomeryReduceMulx1024
CipIsSigningLevelRuntimeCustomizable
SymCryptFdefMontgomeryReduceMulx
Gvd5e6c0
42
Example: ci.dll (Windows Kernel Module)
Functions with the most uncommon instruction sequences (in descending order):
MinCryptIsFileRevoked
__security_check_cookie
SymCryptFdefMaskedCopyAsm
SymCryptSha256AppendBlocks_shani
SymCryptFdefRawMulMulx1024
virtualization-based obfuscation
SymCryptParallelSha256AppendBlocks_ymm
SymCryptParallelSha256AppendBlocks_xmm
SymCryptModElementIsZero
SymCryptFdefMontgomeryReduceMulx1024
CipIsSigningLevelRuntimeCustomizable
SymCryptFdefMontgomeryReduceMulx
Gvd5e6c0
42
Conclusion
Takeaways
44
Takeaways
44
Binary Ninja Plugin
https://github.com/mrphrazer/obfuscation_detection
45
Binary Ninja Plugin
https://github.com/mrphrazer/obfuscation_detection
45
Plugin Manager
46
Summary
https://github.com/mrphrazer/obfuscation_detection/
Tim Blazytko
Twitter @mr_phrazer
HOME synthesis.to
Envelope tim@blazytko.to
47
References
48