attacking packing: captain hook beats down on peter packer
TRANSCRIPT
Attacking Packing: Captain Hook Beats Down on Peter Packer
Nick Cano @nickcano93Vadim Kotov @vadimkotov
1)Motivation2)Background3)Tools of trade4)Implementation5)Experiments6)Live demo7)Conclusion8)Future work
Here's what we'll cover
Outline
• Most malware is packed with custom packers• Packers evolve and change constantly• Volumes of malware don't get any lower• Automated analysis is needed, but...• ...to do it @scale one needs an automated unpacker• ...existing generic unpackers are either too old, not
available for public or not open source
Generic unpacking or death
Motivation
How packers work
Background
1) Write into a file and execute2) Extract into the heap or spare
PE section3) Replace the executable
image4) Inject into another process
• Remote thread• Process Hollowing• Etc...
Self-unpacking code
Packed / encrypted payload
(1) Extract
Clean payload
(2) Unpack / decrypt
(3) Jump
Packer Behavior
Executing from the heap
Background
Allocate memoryand protect with VM_EXECUTE
Unpack intothat buffer
Transfer controlcontrol flow to
the buffer
Generic Unpacker
Track memoryallocations
Dump if executionin the heap detected
Packer Behavior
Replacing the image
Background
Allocate memory
Unpack intothat buffer
Overwrite sections
Generic Unpacker
Track changes tothe executable image
Jump to the newentry point
Dump if executingafter image modification
Packer Behavior
Process injection
Background
Allocate memory
Unpack intothat buffer
Write to anotherprocess' memory
Generic Unpacker
Just dump everything
Resume thread / process
Tools of trade
Generic unpacker can be implemented as:1) Kernel driver – harder to make it portable2) Intel PIN tools – too slow3) Hooking – lots of downsides but easy to
implement
We chose Microsoft Detours because it's free, everybody can use it and
reproduce our research
Implementation
Enter Captain Hook
Implementation
Basics
• The magic takes place inside of a DLL that is injected into the malware
• The DLL uses a mix of traditional detour hooking and untraditional VEH-based memory hooking
• The malware must run to completion once the DLL is injected• For obvious reasons, this tool must be used inside of a
hardened and secure VM
Implementation
Unpacking Heap-based Packers
• Hook NTProtectVirtualMemory & NtAllocateVirtualMemory• When a page is given VM_EXECUTE, remove execution and
start tracking the page• Create Vectored Exception Handler
• Catch DEP exceptions on tracked pages• When caught, dump the page, restore execution, and
return EXCEPTION_CONTINUE_EXECUTION
Implementation
Unpacking PE-based Packers
• On injection, remove VM_WRITE from any PE sections that have both VM_WRITE and VM_EXECUTE
• Create Vectored Exception Handler• Catch ACCESS_VIOLATION write exception to detect when a
tracked PE section is overwritten• When caught, restore VM_WRITE, remove VM_EXECUTE, and
start tracking the PE section using DEP exceptions as described previously
Implementation
Unpacking Process Injection-based Packers
• Hook NtWriteVirtualMemory• Start tracking the block's address, size, and data• Combine any adjacent writes into a single block• On process exit, dump all tracked blocks
• Hook NtMapViewOfSection• Dump entire block to disk
Implementation
Challenges #1
Problem: Some malware doesn't enforce DEPSolution: SetProcessDEPPolicy(PROCESS_DEP_ENABLE)
Problem: Sometimes, ACCESS_VIOLATION exceptions occur for reasons other than our memory hooks (control transfer, bad code)
Solution: Make sure to only handle exceptions we've created ourselves, and pass EXCEPTION_CONTINUE_SEARCH otherwise
Problem: DEP exceptions sometimes don't trigger properly when a new thread is created on tracked memory
Solution: Instead of figuring out why this is, just hook NtCreateThread and detect when a new thread is created on a tracked block
Implementation
Challenges #2
Problem: When we enforce DEP, it can cause DEP exceptions to occur where they otherwise wouldn't Solution: if we're enforcing DEP and a DEP exception occurs that isn't a result of a memory hook, restore PAGE_EXECUTE and continue execution anyways
Problem: Some packers are two-stage; they unpack on disk, and then run that executable which then unpacks in memorySolution: Propagate injected DLL into new processes via CreateProcessInternalW hook
Problem: Code gets increasingly more complex and more messySolution: Re-factor constantly, cry silently
Implementation
Source Code
What? PackerAttacker (written in C++), scripts for unpacking automation (written in Python)How? Visual Studio 2010, Microsoft Detours x86, Python, VMWare FusionWhere? https://github.com/BromiumLabs/PackerAttacker
Experiments
Dataset and lab setup
Experiments
VirusShare.comZeus / Citadel pack
Filter: 32-bit, exe
Database
VM VM VM...
Test machine
Resultsjournal
Randomsample(~350)
Setting up the packer attacker
Experiments
1)The Packer Attacker components:• PackerAttackerHook.dll – does all the unpacking
and dumping • PackerAttacker.exe – launches the malware and
injects PackerAttackerHook.dll2)It's best to put both to the %PATH%3)Dumps and logs are saved to C:\dumps (make sure
that folder exists)4)Oh and don't forget MSVC++ redistributable ;)
VM setup and operation
Experiments
Host(unpack.py)
Guest(agent.py)
Restore snapshot
Start VM
Submit file
Listen forincomingconnections
RunPackerAttacker
Sleep (20 sec)
Request dumps Zip dumpsand send back
Shutdown VM
No VMWare / VBox tools in the guest (easy to detect)
Communicates to host only (internal network)
Use PaFish to check how prone is your VM to bypasses
Dumped 87.54%
PE 45.51%
Crashed 26.96%
Errors 3.48%
Hidden code chunks
Experiments
0 50 100 150 200 250 300 3500
10
20
30
40
50
60
70
Malware samples
# hi
dden
cod
e ch
unks
AVG = 13.2
STD = 12.5MAX = 62
~20% - Use Process Hollowing
Demo
Conclusion
• Half of the packers unpack full PE and thus are easy to defeat
• Packed malware is prone to crashing and enforcing DEP causes unexpected behavior – bad design?
• Packers usually have many layers, in average 13 code chunks are executed before final payload kicks in
Some interesting observations
Future Work
• Fix crashes (might improve efficiency)• Anti-anti-hooking• DLL support• Glueing together dumped chunks• IOC extraction and classification (strings, URLs,
filenames, registry keys, etc.)• Cuckoo Sandbox plugin maybe? (conflicting hooks
might be a problem)
Thank you!
Where is the source code again?
https://github.com/BromiumLabs/PackerAttacker