reconstructing gapz: position-independent code analysis problem
TRANSCRIPT
![Page 1: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/1.jpg)
Reconstructing Gapz:
Position-Independent Code Analysis
Problem
Aleksandr Matrosov Eugene Rodionov
@matrosov @vxradius
![Page 2: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/2.jpg)
Outline of The Presentation
- Gapz: dropper
  - explorer.exe code injection trick
- Gapz: bootkit
  - Classification of modern bootkits
  - New VBR bootkit technique
- Gapz: payload
  - Hidden file system implementation
  - Disk hooks and hooking engine
  - NDIS, TCP/IP stack implementation, HTTP protocol
  - C&C communications
- Gapz: forensic approaches
- HexRaysCodeXplorer
![Page 3: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/3.jpg)
Gapz: dropper
![Page 4: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/4.jpg)
PowerLoader Builder (since September 2012)
![Page 5: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/5.jpg)
PowerLoader Builder (since September 2012)
![Page 6: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/6.jpg)
Gapz Dropper Execution Stages
1. Injecting into explorer.exe (entry point)
2. Local Privilege Escalation (icmnf)
3. Infecting the system (isyspf)
Figure: the steps are grouped into stage 1 and stage 2.
![Page 7: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/7.jpg)
Bypassing HIPS with explorer.exe Code Injection
The dropper opens shared sections from \\BaseNamedObjects that are mapped into explorer.exe and writes its shellcode into them
![Page 8: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/8.jpg)
Bypassing HIPS with explorer.exe Code Injection
The dropper searches for the window “Shell_TrayWnd”
![Page 9: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/9.jpg)
Bypassing HIPS with explorer.exe Code Injection
The dropper calls GetWindowLong() to obtain the address of the routine associated with the “Shell_TrayWnd” window handler
The dropper calls SetWindowLong() to modify “Shell_TrayWnd” window-related data
![Page 10: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/10.jpg)
Bypassing HIPS with explorer.exe Code Injection
The dropper calls SendNotifyMessage() to trigger shellcode execution in the explorer.exe address space
Result: arbitrary code execution in the WndProc() of “Shell_TrayWnd”:
![Page 11: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/11.jpg)
Triggering Shellcode Execution
SendNotifyMessage() transfers control to the address pointed to by the modified window data; that address points to the KiUserApcDispatcher() routine
![Page 12: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/12.jpg)
Triggering Shellcode Execution
The shellcode trigger uses ROP gadgets to jump into the shellcode memory region and execute the shellcode
![Page 14: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/14.jpg)
Triggering Shellcode Execution
![Page 15: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/15.jpg)
Gapz: bootkit
![Page 16: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/16.jpg)
Modern Bootkits Classification (BIOS based)
- MBR bootkits
  - MBR code modification: TDL4
  - Partition table modification: Olmasco
- VBR/IPL bootkits
  - IPL code modification: Rovnix
  - BIOS Parameter Block modification: Gapz
![Page 17: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/17.jpg)
Gapz Bootkit Overview
| Module Name | Hooked Routine |
|---|---|
| ntldr | BlLoadBootDrivers |
| bootmgr | Archx86TransferTo32BitApplicationAsm |
| winload.exe | OslArchTransferToKernel |
| ntoskrnl.exe | IoInitSystem |
Gapz bootkit features:
- hooks the int 13h handler
- patches the modules ntldr, bootmgr, winload.exe and the kernel image to survive processor execution mode switching and kernel-mode code integrity checks
![Page 18: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/18.jpg)
Gapz Bootkit Workflow
1. The int 13h handler is hooked
2. Archx86TransferTo32BitApplicationAsm is hooked in bootmgr
3. Bootmgr loads winload.exe; OslArchTransferToKernel is hooked in winload.exe
4. Winload.exe loads the kernel image; IoInitSystem is hooked in the kernel image
5. The bootkit loads its malicious kernel-mode code and runs it in a new system thread
![Page 19: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/19.jpg)
Gapz VBR Bootkit
Gapz VBR bootkit features:
- relies on the Microsoft Windows VBR layout
- the infection results in modifying only 4 bytes of the VBR
- the patched bytes might differ on various installations
Figure: VBR layout by offset: jmp (0x000), BIOS Parameter Block (BPB) (0x003), VBR code (0x054), text strings (0x19C), 0x55 0xAA signature (0x1FE), end of sector (0x200); the jmp transfers control to the VBR code.
![Page 20: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/20.jpg)
Gapz BPB Layout
struct BIOS_PARAMETER_BLOCK
{
WORD BytesPerSector;
BYTE SecPerCluster;
WORD ReservedSectors;
BYTE Reserved[5];
BYTE MediaDescriptorID;
WORD Reserved2;
WORD SectorsPerTrack;
WORD NumberOfHeads;
DWORD HiddenSectors;
DWORD Reserved3[2];
LONGLONG TotalSectors;
LONGLONG StartingCluster;
LONGLONG MFTMirrStartingCluster;
DWORD ClustersPerMFTRecord;
DWORD ClustersPerIndexBuffer;
LONGLONG VolumeSerialNumber;
DWORD Reserved4;
};
![Page 22: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/22.jpg)
Gapz BPB Modification
Figure: hard drive layout before and after infection.
- Before infection: MBR, then the NTFS volume (VBR of 0x200 bytes, IPL of 0x1E00 bytes, NTFS file system); the number of “Hidden Sectors” in the VBR points to the NTFS volume
- After infection: MBR, infected VBR, IPL, NTFS file system, and the bootkit body stored on the hard drive; the modified value of the number of “Hidden Sectors” points to the bootkit
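A forensic check for the BPB modification described above, added here as an example (not code from the presentation or from ESET's tools): it decodes the NTFS BPB of a 512-byte VBR using the field layout on the slide and compares HiddenSectors with the partition's starting LBA from the MBR partition table, which is what a clean NTFS VBR carries. The sample MBR and VBR images are constructed inline, and the redirected HiddenSectors value used for the infected case is arbitrary.

```python
import struct

# NTFS BIOS Parameter Block as laid out on the slide. In the VBR it starts at
# offset 0x0B, after the 3-byte jmp and the 8-byte OEM ID ("NTFS    ").
BPB_OFFSET = 0x0B
BPB_FORMAT = "<HBH5sBHHHI8sqqqIIqI"          # little-endian, no padding, 73 bytes
BPB_FIELDS = (
    "BytesPerSector", "SecPerCluster", "ReservedSectors", "Reserved",
    "MediaDescriptorID", "Reserved2", "SectorsPerTrack", "NumberOfHeads",
    "HiddenSectors", "Reserved3", "TotalSectors", "StartingCluster",
    "MFTMirrStartingCluster", "ClustersPerMFTRecord", "ClustersPerIndexBuffer",
    "VolumeSerialNumber", "Reserved4",
)
HIDDEN_SECTORS_OFFSET = 0x1C                 # VBR offset of the 4 bytes Gapz rewrites
PARTITION_TABLE_OFFSET = 0x1BE               # MBR partition table, four 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"


def parse_bpb(vbr: bytes) -> dict:
    """Decode the BPB of a 512-byte NTFS VBR into a dict keyed by field name."""
    if len(vbr) < 0x200 or vbr[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("not a boot sector: missing 0x55 0xAA signature")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS VBR: unexpected OEM ID")
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, vbr, BPB_OFFSET)))


def partition_start_lba(mbr: bytes, index: int = 0) -> int:
    """Starting LBA of partition table entry `index` (0..3) of an MBR."""
    if mbr[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: missing 0x55 0xAA signature")
    entry = PARTITION_TABLE_OFFSET + 16 * index
    return struct.unpack_from("<I", mbr, entry + 8)[0]


def check_hidden_sectors(mbr: bytes, vbr: bytes, index: int = 0) -> dict:
    """Compare the VBR's HiddenSectors with the partition start recorded in the MBR.

    On a clean NTFS volume the two agree. A mismatch means the VBR code will
    load its IPL from somewhere other than the sectors following the VBR,
    which is the effect of the Gapz BPB modification.
    """
    expected = partition_start_lba(mbr, index)
    actual = parse_bpb(vbr)["HiddenSectors"]
    return {"expected": expected, "actual": actual, "suspicious": actual != expected}


# --- constructed sample images (not taken from a real disk) -------------------

def make_mbr(start_lba: int, size_in_sectors: int) -> bytes:
    """Build an MBR whose first partition entry is an active NTFS partition."""
    mbr = bytearray(0x200)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", start_lba, size_in_sectors)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(mbr)


def make_ntfs_vbr(hidden_sectors: int) -> bytes:
    """Build an NTFS VBR with plausible BPB values and the given HiddenSectors."""
    vbr = bytearray(0x200)
    vbr[0:3] = b"\xEB\x52\x90"                # jmp over the BPB to the VBR code
    vbr[3:11] = b"NTFS    "
    struct.pack_into(BPB_FORMAT, vbr, BPB_OFFSET,
                     512, 8, 0, b"\x00" * 5, 0xF8, 0, 63, 255,
                     hidden_sectors, b"\x00" * 8,
                     2097151, 786432, 2, 0xF6, 1, 0x1234567890ABCDEF, 0)
    vbr[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(vbr)


def demo() -> tuple:
    """Clean volume versus a VBR whose HiddenSectors was redirected (value arbitrary)."""
    mbr = make_mbr(2048, 2097152)
    clean = check_hidden_sectors(mbr, make_ntfs_vbr(2048))
    infected = check_hidden_sectors(mbr, make_ntfs_vbr(0x1F0000))
    return clean, infected


if __name__ == "__main__":
    for label, result in zip(("clean", "infected"), demo()):
        print(label, result)
```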
![Page 23: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/23.jpg)
Gapz: rootkit
![Page 24: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/24.jpg)
Gapz Rootkit Overview
Gapz rootkit functionality is implemented as position-independent kernel-mode code for both x86 and x64 platforms
Gapz rootkit capabilities:
- hidden storage implementation
- user-mode payload injection
- covert network communication channel
- C&C server authentication mechanism
![Page 26: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/26.jpg)
Gapz Kernel-mode Code Organization
struct GAPZ_BASIC_BLOCK_HEADER
{
// A constant which is used to obtain addresses
// of the routines implemented in the block
unsigned int ProcBase;
unsigned int Reserved[2];
// Offset to the next block
unsigned int NextBlockOffset;
// Offset of the routine performing block initialization
unsigned int BlockInitialization;
// Offset to configuration information
// from the end of the kernel-mode module
// valid only for the first block
unsigned int CfgOffset;
// Set to zeroes
unsigned int Reserved1[2];
};
![Page 27: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/27.jpg)
Gapz Kernel-mode Code Blocks
Block # Implemented Functionality
1 General API, gathering information on the hard drives, CRT string routines and etc.
2 Cryptographic library: RC4, MD5, SHA1, AES, BASE64 and etc.
3 Hooking engine, disassembler engine.
4 Hidden Storage implementation.
5 Hard disk driver hooks, self-defense.
6 Payload manager.
7 Payload injector into processes’ user-mode address space.
8 Network communication: Data link layer.
9 Network communication: Transport layer.
10 Network communication: Protocol layer.
11 Payload communication interface.
12 Main routine.
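A parser for the block chain described by GAPZ_BASIC_BLOCK_HEADER and the block table above, added here as an example (not code from the presentation): it walks a dumped kernel-mode module from block to block and labels each block with the functionality the table assigns to its position. It assumes NextBlockOffset and BlockInitialization are relative to the start of the block that contains them and that a NextBlockOffset of zero ends the chain; the module bytes are constructed inline.

```python
import struct

# Eight unsigned ints, 32 bytes, in the order of GAPZ_BASIC_BLOCK_HEADER.
BLOCK_HEADER_FORMAT = "<8I"
BLOCK_HEADER_SIZE = struct.calcsize(BLOCK_HEADER_FORMAT)

# Block number -> functionality, from the "Gapz Kernel-mode Code Blocks" table.
BLOCK_FUNCTIONALITY = {
    1: "General API, hard drive information, CRT string routines",
    2: "Cryptographic library: RC4, MD5, SHA1, AES, BASE64",
    3: "Hooking engine, disassembler engine",
    4: "Hidden storage implementation",
    5: "Hard disk driver hooks, self-defense",
    6: "Payload manager",
    7: "Payload injector into processes' user-mode address space",
    8: "Network communication: data link layer",
    9: "Network communication: transport layer",
    10: "Network communication: protocol layer",
    11: "Payload communication interface",
    12: "Main routine",
}


def parse_block_header(module: bytes, offset: int) -> dict:
    """Decode one GAPZ_BASIC_BLOCK_HEADER located at `offset` in the module dump."""
    if offset + BLOCK_HEADER_SIZE > len(module):
        raise ValueError(f"block header at {offset:#x} runs past the end of the module")
    f = struct.unpack_from(BLOCK_HEADER_FORMAT, module, offset)
    return {
        "ProcBase": f[0], "Reserved": f[1:3], "NextBlockOffset": f[3],
        "BlockInitialization": f[4], "CfgOffset": f[5], "Reserved1": f[6:8],
    }


def walk_blocks(module: bytes, max_blocks: int = 64) -> list:
    """Follow the NextBlockOffset chain from the first block and describe each block.

    Assumption (not stated on the slide): offsets are relative to the block
    start and NextBlockOffset == 0 marks the last block.
    """
    blocks, offset, seen = [], 0, set()
    while len(blocks) < max_blocks:
        if offset in seen:
            raise ValueError(f"block chain loops back to {offset:#x}")
        seen.add(offset)
        hdr = parse_block_header(module, offset)
        number = len(blocks) + 1
        blocks.append({
            "number": number,
            "offset": offset,
            "init_routine": offset + hdr["BlockInitialization"],
            "proc_base": hdr["ProcBase"],
            # Reserved fields are documented as zero; anything else hints at a
            # different layout or a corrupted dump.
            "reserved_ok": hdr["Reserved"] == (0, 0) and hdr["Reserved1"] == (0, 0),
            "functionality": BLOCK_FUNCTIONALITY.get(number, "unknown"),
        })
        if hdr["NextBlockOffset"] == 0:
            break
        offset += hdr["NextBlockOffset"]
    return blocks


def config_offset(module: bytes) -> int:
    """Absolute offset of the configuration: CfgOffset (first block only) counts back from the module end."""
    cfg = parse_block_header(module, 0)["CfgOffset"]
    if cfg == 0 or cfg > len(module):
        raise ValueError("first block carries no usable CfgOffset")
    return len(module) - cfg


# --- constructed sample module (three blocks plus a trailing config blob) ------

def build_sample_module() -> bytes:
    sizes = [0x100, 0x80, 0x60]
    config = b"CONSTRUCTED-CFG!"                 # 16 bytes at the very end
    body = bytearray()
    for i, size in enumerate(sizes):
        last = i == len(sizes) - 1
        header = struct.pack(BLOCK_HEADER_FORMAT,
                             0x10000 * (i + 1), 0, 0,          # ProcBase, Reserved[2]
                             0 if last else size,               # NextBlockOffset
                             BLOCK_HEADER_SIZE,                 # init routine right after the header
                             len(config) if i == 0 else 0,      # CfgOffset, first block only
                             0, 0)                              # Reserved1[2]
        body += header + b"\xCC" * (size - BLOCK_HEADER_SIZE)
    return bytes(body + config)


if __name__ == "__main__":
    sample = build_sample_module()
    for block in walk_blocks(sample):
        print(f"block {block['number']:2} @ {block['offset']:#06x}: {block['functionality']}")
    print("config @", hex(config_offset(sample)))
```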
![Page 28: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/28.jpg)
Gapz Hidden Storage Implementation
- Gapz implements a modified FAT32 hidden volume based on the FullFat project
- the length of a file name in a FAT directory entry is 32 bytes
- the hidden volume is stored in the file named “\??\C:\System Volume Information\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”
- the contents of the volume are encrypted with AES-256 in CBC mode; the sector LBA is used as the IV
![Page 29: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/29.jpg)
Gapz Hidden Storage Implementation
Gapz implements modified FAT32 hidden volume based on FullFat project Length of file name in FAT directory entry is 32 bytes
The hidden volume is stored in the file with name:“\??\C:\System Volume Information\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”
The contents of the volume is encrypted with AES-256 in CBC mode: The sector LBA is used as IV
![Page 30: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/30.jpg)
Gapz Hidden Storage Implementation
Gapz implements modified FAT32 hidden volume based on FullFat project Length of file name in FAT directory entry is 32 bytes
The hidden volume is stored in the file with name:“\??\C:\System Volume Information\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”
The contents of the volume is encrypted with AES-256 in CBC mode: The sector LBA is used as IV
![Page 31: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/31.jpg)
Gapz Crypto Library Implementation
Gapz crypto library functionality:
- Hashing: MD5, SHA1
- Symmetric ciphers: RC4, AES
- Asymmetric cipher: ECC
![Page 32: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/32.jpg)
Gapz Self-Defence Mechanisms
Gapz hooks the IRP_MJ_INTERNAL_DEVICE_CONTROL and IRP_MJ_DEVICE_CONTROL handlers to monitor:
- IOCTL_SCSI_PASS_THROUGH
- IOCTL_SCSI_PASS_THROUGH_DIRECT
- IOCTL_ATA_PASS_THROUGH
- IOCTL_ATA_PASS_THROUGH_DIRECT
Gapz protects:
- the MBR/VBR from being read or overwritten
- its image on the hard drive from being overwritten
![Page 33: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/33.jpg)
Gapz Hooking Engine Implementation
The Gapz hooking engine is based on the “Hacker Disassembler Engine”
It tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
![Page 35: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/35.jpg)
Gapz Code Injection Functionality
1. Allocate a memory buffer in the target process address space
2. Write the payload and loader code into the allocated buffer
3. Create a remote thread in the target process
Loader code variants:
- DLL loader (load/unload DLL modules)
- Command executer (call a specific handler in the DLL payload and pass the necessary parameters)
- EXE loader 1 (run EXE modules)
- EXE loader 2 (run EXE modules)
![Page 36: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/36.jpg)
Gapz Payload Loader Code: DLL Loader & Command Executer
1. Map the image into the address space
2. Fix relocations and initialize the IAT
3. Load or unload?
   - load: execute export #1
   - unload: execute export #2, then release the image memory
![Page 37: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/37.jpg)
Gapz Payload Loader Code: EXE Loaders
EXE Loader 1:
1. Drop the payload image into the %TEMP% directory
2. Execute the CreateProcessW API
EXE Loader 2:
1. Create a legitimate suspended process (via CreateProcessAsUser)
2. Overwrite the process image with the malicious one
3. Set the process thread context according to the malicious image
4. Resume the process thread
![Page 38: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/38.jpg)
Gapz Network Protocol Implementation
Figure: two paths for a message to be sent to the C&C server.
- User mode: overlord32(64).dll, injected into svchost.exe, sends it using the Win32 socket implementation
- Kernel mode: the Win32/Gapz kernel-mode module, with its own TCP/IP protocol stack implementation, sends it directly using the NDIS miniport driver
![Page 39: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/39.jpg)
Gapz Network Protocol Architecture
| Gapz implementation | OSI Model |
|---|---|
| HTTP protocol (block #10) | Application/Presentation Layer |
| TCP/IP protocol (block #9) | Network/Transport Layer |
| NDIS miniport wrapper (block #8) | Data Link Layer |
![Page 40: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/40.jpg)
Gapz Network Protocol Implementation: NDIS
The Gapz network protocol stack relies on the miniport adapter driver:
Figure: NDIS driver stack: protocol driver (tcpip.sys), intermediate driver, filter driver, miniport adapter driver.
- Win32/Gapz communicates directly with the miniport adapter
- at the level of protocol or intermediate drivers the Win32/Gapz network packet is “invisible”
![Page 41: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/41.jpg)
Gapz C&C Communication Protocol
Gapz communicates with C&C servers over the HTTP protocol
Capabilities of the protocol:
- 00 - download payload
- 01 - send bot information to C&C
- 02 - request payload download information
- 03 - report on running payload
- 04 - update payload download URL
The requests corresponding to commands 0x01, 0x02 and 0x03 are performed by the POST method of the HTTP protocol.
![Page 42: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/42.jpg)
Gapz C&C Communication Protocol: HTTP Request
Figure: HTTP header, then HTTP body consisting of the message header followed by request-specific data.
struct MESSAGE_HEADER
{
// Output of PRNG
unsigned char random[128];
// a DWORD from configuration file
unsigned int reserved;
// A binary string which is used to
// authenticate C&C servers
unsigned char auth_str[64];
};
![Page 44: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/44.jpg)
Gapz C&C Communication Protocol: C&C Reply
Figure: HTTP message header, then HTTP message body consisting of the encrypted RC4 key K1 followed by the authentication string and reply-specific data, RC4-encrypted with key K1.
Processing of the reply:
1. Decrypt key K1
2. Decrypt the authentication string and the reply-specific data using key K1
3. Check the authentication string
   - match: process the reply-specific data
   - doesn't match: reject the reply-specific data
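The reply check above, as an added example (not code from the presentation): the RC4 key K1 is recovered, the body is decrypted with it, and the 64-byte authentication string (the auth_str the bot carries in its configuration) is compared before any reply-specific data is trusted. The slide does not say how K1 itself is encrypted; this example assumes it is RC4-encrypted under a bot-side key K0 from the configuration, and all keys, strings and reply bodies are constructed inline.

```python
import hmac
import os

K1_LEN = 16          # assumed length of the encrypted RC4 key K1 at the start of the body
AUTH_LEN = 64        # auth_str[64] from MESSAGE_HEADER


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_reply_body(k0: bytes, k1: bytes, auth_str: bytes, reply_data: bytes) -> bytes:
    """Server side as the slide draws it: [encrypted K1][RC4_K1(auth_str || reply data)].

    Assumption: K1 is RC4-encrypted under the bot-side key K0.
    """
    if len(k1) != K1_LEN or len(auth_str) != AUTH_LEN:
        raise ValueError("bad key or authentication string length")
    return rc4(k0, k1) + rc4(k1, auth_str + reply_data)


def process_reply_body(body: bytes, k0: bytes, expected_auth: bytes) -> tuple:
    """Bot side: returns (accepted, reply_data); data is rejected unless the auth string matches."""
    if len(body) < K1_LEN + AUTH_LEN:
        return False, None
    k1 = rc4(k0, body[:K1_LEN])                      # step 1: decrypt key K1
    plain = rc4(k1, body[K1_LEN:])                   # step 2: decrypt auth string + data
    auth_str, reply_data = plain[:AUTH_LEN], plain[AUTH_LEN:]
    if not hmac.compare_digest(auth_str, expected_auth):   # step 3: constant-time check
        return False, None
    return True, reply_data


def demo() -> tuple:
    """Genuine reply versus one from a server that does not know the bot's auth string."""
    k0 = b"constructed-bot-side-key"
    auth = bytes(range(AUTH_LEN))                    # stands in for auth_str from the config
    k1 = os.urandom(K1_LEN)
    genuine = process_reply_body(build_reply_body(k0, k1, auth, b"cmd=02;payload-info"), k0, auth)
    forged = process_reply_body(build_reply_body(k0, k1, b"\x00" * AUTH_LEN, b"cmd=00"), k0, auth)
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```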
![Page 45: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/45.jpg)
Gapz C&C Communication Protocol: URLs
![Page 46: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/46.jpg)
Gapz C&C Communication Protocol: URLs
![Page 47: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/47.jpg)
Gapz User-mode Payload Functionality
The module overlord32(64).dll is an essential part of the Gapz bootkit
- Overlord32(64).dll is injected into the svchost.exe process
- Overlord32(64).dll dispatches the requests from kernel mode
| Cmd # | Command Description |
|---|---|
| 0 | gather information about all the network adapters installed in the system and their properties and send it to the kernel-mode module |
| 1 | gather information on the presence of particular software in the system |
| 2 | check the internet connection by trying to reach update.microsoft.com |
| 3 | send & receive data from a remote host using Windows sockets |
| 4 | get the system time from time.windows.com |
| 5 | get the host IP address given its domain name (via the Win32 API gethostbyname) |
| 6 | get the Windows shell (by querying the “Shell” value of the “Software\Microsoft\Windows NT\CurrentVersion\Winlogon” registry key) |
![Page 48: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/48.jpg)
Gapz User-mode Payload Interface
Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload:
Figure: the \Driver\Null DRIVER_OBJECT before and after patching.
- Before patching: DriverUnload = NULL; the IRP_MJ_DEVICE_CONTROL entry points to the IRP_MJ_DEVICE_CONTROL handler in the \Driver\Null driver image, which also contains the DriverUnload routine
- After patching: DriverUnload points to the DriverUnload routine, and the IRP_MJ_DEVICE_CONTROL handler in the driver image begins with jmp gapz_hook, which transfers control to Gapz’s hook in the Win32/Gapz module, where the payload interface is implemented
![Page 50: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/50.jpg)
Modern bootkits comparison
Figure: comparison table. Columns: Gapz, Olmarik (TDL4), Rovnix (Cidox), Goblin (XPAJ), Olmasco (MaxSS). Rows: MBR modification; VBR modification; Hidden file system type; Crypto implementation; Compression algorithm; Custom TCP/IP network stack implementation. Cell values that survived extraction (the column of each value other than Gapz's is not recoverable from the slide text):
- Hidden file system type: Gapz - FAT32 modification; other cells - custom, FAT16 modification, custom (TDL4 based), custom
- Crypto implementation: Gapz - AES-256, RC4, MD5, SHA1, ECC; other cells - XOR/RC4, Custom (XOR+ROL), RC6 modification
- Compression algorithm: aPlib (two cells)
![Page 51: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/51.jpg)
Gapz: forensic approaches
![Page 52: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/52.jpg)
Hidden File System Reader
![Page 53: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/53.jpg)
Hidden File System Reader
![Page 54: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/54.jpg)
Hidden File System Reader
![Page 55: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/55.jpg)
HiddenFsReader: Free public forensic tool
http://download.eset.com/special/ESETHfsReader.exe
![Page 56: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/56.jpg)
C++ code reconstruction problems
![Page 57: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/57.jpg)
C++ Code Reconstruction Problems
- Object identification
- Type reconstruction
- Class layout reconstruction
- Identify constructors/destructors
- Identify class members
- Local/global type reconstruction
- Associate object with exact method calls
- RTTI reconstruction
- Vftable reconstruction
- Associate vftable object with exact object
- Class hierarchy reconstruction
![Page 58: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/58.jpg)
C++ Code Reconstruction Problems
Figure: class A with a vfPtr and virtual methods a1() and a2(); A::vfTable holds a meta pointer followed by the A::a1() and A::a2() entries; the meta pointer refers to the RTTI Object Locator (signature, pTypeDescriptor, pClassDescriptor).
![Page 59: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/59.jpg)
C++ Code Reconstruction Problems
![Page 60: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/60.jpg)
Identify Smart Pointer Structure
![Page 61: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/61.jpg)
Identify Exact Virtual Function Call in vtable
![Page 62: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/62.jpg)
Identify Exact Virtual Function Call in vtable
![Page 63: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/63.jpg)
Identify Exact Virtual Function Call in vtable
![Page 64: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/64.jpg)
Identify Objects Constructors
![Page 65: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/65.jpg)
Identify Objects Constructors
![Page 66: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/66.jpg)
Using Hex-Rays Decompiler
- Identifying constructors/destructors
  - usually follow memory allocation
  - the pointer to the object is passed in ecx (sometimes in other registers)
- Reconstructing the object’s attributes
  - creating a custom type in “Local Types” for an object
- Analyzing the object’s methods
  - creating a custom type in “Local Types” for a table of virtual routines
![Page 68: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/68.jpg)
Reconstructing Object’s Methods
![Page 69: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/69.jpg)
Reconstructing Object’s Methods
![Page 70: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/70.jpg)
Reconstructing Object’s Methods
![Page 71: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/71.jpg)
HexRaysCodeXplorer
![Page 72: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/72.jpg)
HexRaysCodeXplorer Features
Hex-Rays decompiler plugin
The plugin was designed to facilitate static analysis of:
- object oriented code
- position independent code
The plugin allows the analyst to:
- navigate through decompiled virtual methods
- partially reconstruct object type
![Page 73: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/73.jpg)
Hex-Rays Decompiler Plugin SDK
At the heart of the decompiler lies the ctree structure:
- syntax tree structure
- consists of citem_t objects
- there are 9 maturity levels of the ctree structure
![Page 75: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/75.jpg)
Hex-Rays Decompiler Plugin SDK
Type citem_t is a base class for:
- cexpr_t – expression type
- cinsn_t – statement type
Expressions have attached type information
Statements include: block, if, for, while, do, switch, return, goto, asm
Hex-Rays provides iterators for traversing the citem_t objects within the ctree structure:
- ctree_visitor_t
- ctree_parentee_t
Figure: class hierarchy with citem_t as the base of cexpr_t and cinsn_t.
![Page 77: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/77.jpg)
HexRaysCodeXplorer: Gapz Position Independent Code
![Page 78: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/78.jpg)
HexRaysCodeXplorer: Virtual Methods
The IDA’s “Local Types” is used to represent object type
![Page 79: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/79.jpg)
HexRaysCodeXplorer: Virtual Methods
The Hex-Rays decompiler plugin is used to navigate through the virtual methods
![Page 81: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/81.jpg)
DEMO
![Page 82: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/82.jpg)
HexRaysCodeXplorer: Object Type Reconstruction
Hex-Rays’s ctree structure may be used to partially reconstruct an object type based on its initialization routine (constructor)
- Input: pointer to the object instance; object initialization routine entry point
- Output: C structure-like object representation
![Page 84: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/84.jpg)
HexRaysCodeXplorer: Object Type Reconstruction
citem_t objects to monitor:
- memptr
- idx
- memref
- call (LOBYTE, etc.)
![Page 85: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/85.jpg)
DEMO
![Page 86: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/86.jpg)
http://REhints.com
Follow us on twitter and github:
@REhints
https://github.com/REhints
Beta testing will be open in July
send request to [email protected]
![Page 87: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/87.jpg)
References
- Gapz and Redyms droppers based on Power Loader code: http://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
- Mind the Gapz: The most complex bootkit ever analyzed?: http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
- Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy: http://go.eset.com/us/resources/white-papers/Rodionov-Matrosov.pdf
- Defeating Anti-Forensics in Contemporary Complex Threats: http://go.eset.com/us/resources/white-papers/Matrosov_Rodionov_VB2012.pdf
- Bootkit Threats: In-Depth Reverse Engineering & Defense: http://www.welivesecurity.com/wp-content/media_files/REcon2012.pdf
![Page 88: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/88.jpg)
![Page 89: Reconstructing Gapz: Position-Independent Code Analysis Problem](https://reader033.vdocuments.net/reader033/viewer/2022052903/557578fdd8b42adb7e8b4a58/html5/thumbnails/89.jpg)
Thank you for your attention!
Aleksandr Matrosov@matrosov
Eugene Rodionov@vxradius