ADVANCED Malware Analysis | Reverse Engineering | Decompiling Disassembling & Debugging (PART 1)

Captions
The time has finally come to analyze malware using advanced tactics. Finally, we're not messing around anymore. Your malware is no match for us, because we've got reverse engineering through decompiling, disassembling and debugging, all of which was covered in this one class in my cyber security bachelor's program. So if you're sitting there wondering if you need this to get a job, well, my university thought so. Now, malware analysis is of course the process of examining malicious software (malware) to understand how it works and identify its capabilities, behavior and potential impact. Now there are four main steps in analyzing malware: basic static analysis, basic dynamic analysis, both of which I covered in my last video here, and now we've got advanced static analysis and advanced dynamic analysis. Each step uses different tools and techniques to gather information about malware, and just like before, both methodologies are covered by TryHackMe, so follow along, or you can just watch the chaos unfold.

Now, just like any other smart cyber security professional, we'll be working inside of a VM, so launch the reverse engineering VM of your choice, and we'll be using Ghidra. Why? Because it's got a dragon logo, of course, duh, and because it's free, open source and has many features that we can use to get proficient in reverse engineering. But mostly 'cause we like dragons. So fire up Ghidra and let's start a new project. You want to name the project something hip and trendy like "hello world", or if you're like me, "mad world". Now import whatever malware executable you like into your new project. Once imported, you'll get a summary that has really nothing useful on it, since we're trying to get to the meat of the malware. Now double-click the malware in Ghidra and it will install a C2 communication with Russia. Ah, gotcha. No, just kidding, it opens it up for analysis. You'll want to click through and select the defaults, unless you know what you're doing and want to customize the options, but we're noobs, so we're just going to select the defaults.

Once it finishes analyzing you'll get this layout. You've got the Program Trees, where you can view PE headers in their various sections. My last video touched on PE headers; not what we'll be looking at today, but definitely useful to know. The Symbol Tree has the Imports, Exports, Functions, Labels, Classes and Namespaces. If you ever coded a day in your life, you'll know what all of these refer to. The TL;DR version of it is: Imports are code that executables will call on in order to function. Now this is common in code, referencing existing libraries of code so you don't have to code the same thing over and over again. Exports: this section contains the API function calls being exported by the program. This section is useful when analyzing various DLLs that it calls upon, as it will show the functions the DLL contains. Functions: this section contains, well, the functions that it finds within the code. Now clicking on each function will take us to the disassembled code of that function. It also contains the entry function, which you have to search for, 'cause it's not in plain sight. If you click the entry function it will take us to the start of the program that we are analyzing. You also have the Decompile section, where the pseudo C code is shown, and the middle section is the disassembled code. As you can see there's a lot of buttons and a lot of intimidating crap everywhere. To get to the assembly code that we're interested in, we'll just double-click on the .text up in the top left. This takes us to the top of the code.

There are different approaches to begin analyzing the disassembled code. You could locate the main function from the Symbol Tree, check the .text code in the Program Trees to see the code section and find the entry point as we just did, or you could search for interesting strings and locate the code to where those strings are referenced. It's also worth noting that different compilers add their own code from various checks while compiling, so you can expect some garbage assembly code that doesn't make any sense. Now instead of scrolling through and most likely missing what we're looking for, you can use the search function to find the "hello world". As you can see, the arguments being used here push "hello world" and call MessageBoxA, which is a box the person will see in their computer's GUI.

But now that we've caught a glimpse at the power of disassembly, let's break down C code a little bit, its various constructs and their corresponding assembly code. Once you know a little bit how it's translated, you'll know better what to look for in malware analysis. Now this module provides a hello world executable, as it's most likely the very first program that you will ever encounter if you ever do any coding. It prints "hello world" on the console when you run it, or on the computer GUI. This is a simple C code that will print "hello world" on the console, and this is an assembly language where "hello world" is defined as a string in the data section, then uses the write system call to print the string to standard out, which by default is your console. Now let's look at the hello world executable. Scrolling down to the push argument and "hello world", we can see the hello world parameter being fed into this function, where it's pushed to the stack before calling the print function.

Some commonly used code components are for loops, functions and while loops. Here is a for loop, and here is a for loop in assembly. In this code, the main function initializes the loop counter ECX to 1 and the loop limit EDX to 5. The loop label is used to mark the beginning of the loop. Inside the loop, the loop counter is printed to the console using the printf function from the standard C library, as in the library that standard C has access to. After printing the loop counter, the loop counter is incremented and the loop limit is checked to see if the loop should continue. The loop continues if the counter is still less than or equal to the loop limit. If the loop counter exceeds the loop limit, control is passed to the end of the program, where the program returns zero, aka the program ends. Confusing? Well, that's for loops for you, and programming in general: it's confusing until you get it, then it becomes obvious. Now if we open the provided for loop executable, find the entry function and check the assembly, we can see how the for loop is translated into disassembly code. You'll notice as you click into each argument, it highlights a corresponding argument on the right Decompiler section, which is handy for understanding what each argument does.

Now here is a simple add function in C and its corresponding assembly language. The add function starts by having the current base pointer value on the stack, then it sets the base pointer to the current stack pointer value. The function then moves the value of a and b into the EAX register, it adds them, and then it stores the result in a result variable. Finally, the function moves the value of the result into the EAX register, restores the previous base pointer value and returns to the calling function.

And here is a while loop in both C and assembly. In this example, the mov instruction initializes the register ECX to 0, representing the variable i. The loop start label marks the beginning of the loop. The cmp instruction compares the value of ECX to 10; if ECX exceeds or equals 10, the loop ends and the program jumps to the loop end label. Otherwise, the value of ECX is pushed onto the stack along with the format string, and the value of ECX itself is then printed using printf. Now the add instruction cleans up the stack after the printf call. Finally, the value of ECX is incremented and the program jumps back to the loop start label to repeat the loop once again. If we take a look at the while loop executable and find our entry function, we can see what arguments are passed: the while loop prints the label "it's fun to learn at THM". Now that's just a taste of what I got taught over 3 months. Easy, right?

Now let's talk Windows APIs. Why are we talking about Windows APIs? Because malware uses them to evade detection. Windows API is a collection of functions and services that Windows operating systems provide to enable developers to create Windows applications, while also enabling hackers to create some sneaky malware. CreateProcessA is a function that, well, it creates a process, duh. It takes several parameters, much like other functions. Here is an example of code that uses the CreateProcessA function to launch a new process. When compiled into assembly code, the CreateProcessA function call looks like this. This assembly code pushes the necessary parameters onto a stack in reverse order and then calls the CreateProcessA function. The CreateProcessA function then creates a new process and returns a handle to the process and its primary thread. What's a handle? Well, loosely explained, it's an abstract reference to a resource that is used when application software references blocks of memory, not to be confused with the pointer, which confused the hell out of me in my class. So clearly identifying the API calls in malware and examining the code can help in understanding the purpose of the malware. Malware heavily relies on Windows API, obviously referring to the malware that was designed for Windows operating systems, of course, of course. So for that reason it's important to check the import functions in our advanced analysis. Without going over every single one, here's a list of the commonly used Windows APIs: keyloggers, downloaders, C2 communication, data exfiltration, droppers, API hooking, anti-debugging and VM detection. This last one is particularly important because it, well, hardens the malware and it makes our jobs as white hats, Mad Hats, more difficult and quite maddening.

All right, so we're all experts in code constructs and assembly now. Let's analyze something I am painfully aware of now after my company's last penetration test: process hollowing, which utilizes the process injection technique. Here's a summary of how it works. A new process is created using the CreateProcessA API. This process will act as a legitimate process and will be hollowed out. NtSuspendProcess is then used to suspend the new process. Then memory is allocated in the suspended process using the VirtualAllocEx API. This memory will then be used to hold the malicious code. The malicious code is written to the allocated memory using the WriteProcessMemory API. Then the entry point of the process is modified to point to the address of the malicious code using the SetThreadContext and GetThreadContext APIs. Then the suspended process is resumed using the NtResumeProcess API. This will cause the process to execute the malicious code. Finally, it cleans up the process and any resources during the process.

Let's look at an example of process hollowing in an executable. Load up your clearly benign malware into Ghidra and let's analyze it. Since we know what we're looking for is process injection, we're going to look for the CreateProcessA function. Obviously, if we didn't know what type of malware this was, then we wouldn't start here, but we're amazing, we can spot process injections from a mile away, because we definitely didn't miss it during a company penetration test and close the alert as benign, only to get a phone call from our boss to double-check the alert. That... that didn't happen. Let's head to Imports again; this is where APIs are imported for use by the executable, and let's find the CreateProcessA API. Now right-click it and click Show References To, which will then display all the program sections where its function is called. As you can see, right before the function is called, the value 0x4 is pushed onto the stack, which represents the suspended state. If you want to know more about process creation flags, you can reference Microsoft's web page here. Now if we go into Display Function Graph, we can get a graph view of the disassembled code to visually show us what is happening during this part of the code. If it fails to create a victim process in the suspended state, it will move to the block on the right. If it successfully creates the victim process, it will move to block two. But it has evaded our AVG antivirus, color me surprised, so it moves on to the CreateFileA API, which is used to either create or open an existing file. Let's search for this API in the Symbol Tree section and go to the code where it's referenced.

Now the malware hollows the process. Malware uses the ZwUnmapViewOfSection or NtUnmapViewOfSection API calls to unmap the target process memory. Let's search for both and see if the API is called. NtUnmapViewOfSection takes exactly two arguments: the base address, which is the virtual address to be unmapped, and then the handle to the process that needs to be hollowed. Once the process is hollowed, malware must allocate the memory using VirtualAllocEx before writing the process. Let's find the instances of VirtualAllocEx API calls in the same way. Arguments passed to the function include a handle to the process, the address to be allocated, size, allocation type and the memory protection flag. Once the memory is allocated, the malware will attempt to write the suspicious process or code into the memory of the hollowed process. The WriteProcessMemory API is used for this purpose. Now let's locate the function and analyze the code. Once all is sorted out, the malware will get hold of the thread using SetThreadContext and then resume the thread using the ResumeThread API to execute the code. Now wasn't that fun? You know what's more fun? Advanced dynamic malware analysis, where we can get around all the various evasion techniques used by the bad guys to thwart our advanced static analysis. So we're going to execute the malware and hope we don't infect our entire network. Subscribe for part two.
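The hollowing sequence walked through in the video (CreateProcessA with the 0x4 suspended flag, NtUnmapViewOfSection or ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is a pattern an analyst can check for mechanically. The Python below is an added example, not code from the video, TryHackMe or Ghidra: it performs the static check the video does by hand (are all the stages present in the import table?) and a dynamic check over an ordered API-call trace, where a plain CreateProcessA without CREATE_SUSPENDED does not start a chain. The import list, traces, file paths and argument names are constructed for the example.

```python
"""Flag the process-hollowing API chain in (a) an import table and
(b) an ordered API-call trace.  Added example; all sample data below is
constructed, not taken from any real sample or trace."""
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # the dwCreationFlags value seen pushed as 0x4

# Stages of the hollowing sequence, in order; Nt*/Zw* variants of the
# native calls are treated as equivalent for matching purposes.
HOLLOWING_CHAIN = [
    ("create suspended process", {"CreateProcessA", "CreateProcessW"}),
    ("unmap target image", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("allocate in target", {"VirtualAllocEx"}),
    ("write payload", {"WriteProcessMemory"}),
    ("redirect entry point", {"SetThreadContext"}),
    ("resume execution", {"ResumeThread", "NtResumeThread", "NtResumeProcess"}),
]


@dataclass
class ApiCall:
    """One observed call: API name plus whatever argument values were recovered."""
    name: str
    args: dict = field(default_factory=dict)


def missing_hollowing_imports(imports):
    """Static check on an import table: the stage labels for which none of the
    satisfying APIs is imported.  An empty list means every stage is present."""
    present = set(imports)
    return [label for label, names in HOLLOWING_CHAIN if not (names & present)]


def check_hollowing_trace(calls):
    """Dynamic check: walk the trace in order, matching one stage at a time.
    A CreateProcess* call without CREATE_SUSPENDED does not begin a chain."""
    stage, matched, notes = 0, [], []
    for call in calls:
        if stage == len(HOLLOWING_CHAIN):
            break
        label, names = HOLLOWING_CHAIN[stage]
        if call.name not in names:
            continue
        if stage == 0 and not (call.args.get("dwCreationFlags", 0) & CREATE_SUSPENDED):
            notes.append(f"{call.name} without CREATE_SUSPENDED; ignored")
            continue
        matched.append((label, call.name))
        stage += 1
    if stage == len(HOLLOWING_CHAIN):
        verdict = "process hollowing chain complete"
    elif stage >= 3:
        verdict = "partial chain; investigate"
    else:
        verdict = "no hollowing chain"
    return {"matched": matched, "stages": stage, "verdict": verdict, "notes": notes}


# Constructed import table, modelled on what the video finds in the Symbol Tree.
SAMPLE_IMPORTS = ["CreateProcessA", "CreateFileA", "NtUnmapViewOfSection",
                  "VirtualAllocEx", "WriteProcessMemory", "GetThreadContext",
                  "SetThreadContext", "ResumeThread"]

# Constructed call trace in the order the video walks through; paths are placeholders.
SAMPLE_TRACE = [
    ApiCall("CreateProcessA", {"lpApplicationName": "C:\\placeholder\\host.exe",
                               "dwCreationFlags": 0x4}),
    ApiCall("CreateFileA", {"lpFileName": "C:\\placeholder\\payload.bin"}),
    ApiCall("GetThreadContext"),
    ApiCall("NtUnmapViewOfSection", {"BaseAddress": 0x400000}),
    ApiCall("VirtualAllocEx"),
    ApiCall("WriteProcessMemory"),
    ApiCall("SetThreadContext"),
    ApiCall("ResumeThread"),
]

# Constructed benign trace: an ordinary process launch with no suspension.
BENIGN_TRACE = [
    ApiCall("CreateProcessA", {"dwCreationFlags": 0x0}),
    ApiCall("WriteFile"),
    ApiCall("CloseHandle"),
]

if __name__ == "__main__":
    print("missing imports:", missing_hollowing_imports(SAMPLE_IMPORTS))
    print(check_hollowing_trace(SAMPLE_TRACE)["verdict"])
    print(check_hollowing_trace(BENIGN_TRACE))
```

The import check is only a hint, since a benign loader can legitimately import most of these APIs; the ordered trace check with the CREATE_SUSPENDED requirement is the stronger signal, and a partial match (three or more stages) is worth a closer look rather than an automatic dismissal.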
Info
Channel: Mad Hat
Views: 15,715
Keywords: Cybersecurity, programming, coding, beginners, education, free learning, learn cybersecurity, cybersecurity for beginners, ethical hacking, malware analysis, dark web, cyber security, tryhackme, day in the life of a software engineer
Id: z3lFMfWvwEo
Length: 12min 14sec (734 seconds)
Published: Tue Oct 17 2023