dirtbox a x86/Windows dirtbox, a x86/Windows Emulator

dirtbox, a x86/Windows
dirtbox
Emulator
Georg Wicherski
Virus Analyst, Global Research and Analysis Team
BlackHat USA, 2010-07-29
Motivation & System Overview
Why not just use CWSandbox, Anubis, Norman‘s, JoeBox, …
Malware Analysis Sandbox Solutions
ƒ VMWare „Rootkits“
ƒ
ƒ
ƒ
ƒ
ƒ
CWSandbox
JoeBox
ThreatExpert
zBox
…
ƒ Norman
ƒ
2010-07-29
Sandbox
Anubis
BlackHat USA 2010, Las Vegas
Malware Detection Emulators (A/V)
ƒ Most serious A/V
ƒ
ƒ
ƒ
solutions have one
API level emulation
Often pure
software emulators
Detection by
y
ƒ Unimplented APIs
ƒ Heap Layout,
SEH handling, …
ƒ …
2010-07-29
BlackHat USA 2010, Las Vegas
Detection by API Side-Effects
ƒ Functions containing try { in VS C++ share code
ƒ Epilogue is always the same
ƒ Uses sequence push ecx / ret to return to caller
ƒ The ecx register belongs to the called function by definition, so it is
undefinde
d fi d upon API return
t
ƒ The ecx value can be predicted because it will point to the API‘s
ret
ƒ This breaks a lot of A/V emulators right away
ƒ There are some funny but trivially detected workarounds
ƒ Could be used for generic anti
anti-emulation
emulation detection (use of
undefined registers after SEH protected API calls)
ƒ Relies on the fact that the API‘s bytecode is not
emulated
l d
2010-07-29
BlackHat USA 2010, Las Vegas
System Overview or „A cat pooped into my
sandbox and now I have a dirtbox!“
ƒ System Call Layer
ƒ
Emulation of Windows
ntdll‘s native code is
run inside
i id virtual
i t l CPU
ƒ Other libraries wrap
around kernel32 which
wraps around ntdll
Ring 0
malware.exe
ntdll
ƒ Malware issuing
system calls directly
supported
2010-07-29
BlackHat USA 2010, Las Vegas
libcpu
Custom x86 Basic Block Level Virtualization
libcpu Overview
ƒ Software emulation of x86 bytecode is too slow
ƒ A lot
l t off additional
dditi
l code,
d such
h as ntdll
tdll & kernel32
k
l32
ƒ Existing Virtualization solutions are too
powerful
f l
ƒ Implementing their own MMU, support for privileged
instructions
ƒ We want instruction level introspection
¾ Homebrew x86 virtualization based on LDT
2010-07-29
BlackHat USA 2010, Las Vegas
x86 Memory Views
Logical
2010-07-29
Virtual
Physical
BlackHat USA 2010, Las Vegas
x86 Memory View on Current OS
Logical
2010-07-29
Virtual
Physical
BlackHat USA 2010, Las Vegas
x86 Segmentation
ƒ Global Descriptor Table
ƒ Allocated by Operating System
ƒ Shared among processes
ƒ Local Descriptor Table
ƒ Has to be allocated by the OS, too
• SYS_modifyy_ldt
• NtSetLdtEntries
ƒ Process specific, usually not present
¾ Define 2 GB gguest „„userland“ LDT segment
g
2010-07-29
BlackHat USA 2010, Las Vegas
Rogue Code Execution
ƒ Basic block level execution on host CPU
ƒ No instruction rewriting required (thanks to host MMU)
ƒ Basic block is terminated by
ƒ Control flow modifying instruction
ƒ Privileged instructions
ƒ Exception: Backward pointing jumps
ƒ Directly copy if points into same basic block
ƒ Enhanced loop execution speeds
ƒ Currently no code cache, could cache
disassembly results (length of basic block)
2010-07-29
BlackHat USA 2010, Las Vegas
Self-Modifying Code
2010-07-29
BlackHat USA 2010, Las Vegas
libcpu Demo
2010-07-29
BlackHat USA 2010, Las Vegas
libscizzle
Or „libx86shellcodedetection“ if you prefer…
Shellcode Detection
ƒ Simple Approach: Brute-Force over byte buffer
ƒ If n valid instructions can be executed from there,
there
assume we found valid shellcode
ƒ Pre-filter buffers: Scan for „GetPC“ sequences
1. Find GetPC opcode candiates: 89, a3, d9, e8
•
•
•
mov r/m32, r32 or mov rm/32, eax → SEH based
GetPC
fstenv
call rel32
2. Check for valid memory operands or FS prefix
•
2010-07-29
Require fstenv operand to be esp relative
BlackHat USA 2010, Las Vegas
Free Shellcode Detector:
http://code mwcollect org/libscizzle
http://code.mwcollect.org/libscizzle
Free Shellcode Emulator:
http://libemu.carnivore.it/
libscizzle Demo
2010-07-29
BlackHat USA 2010, Las Vegas
dirtbox
Or „The System Call Implementor‘s Sysiphus Tale“
Why System Call Layer Emulation
ƒ System
y
Calls mostly
y undocumented
ƒ Wine, ReactOS, …
ƒ We get a lot of genuine environment for free!
ƒ There is a fixed number of system calls but an
ƒ
ƒ
unbound number of APIs (think third party DLLs)
Some malware uses system calls directly anyway
Less detectability by API side effects (because we run
original
i i l bytecode)
b t
d )
2010-07-29
BlackHat USA 2010, Las Vegas
Things for Free: PE Parsing & Loading (!)
ƒ Process startup handled mostly by new process
ƒ C
Creating
ti process allocates
ll
t new process:
NtCreateProcess
ƒ Creates „„Section“ of new image
g & ntdll and maps
p into
process, this requires kernel to parse section headers
ƒ Creates new Thread on Entry Point with APC in ntdll
ƒ ntdll!LdrInitializeThunk will relocate images if necessary,
resolve imports recursively, invoke TLS and DLL startup
routines and do magic (see demo).
ƒ All we have to implement is NtCreateSection &
NtMapViewOfSection for SEC_IMAGE
SEC IMAGE → we
only need to parse PE‘s section headers!
2010-07-29
BlackHat USA 2010, Las Vegas
Things for free: Accurate Heap
Implementation
ƒ A lot of A/V emulators naturally come with their
o n guest
own
g est heap allocator implementations
ƒ Some even do not put heap headers before blocks
ƒ Let alone arena structures,
structures …
ƒ The Windows heap is implemented in ntdll
ƒ Interfacing the kernel with NtVirtualAlloc & NtVirtualFree
ƒ All protections like heap cookies are present
ƒ Fingerprinting other emulators:
ƒ Look at malloc(0)-8, look for proper block header
ƒ Or overflow until the heap cookie and free
2010-07-29
BlackHat USA 2010, Las Vegas
Things for free: Proper SEH Handling
ƒ Generate CONTEXT record from current CPU state
ƒ Jump to ntdll!KiUserExceptionDispatcher
ƒ ntdll will do proper SEH handling for us
ƒ Lookup current top of SEH chain in TEB
ƒ Walk list, invoke exception handlers with correct flags
ƒ Checking for SafeSEH structures etc.
ƒ Trivial detection for other emulators:
ƒ Link with SafeSEH header
ƒ Trigger exception with invalid handler registered
ƒ Check in UnhandledExceptionHandler
2010-07-29
BlackHat USA 2010, Las Vegas
dirtbox Demo
2010-07-29
BlackHat USA 2010, Las Vegas
Conclusion & Future Work
Let‘s use this for exploit development!
Detecting dirtbox / Anti-Emulation
ƒ No leaked registers in Ring 0 transition except for eax
ƒ N
Need
d to
t provide
id proper return
t
codes,
d
esp. error codes
d
ƒ ntdll just cares about ≥ 0xc0000000; malware might
look for specific
p
error codes
ƒ Side effects on buffers etc., especially in error
cases
ƒ Fill out IN OUT PDWORD Length in case of error?
ƒ Roll back system calls performing multiple things?
ƒ Tradeoff between detectability and performance
2010-07-29
BlackHat USA 2010, Las Vegas
Future Work: Adding Tainting & SAT
Checking
ƒ Already did Proof-of-Concept based on STP
ƒ Interleave static analysis into dynamic emulation
ƒ Look for interesting values (e.g. reads from network,
date)
ƒ Do static forward data-flow analysis on usage
ƒ If used in conditional jumps, identify interesting values
with a SAT Checker (there are better domain specific
ways, but I‘m lazy)
¾Automatic reconstruction of network protocols (e.g.
commands in IRC
C bots))
¾Identify specific trigger based behaviour
¾Identify
Id tif Anti-Emulation
A ti E l ti behaviour
b h i
2010-07-29
BlackHat USA 2010, Las Vegas
Questions? Thank You!
[email protected]
georg
wicherski@kaspersky com
blog.oxff.net & securelist.com