Hooking-oriented size disassembler for malware analysis
Day after day, malware researchers, forensic analysts or administrators have to face security threats on information systems. The objective can be to analyse unauthorised intrusions, to protect users from viruses, or to prevent a system from being compromised. To achieve these objectives we have to analyse the inner works of malware using reverse engineering.
Author: Rubén Santamarta
Source: http://hakin9.org Hakin9 2/2006
What you will learn…
- how to use hooking on malware analysis,
- how to use Structure Exception Handling to create a size disassembler.
What you should know…
- assembler x86 and C,
- knowledge of Win32 API and Structure Exception Handling,
- basic knowledge of malware and virus techniques.
Malware creators (viruses, trojans, rootkits) try to prevent this analysis as much as possible, using anti-debug techniques, polymorphism, stealth or packers, among others, the latter as they reduce the size of the executable, and with more or less complexity an additional layer of protection. In this situation, time is crucial, there is no doubt that with a slow and exhaustive analysis sooner or later we will reach the objective of knowing every single detail about the threat. Unfortunately, there are occasions when we don’t have as much time as we would like, and we have to optimize every action for the analysis. Let’s imagine a worm exploiting some unknown vulnerability to propagate through the Internet. The time invested in analysing and understanding its inner works will make the difference between a real catastrophe for the users or a neutralized threat. We should, therefore, gather sufficient resources to be able to solve any possible problem. Hooking As we have seen, there are many tricks for making difficult the use of a debugger (both in Ring0 or Ring3), a basic tool for reverse engineering. Because of this, we should create a method that, under certain circumstances, allows us to interact and modify the behaviour of the executable we are investigating. One of the most common techniques for achieving this objective is hooking. We could briefly classify the different hooking techniques according to the place where they happen. Every kind is focused on different applications. We could have the following kinds:
- Inline Hooking,
- Import Address Table Hooking,
- System Service Table Hooking (Ring0),
- Interrupt Descriptor Table Hooking (Ring0),
- IRP Hooking (Ring0),
- Filter drivers (NDIS,IFS…Ring0),
The method we’ll use will be Inline Hooking. The reason is that through this technique, what we do is to patch directly the function that we want to intercept when it’s loaded into memory. This way, we don’t care about from where is being referenced, or how many times. We attack directly to the root. Every call to this function will be intercepted by our hook.
download id="127" format="1"] <div id="upgrade"> <div id="headersubscriptionform">Option for individual subscribers</div> </div>