Virtual-machine PoC built for this talk: github.com/aaaddress1/vtMal
Many well-known anti-virus products decide whether an executable is malicious by matching it against known signatures. Malware techniques keep advancing, however, and with the daily growth of variants and entirely new malware families, signature scanning, long the core technique of anti-virus engines, can no longer stop all of it. Should we stop here and let the attackers do as they please?
This talk proposes a concept that departs from the signature scanning at the heart of traditional anti-virus: a virtualization-based sandbox, written in Python, that runs the malware. Before the user actually opens and executes it, the malware is pre-run inside a fake virtual Windows operating-system architecture, so it never infects the user's real operating-system environment.
The talk covers how to build a simple EXE virtualization engine in Python (single executable, single thread). It parses the Windows EXE structure (the PE format) and emulates what the system loader (PE loader) does when creating a new process, e.g. section mapping, IAT application, section relocation, etc., then uses Unicorn Engine for memory management and to emulate the thread executing assembly instructions, recording all of the program's behaviour inside the virtual environment.
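Two of the loader steps named above, section mapping and section relocation, shown as an added example in pure Python (this is not vtMal's code; it uses only `struct` and a constructed sample image with one `.text` and one `.reloc` section, and the 0x10000000 load base stands in for wherever the emulator maps the image):

```python
import struct

# Relocation types handled; ABSOLUTE (0) is padding and is skipped
RELOC_TYPES = {3: ('<I', 0xFFFFFFFF),          # IMAGE_REL_BASED_HIGHLOW
               10: ('<Q', 0xFFFFFFFFFFFFFFFF)}  # IMAGE_REL_BASED_DIR64

def map_sections(raw, sections, size_of_image):
    """Lay the file out as the Windows loader would: copy each section's raw
    bytes to its RVA; bytes beyond SizeOfRawData up to VirtualSize stay zero."""
    image = bytearray(size_of_image)
    for rva, raw_ptr, raw_size, virt_size in sections:
        chunk = raw[raw_ptr:raw_ptr + min(raw_size, virt_size)]
        image[rva:rva + len(chunk)] = chunk
    return image

def apply_relocations(image, reloc_rva, reloc_size, image_base, new_base):
    """Walk the IMAGE_BASE_RELOCATION blocks in .reloc and add
    (new_base - image_base) to every absolute address they list.
    Returns the number of entries patched."""
    delta = new_base - image_base
    patched, off, end = 0, reloc_rva, reloc_rva + reloc_size
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from('<II', image, off)
        if block_size < 8 or off + block_size > end:
            break  # malformed block: stop instead of reading out of bounds
        for entry_off in range(off + 8, off + block_size, 2):
            entry = struct.unpack_from('<H', image, entry_off)[0]
            spec = RELOC_TYPES.get(entry >> 12)
            target = page_rva + (entry & 0xFFF)
            if spec is None or target + struct.calcsize(spec[0]) > len(image):
                continue  # padding, unsupported type, or target outside image
            val = struct.unpack_from(spec[0], image, target)[0]
            struct.pack_into(spec[0], image, target, (val + delta) & spec[1])
            patched += 1
        off += block_size
    return patched

# Constructed sample: .text at file offset 0x200 holds pointer 0x00401000
# (ImageBase 0x400000 + RVA 0x1000); .reloc at 0x400 has one HIGHLOW entry + pad.
SAMPLE_RAW = bytearray(0x500)
SAMPLE_RAW[0x200:0x208] = struct.pack('<I', 0x00401000) + b'\x90' * 4
SAMPLE_RAW[0x400:0x40C] = struct.pack('<IIHH', 0x1000, 12, 0x3000, 0x0000)
# (VirtualAddress, PointerToRawData, SizeOfRawData, VirtualSize) per section
SAMPLE_SECTIONS = [(0x1000, 0x200, 8, 0x10), (0x2000, 0x400, 12, 12)]

def demo(new_base=0x10000000):
    """Map the sample, rebase it to new_base, return (patched, pointer value)."""
    image = map_sections(SAMPLE_RAW, SAMPLE_SECTIONS, 0x3000)
    patched = apply_relocations(image, 0x2000, 12, 0x400000, new_base)
    return patched, struct.unpack_from('<I', image, 0x1000)[0]
```

`demo()` returns `(1, 0x10001000)`: the one listed pointer has been moved from the original ImageBase to the emulator's base, which is exactly what Unicorn needs before the mapped code can dereference it.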