Binary Instrumentation for Malware Analysis

Thomas Roccia
February 24, 2023

Analysing malware in enough depth to understand how it works can be a complex and tedious task. Malware frequently uses anti-analysis techniques such as obfuscation or packing that can significantly increase the analysis time.

Binary instrumentation is the process of adding new instructions to a program or modifying its existing code. Applied to malware analysis, it speeds up the process and lets you retrieve internal data without spending too much time debugging binaries. Additionally, you can integrate binary instrumentation into your own tools to enhance your malware analysis arsenal.

This presentation will explore the concept of binary instrumentation as it can be applied to malware analysis. We'll look at some of the most popular tools like Frida and show you how to use them to extract information and defeat anti-analysis techniques.

Transcript

  1. BINARY INSTRUMENTATION FOR MALWARE ANALYSIS
    Practical Tools and Techniques
    Thomas Roccia
    Sr. Security Researcher at Microsoft

  2. WHOAMI

  3. WHAT WILL WE COVER?

  4. QUOTE OF THE DAY

  5. WHAT IS BINARY INSTRUMENTATION?

  6. WHAT IS BINARY INSTRUMENTATION?
    It modifies program behavior during
    execution by altering machine code.
    Involves adding code to the program to
    track, monitor or manipulate behavior.
    Used in software dev, security,
    performance analysis and other fields.
    Static and dynamic binary
    instrumentation
    Can be used for debugging,
    vulnerability research or malware
    analysis.
    Allows deeper insights into software
    behavior and effective issue resolution.

  7. HOW CAN IT BE USED FOR MALWARE ANALYSIS?
    Malware is often obfuscated or packed and uses a variety of anti-analysis
    mechanisms.
    It can be tricky and time consuming to reverse the whole binary.
    Instrumentation lets you isolate and analyse specific parts of the
    malware's behavior.

  8. BINARY INSTRUMENTATION TOOLS

  9. FRIDA

  10. FRIDA API HOOKING
    Trampoline-based hooks modify function call flow by inserting a jump instruction at the
    beginning of the targeted function.
    This jump redirects control to a function under our control, and once our function executes, the
    trampoline ensures that the original function's execution continues.
    Source: https://learnfrida.info/

  11. INTERCEPTOR API
    The "onEnter" function allows the viewing
    and modification of function arguments
    and memory sections before execution.
    The "onLeave" function allows the viewing and
    modification of return values and modified function
    arguments and memory sections after execution.

  12. TRACING API
    Source: https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa

  13. TRACING API USING FRIDA
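As an added example (not code from the deck), the following Frida script applies the Interceptor pattern of slides 10-13 to CreateMutexA: onEnter reads the arguments, onLeave reads the return value and the captured last-error code. It assumes a Windows target and Frida's JavaScript API; the script name, the helper functions and the trace record format are assumptions of this example. The Frida-only globals are referenced only behind a guard so the helpers can be exercised outside Frida.

```javascript
// Added example (not from the deck): trace CreateMutexA with Frida's Interceptor.
//   frida -l trace_mutex.js -f sample.exe
// The Frida-only globals (Process, Interceptor) are touched only inside installHook(),
// behind a guard, so the helper functions can be unit-tested in plain Node.

const ERROR_ALREADY_EXISTS = 183; // GetLastError() when a mutex of that name already exists

// Build one trace record from values already read out of the hook.
// `handle` is the returned HANDLE as a hex string, or null when the call failed.
function describeCreateMutex(name, initialOwner, handle, lastError) {
  return {
    api: 'CreateMutexA',
    name: name === null ? '<unnamed>' : name,
    initialOwner: initialOwner !== 0,
    succeeded: handle !== null,
    handle,
    // A valid handle plus ERROR_ALREADY_EXISTS means another instance owns the name:
    // this is how malware detects that the host is already infected.
    alreadyExisted: handle !== null && lastError === ERROR_ALREADY_EXISTS,
  };
}

// Names created more than once, or that already existed, are infection-marker candidates.
function infectionMarkerCandidates(records) {
  const seen = new Map();
  for (const r of records) {
    if (r.name === '<unnamed>') continue;
    const e = seen.get(r.name) || { count: 0, alreadyExisted: false };
    e.count += 1;
    e.alreadyExisted = e.alreadyExisted || r.alreadyExisted;
    seen.set(r.name, e);
  }
  return [...seen]
    .filter(([, e]) => e.count > 1 || e.alreadyExisted)
    .map(([name]) => name)
    .sort();
}

const trace = [];

function installHook() {
  // HANDLE CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes, BOOL bInitialOwner, LPCSTR lpName)
  const target = Process.getModuleByName('kernel32.dll').getExportByName('CreateMutexA');
  Interceptor.attach(target, {
    onEnter(args) {
      // args is only valid inside onEnter: copy what onLeave needs onto `this`.
      this.name = args[2].isNull() ? null : args[2].readAnsiString();
      this.initialOwner = args[1].toInt32();
    },
    onLeave(retval) {
      // this.lastError is GetLastError() as captured by Frida right after the call (Windows only).
      const rec = describeCreateMutex(
        this.name, this.initialOwner,
        retval.isNull() ? null : retval.toString(),
        this.lastError);
      trace.push(rec);
      console.log(JSON.stringify(rec));
    },
  });
}

if (typeof Interceptor !== 'undefined') {
  installHook();
}
```

The point of reading `this.lastError` in onLeave rather than only the handle: a sample that creates its marker mutex and then exits when it already exists will show a successful handle and ERROR_ALREADY_EXISTS on the second run, which is the behaviour you want to spot before you start patching the exit path.
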

  14. UNCOVERING OBFUSCATED API CALL
    GetProcAddress is used to get the memory address of an exported function in a DLL.
    Malware uses it for obfuscation and evasion: by resolving the function at runtime instead of
    calling it directly, the API does not appear in the binary's import table.
    Source: https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress

  15. UNCOVERING OBFUSCATED API CALL
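As an added example (not the deck's code), this Frida script hooks GetProcAddress to rebuild the import table a sample resolves at runtime. It handles the case a naive hook gets wrong: lpProcName may be an ordinal rather than a string pointer, and reading it as a string crashes the target. It also filters out resolutions made by other DLLs, which are noise. Windows target and Frida's JavaScript API are assumed; the script name, helper names and record layout are this example's own.

```javascript
// Added example (not from the deck): hook GetProcAddress to rebuild the import table
// that a packed or obfuscated sample resolves at runtime.
//   frida -l trace_gpa.js -f sample.exe
// Frida globals are used only inside installHook(), so the helpers run in plain Node.

// FARPROC GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
// lpProcName is a pointer to an ANSI name OR an ordinal: values below 0x10000 are ordinals.
// Reading an ordinal as a string would dereference an invalid address and crash the hook.
function isOrdinal(rawArg) {
  return BigInt(rawArg) < 0x10000n;         // rawArg: the argument as a "0x..." string
}

function ordinalName(rawArg) {
  return '#' + String(BigInt(rawArg) & 0xffffn);
}

// Group resolved names per module: { 'kernel32.dll': ['CreateProcessW', ...], ... }.
// This is effectively the sample's real import table, which static analysis could not see.
function summarizeImports(events) {
  const byModule = new Map();
  for (const ev of events) {
    const mod = ev.module.toLowerCase();
    if (!byModule.has(mod)) byModule.set(mod, new Set());
    byModule.get(mod).add(ev.proc);
  }
  const result = {};
  for (const mod of [...byModule.keys()].sort()) {
    result[mod] = [...byModule.get(mod)].sort();
  }
  return result;
}

const events = [];

function installHook() {
  // The main executable is the first module enumerated. Unpacked code runs from heap or
  // VirtualAlloc'd memory that belongs to no module, so we keep calls from there too and
  // drop only calls made by other DLLs (the loader, CRT, etc.), which are noise.
  const mainModule = Process.enumerateModules()[0];
  const target = Process.getModuleByName('kernel32.dll').getExportByName('GetProcAddress');
  Interceptor.attach(target, {
    onEnter(args) {
      const caller = Process.findModuleByAddress(this.returnAddress);
      this.interesting = caller === null || caller.name === mainModule.name;
      if (!this.interesting) return;
      const raw = args[1].toString();
      this.proc = isOrdinal(raw) ? ordinalName(raw) : args[1].readAnsiString();
      const mod = Process.findModuleByAddress(args[0]);
      this.module = mod !== null ? mod.name : args[0].toString();
    },
    onLeave(retval) {
      if (!this.interesting) return;
      events.push({ module: this.module, proc: this.proc, address: retval.toString() });
      console.log(`[GetProcAddress] ${this.module}!${this.proc} -> ${retval}`);
    },
  });
}

if (typeof Interceptor !== 'undefined') {
  installHook();
}
```

Call `summarizeImports(events)` from the Frida REPL once the sample has reached its payload; the per-module list is what you would have expected to find in the PE import directory. Samples that walk the export table by hash instead of calling GetProcAddress will not show up here, which is the cue to hook the resolved APIs themselves.
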

  16. OTHER INTERESTING API HOOKING FOR MALWARE ANALYSIS

  17. UNPACKING
    VirtualAlloc reserves, commits, or modifies a region of pages in the calling process's virtual
    address space.
    VirtualProtect changes the protection of a region of committed pages in the calling process's
    virtual address space.
    Malware often uses VirtualAlloc in conjunction with VirtualProtect to change the permission of
    allocated memory to read-write-execute.

  18. UNPACKING USING FRIDA
    Source: https://blogs.blackberry.com/en/2021/04/malware-analysis-with-dynamic-binary-instrumentation-frameworks

  19. UNPACKING
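As an added example (not the deck's code, nor the BlackBerry script it cites), the following Frida script implements the unpacking idea of slides 17-19: remember every VirtualAlloc, and when VirtualProtect makes one of those regions executable, dump it at that moment, since the payload has been written but not yet run. Windows target and Frida's JavaScript API are assumed; the script name, the helper functions, the `send()` message shape and the PE-header heuristic are this example's own.

```javascript
// Added example (not from the deck): catch the allocate -> write -> make-executable unpacking
// sequence by hooking VirtualAlloc and VirtualProtect, and dump each region at the moment it
// turns executable (the payload is in memory by then, still unpacked).
//   frida -l dump_unpack.js -f packed.exe
// Dumps leave the process through send(); a Python frida host receives them via
// script.on('message', ...) and writes the second argument (the bytes) to disk.
// Frida globals are touched only inside installHooks(), so the helpers run in plain Node.

const PAGE_EXECUTE_MASK = 0xf0;  // PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY (0x10..0x80)
const PAGE_GUARD = 0x100;
const PAGE_NAMES = {
  0x01: 'PAGE_NOACCESS', 0x02: 'PAGE_READONLY', 0x04: 'PAGE_READWRITE', 0x08: 'PAGE_WRITECOPY',
  0x10: 'PAGE_EXECUTE', 0x20: 'PAGE_EXECUTE_READ', 0x40: 'PAGE_EXECUTE_READWRITE',
  0x80: 'PAGE_EXECUTE_WRITECOPY',
};

// Execute bits live in the low byte; modifiers like PAGE_GUARD must not hide them.
function isExecutable(protect) {
  return (protect & PAGE_EXECUTE_MASK) !== 0;
}

function protectionName(protect) {
  const base = PAGE_NAMES[protect & 0xff] || ('0x' + (protect & 0xff).toString(16));
  return (protect & PAGE_GUARD) ? base + '|PAGE_GUARD' : base;
}

// allocations: [{ base: BigInt, size: Number, ... }]. Return the one containing addr or null.
// VirtualProtect is often called on a sub-range, so we look up the enclosing allocation
// and dump all of it rather than just the bytes being reprotected.
function findOwningAllocation(allocations, addr) {
  const a = BigInt(addr);
  return allocations.find((r) => a >= r.base && a < r.base + BigInt(r.size)) || null;
}

// Cheap triage of a dump: 'MZ' at 0 and 'PE\0\0' where e_lfanew (offset 0x3c) points.
function looksLikePe(buffer) {
  const b = new Uint8Array(buffer);
  if (b.length < 0x40 || b[0] !== 0x4d || b[1] !== 0x5a) return false;
  const peOff = (b[0x3c] | (b[0x3d] << 8) | (b[0x3e] << 16) | (b[0x3f] << 24)) >>> 0;
  return peOff + 4 <= b.length &&
    b[peOff] === 0x50 && b[peOff + 1] === 0x45 && b[peOff + 2] === 0 && b[peOff + 3] === 0;
}

const allocations = [];

function installHooks() {
  const k32 = Process.getModuleByName('kernel32.dll');

  // LPVOID VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
  Interceptor.attach(k32.getExportByName('VirtualAlloc'), {
    onEnter(args) {
      this.size = args[1].toUInt32();
      this.protect = args[3].toUInt32();
    },
    onLeave(retval) {
      if (retval.isNull()) return;
      // The region is empty right now, so there is nothing to dump yet; just remember it.
      allocations.push({ base: BigInt(retval.toString()), ptr: retval, size: this.size, protect: this.protect });
      console.log(`[VirtualAlloc] ${retval} size=0x${this.size.toString(16)} ${protectionName(this.protect)}`);
    },
  });

  // BOOL VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
  Interceptor.attach(k32.getExportByName('VirtualProtect'), {
    onEnter(args) {
      const newProtect = args[2].toUInt32();
      if (!isExecutable(newProtect)) return;
      const owner = findOwningAllocation(allocations, args[0].toString());
      if (owner === null) return;          // not memory the sample allocated: loader/CRT noise
      let bytes;
      try {
        bytes = owner.ptr.readByteArray(owner.size);
      } catch (e) {
        // Part of the reservation may still be uncommitted; fall back to the reprotected range only.
        bytes = args[0].readByteArray(args[1].toUInt32());
      }
      const tag = looksLikePe(bytes) ? 'pe' : 'shellcode';
      console.log(`[VirtualProtect] ${owner.ptr} -> ${protectionName(newProtect)} (${tag}, ${bytes.byteLength} bytes)`);
      send({ type: 'dump', base: owner.ptr.toString(), size: bytes.byteLength, tag }, bytes);
    },
  });
}

if (typeof Interceptor !== 'undefined') {
  installHooks();
}
```

Two caveats a practitioner hits immediately. A packer that allocates PAGE_EXECUTE_READWRITE up front never calls VirtualProtect, so there is no trigger; in that case hook the transfer of control instead (CreateThread, or a call into the region) and dump the recorded allocations from there with the same helpers. And a dumped PE is in its mapped layout, with sections at their virtual rather than raw offsets, so it needs its section headers fixed up before a disassembler will load it cleanly.
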

  20. MALICIOUS SCRIPT ANALYSIS
    VBS/JS
    [Diagram: wscript.exe calling into SHELL32.DLL (ShellExecuteExW) and WS2_32.DLL
    (WSAStartup, WSASocketW, GetAddrInfoExW, WSAAddressToStringW, WSASend)]
    Source: OALabs https://www.youtube.com/watch?v=uqhBsWXUw7Q

  21. MALICIOUS SCRIPT ANALYSIS
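As an added example (not the deck's code, nor OALabs'), this Frida script hooks ShellExecuteExW in wscript.exe to see what a VBS/JS dropper launches. The one real difficulty is that the only parameter is a pointer to a SHELLEXECUTEINFOW structure, so the hook has to compute field offsets, and they differ between 32-bit and 64-bit wscript.exe. Windows target and Frida's JavaScript API are assumed; the script name, the field table, the offset helper and the record format are this example's own.

```javascript
// Added example (not from the deck): trace what a VBS/JS dropper launches by hooking
// ShellExecuteExW inside wscript.exe. Its only parameter is a SHELLEXECUTEINFOW*, so the
// hook must read struct fields at the right offsets, which differ between 32-bit and
// 64-bit wscript.exe. Frida globals are used only inside installHook().
//   frida -l trace_shellexec.js -f C:\Windows\System32\wscript.exe dropper.vbs

// Leading fields of SHELLEXECUTEINFOW in declaration order; 'dword' is 4 bytes, 'ptr' is pointer-sized.
const SHELLEXECUTEINFOW_FIELDS = [
  ['cbSize', 'dword'], ['fMask', 'dword'], ['hwnd', 'ptr'], ['lpVerb', 'ptr'], ['lpFile', 'ptr'],
  ['lpParameters', 'ptr'], ['lpDirectory', 'ptr'], ['nShow', 'dword'], ['hInstApp', 'ptr'],
];

// Compute field offsets under the MSVC rule that each field is aligned to its own size.
// With pointerSize 8: lpFile at 24, lpParameters at 32; with 4: lpFile at 16, lpParameters at 20.
function structOffsets(fields, pointerSize) {
  const offsets = {};
  let off = 0;
  for (const [name, kind] of fields) {
    const size = kind === 'ptr' ? pointerSize : 4;
    off = Math.ceil(off / size) * size;
    offsets[name] = off;
    off += size;
  }
  return offsets;
}

const SW_HIDE = 0;

// Turn the decoded fields into an analyst-friendly record. A null lpVerb means the
// file type's default verb, which for executables is "open".
function describeShellExecute(f) {
  const verb = f.verb || 'open';
  const commandLine = f.parameters ? `${f.file} ${f.parameters}` : f.file;
  const hidden = f.nShow === SW_HIDE;      // droppers usually hide the child's window
  return {
    verb,
    commandLine,
    directory: f.directory,
    hidden,
    summary: `${verb} "${commandLine}"` + (hidden ? ' (SW_HIDE)' : ''),
  };
}

function installHook() {
  const off = structOffsets(SHELLEXECUTEINFOW_FIELDS, Process.pointerSize);
  // BOOL ShellExecuteExW(SHELLEXECUTEINFOW *pExecInfo)
  // Module.load() brings shell32.dll in if wscript.exe has not loaded it yet at attach time.
  const target = Module.load('shell32.dll').getExportByName('ShellExecuteExW');
  Interceptor.attach(target, {
    onEnter(args) {
      const info = args[0];
      const readWStr = (o) => {
        const p = info.add(o).readPointer();
        return p.isNull() ? null : p.readUtf16String();
      };
      this.call = describeShellExecute({
        verb: readWStr(off.lpVerb),
        file: readWStr(off.lpFile),
        parameters: readWStr(off.lpParameters),
        directory: readWStr(off.lpDirectory),
        nShow: info.add(off.nShow).readU32(),
      });
      console.log('[ShellExecuteExW] ' + this.call.summary);
    },
    onLeave(retval) {
      console.log(`[ShellExecuteExW] returned ${retval.toInt32() !== 0 ? 'TRUE' : 'FALSE'}`);
    },
  });
}

if (typeof Interceptor !== 'undefined') {
  installHook();
}
```

The same pattern covers the ws2_32.dll exports in the diagram on slide 20: hooking GetAddrInfoExW and WSASend gives you the C2 host name and the first bytes on the wire without deobfuscating the script at all. Note that scripts which spawn their payload through WScript.Shell.Run go through CreateProcessW rather than ShellExecuteExW, so hook both when you are not sure.
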

  22. INTRODUCING MALWARE MUNCHER
    https://github.com/fr0gger/MalwareMuncher

  23. BONUS: BINARY INSTRUMENTATION USING GPT

  24. WRAP-UP
    To gain a deeper understanding, I encourage you to explore further on your own.
    Reverse engineering and malware analysis are complex processes
    with no single approach.
    Binary instrumentation is a powerful method to automate analysis and tool
    development, but it requires a foundation in malware analysis and OS internals.
    While we have only scratched the surface, binary instrumentation can be used for
    other goals such as taint analysis or symbolic execution.

  25. Thomas Roccia
    @fr0gger_
    SecurityBreak.io


    THANK YOU

  26. RESOURCES
