Binary Instrumentation for Malware Analysis

Transcript

1. BINARY INSTRUMENTATION FOR MALWARE ANALYSIS Practical Tools and Techniques Thomas

   Roccia Sr. Security Researcher at Microsoft

2. WHOAMI

3. WHAT WE WILL COVER?

4. QUOTE OF THE DAY

5. WHAT IS BINARY INSTRUMENTATION?

6. WHAT IS BINARY INSTRUMENTATION? It modifies program behavior during execution

   by altering machine code. Involves adding code to the program to track, monitor or manipulate behavior. Used in software dev, security, performance analysis and other fields. Static and dynamic binary instrumentation Can be used for debugging, vulnerability research or malware analysis. Allows deeper insights into software behavior and effective issue resolution.

7. Malware are often obfuscated or packed and used different mechanisms.

   It can be tricky and time consuming to reverse the whole binary. Isolate and analyse specific parts of the malware's behavior. HOW IT CAN BE USED FOR MALWARE ANALYSIS?

8. BINARY INSTRUMENTATION TOOLS

9. FRIDA

10. FRIDA API HOOKING Trampoline-based hooks modify function call flow by

    inserting a jump instruction at the beginning of the targeted function. This jump redirects control to a function under our control, and once our function executes, the trampoline ensures that the original function's execution continues. Source: https://learnfrida.info/

11. INTERCEPTOR API The "onEnter" function allows the viewing and modification

    of function arguments and memory sections before execution. The "onLeave" function allows the viewing and modification of return values and modified function arguments and memory sections after execution.

12. TRACING API Source: https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa

13. TRACING API USING FRIDA

14. GetProcAddress is used to get the memory address of a

    function in a DLL. Used by malware for obfuscation and evasion to avoid having to call the function directly. UNCOVERING OBFUSCATED API CALL Source: https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress

15. UNCOVERING OBFUSCATED API CALL

16. OTHER INTERESTING API HOOKING FOR MALWARE ANALISIS

17. UNPACKING VirtualAlloc reserves, commits, or modifies a region of pages

    in the calling process's virtual address space. VirtualProtect changes the protection of a region of committed pages in the calling process's virtual address space. Malware often uses VirtualAlloc in conjunction with VirtualProtect to change the permission of allocated memory to read-write-execute.

18. UNPACKING USING FRIDA Source: https://blogs.blackberry.com/en/2021/04/malware-analysis-with-dynamic-binary-instrumentation-frameworks

19. UNPACKING

20. WSCRIPT.EXE SHELL32.DLL ShellExecuteExW WS-32.DLL WSASocketW GetAddrInfoExW WSASend WSAAddressToStringW WSAStartup MALICIOUS

    SCRIPT ANALYSIS VBS/JS Source: OALabs https://www.youtube.com/watch?v=uqhBsWXUw7Q

21. MALICIOUS SCRIPT ANALYSIS

22. INTRODUCING MALWARE MUNCHER https://github.com/fr0gger/MalwareMuncher

23. BONUS: BINARY INSTRUMENTATION USING GPT

24. WRAP-UP To gain a deeper understanding, I encourage you to

    explore further on your own. Reverse engineering and malware analysis are complex processes with no single approach. Binary instrumentation is a powerful method to automate analysis and tool development, but it requires a foundation in malware analysis and OS internals. While we have only scratched the surface, binary instrumentation can be used for other goals such as taint analysis or symbolic execution.

25. Thomas Roccia @fr0gger_ SecurityBreak.io THANK YOU

26. RESOURCES