Slide 1

BINARY INSTRUMENTATION FOR MALWARE ANALYSIS
Practical Tools and Techniques
Thomas Roccia, Sr. Security Researcher at Microsoft

Slide 2

WHOAMI

Slide 3

WHAT WILL WE COVER?

Slide 4

QUOTE OF THE DAY

Slide 5

WHAT IS BINARY INSTRUMENTATION?

Slide 6

WHAT IS BINARY INSTRUMENTATION?
It modifies program behavior during execution by altering machine code.
It involves adding code to the program to track, monitor or manipulate behavior.
Used in software development, security, performance analysis and other fields.
Static and dynamic binary instrumentation.
Can be used for debugging, vulnerability research or malware analysis.
Allows deeper insights into software behavior and effective issue resolution.

Slide 7

HOW CAN IT BE USED FOR MALWARE ANALYSIS?
Malware is often obfuscated or packed and uses different mechanisms.
It can be tricky and time consuming to reverse the whole binary.
Isolate and analyse specific parts of the malware's behavior.

Slide 8

BINARY INSTRUMENTATION TOOLS

Slide 9

FRIDA

Slide 10

FRIDA API HOOKING
Trampoline-based hooks modify function call flow by inserting a jump instruction at the beginning of the targeted function. This jump redirects control to a function under our control, and once our function executes, the trampoline ensures that the original function's execution continues.
Source: https://learnfrida.info/

Slide 11

INTERCEPTOR API
The "onEnter" function allows the viewing and modification of function arguments and memory sections before execution.
The "onLeave" function allows the viewing and modification of return values and modified function arguments and memory sections after execution.

Slide 12

TRACING API
Source: https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa

Slide 13

TRACING API USING FRIDA

Slide 14

UNCOVERING OBFUSCATED API CALL
GetProcAddress is used to get the memory address of a function in a DLL.
Used by malware for obfuscation and evasion to avoid having to call the function directly.
Source: https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress

Slide 15

UNCOVERING OBFUSCATED API CALL

Slide 16

OTHER INTERESTING API HOOKING FOR MALWARE ANALYSIS

Slide 17

UNPACKING
VirtualAlloc reserves, commits, or modifies a region of pages in the calling process's virtual address space.
VirtualProtect changes the protection of a region of committed pages in the calling process's virtual address space.
Malware often uses VirtualAlloc in conjunction with VirtualProtect to change the permission of allocated memory to read-write-execute.
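As an added example that is not part of the deck, the Frida script below hooks the two APIs singled out on slides 14 and 17: GetProcAddress, to see which imports are resolved at run time, and VirtualProtect, to flag read-write-execute transitions. The kernel32.dll export names and the PAGE_EXECUTE_* constants are Win32's own; the helper function names are my own, and the hooks only install when the Frida globals are present so the classification logic can be tested outside Frida.

```javascript
// Added example, not from the slides: a Frida script hooking the two APIs the
// deck singles out, GetProcAddress (obfuscated imports) and VirtualProtect (RWX
// transitions during unpacking). The decision logic is in plain functions so it
// can be tested outside Frida; Interceptor.attach only runs when Frida is present.

// Memory protection constants from winnt.h.
const PAGE_EXECUTE = 0x10, PAGE_EXECUTE_READ = 0x20;
const PAGE_EXECUTE_READWRITE = 0x40, PAGE_EXECUTE_WRITECOPY = 0x80;
const EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;

// True when flNewProtect grants execute rights (any PAGE_EXECUTE_* value).
function isExecutable(flNewProtect) {
  return (flNewProtect & EXEC_MASK) !== 0;
}

// Summarise one VirtualProtect call; rwx flags the read-write-execute change
// that typically precedes a jump into freshly unpacked code.
function classifyVirtualProtect(address, size, flNewProtect) {
  const rwx = (flNewProtect & PAGE_EXECUTE_READWRITE) === PAGE_EXECUTE_READWRITE;
  return { address, size, protect: flNewProtect, executable: isExecutable(flNewProtect), rwx };
}

// lpProcName is either an ANSI string pointer or an ordinal (high word zero).
function describeProcName(isOrdinal, nameOrOrdinal) {
  return isOrdinal ? 'ordinal#' + nameOrOrdinal : nameOrOrdinal;
}

if (typeof Interceptor !== 'undefined') {  // running inside Frida
  Interceptor.attach(Module.getExportByName('kernel32.dll', 'GetProcAddress'), {
    onEnter(args) {
      const p = args[1];
      const isOrdinal = p.shr(16).isNull();
      this.name = describeProcName(isOrdinal,
        isOrdinal ? p.and(0xffff).toInt32() : p.readAnsiString());
    },
    onLeave(retval) {  // the resolved address is the return value
      console.log('GetProcAddress(' + this.name + ') -> ' + retval);
    },
  });
  Interceptor.attach(Module.getExportByName('kernel32.dll', 'VirtualProtect'), {
    onEnter(args) {
      const r = classifyVirtualProtect(args[0].toString(), args[1].toInt32(), args[2].toUInt32());
      if (r.rwx) console.log('VirtualProtect RWX at ' + r.address + ' size=' + r.size);
    },
  });
}
```

Load it with `frida -l script.js` against the sample in a sandbox; each RWX change logged by the VirtualProtect hook is a candidate point to dump the region.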

Slide 18

UNPACKING USING FRIDA
Source: https://blogs.blackberry.com/en/2021/04/malware-analysis-with-dynamic-binary-instrumentation-frameworks

Slide 19

UNPACKING

Slide 20

MALICIOUS SCRIPT ANALYSIS (VBS/JS)
WSCRIPT.EXE
SHELL32.DLL: ShellExecuteExW
WS2_32.DLL: WSASocketW, GetAddrInfoExW, WSASend, WSAAddressToStringW, WSAStartup
Source: OALabs https://www.youtube.com/watch?v=uqhBsWXUw7Q

Slide 21

MALICIOUS SCRIPT ANALYSIS

Slide 22

INTRODUCING MALWARE MUNCHER
https://github.com/fr0gger/MalwareMuncher

Slide 23

BONUS: BINARY INSTRUMENTATION USING GPT

Slide 24

WRAP-UP
To gain a deeper understanding, I encourage you to explore further on your own. Reverse engineering and malware analysis are complex processes with no single approach. Binary instrumentation is a powerful method to automate analysis and tool development, but it requires a foundation in malware analysis and OS internals. While we have only scratched the surface, binary instrumentation can be used for other goals such as taint analysis or symbolic execution.

Slide 25

THANK YOU
Thomas Roccia
@fr0gger_
SecurityBreak.io

Slide 26

RESOURCES