BINARY INSTRUMENTATION FOR MALWARE ANALYSIS Practical Tools and Techniques Thomas Roccia Sr. Security Researcher at Microsoft

WHOAMI

WHAT WE WILL COVER?

QUOTE OF THE DAY

WHAT IS BINARY INSTRUMENTATION?

WHAT IS BINARY INSTRUMENTATION? It modifies program behavior during execution by altering machine code. Involves adding code to the program to track, monitor or manipulate behavior. Used in software dev, security, performance analysis and other fields. Static and dynamic binary instrumentation Can be used for debugging, vulnerability research or malware analysis. Allows deeper insights into software behavior and effective issue resolution.

Malware are often obfuscated or packed and used different mechanisms. It can be tricky and time consuming to reverse the whole binary. Isolate and analyse specific parts of the malware's behavior. HOW IT CAN BE USED FOR MALWARE ANALYSIS?

BINARY INSTRUMENTATION TOOLS

FRIDA

FRIDA API HOOKING Trampoline-based hooks modify function call flow by inserting a jump instruction at the beginning of the targeted function. This jump redirects control to a function under our control, and once our function executes, the trampoline ensures that the original function's execution continues. Source: https://learnfrida.info/

INTERCEPTOR API The "onEnter" function allows the viewing and modification of function arguments and memory sections before execution. The "onLeave" function allows the viewing and modification of return values and modified function arguments and memory sections after execution.

TRACING API Source: https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa

TRACING API USING FRIDA

GetProcAddress is used to get the memory address of a function in a DLL. Used by malware for obfuscation and evasion to avoid having to call the function directly. UNCOVERING OBFUSCATED API CALL Source: https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress

UNCOVERING OBFUSCATED API CALL

OTHER INTERESTING API HOOKING FOR MALWARE ANALISIS

UNPACKING VirtualAlloc reserves, commits, or modifies a region of pages in the calling process's virtual address space. VirtualProtect changes the protection of a region of committed pages in the calling process's virtual address space. Malware often uses VirtualAlloc in conjunction with VirtualProtect to change the permission of allocated memory to read-write-execute.

UNPACKING USING FRIDA Source: https://blogs.blackberry.com/en/2021/04/malware-analysis-with-dynamic-binary-instrumentation-frameworks

UNPACKING

WSCRIPT.EXE SHELL32.DLL ShellExecuteExW WS-32.DLL WSASocketW GetAddrInfoExW WSASend WSAAddressToStringW WSAStartup MALICIOUS SCRIPT ANALYSIS VBS/JS Source: OALabs https://www.youtube.com/watch?v=uqhBsWXUw7Q

MALICIOUS SCRIPT ANALYSIS

INTRODUCING MALWARE MUNCHER https://github.com/fr0gger/MalwareMuncher

BONUS: BINARY INSTRUMENTATION USING GPT

WRAP-UP To gain a deeper understanding, I encourage you to explore further on your own. Reverse engineering and malware analysis are complex processes with no single approach. Binary instrumentation is a powerful method to automate analysis and tool development, but it requires a foundation in malware analysis and OS internals. While we have only scratched the surface, binary instrumentation can be used for other goals such as taint analysis or symbolic execution.

Thomas Roccia @fr0gger_ SecurityBreak.io THANK YOU

RESOURCES