Rather than reversing the obfuscation I decided to take a different route. Ollydbg has a useful feature called Run Trace or rtrace for short. It's great for tracking down anti-debugging or logging changes to registers. It's not a feature I would recommend for tracing over large amounts of code. Creating a PinTool would be a better choice for this type of task but rtrace is good for small jobs. Here are three excellent reads on using Pintool for similar tasks 1, 2 and 3.
 |
| rtrace log |
''' Name: rtrace_2_idb.py Date: 2014/04/?? Author: alexander<dot>hanel<at>gmail<dot>com ''' import sys import json import collections ########################################################## def run(): 'this function creates an ordered dict saved to a json from an rtrace log' rtrace = collections.OrderedDict() # rtrace log passed as argument with open(sys.argv[1]) as f: for line in f: addr, reg_values = parse_line(line.rstrip()) if addr: try: addr = int(addr,16) except: pass if rtrace.has_key(addr): if len(reg_values) == 0: rtrace[addr].append([]) continue for val in reg_values: rtrace[addr].append(val) else: rtrace[addr] = [] if len(reg_values) == 0: rtrace[addr].append([]) continue for val in reg_values: rtrace[addr].append(val) save_off(rtrace) def save_off(rtrace): 'save the data to a file named rtrace.json' with open("rtrace.json", 'w') as f: json.dump(rtrace, f) def parse_line(line): 'parses the rtrace log' temp = line.split('\t') try: return (temp[0], list(temp[3:])) except: return None, None ########################################################## def show_data(): 'prints all the modified registers for an address in a rtrace log' try: print rtrace_data[str(here())] except: print "Error: never called" def show_next(): 'prints next called address. Kind of buggy on ret' try: temp = rtrace_data.items()[rtrace_data.keys().index(str(here())) + 1] print hex(int(temp[0])) except: print "Error: Could not be found" def populate(): 'populate the IDB with counts and set values' import idautils import idaapi global rtrace_data rtrace_data = get_json() idaapi.add_hotkey("Shift-A", show_data) idaapi.add_hotkey("Shift-S", show_next) for func in idautils.Functions(): flags = GetFunctionFlags(func) if flags & FUNC_LIB or flags & FUNC_THUNK: continue dism_addr = list(FuncItems(func)) for line in dism_addr: com = format_data(rtrace_data, line) if com: MakeComm(line, com) def format_data(rtrace_data, line): try: instr_data = rtrace_data[str(line)] except: return None count = len(instr_data) # Empty lists are not hashable for sets. try: data_count = len(set(instr_data)) except: data_count = None if data_count: comment = "C: 0x%x, S: 0x%x" % (count, data_count) else: comment = "C: 0x%x" % (count) return comment def get_json(): try: f = open("rtrace.json") js = json.load(f, object_pairs_hook=collections.OrderedDict) except e: print "ERROR: %s" % e return js ########################################################## if __name__ == '__main__': try: sys.argv[1] run() except: populate() # the sys.arv[1] exception is a hack to guess how the script is being # called. If there is an exception it is being run in IDA.
To execute the code above pass the output log file to the script, copy the rtrace.json to the working directory of the script and the IDB and then execute the script in IDA. This will give an output as seen below. The C is for Count and S is for Set. Glancing over other functions it is easy to see which instructions are responsible for looping and decoding data.
Since rtrace logs all modified register values it is easy to access those values. Included in the script is the ability to print all those values. This can be done by selecting the address and pressing Shift-A. To print the next address called, select the address and the press Shift-S. The arrow is the address of the selected line.
Once I followed the address in the output window it lead me to what called ExitProcess. Now all I needed to do was investigate the calls of EBX in the first block of the previous to see what is being checked and patch the ZF flag results to continue execution. What makes this sample interesting (and actually worth reading the code) is Upatre is using an undocumented technique to determine if it is running on a Windows NT 6.0 or higher. I'm unaware if this techniques works on Windows Vista. I have only tested on Windows XP SP3 (NT 5.1) and Windows 7 ( NT 6.1).
The malware calls RtlAcquirePebLock and NtCurrentTeb twice. On Windows XP when RtlAcquirePebLock is called the first time ECX, EDX and EAX is over written. ECX will be the return address of RtlAcquirePebLock, EDX will be the address of PEB FastPebLoclk which is a pointer to _RTL_CRITICAL_SECTION and EAX will be zero. On the second call only EAX will be over written. On Windows 7 when RtlAcquirePebLock is called EAX will become zero and ECX will be equal to the Thread Information Block (TEB) ClientId. On the second call to RtlAcquirePebLock EAX will be zero, EDX will be the TEB CliendId but ECX will be equal the the TEB. On the second call to RtlAcquirePebLock if ECX is equal to TEB or the return of NtCurrentTeb the sample is running on NT 6.0 or higher.
Below is the code rewritten in C++
#include <windows.h> #include <stdio.h> #include <iostream> int getECX() { int value = 0; //Moves edx into 'value' _asm mov value, ecx; return value; } int getEAX() { int value = 0; //Moves edx into 'value' _asm mov value, eax; return value; } int getEDX() { int value = 0; //Moves edx into 'value' _asm mov value, edx; return value; } int main() { HMODULE hModule = GetModuleHandleA(("ntdll.dll")); FARPROC pRtlAcquirePebLock = GetProcAddress(hModule, "RtlAcquirePebLock"); HMODULE h2Module = GetModuleHandleA(("ntdll.dll")); FARPROC ntcur = GetProcAddress(h2Module, "NtCurrentTeb"); pRtlAcquirePebLock(); // ecx, eax & edx are modifed when RtlAcquirePebLockis called int ecxValue = getECX(); int eaxValue = getEAX(); int edxValue = getEDX(); // call current teb ntcur(); eaxValue = getEAX(); if (eaxValue == ecxValue) std::cout << "EAX & ECX Match - second stage" << std::endl; if (eaxValue == edxValue) std::cout << "EAX & EDX Match - second stage" << std::endl; // lock again pRtlAcquirePebLock(); ecxValue = getECX(); eaxValue = getEAX(); edxValue = getEDX(); // current teb ntcur(); eaxValue = getEAX(); if (eaxValue == ecxValue) std::cout << "EAX & ECX Match - second stage aka > XP" << std::endl; }
The changes in the return values are caused by the difference in how RtlAcquirePebLock calls RtlEnterCriticalSection. In Windows XP RtlEnterCriticalSection is called by being passed a pointer from PEB FastPebLockRoutine. Since the PEB is writable from user mode the FastPebLockRoutine, it can be over written to cause a heap overflow. See Refs 1 and 2. Below we can see the difference between XP and Win7 for RtlAcquirePebLock.
 |
| _RtlAcquirePebLock XP |
 | |
| _RtlAcquirePebLock Win7 |
Hash - 891F33FDD94481E84278736CEB891D1036564C03
References
[1] http://net-ninja.net/article/2011/Sep/03/heap-overflows-for-humans-102/
[2] http://www.exploit-db.com/papers/13178/
http://www.debugwin.com/home/fastpeblock
http://msdn.moonsols.com/winxpsp3_x86/PEB.html
No comments:
Post a Comment