Extracting Strings from PE sections

One of the first things we do when we analyze malware is string extraction. It is a good first step, but there is a gap: neither the Sysinternals strings tool nor the UNIX/Cygwin strings can restrict extraction to a specific PE section. Being able to do so is handy. It simplifies static analysis and, more importantly, it cuts the noise coming from 'bad strings'. Examples of bad strings are sequences of machine instructions from the code section that happen to consist of printable bytes (a run of x86 push instructions, opcodes 0x50-0x57, reads as 'PQRSTUVW'), or the bitmaps, icons and other binary data in the resource section that often 'look' like strings. We may not want to see these in the output.

So, having the ability to extract strings from each section separately would certainly be helpful. There are many ways to do so; if you like to code, you can write your own script.

Or… you can just use the simple method presented below.

It turns out that 7-Zip can extract the sections of a PE file (it handles a PE as if it were an archive). This works from both the GUI and the command line. The GUI is straightforward; from the command line, use the following:

"c:\Program Files\7-Zip\7zG.exe" x <filename> -osections

An example for Notepad.exe is shown below. Note that 7-Zip also extracts the resources into a subdirectory, another handy feature. (7zG.exe is the GUI front-end and shows a progress window; the console build, 7z.exe, takes the same arguments.)

We can now extract strings from the .text section only:
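
As an added example (my script, not code from the original post or from 7-Zip), the same section split can be done in Python without 7-Zip: the script walks the PE section table itself and runs a strings pass over each section's raw bytes, so the output is per section rather than for the whole file. The PE it builds for demonstration is constructed inline and is not a real binary; the URL, file names and UTF-16 string in it are made up, and its .text section deliberately contains the push-instruction run that reads as 'PQRSTUVW'.

```python
import re
import struct
from typing import Dict, List


def parse_sections(data: bytes) -> Dict[str, bytes]:
    """Walk the PE section table and return {section name: raw on-disk bytes}.
    Only the fields needed to locate section data are read; the optional header is
    skipped via SizeOfOptionalHeader, so PE32 and PE32+ both work."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_of_opt, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_opt                       # first IMAGE_SECTION_HEADER
    sections: Dict[str, bytes] = {}
    for i in range(num_sections):
        hdr = table + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        # SizeOfRawData/PointerToRawData describe what is present in the file;
        # uninitialised sections (.bss) have raw_size 0 and simply come back empty.
        sections[name] = data[raw_ptr:raw_ptr + raw_size]
    return sections


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """ASCII and UTF-16LE printable runs of at least min_len characters,
    roughly what 'strings -n <min_len>' would print for the same bytes."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in utf16_re.finditer(blob)]
    return found


def strings_by_section(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    return {name: extract_strings(raw, min_len) for name, raw in parse_sections(data).items()}


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 image used as sample input (not a real binary)."""
    align = 0x200
    # .text: push ebp / mov ebp,esp / sub esp,10h / push eax..push edi / call $+5 / ret
    # The eight 'push reg' opcodes 0x50..0x57 are exactly the bytes 'P'..'W': code that
    # 'looks' like a string, i.e. the noise the section split is meant to separate out.
    text = (b"\x55\x8b\xec\x83\xec\x10" + b"PQRSTUVW" + b"\xe8\0\0\0\0\xc3").ljust(align, b"\0")
    data = (b"http://example.invalid/gate.php\0\0" + b"cmd.exe\0\0"
            + "Temporary Internet Files".encode("utf-16le") + b"\0\0").ljust(align, b"\0")
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)   # i386, 2 sections, PE32 opt hdr
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")                  # Magic = PE32, rest zeroed

    def section(name, vaddr, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, align, vaddr, align, raw_ptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt
               + section(b".text", 0x1000, 0x200, 0x60000020)          # CODE | EXECUTE | READ
               + section(b".data", 0x2000, 0x400, 0xC0000040))         # INITIALIZED_DATA | READ | WRITE
    return headers.ljust(align, b"\0") + text + data


if __name__ == "__main__":
    import sys
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for sect_name, strs in strings_by_section(pe).items():
        print(f"[{sect_name}] {len(strs)} strings")
        for s in strs:
            print("   ", s)
```

Run it with a path to get per-section output for a real file, or without arguments to see the constructed sample: the .text section yields only the instruction run 'PQRSTUVW', while the URL, 'cmd.exe' and the UTF-16 folder name all come out of .data.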

Note:

There are executables for which extracting strings from specific sections won't help and may even make you miss something or draw wrong conclusions; these include Borland applications (code and data are mixed together in the same section), position-independent code (shellcode, viruses, code injects) and packed or encrypted samples, where the meaningful strings exist only in memory after unpacking.

Anti-forensics – live examples

Among the many techniques used by malware to prevent its detection and analysis (rootkits, disabling OS tools, anti-debug, anti-disassembly, anti-dumping, anti-VM, anti-sandbox, etc.), there are a few that are less common, yet still make it into some malicious releases. These techniques do not hinder malware analysis itself; they aim at making it difficult for forensic analysts to reconstruct post-intrusion activity. And since the reason for using them is to wipe out traces of hands-on hacking, finding them inside a binary usually suggests that the malware is designed to be remotely controlled in a manual fashion, rather than being a typical bot serving spam or DDoS campaigns. Indeed, anti-forensics routines are often seen in backdoors as well as in tools used by carders and in APT-like malware. Of course, many of these techniques are not new; even old tools from the early noughties used them.

Out of curiosity, I recently searched my sample collection for malware that actually uses anti-forensics techniques (Windows-specific only). In order to do the searches, I first had to think of the various techniques I had come across in the past or heard of, and then create a list of interesting targets. This is the list I have come up with so far:

  • Cache and cookies cleanup (as shown in Purple Haze)
  • Event log cleanup (as used in various hacking tools)
  • Restore point cleanup (a very rarely used technique; I found only a few samples doing so)
  • Weak timestomping (used by many samples; it changes only the timestamps visible in Explorer and the shell)
  • Full timestomping (I haven't seen any sample yet)
  • Changing attributes (this one I skipped because it's very common; I list it here only for completeness)
  • Alternate Data Streams (also skipped, because it's quite common and hard to find good keywords for)
  • Patching (creating a way to autostart malware without any known autostart keys; also skipped, as it's hard to find good keywords other than opening or mapping files in memory plus the names of the files being patched, usually user32.dll, etc., so it's too generic)

My searches continue, and if I come across something new, I will add it to the list. And if you know of some more or spot techniques I missed, please do let me know. Thanks in advance!

So, here it is: if you see any of these functions in the malware you analyze, you had better get ready for some serious business!

Cache/cookies cleanup

I posted an example recently when I briefly talked about Purple Haze:

APIs and strings to look for (the UrlCache functions are exported by wininet.dll):

  • FindFirstUrlCacheEntryA / FindFirstUrlCacheEntryW
  • UnlockUrlCacheEntryFileA / UnlockUrlCacheEntryFileW
  • DeleteUrlCacheEntryA / DeleteUrlCacheEntryW
  • FindNextUrlCacheEntryA / FindNextUrlCacheEntryW
  • FindCloseUrlCache
  • 'cookie'
  • 'Temporary Internet Files'

Event logs cleanup

The most recent sample I came across is a new version of Gh0st. Its source can easily be found online, so it's no surprise that we continue to see updated versions. A simple routine used to clean the event logs uses a triplet of functions, OpenEventLog, ClearEventLog and CloseEventLog, executed for three different event logs: Application, Security and System. Note that the clearing itself leaves a trace: on Vista and later, clearing the Security log records event ID 1102 in the Security log, and clearing any other log records event ID 104 in the System log, so a log whose first entry is one of these is a strong indicator in its own right.

APIs and strings to look for:

  • OpenEventLogA / OpenEventLogW
  • ClearEventLogA / ClearEventLogW
  • CloseEventLog
  • ‘Application’
  • ‘Security’
  • ‘System’

Restore Points cleanup

This is very rarely seen. The sample I looked at contained the following code:

APIs and strings to look for:

  • SRRemoveRestorePoint
  • SRSetRestorePointA / SRSetRestorePointW
  • ‘srclient.dll’
  • ‘Last known good configuration’

Weak timestomping

This is an easy one: the sample takes the current time (GetSystemTime) or builds a SYSTEMTIME of its own, converts it with SystemTimeToFileTime and applies it with SetFileTime. It is 'weak' because SetFileTime rewrites only the $STANDARD_INFORMATION timestamps in the file's MFT record, the ones Explorer and dir show; the $FILE_NAME timestamps are written by the kernel (on create, move or rename) and keep their original values, so comparing the two sets exposes the manipulation. Another tell is precision: SYSTEMTIME has millisecond resolution, so stomped values have an all-zero sub-millisecond part, whereas timestamps written by the file system normally do not.

APIs and strings to look for:

  • GetSystemTime
  • SystemTimeToFileTime
  • SetFileTime

Full Timestomping

This is based on Vincent Liu's technique used in his timestomp tool and later expanded upon by Joakim Schicht in his SetMACE tool. It allows full modification of all timestamps within the MFT record on NTFS (both $FILE_NAME attributes, i.e. the long and the 8.3 name, as well as $STANDARD_INFORMATION), either by using NtSetInformationFile / ZwSetInformationFile or by writing directly to the \\.\PhysicalDriveN device (where N is 0, 1, 2, ...). The NtSetInformationFile route on its own reaches only $STANDARD_INFORMATION, just like SetFileTime; it needs the extra step of moving or renaming the file afterwards, which makes the kernel create a fresh $FILE_NAME populated from the already forged $STANDARD_INFORMATION values. The raw-device write bypasses the file system altogether and patches the $MFT bytes in place:

I have not found any malware using it, but it is also non-trivial to find.

APIs and strings to look for:

  • NtSetInformationFile / ZwSetInformationFile
  • ‘\\.\PhysicalDrive’

and often together with the following functions, which are common on their own and not suspicious in isolation:

  • NtQueryInformationFile / ZwQueryInformationFile
  • NtOpenFile / ZwOpenFile
  • NtClose / ZwClose
  • DeviceIoControl / NtDeviceIoControl / ZwDeviceIoControl
  • RtlInitUnicodeString
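
As an added example covering both the weak and the full timestomping cases above (my code, not the author's and not from timestomp or SetMACE), here is a small Python parser that pulls both timestamp sets out of an NTFS MFT record and flags the inconsistencies weak timestomping leaves behind: $STANDARD_INFORMATION values that predate the $FILE_NAME values, and values with no sub-millisecond part. The record it parses is constructed inline (the file name, dates, record number and parent reference are made up); for real work, feed it 1024-byte chunks read from a carved $MFT.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
TS_FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, microsecond precision."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def apply_fixups(rec: bytes) -> bytes:
    """Undo the update sequence array: on disk the last two bytes of every 512-byte
    sector of a record hold the USN and the original bytes live in the array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    buf = bytearray(rec)
    for i in range(1, usa_count):
        end = i * 512 - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch (torn write or not a FILE record)")
        buf[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_mft_record(rec: bytes) -> dict:
    """$STANDARD_INFORMATION timestamps plus one entry per resident $FILE_NAME attribute
    (a file normally carries two: the Win32 long name and the 8.3 short name)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    off, = struct.unpack_from("<H", rec, 0x14)               # offset of the first attribute
    out = {"si": None, "fn": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                                 # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                out["si"] = dict(zip(TS_FIELDS, struct.unpack_from("<4Q", body, 0)))
            elif atype == ATTR_FILE_NAME:
                fn = dict(zip(TS_FIELDS, struct.unpack_from("<4Q", body, 8)))
                fn["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16le")
                out["fn"].append(fn)
        off += alen
    return out


def check_timestomping(parsed: dict) -> list:
    """Heuristics for SetFileTime-style (weak) timestomping. SetFileTime rewrites only
    $STANDARD_INFORMATION; the kernel writes $FILE_NAME on create, move or rename, so
    after a stomp the two timestamp sets of the same record disagree."""
    si, findings = parsed["si"], []
    if si is None:
        return ["no $STANDARD_INFORMATION attribute in record"]
    for fn in parsed["fn"]:
        for f in TS_FIELDS:
            if si[f] < fn[f]:                                  # $SI should never predate $FN
                findings.append(f"$SI {f} {filetime_to_dt(si[f]):%Y-%m-%d %H:%M:%S} "
                                f"predates $FN {f} of '{fn['name']}'")
    for f in TS_FIELDS:
        # SYSTEMTIME stops at milliseconds, so a value that went through SystemTimeToFileTime
        # has a tick count divisible by 10,000. Heuristic only: archive extractors and copies
        # from FAT volumes leave the same pattern.
        if si[f] % 10_000 == 0:
            findings.append(f"$SI {f} has no sub-millisecond part (SYSTEMTIME-derived?)")
    return findings


def build_sample_record(stomped: bool = True) -> bytes:
    """Constructed 1024-byte record for 'evil.exe' (sample input, not from a real disk).
    stomped=True mimics SetFileTime backdating $SI to 2005 while $FN keeps the real 2012
    creation time and the kernel bumps $SI mft_modified to the moment of the stomp."""
    real = dt_to_filetime(datetime(2012, 3, 14, 9, 26, 53, tzinfo=timezone.utc)) + 4_567_893
    stomp = dt_to_filetime(datetime(2012, 3, 15, 22, 1, 7, tzinfo=timezone.utc)) + 8_123_451
    fake = dt_to_filetime(datetime(2005, 1, 1, 12, 0, 0, tzinfo=timezone.utc))
    si_times = (fake, fake, stomp, fake) if stomped else (real, real, real, real)

    def resident(atype, body):                                 # 24-byte resident attribute header
        padded = body + b"\0" * (-len(body) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(padded), 0, 0, 0x18, 0, 0,
                           len(body), 0x18, 0, 0) + padded

    name = "evil.exe".encode("utf-16le")
    si_body = struct.pack("<4Q", *si_times) + b"\0" * 16
    fn_body = struct.pack("<Q4QQQIIBB", 5, real, real, real, real, 4096, 3584, 0x20, 0,
                          len(name) // 2, 3) + name              # parent = root (record 5)
    attrs = (resident(ATTR_STANDARD_INFORMATION, si_body) + resident(ATTR_FILE_NAME, fn_body)
             + struct.pack("<I", ATTR_END) + b"\0" * 4)
    rec = bytearray(1024)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                             0x38 + len(attrs), 1024, 0, 3, 0, 42)
    rec[0x30:0x36] = b"\x07\x00" + b"\0\0" * 2                # USN + originals of both sector ends
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[510:512] = rec[1022:1024] = b"\x07\x00"                # fixups as they appear on disk
    return bytes(rec)


if __name__ == "__main__":
    for line in check_timestomping(parse_mft_record(build_sample_record())) or ["no anomalies"]:
        print(line)
```

For the constructed record the check reports six findings: the created, modified and accessed values in $STANDARD_INFORMATION predate their $FILE_NAME counterparts, and the same three carry no sub-millisecond part, while mft_modified (which the kernel refreshed at the time of the stomp) passes both tests. A record forged with the full technique, where $FILE_NAME was rewritten too, passes this check by design; at that point only other copies of the timestamps, such as the $FILE_NAME copy kept in the parent directory's $I30 index, can still contradict the record.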