Chapter 13 Notes

to accompany Sikorski and Honig, Practical Malware Analysis, no starch press

Chapter 12 in the printed edition

Covert Malware Launching

How does malware avoid detection?

Launchers

• Sometimes, as you have seen, malware will hide executable code in the Resource section
• When the Resource is used, the malicious code is extracted, but the resource is used normally after that
• So API calls that deal with Resources are suspect

Process Injection

• API calls VirtualAllocEx and WriteProcessMemory are suspect
• DLL Injection
  • Modify some DLL some other process needs to use, and wait for that process to use it
  • For example, get around process-specific firewalls by injecting code into a DLL that IE uses
  • First, obtain a handle to the "victim" process, by searching the process list, find the victim's process identifier, and
    use the PID to obtain a handle via the OpenProcess call
  • Why do these calls exist?? Maybe because the dynamic loading feature of Windows itself needs them, to
    implement DLLs?
  • API calls OpenProcess and CreateRemoteThread indicate potential trouble
  • Figure 13-2 shows DLL injection code
  • breakpoints at the entry to WriteProcessMemory, for example, may give insight
• Direct Injection
  • more flexible than a DLL inject
  • often used to inject shellcode

Process Replacement

• Overwrite the memory space of a running process with malicious code
• A target may, for example, be an instance of svchost
• Create a suspended process by loading a process into memory such that it suspends at the entry point
• Rewrite each of the sections
• Adjust the thread context to point to the malware, then call ResumeThread

Hook Injection

• Windows hooks are used to intercept messages
• Since messages are well-defined objects in Windows...
• Local hooks handle messages destined for an internal process
• Remote hooks handle messages destined for a remote process, and can be low-level or high-level
• Used with keyloggers
• Calls to SetWindowsHookEx are suspect
• References to a specific dwThreadId may be preceded by a search of the process list

Detours

• A library developed by Microsoft to measure and extend OS and application functionality
• Can be used to add DLLs to existing binaries on disk, through creation of a .detour section

APC Injection

• APC stands for Asynchronous Procedure Call
• "APCs can direct a thread to execute some other code prior to executing its regular execution path."
• APCs can be in kernel-mode or user-mode
• User-mode APCs
  • Threads in processes that are likely to go into the alertable state are desirable for this purpose
  • API call QueueUserAPC is suspect
  • Review the different states: alertable, blocked, runnable?, whatever Windows has
• Kernel-mode APCs
  • Malware-infested device drivers and rootkits run in kernel space
  • but wish to execute code in user space
  • so they might build an APC and a thread to execute it in user-mode, e.g. svchost