Notes on
Practical Malware Analysis
Chapter 8
To complement Sikorski, Michael; Honig, Andrew (2012-02-24). Practical Malware Analysis. O'Reilly Distribution. Kindle Edition.
Windows is a complex system!
Hungarian Notation
- dw: DWORD, a 32-bit unsigned integer, e.g. dwSize
- w: WORD, a 16-bit unsigned integer, e.g. wVersion
- h: a handle, e.g. hFile; opaque, never dereferenced, only handed back to the API
- lp / lpsz: a long pointer (to a zero-terminated string), e.g. lpFileName
Windows API
- CreateFile, ReadFile, WriteFile
- CreateFileMapping, MapViewOfFile
- Windows has special files that are not reached through a drive letter: devices, named pipes, alternate data streams. Can you find any of them?
- Network shares, via UNC paths such as \\servername\share
- The NT object namespace can be used to reach devices directly, e.g. \\.\PhysicalDisk1 in the book (the actual device names are \\.\PhysicalDrive0, \\.\PhysicalDrive1, ...). The \\.\ prefix maps to symbolic links under \GLOBAL?? in the Object Manager, which the Sysinternals WinObj tool lets you browse.
- you can download WinObj from Microsoft (it is part of the Sysinternals suite). Different versions seem to exist for Win 7 and Win 8.
- demo of the WinObj namespace viewer; the \Device directory is a good one to look at
- Russinovich's books on Windows Internals are very helpful.
- So is the web site http://technet.microsoft.com/en-us/sysinternals/default. Worth exploring!
- Alternate Data Streams: on NTFS a file can carry extra named streams, written as normalFile.txt:Stream:$DATA (the unnamed, visible content is normalFile.txt::$DATA). CreateFile opens a stream with that path syntax, and dir and Explorer do not show it, so malware uses streams to hide payloads. Could use an example of this.
- Having downloaded Visual C++ or Code::Blocks, we can write some Windows code, such as code to explore the Registry...
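An added example (not from the book or these notes) of the alternate data streams mentioned above, in PowerShell, which supports ADS natively through the -Stream parameter. The file name normalFile.txt and the stream name hidden are demo values; run it in a directory on an NTFS volume.

```powershell
# Added example: create, list, read and sweep for NTFS alternate data streams.
# normalFile.txt and the stream name 'hidden' are demo values.
$file = Join-Path $PWD 'normalFile.txt'
Set-Content -Path $file -Value 'ordinary visible content'

# Write a second stream. Its Win32 name is normalFile.txt:hidden:$DATA, which is
# exactly the path a CreateFile call inside malware would pass.
Set-Content -Path $file -Stream hidden -Value 'payload that dir and Explorer do not show'

# The size reported by dir, Explorer and Get-Item counts only the unnamed stream.
(Get-Item $file).Length

# Enumerate every stream on the file; ':$DATA' is the normal content.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Read the hidden stream back.
Get-Content -Path $file -Stream hidden

# cmd.exe shows streams only with /r; a plain dir hides them.
cmd /c "dir /r `"$file`""

# Analyst sweep: list every non-default stream under a directory tree.
# Zone.Identifier is the common benign one (mark-of-the-web on downloaded files).
function Get-AlternateStreams {
    param([string]$Path = '.')
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}
Get-AlternateStreams -Path $PWD

# Remove the hidden stream when done (deleting the file removes all its streams).
Remove-Item -Path $file -Stream hidden
```

Note that copying the file to a FAT/exFAT volume or through most archive tools silently drops the extra streams, which is one reason a sample that behaved on the victim's disk may lose its payload on the analyst's.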
Registry
- a database for programs to store information about themselves, or that several programs share
- five top level directories called root keys: HKEY_LOCAL_MACHINE (HKLM), HKEY_CURRENT_USER (HKCU), HKEY_CLASSES_ROOT (HKCR), HKEY_CURRENT_CONFIG (HKCC) and HKEY_USERS (HKU)
- demonstrate regedit.exe
- regshot is another registry utility.
- does anybody have any favorite registry utilities, other than regedit?
- "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, contains a series of values that are executables
that are started automatically when a user logs in."
- demo of Autoruns
- "When a user double-clicks a .reg file, it automatically modifies the registry by merging the information the file contains
into the registry—almost like a script for modifying the registry." Take care when doing this!
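An added example, not from the book or these notes, of the two points above in PowerShell: a mini-Autoruns that lists the Run/RunOnce values, and a .reg file merge. The .reg text is constructed here and targets a throwaway key HKCU\Software\PMANotesDemo (a made-up name) so that nothing real on the machine changes; no administrator rights are needed.

```powershell
# Added example: enumerate the autostart Run keys, then merge a constructed .reg file.

# 1. Mini-Autoruns: every value under these keys is a command line that runs at logon.
#    HKLM applies to every user, HKCU only to the current one.
function Get-RunEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip them.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}
Get-RunEntries | Format-Table -AutoSize

# 2. A .reg file is a script for the registry: merging it creates the keys and values
#    it lists. Backslashes inside string values are doubled in the .reg syntax.
#    This one targets a demo key (made-up name) so nothing real is changed.
$regText = @"
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\PMANotesDemo]
"DemoValue"="C:\\Temp\\not_really_run.exe"
"DemoDword"=dword:00000001
"@
$regFile = Join-Path $env:TEMP 'pma_demo.reg'
Set-Content -Path $regFile -Value $regText -Encoding Unicode   # regedit exports UTF-16

# reg.exe import does what double-clicking the file does, minus the confirmation prompt.
reg.exe import $regFile
Get-ItemProperty -Path 'HKCU:\Software\PMANotesDemo'

# Clean up the demo key and file.
Remove-Item -Path 'HKCU:\Software\PMANotesDemo' -Recurse
Remove-Item -Path $regFile
```

Had the bracketed key in the .reg text been [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run], the merge would have installed an autostart entry, which is why a .reg file from a sample should be read, not double-clicked.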
Networks
- ws2_32.dll (Winsock) implements the Berkeley sockets API for Windows
- WSAStartup needs to be called before any other networking API call such as socket, bind, listen, accept, connect, recv, send
- clients will call socket, connect, send and recv
- servers will call socket, bind, listen, accept, send and recv (bind/listen/accept in a sample's imports mean it waits for incoming connections)
- "The WinINet API functions are stored in Wininet.dll."
- InternetOpen, InternetOpenUrl, InternetReadFile
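An added example, not from the book or these notes, of the client and server call sequences above, run against each other on loopback from one PowerShell session. .NET's TcpListener and TcpClient wrap Winsock, and the comment on each line names the ws2_32 call it corresponds to. Port 9999 and the two "beacon" strings are constructed for the demo.

```powershell
# Added example: both sides of a socket exchange, with the Winsock call each step maps to.
# WSAStartup is performed for you when .NET initialises its socket library.
$port = 9999   # demo port; pick any free one

# Server side: socket -> bind -> listen (TcpListener.Start does bind and listen)
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $port)
$listener.Start()

# Client side: socket -> connect -> send
$client = [System.Net.Sockets.TcpClient]::new()
$client.Connect([System.Net.IPAddress]::Loopback, $port)    # connect()
$cs = $client.GetStream()
$request = [System.Text.Encoding]::ASCII.GetBytes("beacon id=1234`n")   # constructed message
$cs.Write($request, 0, $request.Length)                     # send()

# Server side again: the connection is already queued in the listen backlog,
# so accept() returns immediately; then recv and send.
$conn = $listener.AcceptTcpClient()                         # accept()
$ss = $conn.GetStream()
$buf = New-Object byte[] 1024
$n = $ss.Read($buf, 0, $buf.Length)                         # recv()
'server got: ' + [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).TrimEnd()
$reply = [System.Text.Encoding]::ASCII.GetBytes("cmd=sleep 60`n")       # constructed reply
$ss.Write($reply, 0, $reply.Length)                         # send()

# Client side: recv the reply.
$n = $cs.Read($buf, 0, $buf.Length)                         # recv()
'client got: ' + [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).TrimEnd()

# Teardown: closesocket() on every handle.
$conn.Close(); $client.Close(); $listener.Stop()
```

In a disassembly the same split shows up in the import table: a sample importing bind, listen and accept is a backdoor waiting for a connection, one importing only connect, send and recv is calling out to a server.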
DLLs and Processes
- DLLs are handy because one copy of the code can be shared by many processes, and executables that use them are smaller and therefore load faster.
- malware authors use DLLs in three ways: to store malicious code (a DLL is less conspicuous than a separate .exe and can be loaded into another process), to use the Windows API (nearly every sample imports kernel32.dll and friends), and to use third-party DLLs (e.g. a browser's own DLL to talk to a server, so the traffic looks like the browser's).
- a DLL has an entry point, DllMain, which the loader calls on process attach/detach and thread attach/detach. DllMain is not an exported function; the DLL exports whatever functions it chooses, and malware DLLs often export very little and run everything from DllMain.
- virtual memory gives every process its own address space, so the same virtual address in two processes refers to different physical memory (or to none at all)
- malware can use its own process, or run as part of another process
- guess what the function CreateProcess does? See Example 8.4 in textbook
- code can be stored in a resource section - can you see why this might be useful?
- threads share memory space, but have their own registers and stacks - these make up the thread context
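An added example, not from the book or these notes, that follows from the two points that DLLs are shared and that malware can run inside another process: list which running processes have a given DLL mapped, together with parent process and command line. The default module, ws2_32.dll, is just a useful starting point (networking code inside a process that has no business networking, such as notepad.exe, is what an analyst looks for).

```powershell
# Added example: which live processes have a given module loaded, with parent and command line.
function Find-ProcessesWithModule {
    param([string]$ModuleName = 'ws2_32.dll')

    # Win32_Process gives parent PID and command line, which Get-Process does not.
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

    Get-Process | ForEach-Object {
        $proc = $_
        # Reading Modules fails for protected processes and across a 32/64-bit mismatch;
        # skip those rather than abort the sweep.
        try { $mods = $proc.Modules } catch { return }
        if ($mods.ModuleName -contains $ModuleName) {
            $ci     = $byPid[[int]$proc.Id]
            $parent = if ($ci) { $byPid[[int]$ci.ParentProcessId] } else { $null }
            [pscustomobject]@{
                Pid         = $proc.Id
                Name        = $proc.ProcessName
                ParentPid   = $ci.ParentProcessId
                Parent      = $parent.Name
                Path        = $proc.Path
                CommandLine = $ci.CommandLine
            }
        }
    }
}

Find-ProcessesWithModule -ModuleName 'ws2_32.dll' | Format-Table -AutoSize
# Same sweep for the WinINet layer from the Networks section:
Find-ProcessesWithModule -ModuleName 'wininet.dll' | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell to see the most processes; an injected DLL with no file on disk will not appear here at all, which is itself a reason to compare this listing against a memory image.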
IPCs and Mutexes
- a mutex is created with CreateMutex and opened by name with OpenMutex; ownership is taken with WaitForSingleObject and given up with ReleaseMutex
- mutex names are often hard-coded, which is helpful to analysts: malware typically creates a named mutex at start-up and exits if it already exists (CreateMutex succeeds but GetLastError reports ERROR_ALREADY_EXISTS), so the name is an infection marker you can search for on a host
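An added example, not from the book or these notes, of the pattern described above from both sides: the run-once check a sample performs, and the check an analyst performs for the hard-coded name on a suspect host. .NET's Mutex class wraps CreateMutex/OpenMutex, and the name Global\PMA_Demo_Marker_8F3A is made up for the demo.

```powershell
# Added example: named-mutex infection marker, malware side and analyst side.
$name = 'Global\PMA_Demo_Marker_8F3A'   # made-up name; real samples hard-code theirs

# Malware side: CreateMutex + WaitForSingleObject. If the name already exists,
# CreateMutex still returns a handle but signals ERROR_ALREADY_EXISTS, which .NET
# exposes through the createdNew out-parameter.
function Start-OnceOnly {
    param([string]$MutexName)
    $createdNew = $false
    $m = New-Object System.Threading.Mutex($false, $MutexName, [ref]$createdNew)
    if (-not $createdNew) {
        $m.Dispose()
        return $null          # another instance owns the marker; a real sample exits here
    }
    $m.WaitOne() | Out-Null   # WaitForSingleObject: take ownership
    return $m                 # keep the handle alive for the life of the process
}

# Analyst side: OpenMutex on the hard-coded name. An access-denied error still
# means the object exists (e.g. it was created by a SYSTEM-level process).
function Test-MutexExists {
    param([string]$MutexName)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

Test-MutexExists $name          # False: nothing has created it yet
$first = Start-OnceOnly $name
Test-MutexExists $name          # True: the marker is present
$second = Start-OnceOnly $name
$null -eq $second               # True: the "second instance" backs off

$first.ReleaseMutex()           # ReleaseMutex
$first.Dispose()                # last handle closed, kernel object goes away
Test-MutexExists $name          # False again
```

Test-MutexExists is the piece worth keeping: given a list of mutex names pulled from samples (strings output, or the argument to CreateMutex in the disassembly), it turns them into a quick host-based check.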
Services
- services run in the background, with no console and no user interaction, in their own process or in a shared host process, and are started and stopped by the Service Control Manager (SCM)
- malware authors like services, since they can confer privilege (services commonly run as LocalSystem) and persistence (auto-start at boot, no logon required)
- functions OpenSCManager, CreateService, StartService
- service types include share process (WIN32_SHARE_PROCESS, 0x20, e.g. hosted in svchost.exe), own process (WIN32_OWN_PROCESS, 0x10), and kernel driver (KERNEL_DRIVER, 0x1); these are the Type values stored in the registry
- services are described in registry under key HKLM\SYSTEM\CurrentControlSet\Services.
- demo use of regedit to list services
- demo the sc qc command to query a service (see also Example 8-10 in PMA)
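An added example, not from the book or these notes, that reads the service definitions straight from the registry key named above and decodes the Type and Start DWORDs (the numeric constants are the SERVICE_* values documented for CreateService), then filters for services that start by themselves from an unusual location. wuauserv (Windows Update) is used only as a known service name for the sc qc comparison.

```powershell
# Added example: service inventory from HKLM\SYSTEM\CurrentControlSet\Services.
$typeNames = @{
    0x01 = 'KERNEL_DRIVER'
    0x02 = 'FILE_SYSTEM_DRIVER'
    0x10 = 'WIN32_OWN_PROCESS'
    0x20 = 'WIN32_SHARE_PROCESS'   # hosted in svchost.exe, code lives in ServiceDll
}
$startNames = @{ 0 = 'BOOT'; 1 = 'SYSTEM'; 2 = 'AUTO'; 3 = 'DEMAND'; 4 = 'DISABLED' }

function Get-ServiceInventory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { continue }   # not every subkey is a service
        $type  = [int]$p.Type -band 0x3F                        # drop INTERACTIVE_PROCESS (0x100)
        $start = [int]$p.Start
        $typeName  = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { '0x{0:X}' -f $type }
        $startName = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { $start }
        # Shared-process services point at their code via Parameters\ServiceDll.
        $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name       = $key.PSChildName
            Type       = $typeName
            Start      = $startName
            ImagePath  = $p.ImagePath
            ServiceDll = $params.ServiceDll
        }
    }
}

# Triage view: self-starting services whose binary is outside the usual system locations.
# Malware also drops into System32, so this narrows the list; it does not decide.
$systemDirs = '(?i)(%SystemRoot%|%windir%|\\SystemRoot\\|\\Windows\\|System32\\|\\Program Files)'
Get-ServiceInventory |
    Where-Object { $_.Start -in 'BOOT','SYSTEM','AUTO' -and $_.ImagePath -and $_.ImagePath -notmatch $systemDirs } |
    Format-Table Name, Type, Start, ImagePath, ServiceDll -AutoSize

# The same record as the SCM reports it, which is what the book's sc qc shows:
sc.exe qc wuauserv
```

Reading the key directly has one advantage over sc and Get-Service: a service that malware has hidden from the SCM's enumeration (by hooking it) still has to exist here for the SCM to start it at boot, so the two listings should be compared.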
Component Object Model
- Microsoft Component Object Model (COM) supports reusable software components
- Microsoft supplies a lot of COM objects for programs, including obviously malware, to use
- Code that uses COM has to call OleInitialize or CoInitializeEx before making other COM calls
- COM objects are identified by GUIDs: class identifiers (CLSIDs, registered under HKCR\CLSID) name an implementation, interface identifiers (IIDs, under HKCR\Interface) name the interfaces it exposes
- The CoCreateInstance call, for example, can be used to start Internet Explorer and obtain an IWebBrowser2 interface on it; malware then calls IWebBrowser2::Navigate to fetch URLs from inside a real browser process
- IDA Pro knows about common COM objects
- A malicious COM server may, for example, be a Browser Helper Object (BHO): an in-process COM object that Internet Explorer loads at start-up, with no restrictions on what it can do inside the browser's process
- But, "Malware that implements a COM server is usually easy to detect because it exports several functions, including DllCanUnloadNow, DllGetClassObject, DllInstall, DllRegisterServer, and DllUnregisterServer, which all must be exported by COM servers."
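An added example, not from the book or these notes, of the COM material from the analyst's side: resolving a CLSID to the DLL CoCreateInstance will load, enumerating the BHOs registered on the machine, and driving Internet Explorer through IWebBrowser2 as the book describes. New-Object -ComObject performs the ProgId-to-CLSID lookup and the CoCreateInstance call for you. The dumpbin path at the end is a placeholder and assumes Visual C++ is installed.

```powershell
# Added example: CLSID resolution, BHO listing, and IWebBrowser2 via Internet Explorer.

# (1) CLSID -> InprocServer32. The default value of the InprocServer32 subkey is the DLL
#     that CoCreateInstance loads for this class. HKCR is a merged view of these roots.
function Resolve-Clsid {
    param([string]$Clsid)
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
             'HKCU:\SOFTWARE\Classes\CLSID'
    foreach ($root in $roots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        $name   = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Clsid = $Clsid; Name = $name; Server = $server; Source = $root }
    }
}

# (2) BHOs: each subkey here is the CLSID of an in-process server IE loads at start-up.
#     Anything listed runs inside the browser with the user's rights and no sandbox.
function Get-BrowserHelperObjects {
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        Get-ChildItem -Path $bhoKey | ForEach-Object { Resolve-Clsid -Clsid $_.PSChildName }
    }
}
Get-BrowserHelperObjects | Format-Table -AutoSize

# (3) CoCreateInstance(CLSID_InternetExplorer) -> IWebBrowser2. The members used below
#     are IWebBrowser2 methods and properties; Navigate is the one malware calls.
$ie = New-Object -ComObject 'InternetExplorer.Application'
$ie.Visible = $true
$ie.Navigate('about:blank')     # IWebBrowser2::Navigate
Start-Sleep -Seconds 2
$ie.Quit()                      # IWebBrowser2::Quit
[void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($ie)

# Checking a suspect DLL for the COM-server exports the book lists (placeholder path;
# dumpbin ships with Visual C++):
# dumpbin.exe /exports C:\samples\suspect.dll | findstr /i "DllGetClassObject DllRegisterServer DllCanUnloadNow"
```

Part (3) needs a Windows version that still ships Internet Explorer; on systems where IE has been retired the New-Object call fails or hands off to Edge. Parts (1) and (2) are registry-only and work anywhere.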
Exceptions
- Exceptions can be raised by errors such as division by zero or null pointer access, or manually by call to RaiseException
- SEH (Structured Exception Handling) is the Windows mechanism for dealing with exceptions.
- SEH handlers are registered in a linked list of records kept on the stack; on 32-bit Windows the head of the chain is at fs:[0], so it is easy to find from anywhere. Because the records live on the stack, a stack buffer overflow can overwrite a handler pointer (a classic exploitation target), and malware installs its own handlers to confuse disassemblers and to regain control after a fault it triggers on purpose.
Kernel vs. User Mode
- Nearly all code runs in user mode
- Windows API provides access to hardware and kernel-state functions
- "The presence of the SYSENTER, SYSCALL, or INT 0x2E instruction in disassembly indicates that a call is being made into the kernel."
- All kernel-mode processes share resources and memory
- Invalid ops in kernel force OS to stop running, hence BSOD
- Most security software, such as anti-virus and firewalls, has kernel-mode components (why?)
- Because a kernel-mode driver sees every file, registry and network operation before user-mode code does, and cannot be killed or tampered with from user mode. Malware wants kernel mode for the mirror-image reasons: no privilege checks, no auditing it cannot switch off, and the ability to hide from user-mode tools.
- Nearly all rootkits use kernel mode, but most malware does not
Native API
- Native API bypasses the Windows API, and malware likes to do that
- When a user-mode program calls a Windows API such as CreateFile, the call goes through Kernel32.dll and then Ntdll.dll (NtCreateFile), both of which run in user mode.
- Ntdll.dll issues the system call (SYSENTER/SYSCALL) that enters Ntoskrnl.exe, the kernel.
- User programs can call Ntdll functions directly, without using Kernel32; that is what "using the Native API" means, and it sidesteps hooks placed on the Kernel32 layer
- We can look at http://undocumented.ntinternals.net
- "Another Native API function that is popular with malware authors is NtContinue. This function is used to return from an exception, and it is meant to transfer execution back to the main thread of a program after an exception has been handled. However, the location to return to is specified in the exception context, and it can be changed."
- Native applications use the Native API, and bypass the Windows libraries
- Native apps are often malicious, but not necessarily so.