Malware Packer
Jenna Kallaher, Costas Akrivoulis, Raul Gonzalez
Project Goal
• Defeat common off-the-shelf static/dynamic analysis done by unpackers
• Explore different approaches from prior groups
Previous Work: Incremental Unpacking
• Unpack/repack encrypted payload
• Leave < 256 B of unencrypted payload in memory at any given time
Our Approach: Instruction Virtualization + Emulation
Our Approach
• Malware Binary = Emulator + Payload Bytecode
• No encryption, just obfuscation
• Although we COULD add an encryption layer …
In a Perfect World
• Auto-generate new ISA (target)
  • Grok relationship (mapping) between ISAs
• Lift native binary to an IR
• Lower IR to target ISA
• Auto-generate emulator for target ISA
  • Emulates native ISA from target ISA
• Package malware as Emulator + Bytecode
Facing Reality: Working with binaries is difficult
• Lifting native instructions to an IR in order to manipulate them can be hard
  • Disassembly issues, IR not rich enough to manipulate
Instead we are:
• Operating at the source level
Facing Reality: Generating an arbitrary ISA is difficult
• Is it compatible with the native (x86) ISA?
• How do we know?
Instead we are:
• Permuting the x86 ISA*
*Harder than you might think
Technologies
• mod_llvm.py
• translate.py
• reconfigure_llvm.py
• qemu_translator.py
Anti-RE
• Auto-inserts Anti-RE protections into the malware
• Nice … (they do not have to be baked into the malware)
Anti-RE: Current Anti-RE inserted
• Anti-Debugging
  • Rogue 0xCC
  • 0xF1
• Anti-Virtualization
  • CPUID
  • VMWARE magic # detection
Demo: opcode remap table (target opcode as emitted by the translator, native x86 opcode it stands for)
{"opcode_index": "0", "target_opcode": "0x40", "instruction": "MOV8ri",  "llvm_helper": "MOV8ri:Ii8",   "native_opcode": "0xB0"},
{"opcode_index": "0", "target_opcode": "0xB8", "instruction": "POP32r",  "llvm_helper": "POP32r:I",     "native_opcode": "0x58"},
{"opcode_index": "0", "target_opcode": "0xB8", "instruction": "POP16r",  "llvm_helper": "POP16r:I",     "native_opcode": "0x58"},
{"opcode_index": "0", "target_opcode": "0x48", "instruction": "MOV32ri", "llvm_helper": "MOV32ri:Ii32", "native_opcode": "0xB8"},
{"opcode_index": "0", "target_opcode": "0x48", "instruction": "MOV16ri", "llvm_helper": "MOV16ri:Ii16", "native_opcode": "0xB8"},
{"opcode_index": "0", "target_opcode": "0xB0", "instruction": "DEC32r",  "llvm_helper": "DEC32r:I",     "native_opcode": "0x48"},
{"opcode_index": "0", "target_opcode": "0xB0", "instruction": "DEC16r",  "llvm_helper": "DEC16r:I",     "native_opcode": "0x48"},
{"opcode_index": "0", "target_opcode": "0x58", "instruction": "INC16r",  "llvm_helper": "INC16r:I",     "native_opcode": "0x40"},
{"opcode_index": "0", "target_opcode": "0x58", "instruction": "INC32r",  "llvm_helper": "INC32r:I",     "native_opcode": "0x40"}
Demo: test program (C driver plus hand-written x86 function boo)
#include <stdio.h>

extern int boo(void);

int main() {
    printf("Expecting 89\n");
    int ret = boo();
    printf("Returned %d\n", ret);
    return ret;
}

boo:
    movl $8, %eax
    inc %eax
    push %eax          /* Push 9 on the stack */
    movl $100, %ecx
    dec %ecx
    dec %ecx
    push %ecx          /* Push 98 on the stack */
    pop %ecx
    pop %eax
    sub %eax, %ecx
    xchg %eax, %ecx    /* 98 - 9 = 89 */
    ret
GCC: Unmodified
Clang: Translated
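Added example (Python, not one of the project's scripts): the Demo remap table read from the analyst's side. Given a table recovered from a sample, load_map() checks it is a bijection (an ambiguous table could not be decoded by the emulator either), disasm() shows why a native x86 decoder desynchronises on the translated boo() bytes, and unpermute() swaps the base opcodes back so the native code can be inspected. The byte strings are hand-encoded from the Demo slide's boo() and are constructed; the 16-bit rows are omitted since they share native opcodes with the 32-bit rows.

```python
import json
# Opcode remap table from the Demo slide (32-bit rows; the 16-bit rows share the same native
# opcodes and differ only by a 0x66 prefix). The missing quote in the POP32r row is fixed here.
REMAP_JSON = """[
 {"opcode_index": "0", "target_opcode": "0x40", "instruction": "MOV8ri",  "native_opcode": "0xB0"},
 {"opcode_index": "0", "target_opcode": "0xB8", "instruction": "POP32r",  "native_opcode": "0x58"},
 {"opcode_index": "0", "target_opcode": "0x48", "instruction": "MOV32ri", "native_opcode": "0xB8"},
 {"opcode_index": "0", "target_opcode": "0xB0", "instruction": "DEC32r",  "native_opcode": "0x48"},
 {"opcode_index": "0", "target_opcode": "0x58", "instruction": "INC32r",  "native_opcode": "0x40"}
]"""
# Native x86 forms in the demo's boo(): base opcode (register in low 3 bits) or plain opcode -> (mnemonic, length)
FORM = {0x40: ("inc", 1), 0x48: ("dec", 1), 0x50: ("push", 1), 0x58: ("pop", 1), 0x90: ("xchg", 1),
        0xB0: ("mov8", 2), 0xB8: ("mov32", 5), 0x29: ("sub", 2), 0xC3: ("ret", 1)}
def form(b):  # look the byte up as a register-field base first, then literally
    return FORM.get(b & 0xF8) or FORM.get(b) or ("db", 1)

# Parse the table into {target_base: native_base}; an ambiguous table could not be decoded by the emulator either
def load_map(text):
    t2n = {}
    for row in json.loads(text):
        t, n = int(row["target_opcode"], 16), int(row["native_opcode"], 16)
        if t2n.setdefault(t, n) != n:
            raise ValueError(f"target {t:#x} maps to two native opcodes")
    if len(set(t2n.values())) != len(t2n):
        raise ValueError("two target opcodes map to one native opcode")
    return t2n

# Mnemonics a native x86 decoder produces for the bytes (unknown opcodes become 'db')
def disasm(code):
    out, i = [], 0
    while i < len(code):
        name, length = form(code[i])
        out.append(name)
        i += length
    return out

# Swap permuted base opcodes back to native, keeping register bits, immediates and ModRM bytes
def unpermute(code, t2n):
    out, i = bytearray(), 0
    while i < len(code):
        b = code[i]
        if (b & 0xF8) in t2n:
            b = t2n[b & 0xF8] | (b & 0x07)
        length = form(b)[1]
        out += bytes([b]) + code[i + 1:i + length]
        i += length
    return bytes(out)
# boo() from the Demo slide, hand-encoded (constructed): native bytes, and the same code after the permutation
NATIVE_BOO = bytes.fromhex("B8 08 00 00 00 40 50 B9 64 00 00 00 49 49 51 59 58 29 C1 91 C3")
TRANSLATED_BOO = bytes.fromhex("48 08 00 00 00 58 50 49 64 00 00 00 B1 B1 51 B9 B8 29 C1 91 C3")
```

On the translated bytes a native decoder reads the first byte as dec and then swallows the sub and xchg inside a bogus mov32 immediate, which is exactly the desync that defeats off-the-shelf disassembly until the table is recovered.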
Demo (Jenna Kallaher, Costas Akrivoulis, Raul Gonzalez)
Limitations (of our approach)
• Some opcodes will not be changed
  • There are too many!
  • Some are too hard!
• Exchanged opcodes are usually related
  • INC/DEC
  • PUSH/POP
Limitations (of our approach)
• No self-modifying code*
  • It hasn't been compiled to our new ISA
  • Emulator can't "understand" it
• No Position Independent Executables (PIEs)
  • Only emulating the .text section
  • ASLR throws off our compass
*Support is possible (for future work)
Future Work (next week)
Goals:
• Successfully pack common programs
  • binutils/coreutils (ls + friends)
• Collect performance metrics
• Allow dynamically linked libraries