Anti-disassembler techniques 2019
Recommendations:
- When you are dealing with assembly that has been handcrafted to confuse the disassembler, it is useful to look at the machine language bytes of each instruction or data item. You can activate this via Options - General - Number of opcode bytes (non-graph), set to 6.
In this lab we will be analyzing a PE binary that uses anti-disassembly techniques to hide its true evil nature. It is classified as malware by virustotal.com; however, we will only be doing static analysis from Linux, so no worries.
This lab is an adaptation of Lab 15-3 from the awesome "Practical Malware Analysis" book.
- Download the executable available at http://rarceresearch.fun/misc/Lab15-03-pr.exe. Perform static analysis using IDA Pro to follow the steps below and answer the questions.
- The code imports some functions that can be used for dubious purposes. For instance, a call to URLDownloadToFileA might be used to download a malware executable file from a website, then WinExec can be called to execute the malware. Just as evidence that you accessed the Imports view: what is the name of the library that contains the function URLDownloadToFileA?
- Examine the calling functions to URLDownloadToFileA by double-clicking on its name in the Imports view, then choosing 'Xrefs graph to' in the IDA View-A. Does the graph illustrate a path from the main function to URLDownloadToFileA? What name did IDA give to the function that calls URLDownloadToFileA? According to IDA, does any function invoke the function that then invokes URLDownloadToFileA?
- Let's go back to the main function and use your anti-disassembly knowledge to try to understand how the seemingly harmless main ends up calling other malicious subroutines.
- When IDA paints text in a red background, it usually means it found something fishy. The instruction at address 0x401016 is mov [ebp + 4], eax and was painted red by IDA. The instruction mov [ebp + 4], eax is fishy because it overwrites main's return address, i.e. when main ends, it will jump to the new address that was written to [ebp+4] instead of returning to the function that really called main. What is the address being written to [ebp+4]?
- Explore the function at the address where main will return. It contains a jmp that IDA marked as suspicious.
- Examine the two instructions before the jmp near ptr 4054D503h. Explain the disassembly trick that is being used.
- Use the d and c keys to turn the code into something more meaningful, i.e. to correctly identify what is data and what are instructions. What is the first instruction after the db 0E9h?
- The two instructions after the db 0E9h are part of another anti-disassembly plot. What are they doing?
- What exception is forced by the instructions that follow, which causes the flow to jump to the subroutine at 0x004014C0?
- Did IDA initially identify the content of address 0x004014C0 as instructions or data?
- Use c or d to turn 0x004014C0 into its right interpretation (instructions).
- The first instructions at 0x004014C0 remove the exception record from the linked list (notice the references to fs:0). What comes next is a jump instruction that IDA again flags with a red message; once more this is IDA telling you something's fishy. The instruction itself seems a bit odd: the jump target is the address of the second byte of the jump instruction! But IDA cannot interpret two instructions from the same bytes. Let's help IDA by converting the byte at 0x004014D7 to data, and the bytes starting at 0x004014D8 to code. What is the instruction at 0x004014D8?
- Now give the sequence of subroutines, beginning with main, that are invoked to eventually call URLDownloadToFile.
- From what URL is a file downloaded? The subroutine sub_401534 uses a simple XOR deciphering scheme which translates each byte by XORing it with 0xFF. Instead of painfully translating each byte by hand, you can use IDA's scripting abilities. Double-click on the first string that is passed as a parameter to sub_401534 so that you are looking at a weird byte sequence, then run the following IDC script using File -> Script Command:

```
#define here get_screen_ea()   // address under the cursor
static main()
{
    auto i = 0;
    // each stored byte is XORed with 0xFF; the terminator is stored as 0xFF (0x00 ^ 0xFF)
    while (byte(here + i) != 0xff)
    {
        Message("%c", byte(here + i) ^ 0xff);
        i++;
    }
    Message("\n");
}
```

From what URL is the file downloaded?
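The same deciphering loop can be run outside IDA on bytes dumped from the binary. The Python below is an added example, not part of the lab handout or of the sample, and goes a little beyond the IDC script by scanning a whole blob for every string stored in this scheme; the blob and the strings in it are constructed for illustration, not taken from Lab15-03-pr.exe.

```python
"""Stand-alone decoder for the XOR-0xFF string scheme used by sub_401534.
Added example, not part of the lab handout; the blob below is constructed
for illustration and is not data from Lab15-03-pr.exe."""
KEY = 0xFF  # every byte of a stored string is XORed with this value


def decode_xor_string(data: bytes, offset: int = 0, key: int = KEY) -> str:
    """Mirror the IDC loop: decode from offset up to the encoded terminator.
    The NUL terminator is stored as 0x00 ^ key, i.e. as the key byte itself."""
    out = bytearray()
    for b in data[offset:]:
        if b == key:
            break
        out.append(b ^ key)
    return out.decode("ascii", errors="replace")


def find_encoded_strings(data: bytes, min_len: int = 6, key: int = KEY):
    """Scan a dumped section for every candidate string in this scheme: a run of
    at least min_len bytes that are printable ASCII after XOR with key and that
    is closed by the encoded terminator. Returns (offset, decoded) pairs."""
    found = []
    i, n = 0, len(data)
    while i < n:
        j = i
        while j < n and 0x20 <= (data[j] ^ key) < 0x7F:
            j += 1
        if j - i >= min_len and j < n and data[j] == key:
            found.append((i, decode_xor_string(data, i, key)))
        i = j + 1
    return found


def xor_encode(text: str, key: int = KEY) -> bytes:
    """Constructed test data: encode text the way the sample stores it."""
    return bytes(c ^ key for c in text.encode("ascii")) + bytes([0x00 ^ key])


# Constructed blob: junk, an encoded URL, zero padding, an encoded file name, junk.
SAMPLE_BLOB = (b"\x00\x12\x34"
               + xor_encode("http://example.com/constructed")
               + b"\x00" * 4
               + xor_encode("sample.exe")
               + b"\x00")

if __name__ == "__main__":
    for off, text in find_encoded_strings(SAMPLE_BLOB):
        print(f"0x{off:04x}: {text}")
```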
- What is the name of the file that is downloaded and run by WinExec?