
Today's topic is a brief introduction to the dynamic analysis of malware ("viruses" below). If anything here is inaccurate, I hope readers will point it out so that we can improve together.

Note: This article only shares my own knowledge and my own understanding, which is not necessarily accurate. Please treat it as a reference and do not let it limit your own thinking.

Note: This is a translation of an article I originally wrote in Chinese. If any part is hard to read, I will improve the translation.

Knowledge base​

Advantages​

Some samples look benign under static analysis but behave maliciously at runtime, so dynamic analysis is used to fill that gap (malware authors routinely apply packing, obfuscation and other static anti-analysis processing while building a sample so that antivirus engines and static analysis do not flag it).

Virtual Environment​

For safety, most dynamic analysis is carried out in virtual machines.

Causes​

An unknown sample is full of uncertainty. Dynamic analysis requires actually running it and monitoring its behaviour, so a safe and controlled environment is needed to limit the harm the sample can do.

Examples of common hazards:

  • Transmission hazard: the sample may infect other machines reachable over the network (e.g. other hosts on the same WiFi or on the intranet). This is only one of many possibilities, so do not limit your thinking to it; a sample running on a PC might, for example, leave the host untouched and only attack a mobile phone or another device on the same WiFi.
  • Difficult to remove: some samples are hard to remove from a system. If the machine is to be reused after the analysis, the modifications the sample made may have to be undone by wiping the disk, reinstalling drivers, reflashing the BIOS/firmware, and so on.
  • Hardware damage: some samples can damage the computer's hardware in certain ways (one motive: destroying the hardware removes the attack record and makes the attack harder to trace afterwards).

Common Virtual Machine Software​

  • VMware
  • VirtualBox
  • Hyper-V
  • Parallels
  • Xen
  • QEMU
  • Android emulators (too many of these to single out)

Drawbacks

Because a virtual environment is not a real machine, it has some limitations and drawbacks.

Examples of common limitations or drawbacks:

  • Environment detection: malware often checks its runtime environment (hypervisor CPUID strings, vendor-specific virtual devices and drivers, MAC address prefixes, guest-tools registry keys and similar artefacts) and performs no malicious action when it finds that it is running in a virtual machine.
  • Virtual machine escape: some samples that detect a virtual machine do nothing malicious inside the guest and instead try to exploit the hypervisor or its guest tools to break out of the virtual machine and attack the real host.
  • Performance limitations: because the environment is virtualised, it is sometimes slower or less stable, which lengthens the analysis.

Behavioural monitoring​

A harmful sample will usually perform some malicious or dangerous actions.

Examples of common behaviours that can be used for analysis:

  • Network behaviour: sending connection requests, remote control, downloading further malicious code, listening on local ports, exfiltrating sensitive data, etc.
  • System modifications: autostart entries, scheduled tasks, hidden accounts, opened ports, infecting or replacing system files, creating and stopping services, breaking the system's runtime structure, adding, modifying and deleting registry keys and values, etc.
  • Other actions: modifying file attributes; deleting, reading, adding, encrypting and dropping files; hijacking processes; terminating or detecting certain programs or processes; probing the operating environment; executing attack commands, etc.

Commonly used tools

The tools come from publicly available products and from custom in-house development.

Software debugging​

In dynamic analysis it is common to start the program under a debugger, or to attach a debugger to the already running process, and then examine the program for malicious behaviour.

Examples of common debuggers:

  • x64dbg: 32/64-bit debugger for Windows
  • OllyDbg: assembly-level debugger for Windows
  • Immunity Debugger: "a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility."
  • WinDbg: the Windows debugger, which can debug kernel-mode and user-mode code, analyse crash dumps and inspect CPU registers while code executes.
  • dnSpy: a debugger and editor for .NET assemblies; it can edit and debug assemblies even when no source code is available.
  • GDB: the GNU Project Debugger, which lets you see what is going on "inside" another program while it executes, or what it was doing when it crashed.
  • drozer: a security assessment framework for Android
  • Frida: a dynamic instrumentation toolkit for developers, reverse engineers and security researchers
  • edb-debugger: a cross-platform AArch32/x86/x86-64 debugger

Monitoring category

In dynamic analysis, monitoring tools are used to record what the program does after it has been started, in order to decide whether it behaves maliciously.

Examples of common monitoring tools:

  • Firewalls: GlassWire, FortKnox Firewall, TinyWall, WFN, OpenSnitch, etc.
  • System and network activity monitoring: Huorong System Diagnostics Toolkit, Windows Sysinternals, Directory Monitor, Process Hacker, Process Lasso, FSMonitor, etc.
  • Automated malware analysis environments: online analysis sandboxes, online multi-engine antivirus scanners, Cuckoo Sandbox, etc.

    Injection technology​

Process Injection​

Malware authors often use process injection to bypass protection software: they add malicious functionality to a legitimate process, read sensitive data from its memory, interfere with analysis, and so on.

Windows allows one process to allocate, read and write virtual memory in another process, to create new threads in it, and to suspend those threads and change their registers, including the instruction pointer (EIP/RIP). Code injection builds on these primitives: the classic sequence is OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, and the thread-hijacking variant uses SuspendThread, GetThreadContext, SetThreadContext and ResumeThread to redirect an existing thread instead. Malware uses this to inject its code into a trusted process and execute it there, circumventing protection software that only watches the original malicious process.

dll injection​

Windows has registry entries that cause DLLs to be loaded into processes meeting certain criteria. Many of these entries allow a malicious DLL to be injected into browsers and other legitimate processes. For example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

This entry is one of the registry locations most abused by malware, both to inject DLL code into other processes and to maintain persistence. Writing it requires administrator privileges, and Microsoft sets the neighbouring LoadAppInit_DLLs value to 0 by default so that unknown DLLs are not loaded; the protection is switched off by changing that value to 1. Two caveats for analysis: on 64-bit Windows there is a separate copy of the key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows that applies to 32-bit processes, and on Windows 8 and later the AppInit_DLLs mechanism is disabled entirely when Secure Boot is enabled.

Principle:

Set AppInit_DLLs to the path of the DLL to load (with LoadAppInit_DLLs = 1) and every process that loads user32.dll will load that DLL as well.
This works because user32.dll loads the DLLs listed in AppInit_DLLs during its own initialisation, and almost every application with a window links user32.dll.

Example of analysis

The dynamic analysis techniques are demonstrated by running a number of samples and programs and checking them for malicious behaviour.

Registry Monitoring

Before running the program, back up the registry and turn on Huorong System Diagnostics Toolkit monitoring. After the sample has run for a while, check for sensitive registry operations, such as:

  • Turning off the default protection: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs changed to 0x1
  • Loading a malicious DLL: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs set to an unknown DLL (normally this value is empty)
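The "back up the registry, run the sample, compare" step above can be automated by exporting the keys of interest with reg export before and after the run and diffing the two .reg files. The script below is an example added for this article; it is not code from the original post, from Huorong or from any other tool named here. The two exports it parses are constructed for illustration: the key and value names are real Windows locations, while evil.dll and client.exe are hypothetical. It also implements the AppInit_DLLs check from the principle section (LoadAppInit_DLLs flipped to 1 together with a non-empty AppInit_DLLs), in both the native and the Wow6432Node key.

```python
"""Diff two registry exports (.reg) taken before and after a sample runs and
flag changes under keys malware abuses for injection and persistence.

Example added for this article; not code from the post or any tool it names.
The exports below are constructed: evil.dll and client.exe are hypothetical.
"""
import re

# Key prefixes worth diffing (compared case-insensitively). The Wow6432Node
# copy is the one 32-bit processes see on 64-bit Windows.
SENSITIVE_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services",
)

# "name"=data or @=data (default value); .reg escapes " and \ with a backslash
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _decode(raw):
    """Decode the data part of a .reg line. Strings and DWORDs are decoded;
    other forms (hex:..., hex(2):..., "-" for a deleted value) stay verbatim."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {(key, value_name): data} for the text of a .reg export."""
    values, key, pending = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:                      # continuation of a hex value
            pending[1] += line.rstrip('\\')
            if not line.endswith('\\'):
                values[pending[0]] = _decode(pending[1])
                pending = None
            continue
        if not line or line[0] == ';' or line.startswith('Windows Registry Editor'):
            continue
        if line[0] == '[' and line[-1] == ']':
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else '(Default)'
            data = m.group(3)
            if data.endswith('\\'):                  # multi-line hex value
                pending = [(key, name), data.rstrip('\\')]
            else:
                values[(key, name)] = _decode(data)
    return values


def diff_reg(before_text, after_text):
    """(key, name, old, new) for every value that differs; None means absent."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    return [(k, n, before.get((k, n)), after.get((k, n)))
            for k, n in sorted(set(before) | set(after))
            if before.get((k, n)) != after.get((k, n))]


def sensitive_changes(before_text, after_text):
    """Only the differences that fall under SENSITIVE_PREFIXES."""
    prefixes = tuple(p.lower() for p in SENSITIVE_PREFIXES)
    return [c for c in diff_reg(before_text, after_text) if c[0].lower().startswith(prefixes)]


def appinit_abuse(reg_text):
    """LoadAppInit_DLLs == 1 together with a non-empty AppInit_DLLs,
    checked in the native key and in the Wow6432Node key."""
    lower = {(k.lower(), n.lower()): v for (k, n), v in parse_reg(reg_text).items()}
    hits = []
    for key in SENSITIVE_PREFIXES[:2]:
        load = lower.get((key.lower(), 'loadappinit_dlls'))
        dlls = lower.get((key.lower(), 'appinit_dlls'))
        if load == 1 and dlls:
            hits.append((key, dlls))
    return hits


# Constructed exports. Real ones are UTF-16LE: open(path, encoding='utf-16').
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\Public\\evil.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\client.exe"
'''

if __name__ == '__main__':
    for key, name, old, new in sensitive_changes(BEFORE_REG, AFTER_REG):
        print(f'{key}\\{name}: {old!r} -> {new!r}')
    print('AppInit_DLLs abuse:', appinit_abuse(AFTER_REG))
```

To produce real inputs, run reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" before.reg /y (and the same for the other keys, or HKLM as a whole) before starting the sample and again afterwards; the exports are UTF-16LE, so read them with encoding='utf-16'. Diffing exports only catches what the sample left behind; a value that is set and then restored is only visible to a live monitor such as Procmon or the Huorong toolkit.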

The attack location as seen by the monitor (screenshot), the attack parameters (screenshot) and the interception log (screenshot) were recorded.

Load the program in x64dbg and set breakpoints on common network functions to see whether they are hit (in this test the sample had already been run once under monitoring, so its network behaviour was known in advance).

  • Open the network analysis tool before running the sample (screenshot).

Breaking on a network function and single-stepping (screenshot): the breakpoint was hit, and single-stepping from it revealed the network address of the file being downloaded. The function hit here, UrlCanonicalizeW, converts a URL string into canonical form; a breakpoint on it is useful because its pszUrl argument holds the URL in clear text even when the sample assembles the URL at runtime.

Code:

LWSTDAPI UrlCanonicalizeW(
    PCWSTR pszUrl,             // [in]      URL to canonicalize
    PWSTR  pszCanonicalized,   // [out]     buffer that receives the canonical URL
    DWORD  *pcchCanonicalized, // [in, out] buffer size in characters; on return, the number of characters written
    DWORD  dwFlags             // [in]      URL_* flags that control the conversion
);

What the function does: it replaces unsafe characters with escape sequences, and if the URL contains "/../" or "/./" it treats them as navigation within the URL hierarchy and simplifies the path before combining. For instance "/hello/cruel/../world" is simplified to "/hello/world".

Other API functions: on Windows, programs with network functionality usually call functions exported by ws2_32.dll (Winsock). The list below is essentially the export table of ws2_32.dll; accept, bind, connect, send, recv, WSAConnect, WSASend, WSARecv and getaddrinfo are the usual breakpoint candidates. Samples that use the higher-level WinINet API (wininet.dll: InternetOpenW, InternetConnectW, HttpSendRequestW, InternetReadFile) or URLMon (urlmon.dll: URLDownloadToFileW) end up in ws2_32 internally, but breaking on those higher-level functions shows the URL and headers directly, so set breakpoints on them as well.

Code:

accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyaddr
gethostbyname
gethostname
getnameinfo
getpeername
getprotobyname
getprotobynumber
getservbyname
getservbyport
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket
FreeAddrInfoW
GetAddrInfoW
GetNameInfoW
WEP
WPUCompleteOverlappedRequest
WSAAccept
WSAAddressToStringA
WSAAddressToStringW
WSAAsyncGetHostByAddr
WSAAsyncGetHostByName
WSAAsyncGetProtoByName
WSAAsyncGetProtoByNumber
WSAAsyncGetServByName
WSAAsyncGetServByPort
WSAAsyncSelect
WSACancelAsyncRequest
WSACancelBlockingCall
WSACleanup
WSACloseEvent
WSAConnect
WSACreateEvent
WSADuplicateSocketA
WSADuplicateSocketW
WSAEnumNameSpaceProvidersA
WSAEnumNameSpaceProvidersW
WSAEnumNetworkEvents
WSAEnumProtocolsA
WSAEnumProtocolsW
WSAEventSelect
WSAGetLastError
WSAGetOverlappedResult
WSAGetQOSByName
WSAGetServiceClassInfoA
WSAGetServiceClassInfoW
WSAGetServiceClassNameByClassIdA
WSAGetServiceClassNameByClassIdW
WSAHtonl
WSAHtons
WSAInstallServiceClassA
WSAInstallServiceClassW
WSAIoctl
WSAIsBlocking
WSAJoinLeaf
WSALookupServiceBeginA
WSALookupServiceBeginW
WSALookupServiceEnd
WSALookupServiceNextA
WSALookupServiceNextW
WSANSPIoctl
WSANtohl
WSANtohs
WSAProviderConfigChange
WSARecv
WSARecvDisconnect
WSARecvFrom
WSARemoveServiceClass
WSAResetEvent
WSASend
WSASendDisconnect
WSASendTo
WSASetBlockingHook
WSASetEvent
WSASetLastError
WSASetServiceA
WSASetServiceW
WSASocketA
WSASocketW
WSAStartup
WSAStringToAddressA
WSAStringToAddressW
WSAUnhookBlockingHook
WSAWaitForMultipleEvents
WSApSetPostRoutine
WSCDeinstallProvider
WSCEnableNSProvider
WSCEnumProtocols
WSCGetProviderPath
WSCInstallNameSpace
WSCInstallProvider
WSCUnInstallNameSpace
WSCUpdateProvider
WSCWriteNameSpaceOrder
WSCWriteProviderOrder

Release files

  • Huorong System Diagnostics Toolkit shows that the sample drops (writes) files when executed; this behaviour is analysed in depth below.
  • A file write is monitored (screenshot). At this point we know a file was written, but not yet how.
  • Since the sample is written in .NET and is neither obfuscated nor encrypted, it can be decompiled and debugged at source level directly in dnSpy (screenshot).
  • Search for the path of the written file seen in the monitor to locate the code that performs the write (screenshot):

Code:

private void btn_crack_Click(object sender, EventArgs e)
{
    try
    {
        // Dosya_Sil is Turkish for "delete file": remove the original Metasploit Pro files
        this.Dosya_Sil(new string[]
        {
            "C:\\metasploit\\apps\\pro\\ui\\app\\views\\layouts\\application.html.erb",
            "C:\\metasploit\\apps\\pro\\ui\\app\\controllers\\application_controller.rb",
            "C:\\metasploit\\apps\\pro\\ui\\app\\models\\license.rb",
            "C:\\metasploit\\apps\\pro\\engine\\app\\concerns\\metasploit\\pro\\engine\\rpc\\tasks.rb"
        });
        // Dosya_Cikar is Turkish for "extract file": write replacement copies to the same paths
        // (the first argument appears to be the name of an embedded resource)
        this.Dosya_Cikar("application", "C:\\metasploit\\apps\\pro\\ui\\app\\views\\layouts\\application.html.erb");
        this.Dosya_Cikar("application_controller", "C:\\metasploit\\apps\\pro\\ui\\app\\controllers\\application_controller.rb");
        this.Dosya_Cikar("license", "C:\\metasploit\\apps\\pro\\ui\\app\\models\\license.rb");
        this.Dosya_Cikar("tasks", "C:\\metasploit\\apps\\pro\\engine\\app\\concerns\\metasploit\\pro\\engine\\rpc\\tasks.rb");
        MessageBox.Show("Metasploit Crack Done!", "OK DONE", MessageBoxButtons.OK, MessageBoxIcon.Asterisk);
    }
    catch (Exception ex)
    {
        // any failure, e.g. a file not found, is reported instead of crashing the program
        MessageBox.Show(ex.Message, "FAILED", MessageBoxButtons.OK, MessageBoxIcon.Hand);
    }
}

Parsing: the handler deletes the four listed Metasploit Pro files and then writes replacement copies to the same paths; any exception, such as a file not being found, is caught and displayed in a message box.

  • Set a breakpoint here and single-step while watching the monitor (screenshot): this confirms that the files are written by this code and that the writes complete without error.

Process monitoring

Collect information after the sample has been run.

  • Huorong System Diagnostics Toolkit (screenshot): filter by path, process and action. Action categories: execution monitoring, file monitoring, registry monitoring, process monitoring, network monitoring, behaviour monitoring. Task group: information summary.

  • procexp (Process Explorer): shows the handles and DLLs each process has opened or loaded; the Properties dialog also shows the strings found in the image (screenshot). DLL information (screenshot).

  • Suspicious resources found in the handle list (screenshot).

  • From the access mask, look up the rights the handle was opened with (the Decoded Access Mask column is easier to read than the raw value). Tips: refresh manually (F5) to make sure the display is current; the background colour of a process row shows its state and type, and the colour legend is under Options > Configure Colors (screenshot).

  • GlassWire: monitoring the sample's network behaviour (screenshot). Already online: 192.168.86.131 is the attacker's IP.

  • TcpView: TCP and UDP endpoints after the sample has run (screenshot).

  • Remote desktop session in progress (screenshot): a notification message gives away that the machine is being watched (the program has enabled a remote desktop service).

  • Autoruns: compare autostart entries before and after running the sample to check whether any new entries are malicious (screenshot).

  • Process Monitor (Procmon): real-time monitoring of registry, file, process and network activity. System information collected by the remote-control sample (screenshot).

  • Remote desktop information of the remote-control sample (screenshot).

  • File management information of the remote-control sample (screenshot).

  • Capsa Network Analyzer: monitor network traffic and view details, e.g. per-process IP information (screenshot).

  • Several outbound IPs appeared (including the simulated attacker IP). In a real case the actual attacker IP is confirmed by correlating multiple sources.
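Reading a long Procmon capture by eye, as described above, does not scale; the usual approach is to export the capture as CSV and filter it for the behaviours listed in the behavioural monitoring section (persistence and injection registry writes, dropped executables, suspicious child processes, outbound connections). The script below is an example added for this article, not Procmon's code or the author's. The column names are Procmon's default CSV header; the events are constructed for illustration, with the attacker IP taken from the GlassWire step above, and evil.dll and client.exe are hypothetical.

```python
"""Triage a Process Monitor (Procmon) CSV export for the behaviours this
article looks for by hand.

Example added for this article; not Procmon's code or the post author's.
The events below are constructed; evil.dll and client.exe are hypothetical.
"""
import csv
import io
import ipaddress
import ntpath

# Registry locations (Procmon's HKLM/HKCU abbreviations) whose writes matter.
# "\wow6432node" is stripped before matching so redirected 32-bit writes count.
SENSITIVE_REG = (
    r"hklm\software\microsoft\windows nt\currentversion\windows\appinit_dlls",
    r"hklm\software\microsoft\windows nt\currentversion\windows\loadappinit_dlls",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows nt\currentversion\winlogon",
    r"hklm\system\currentcontrolset\services",
)
# Directories where dropped payloads typically land.
DROP_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"\appdata\roaming",
             r"c:\programdata", r"\start menu\programs\startup")
# Built-in tools commonly spawned to add accounts, tasks, services or registry entries.
LOLBINS = {"net.exe", "net1.exe", "schtasks.exe", "reg.exe", "cmd.exe", "powershell.exe", "sc.exe"}


def _is_private(host):
    """True for RFC 1918 / loopback / link-local addresses. A hostname (Procmon
    resolves names unless that option is off) is treated as not private."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_private
    except ValueError:
        return False


def triage_procmon(csv_text, attacker_ips=()):
    """Return (process, tag, path, detail) tuples for the suspicious events."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        proc = f'{row["Process Name"]}:{row["PID"]}'
        low = path.lower().replace(r"\wow6432node", "")
        tag = None
        if op == "RegSetValue" and low.startswith(SENSITIVE_REG):
            tag = "persistence/injection registry write"
        elif op == "WriteFile" and low.endswith((".exe", ".dll", ".ps1", ".vbs")) \
                and any(d in low for d in DROP_DIRS):
            tag = "payload dropped in user-writable location"
        elif op == "Process Create" and ntpath.basename(low) in LOLBINS:
            tag = "suspicious child process"
        elif op in ("TCP Connect", "UDP Send") and " -> " in path:
            # network paths look like "local:port -> remote:port"
            remote_host = path.split(" -> ", 1)[1].rsplit(":", 1)[0]
            if remote_host in attacker_ips:
                tag = "connection to known attacker address"
            elif not _is_private(remote_host):
                tag = "outbound connection to external address"
        if tag:
            findings.append((proc, tag, path, detail))
    return findings


# Constructed Procmon CSV export (default columns).
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","client.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.2234567 AM","client.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs","SUCCESS","Type: REG_SZ, Length: 50, Data: C:\Users\Public\evil.dll"
"10:01:02.3234567 AM","client.exe","4120","CreateFile","C:\Users\Public\evil.dll","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.4234567 AM","client.exe","4120","WriteFile","C:\Users\Public\evil.dll","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.0000000 AM","client.exe","4120","Process Create","C:\Windows\System32\net.exe","SUCCESS","PID: 5000, Command line: net user backdoor Passw0rd! /add"
"10:01:03.5000000 AM","client.exe","4120","TCP Connect","WIN10:49712 -> 192.168.86.131:4444","SUCCESS","Length: 0, mss: 1460"
"10:01:03.6000000 AM","client.exe","4120","UDP Send","WIN10:55000 -> 8.8.8.8:53","SUCCESS","Length: 45"
"10:01:04.0000000 AM","explorer.exe","3004","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:04.1000000 AM","svchost.exe","1200","TCP Connect","WIN10:49713 -> 10.0.0.5:443","SUCCESS","Length: 0, mss: 1460"
'''

if __name__ == "__main__":
    for proc, tag, path, detail in triage_procmon(PROCMON_CSV, attacker_ips=("192.168.86.131",)):
        print(f"{proc:<16} {tag:<42} {path}")
```

Note the attacker_ips parameter: in a lab the attacker usually sits on the same private network as the victim VM (192.168.86.131 here), so a generic "external address" rule would miss the command-and-control connection; pass the addresses you already know from the firewall or GlassWire. Turn off Procmon's "Show Resolved Network Addresses" option before exporting so the network paths contain IPs rather than hostnames.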

Port analysis to locate

Some samples open ports for malicious use.

  • Use packet-capture software to find out which processes are currently using a port (screenshot).
  • Use the netstat command to find the PID of the process occupying a port: netstat -ano | findstr "port number", then identify the process with Task Manager or another process monitor (screenshot).
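The netstat and Task Manager lookup above can be scripted by saving netstat -ano and tasklist output to files and joining the two on the PID. The following is an example added for this article (not part of the original post or of any tool it names); it also answers the two related questions an analyst asks next, which processes are talking to a known attacker address and which listening ports are not in the baseline. The netstat and tasklist output it parses is constructed, reusing the attacker IP 192.168.86.131 from the earlier sections; client.exe and port 5555 are hypothetical.

```python
"""Correlate 'netstat -ano' with 'tasklist' to find which process owns a port,
who talks to a given remote host, and which listeners are not in the baseline.

Example added for this article; not code from the post. The two outputs
below are constructed (client.exe and port 5555 are hypothetical).
"""
import re

_TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)$")


def parse_netstat(text):
    """Parse 'netstat -ano' output into a list of connection records."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                        # headers and blank lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:                               # UDP rows have no State column
            proto, local, remote, pid = parts
            state = ""
        lip, lport = local.rsplit(":", 1)   # rsplit keeps IPv6 "[::]:445" intact
        rip, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                     "remote_ip": rip, "remote_port": rport, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist' output."""
    procs = {}
    for line in text.splitlines():
        m = _TASK_RE.match(line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def port_owner(netstat_text, tasklist_text, port):
    """Processes holding a local port: the scripted form of netstat -ano | findstr."""
    procs = parse_tasklist(tasklist_text)
    return [(r["pid"], procs.get(r["pid"], "?"), r["proto"], r["state"] or "-",
             f'{r["remote_ip"]}:{r["remote_port"]}')
            for r in parse_netstat(netstat_text) if r["local_port"] == port]


def connections_to(netstat_text, tasklist_text, remote_ip):
    """Processes talking to a given remote host, e.g. the attacker's IP."""
    procs = parse_tasklist(tasklist_text)
    return sorted({(r["pid"], procs.get(r["pid"], "?"), int(r["remote_port"]))
                   for r in parse_netstat(netstat_text) if r["remote_ip"] == remote_ip})


def unexpected_listeners(netstat_text, tasklist_text, expected_ports):
    """Listening TCP sockets on ports missing from the analyst's baseline."""
    procs = parse_tasklist(tasklist_text)
    return [(r["local_port"], r["pid"], procs.get(r["pid"], "?"))
            for r in parse_netstat(netstat_text)
            if r["state"] == "LISTENING" and r["local_port"] not in expected_ports]


# Constructed command output.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1124
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       4120
  TCP    192.168.86.130:49712   192.168.86.131:4444    ESTABLISHED     4120
  TCP    192.168.86.130:49720   10.0.0.5:443           ESTABLISHED     1200
  UDP    0.0.0.0:5353           *:*                                    2332
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         20 K
svchost.exe                    908 Services                   0     10,240 K
svchost.exe                   1124 Services                   0      8,192 K
svchost.exe                   1200 Services                   0      9,000 K
client.exe                    4120 Console                    1     25,600 K
chrome.exe                    2332 Console                    1    150,000 K
"""

if __name__ == "__main__":
    print("port 5555:", port_owner(NETSTAT_OUTPUT, TASKLIST_OUTPUT, 5555))
    print("to attacker:", connections_to(NETSTAT_OUTPUT, TASKLIST_OUTPUT, "192.168.86.131"))
    print("new listeners:", unexpected_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT, {135, 445, 3389}))
```

Capture the inputs on the analysis VM with netstat -ano > net.txt and tasklist > tasks.txt (netstat -anob prints the image name directly but needs an elevated prompt). Two caveats: netstat only shows sockets that still exist at that moment, so run it while the sample is connected, and a sample with a kernel-mode or user-mode rootkit can hide its sockets from netstat; the packet capture from the previous step is the independent check.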

Firewall-assisted analysis for location

Most malware uses the network for further attack: remote control, remote command execution, downloading further payloads, stealing files, and so on. A firewall can therefore watch or capture the network link between the local machine and the attacking end, locate the malicious program from that link, and block it so that it cannot go any further.

  • ProgCop, monitoring remote connections: it recorded a local connection to a remote address (Client-built is the remote-control sample used in this experiment) and the process behind it (screenshot). Watching that process showed dangerous actions (deleting and writing files, creating accounts, reading registry keys, etc.).