Happy Wednesday!
Published 2013-10-03 at https://www.gironsec.com/blog/2013/10/happy-wednesday/

Hello again!

It's been a busy week at work. Lots of unique malware. As you may or may not know, malware uses non-conventional things to stay hidden and throw off heuristic analysis.

I see weird stuff. Instructions that make no sense in context, like the 'out' instruction, or blocks of code which perform floating point arithmetic for no reason other than to do it.

I see this on a daily basis. Weird opcodes, memory packing, wacky logic, etc. This week I was unpacking a program that did the usual 'store everything in the data section, then VirtualQuery / run' trick. But it was wacky confusing. After unpacking, the binary was different (different md5, larger), but it looked the same in IDA and Immunity. I unpacked it again several more times only to realize the program was making a copy of itself and storing it in the same location I unpacked it from, except it was setting a breakpoint before calling itself. I determined this had something to do with the OpenProcess call which was skipped at the program's startup, then I lost interest.

How do they do it? They have more time on their hands.

So what did I learn today? I learned how to get the same weird opcodes into my programs even if my compiler throws a shit-fit.

When I tried with my compiler (Pelles C), it said it couldn't find the opcode.
[Image: "why u no work" (http://www.gironsec.com/blog/wp-content/uploads/2013/10/why-u-no-work.png)]
Solution? Hex editor!

Compile your program, inline a nop sled or something easy to identify, then find / replace.
[Image: "why u work" (http://www.gironsec.com/blog/wp-content/uploads/2013/10/why-u-work.png)]
In this case, I am doing several int3 interrupts and RDTSC instructions in a row (0xCC and 0x0F 0x31).
And now we look in the hex editor for the opcodes CC 0F 31.
[Image: "why u work2" (http://www.gironsec.com/blog/wp-content/uploads/2013/10/why-u-work2.png)]
See it?
Now what we do is replace the opcodes with the ones the compiler didn't allow us to add and nop out the rest.
I did this to force-insert the icebp (int01) breakpoint into my program. It's an undocumented opcode which does a breakpoint without setting the trap flag.
[Image: "tadaa" (http://www.gironsec.com/blog/wp-content/uploads/2013/10/tadaa.png)]
Save and we're good.
There are plenty of instructions out there to mess with. Using this crude method, I can force my instructions into my programs without the compiler giving me shit.

Bye bye for now!
[Image: "mfw" (http://www.gironsec.com/blog/wp-content/uploads/2013/10/mfw.png)]