{"id":963,"date":"2014-11-22T13:51:43","date_gmt":"2014-11-22T13:51:43","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=963"},"modified":"2014-11-22T13:52:02","modified_gmt":"2014-11-22T13:52:02","slug":"too-much-stuff","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2014\/11\/too-much-stuff\/","title":{"rendered":"assembly, c-sharp, anti-sandbox, anti-antivirus, anti-debug, and malware research"},"content":{"rendered":"

Hello fellow readers!<\/p>\n

You all are probably wondering what the hell I’ve been up to this past month. Lot’s of stuff. This post is all over the place with code and slides and malware and general wackiness. Rather than spreading it out over several blog posts, I decided to just get it all over with so I can focus on cooler things in the future. <\/p>\n

I saw an interesting webinar on sandbox detection techniques employed by malware by Cyphort. They haven’t released their slides like they said they would, so here are the ones I took<\/a>. These are cool and all, but I felt like I could contribute.<\/a><\/p>\n

I read an awesome paper on bypassing antiviruses by employing a number of code based tricks. The idea behind them was that AV’s will skip binaries based on certain behaviors. One thing missing though – an AV will skip the “dropper” heuristic if the file ends in ‘.msi’. All the code I saw was in C\/C++. I figured why not try and convert it to assembly? Next thing to do is make a patcher that can inject these into pre-compiled binaries. A future project perhaps? Anyways, I only did 2 before I lost interest. Read the article here<\/a>.
\n<\/p>\n

\n
;AV bypass 1<\/span>\r\nxor<\/span>     eax<\/span>, eax<\/span>\r\ndb<\/span> Caption<\/span> "Joe"<\/span>\r\ndb<\/span> Text<\/span> "Giron"<\/span>\r\nmov<\/span>     edx<\/span>, 5F5E100h<\/span>\r\njoe:\r\ninc<\/span>     eax<\/span>\r\ndec<\/span>     edx<\/span>\r\njnz<\/span>     joe<\/span>\r\ncmp<\/span>     eax<\/span>, 5F5E100h<\/span>\r\njnz<\/span>     short<\/span> urafag<\/span>\r\npush<\/span>    0<\/span>               ; MB_OK<\/span>\r\npush<\/span>    offset<\/span> Caption<\/span>\r\npush<\/span>    offset<\/span> Text<\/span>   \r\npush<\/span>    0<\/span>               ; hWnd <\/span>\r\ncall<\/span>    MessageBoxA<\/span>\r\nurafag:\r\nxor<\/span>     eax<\/span>, eax<\/span>\r\nretn<\/span>\r\n\r\n;AV bypass 1.5<\/span>\r\n; same as above, just using the loop instruction instead of branching conditionals<\/span>\r\nxor<\/span>     eax<\/span>, eax<\/span>\r\ndb<\/span> Caption<\/span> "Joe"<\/span>\r\ndb<\/span> Text<\/span> "Giron"<\/span>\r\nmov<\/span>     ecx<\/span>, 5F5E100h<\/span>\r\njoe: ; essentially do nothing<\/span>\r\nmov<\/span> eax<\/span>,10<\/span>\r\nmov<\/span> ebx<\/span>,20<\/span>\r\nxchg<\/span> eax<\/span>,ebx<\/span>\r\nloop<\/span> joe<\/span>\r\n; now start code<\/span>\r\nxor<\/span> eax<\/span>,eax<\/span>\r\nxor<\/span> ebx<\/span>,ebx<\/span>\r\npush<\/span>    0<\/span>               ; MB_OK<\/span>\r\npush<\/span>    offset<\/span> Caption<\/span>\r\npush<\/span>    offset<\/span> Text<\/span>   \r\npush<\/span>    0<\/span>               ; hWnd <\/span>\r\ncall<\/span>    MessageBoxA<\/span>\r\nretn<\/span>\r\n\r\n;AV bypass 2<\/span>\r\npush<\/span>    ebx<\/span>\r\npush<\/span>    edi<\/span>\r\npush<\/span>    5F5E100h<\/span>        ; bytes to alloc<\/span>\r\npush<\/span>    40h<\/span>             ; zero init<\/span>\r\ncall<\/span>    GlobalAlloc<\/span>\r\nmov<\/span>     ebx<\/span>, eax<\/span>\r\ntest<\/span>    ebx<\/span>, ebx<\/span>\r\njz<\/span>      short<\/span> cl<\/span>eanup<\/span>\r\nmov<\/span>     edi<\/span>, ebx<\/span>\r\nmov<\/span>     eax<\/span>, 0FFFFFFF1h<\/span>\r\nmov<\/span>     ecx<\/span>, 5F5E100h<\/span>\r\nrep<\/span> stosb<\/span>\r\npush<\/span>    0<\/span>               ; MB_OK<\/span>\r\npush<\/span>    offset<\/span> Caption<\/span>  ; "Joe"<\/span>\r\npush<\/span>    offset<\/span> Text<\/span>     ; "Giron"<\/span>\r\npush<\/span>    0<\/span>               ; hWnd<\/span>\r\ncall<\/span>    MessageBoxA<\/span>\r\npush<\/span>    ebx<\/span>             ; memory handler<\/span>\r\ncall<\/span>    GlobalFree<\/span>\r\ncleanup:                             \r\nxor<\/span>     eax<\/span>, eax<\/span>\r\npop<\/span>     edi<\/span>\r\npop<\/span>     ebx<\/span>\r\nretn<\/span>\r\n<\/pre>\n<\/div>\n
Feels good to put my crappy assembly skills to good use. Especially now that I figured out how to use inline assembly within C#. Sort of. The way it works is by utilizing delegates and cramming code inside an executable code page. Observe this piece of genius:
\n<\/p>\n
\n
using<\/span> System<\/span>;\r\nusing<\/span> System.Collections.Generic<\/span>;\r\nusing<\/span> System.Text<\/span>;\r\nusing<\/span> System.Runtime.InteropServices<\/span>;\r\n\r\nnamespace<\/span> InLineAsm<\/span>\r\n{\r\n    static<\/span> class<\/span> Program<\/span>\r\n    {\r\n        [UnmanagedFunctionPointer(CallingConvention.StdCall)]<\/span>\r\n        delegate<\/span> void<\/span> JoesAntiDebuggery<\/span>();\r\n\r\n        [DllImport("kernel32.dll", SetLastError = true)]<\/span>\r\n        static<\/span> extern<\/span> IntPtr VirtualAlloc<\/span>(IntPtr lpAddress, UIntPtr dwSize, IntPtr flAllocationType, IntPtr flProtect);\r\n\r\n\t\tstatic<\/span> byte<\/span>[] opcodez = {\r\n\t\t0<\/span>x55, 0<\/span>x89, 0<\/span>xE5, 0<\/span>x31, 0<\/span>xC0, 0<\/span>xBA, 0<\/span>x00, 0<\/span>xE1, 0<\/span>xF5, 0<\/span>x05, 0<\/span>x40, 0<\/span>x4A, 0<\/span>x75, 0<\/span>xFC, 0<\/span>x3D, 0<\/span>x00,\r\n\t\t0<\/span>xE1, 0<\/span>xF5, 0<\/span>x05, 0<\/span>x75, 0<\/span>x14, 0<\/span>x6A, 0<\/span>x00, 0<\/span>x68, 0<\/span>x12 ,0<\/span>x70, 0<\/span>x40, 0<\/span>x00, 0<\/span>x68, 0<\/span>x0C, 0<\/span>x70, 0<\/span>x40,\r\n\t\t0<\/span>x00, 0<\/span>x6A, 0<\/span>x00, 0<\/span>xFF, 0<\/span>x15, 0<\/span>xD0, 0<\/span>x80, 0<\/span>x40, 0<\/span>x00, 0<\/span>x31, 0<\/span>xC0, 0<\/span>x68, 0<\/span>x00, 0<\/span>x70, 0<\/span>x40, 0<\/span>x00,\r\n\t\t0<\/span>xE8, 0<\/span>x3B, 0<\/span>x00, 0<\/span>x00, 0<\/span>x00, 0<\/span>x59, 0<\/span>x31, 0<\/span>xC0, 0<\/span>x89, 0<\/span>xEC, 0<\/span>x5D, 0<\/span>xC3 \r\n\t\t}\r\n\t\t\/\/ opcodes taken from disassembled program.<\/span>\r\n\t\t\/*<\/span>\r\n\t\t__asm<\/span>\r\n\t\t{<\/span>\r\n\t\txor     eax, eax<\/span>\r\n\t\tmov     edx, 5F5E100h<\/span>\r\n\t\tjoe:<\/span>\r\n\t\tinc     eax<\/span>\r\n\t\tdec     edx<\/span>\r\n\t\tjnz     joe<\/span>\r\n\t\tcmp     eax, 5F5E100h<\/span>\r\n\t\tjnz     short urafag<\/span>\r\n\t\t}<\/span>\r\n\t\tMessageBox(0,Text, Caption,0);<\/span>\r\n\t\t__asm<\/span>\r\n\t\t{<\/span>\r\n\t\turafag:<\/span>\r\n\t\txor     eax, eax<\/span>\r\n\t\t\t<\/span>\r\n\t\t}<\/span>\r\n\t\t*\/<\/span>\r\n\r\n\t\tstatic<\/span> IntPtr codeBuffer = VirtualAlloc(IntPtr.Zero, new<\/span> UIntPtr((uint<\/span>)opcodez.Length), (IntPtr)(0<\/span>x1000 | 0<\/span>x2000), (IntPtr)0<\/span>x40);\r\n\t\t\/\/ EXECUTE_READWRITE, MEM_COMMIT | MEM_RESERVE<\/span>\r\n\t\tMarshal.Copy(opcodez, 0<\/span>,codeBuffer, opcodez.Length);\r\n\t\tJoesAntiDebuggery JoeDbg = (JoesAntiDebuggery)\r\n\t\tMarshal.GetDelegateForFunctionPointer(codeBuffer, typeof<\/span>(JoesAntiDebuggery));\r\n        \r\n        static<\/span> void<\/span> Main<\/span>(string<\/span>[] args)\r\n        {\r\n           Console.Write("lol"<\/span>);\r\n           JoeDbg();\r\n        }\r\n\r\n    }\r\n}\r\n<\/pre>\n<\/div>\n
It’s a thing of beauty – Assembly, C code, op codes \/ hex, delegates, and C#. <\/p>\n
Moving on to what else I’ve been up to – pulling apart malwarez. This one piece gave me trouble for a few days. Namely because of the weird anti-debugging counter measure I encountered. I’m unsure if its even anti-debug as the conditions always seem to equate to false. I mean it’s easy to get around when you see it, but you can’t get around it automatically – you have to patch it. I even took a video of the weird behavior.
\n