Basic Static Techniques

Static Analysis - process of analyzing the code or structure of a program to determine its function

Hashing

• Hashing

  • A common method used to uniquely identify malware

  • Run through a hashing program that produces a unique hash that identifies that malware

  • Uses

    • Hash as a label

    • Share that hash

    • Search for the hash online

Finding Strings

• String

  • Program is a sequence of characters

  • Simple way to get hints about the functionality of a program

  • Usually stored in either ASCII or Unicode format

    • Both store characters in sequences that end with a NULL terminator to indicate that the string is complete

Packed and Obfuscated Malware

• Obfuscated

  • Programs are ones whose execution the malware author has attempted to hide

  • If when you search a program you only find a few strings it is probably obfuscated or packed

• Packed

  • A subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed

• NOTE - They often include at least the LoadLibrary and GetProcAddress which are used to load and gain access to additional functions

• Packing Files

  • On packed programs, a small wrapper program runs to decompress the packed file and then run the unpacked file

Detect Packers with PEiD

• PEiD to detect the type of packer or compiler employed to build an application

• You have to unpack it in order to be able to perform any analysis

• Command to unpack using UPX: upx -d PackedProgram.exe

• You can also detect packed malware using PEview

  • If the Size of Raw Data < Virtual Size then that might be indication that it is packed.

Portable Executable File Format

• Portable Executable (PE)

  • File format used by Windows executables, object code, and DLLs

    • Think of it as a giant array of bytes

  • A data structure that contains the information necessary for the Windows OS loader to manage the wrapped executable code

  • Every file with executable code that is loaded by Windows is in the PE file format

  • Begin with a header that includes information about the code:

    • Type of application

    • Required library functions

    • Space requirements

  • Contains a header followed by a series of sections

    • Header contains metadata about the file itself

  • All Microsoft executables start with MZ

• PE File Headers and Sections

  • .text

    • All other sections store data and supporting information

    • Only section that can execute and only one that includes code

  • .rdata

    • Contains the import and export information

    • Store other read-only data used by the program

    • Sometimes will contain .idata and .edata section which store the import and export information

  • .data

    • Contains the program's global data

    • Accessible from anywhere in the program

    • Local data is not stored in this section, or anywhere else in the PE file

  • .rsrc

    • Includes the resources used by the executable that are not considered part of the executable

    • Strings can be stored either in the .rsrc section or in the main program

Linked Libraries and Functions

• Imports

  • Functions used by one program that are actually stored in a different program, like code libraries

  • Executables can import functions by ordinal instead of by name, when they do this the name of the function never appears in the original executable

• Code libraries

  • Can be connected to the main executable by linking

  • Can be linked statically, at runtime, or dynamically

  • Information found in the PE file header depends on how the library code has been linked

• Static Linking

  • Least commonly used method of linking libraries

  • Common in UNIX and Linux programs

  • All code from that library is copied into the executable, making it grow in size

  • Nothing in the PE file header indicates that the file contains linked code

• Runtime Linking

  • Commonly used in malware

  • Connect to libraries only when that function is needed, not at program start

  • Windows functions allow programmers to import linked functions not listed in a program's file header

• Common Functions

  • LoadLibrary - Allow a program to access any function in any library on the system - GetProcAddress - Allow a program to access any function in any library on the system - LdrGetProcAddress - LdrLoadDll

• Dynamic Linking

  • Most common and most interesting

  • Host OS searches for the necessary libraries when the program is loaded

  • Program calls the linked library function, function executes within the library

  • PE file header stores information about every library that will be loaded and every function that will be used by the program

• Common DLLs

Function Naming Conventions

• Functions that take strings as parameters include an A of a W at the end of their names, like CreateDirectoryW

• Drop the trailing A or W when searching for the function in the Microsoft documentation

• Functions with names ending in "Ex" = new function that is incompatible with old one. Old one still supported

Imported and Exported Functions

• Imported Functions

  • PE file header includes information about specific functions by an executable

• Exported Functions

  • DLL implements functions and exports them for use by an executable that can then import and use them

  • PE file contains information about which functions a file exports

  • DLLs provide functionality for executables = exported functions are common

  • Exported functions are not common in executables

  • Sophisticated malware will often omit function names or use unclear or misleading names

Static Analysis in Practice

• Seeing a lot of imports = file is not packed

• Function Examples

  • SetWindowsHookEx - commonly used in spyware and most popular way that keyloggers receive keyboard inputs

  • RegisterHotKey - registers a hotkey whenever the user presses that hotkey combination the application is notified

  • LowLevelKeyboardProc - an applicaiton defined or library-defined callback function used with the SetWindowsHookEx

• Examine PE Files with PEview

  • All Delphi programs use a compile time of June 19,1992

  • Subsystem description

    • indicates whether this is a console or GUI program

    • Console program = IMAGE_SUBSYSTEM_WINDOWS_CUI

    • GUI programs = IMAGE_SUBSYSTEM_WINDOWS_GUI

  • Virtual Size - How much space is allocated for a section during the loading process

  • Size of raw data - shows how big the section is on disk

  • These should usually be equal Virtual Size = Size of Raw Data

  • Virtual Size > Size of Raw Data = Packed Code

  • Memory Space > Disk Space = Packed Code

  • In Windows it is normal for .data to have virtual size > raw data size - it is not enough to mean its not malicious

• Viewing Resource Section with Resource Hacker

  • Informative Sections

    • Icon - lists images shown when the executable is in a file listing

    • Menu

      • stores all menus that appear in various windows

      • Contains the names of all the menus and the text shown for each

    • Dialog - program's dialog menus

    • String Table - stores strings

    • Version Info - contains a version number and often the company name and a copyright statement

• NOTE - Malware often store an embedded program or driver here and before the program runs, they extract the embedded executable or driver.

• PE Header Summary

Tools

• Dependency Walker - lists only dynamically linked functions in an executable

• PEview

• Resource Hacker

• PEBrowse Professional

• PE Explorer