1. Part 6: Special Topics Chapter 19: Shellcode Analysis
Chapter 20: C++ Analysis
Chapter 21: 64-bit Malware

2. Chapter 19: Shellcode Analysis

3. Shellcode Analysis Shellcode Issues to overcome
Payload of raw executable code that allows adversary to obtain interactive shell access on compromised system
Often used alongside exploit to subvert running program
Issues to overcome
Getting placed in preferred memory location
Applying address locations if it cannot be placed properly
Loading required libraries and resolving external dependencies

4. Shellcode Analysis
1. Position-Independent Code 2. Identifying Execution Location 3. Manual Symbol Resolution 4. Shellcode Encodings 5. NOP Sleds 6. Finding Shellcode

5. 1. Position-Independent Code
No hard-coded addresses
All branches and jumps must be relative so that code can be placed anywhere in memory and still function as intended
Essential in exploit code and shellcode being injected from a remote location since addresses are not necessarily known
Table 19-1, p. 408

6. 2. Identifying Execution Location
Shellcode may need to find out its execution location
32-bit x86 does not provide EIP-relative access to embedded data as it does for control-flow instructions
Must load EIP into general purpose register
Problem: "mov %eip, %eax" not allowed
Two methods
call/pop
fnstenv

7. 2. Identifying Execution Location
call/pop
call pushes EIP of next instruction onto stack, pop retrieves it (Listing 19-1, p. 410)

8. 2. Identifying Execution Location
fnstenv
stores 28-byte structure of FPU state to memory
FPU runs parallel to CPU, so must be able to accurately identify faulting instruction
fpu_instruction_pointer = EIP of last instruction that used FPU (Listing 19-2, 19-3, p. 412)

9. 2. Identifying Execution Location
fnstenv

10. 3. Manual Symbol Resolution
Shellcode can not use Windows loader to find where libraries are in process memory
Must dynamically locate functions such as LoadLibraryA and GetProcAddress (both located in kernel32.dll)
Finding kernel32.dll in memory
Undocumented structure traversal (Figure 19-1, Listing 19-4, p. 414, 415)

11. Manual Symbol Resolution

12. Manual Symbol Resolution
Once found, then parse PE Export Data in kernel32.dll
Addresses of exported calls in header (relative virtual addresses in IMAGE_EXPORT_DIRECTORY )
AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals arrays (Figure 19-2, p. 417)

13. Manual Symbol Resolution
Algorithm for resolution
Iterate over the AddressOfNames array looking at each char* entry, and perform a string comparison against the desired symbol until a match is found. Call this index into AddressOfNames iName.
Index into the AddressOfNameOrdinals array using iName. The value retrieved is the value iOrdinal.
Use iOrdinal to index into the AddressOfFunctions array. The value retrieved is the RVA of the exported symbol. Return this value to the requester.

14. Manual Symbol Resolution
Using hashes to parse PE Export Data in kernel32.dll
To make shellcode compact and to avoid signature detection on strings, hashes of function names can be used to compare (Listing 19-5, 19-6, p )

15. Manual Symbol Resolution

16. Manual Symbol Resolution

17. 4. Shellcode Encodings Many exploits target unsafe string functions
strcpy, strcat
Injection of malicious code must avoid NULL bytes which will terminate buffer overflow pre-maturely (Listing 19-8, p. 421)
strcpy( buffer, argv[1] );
mov eax, ; 4 bytes of NULL
xor eax, eax ; No NULL bytes

18. Shellcode Encodings ASCII armor Hardens against buffer overflow
If exploit requires injection of addresses, then force addresses to include NULL by putting all code/data within ASCII armor at beginning of address space

19. 5. NOP Sleds Sequence of NOPs preceing shell code
Address targeting inexact
Allows exploit to increase likelihood of hits by giving a range of addresses that will result in shellcode executing
Buffer[0..256]
[stuff]
Return
addr
[stuff]
Shell Code
New
Addr
New
Addr
New
Addr
New
Addr

20. 5. NOP Sleds IP? IP? IP? IP? Shell Code Shell Code NOP xor eax, eax
mov al, 70
xor ebx, ebx
xor ecx, ecx
int 0x80
jmp short two
one:
pop ebx
mov [ebx+7], al
mov [ebx+8], ebx
mov [ebx+12], eax
mov al, 11
lea ecx, [ebx+8]
lea edx, [ebx+12]
two:
call one
db '/bin/shXAAAABBBB'
IP?
IP?
xor eax, eax
mov al, 70
xor ebx, ebx
xor ecx, ecx
int 0x80
jmp short two
one:
pop ebx
mov [ebx+7], al
mov [ebx+8], ebx
mov [ebx+12], eax
mov al, 11
lea ecx, [ebx+8]
lea edx, [ebx+12]
two:
call one
db '/bin/shXAAAABBBB'
IP?
Shell Code
Shell Code

21. 6. Finding Shellcode In Javascript
Binary instructions encoded via escaped bytes
%u1122%u3344%u5566%u7788 =
Example: FBI Playpen exploit

22. 6. Finding Shellcode In payloads
Common API calls (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)
Common opcodes (Call, Unconditional jumps, Loops, Short conditional jumps)

23. Chapter 20: C++ Analysis

24. C++ Analysis
1. Object-Oriented Programming 2. Virtual vs. Nonvirtual Functions 3. Creating and Destroying Objects

25. 1. Object-Oriented Programming
Functions (i.e. methods) in C++ associated with particular classes of objects
Classes used to define objects
Similar to struct, but also include functions
“this” pointer
Implicit pointer to object that holds the variable being accessed
Implied in every variable access within a function that does not specify an object
Passed as a compiler-generated parameter to a function (typically the ECX register, sometimes ESI)
“thiscall” calling convention (compared to stdcall, cdecl, and fastcall calling conventions)
Listing 20-2, Listing 20-3, p. 429, 430
3) loads this pointer into ecx
4) puts ecx into eax, then access x to compare it to 10

26. Object-Oriented Programming
Overloading and Mangling
Method overloading allows multiple functions to have same name, but accept different parameters
When function called, compiler determines which version to use (Listing 20-4, p. 431)
C++ uses name mangling to support this construct in the PE file
Algorithm for mangling is compiler-specific
IDA Pro demangles based on what it knows about specific compilers (Figure 20-1, p. 431)
public: void __thiscall SimpleClass::TestFunction(int,int)
Can use c++filt on linux (CTF level?)
mashimaro <~> 9:19AM % c++filt -n _Z1fv
f()

27. 2. Virtual vs. Nonvirtual Functions
Can be overridden by a subclass (polymorphism)
Execution is determined at runtime with the child subclass overriding the parent
Can keep parent functionality by changing the type of the object to be an instance of the parent class
Nonvirtual functions
Execution is determined at compile time
If object is an instance of the parent, the parent class's function will be called, even if the object at run-time belongs to the child class
Table 20-1, p. 433
On left g() compiled to call A’s foo()
On right g() compiled to check at run-time which foo() to call

28. Virtual vs. Nonvirtual Functions
Implementation
Nonvirtual functions the same
Polymorphism via virtual function tables (vtables), effectively an array of pointers to code (Table 20-2, p. 434)
On left, nonvirtual call as before
On right, vtable traversed in 1) and 2), then function pointer loaded into eax and called
Recognizing vtables
Should point to legitimate subroutines in IDA Pro (sub_####) (Listing 20-6, p. 435)
Switch tables similar but point to legitimate code locations within code in IDA Pro without function prologue (loc_#####)
Virtual functions never directly called
Code xrefs to functions within IDA Pro yield nothing due to use of registers in call
vtable similarity can be used to associate objects
Listing 20-7, p. 436

29. 3. Creating and Destroying Objects
Constructor and Destructor functions
Object either stored on stack for local variables
Object stored in heap if “new” is used
Note: Implicit “deletes” for objects that go out of scope may be handled as exceptions
Listing 20-8, p. 437
Initializes vtable for object stored on stack
Does multiple loads of vtable (parent, then child)
Creates another object via “new” call (note the name mangling)
void * __cdecl operator new(unsigned int)

30. In-class exercise
Lab 20-1

31. Chapter 21: 64-bit Malware

32. 64-bit Malware
1. Why 64-bit Malware? 2. Differences in x64 architectures 3. Windows 32-Bit on Windows 64-Bit Bit Hints at Malware Functionality

33. 1. Why 64-bit Malware? AMD64 now known as x64 or x86-64
Similar to 32-bit x86 with quad extensions
Not all tools support it
Backwards compatibility support for 32-bit ensures that 32-bit malware can run on both 32-bit and 64-bit machines
Reasons for 64-bit malware
Kernel rootkits must be 64-bit for machines to run on a 64-bit OS
Malware and shellcode being injected into a 64-bit process must be 64-bit

34. 2. Differences in x64 Architecture
64-bit vs. 32-bit x86
All addresses and pointers 64-bit
All general purpose registers 64-bit (%rax vs. %eax)
Special purpose registers also 64-bit (%rip vs. %eip)
Double the general purpose registers (%r8-%r15)
%r8 = 64-bits
%r8d = 32-bit DWORD
%r8w = 16-bit WORD
%r8l = 8-bit LOW byte

35. 2. Differences in x64 Architecture
64-bit vs. 32-bit x86
RIP-relative data addressing (Listing 21-2 vs. Listing 21-3, p. 443, 444)
Recall “call/pop” needed previously to get location of data attached to exploit code
Allows compiler to easily generate position-independent code
Decreases the amount of relocation needed when code/DLLs are loaded
Without call/pop, it is much harder to identify exploit code
offset 0xD3A2

36. Differences in x64 Architecture
64-bit vs. 32-bit x86 calling convention and stack usage
Similar to “fastcall”
First six parameters passed in %rdi,%rsi,%rdx,%rcx,%r8,%r9
Additional parameters passed on stack
Hand-coded malware may completely deviate from this convention to confuse analysis
Stack space is allocated at beginning of function call for the duration of the call (i.e. no push/pop within function) (Figure 21-1, p. 445)
Microsoft's 64-bit exception handling model assumes a static stack

37. Differences in x64 Architecture
64-bit vs. 32-bit x86 calling convention and stack usage
Reverse engineering complicated since local variables and function parameters co-mingled (Listing 21-4 vs 21-5, p. 445, 446)

38. Differences in x64 Architecture
64-bit vs. 32-bit x86
Leaf and Nonleaf Functions
Functions that call other functions are non-leaf or frame functions as they require a frame to be allocated
Nonleaf functions required to allocate at least 0x20 bytes of stack space when calling another function to save register parameters (local variables bump allocation beyond 0x20)
64-Bit Exception Handling
For 32-bit, SEH handling uses stack
For 64-bit, static exception information table stored in PE file and stored in .pdata section per function. (Does not use stack)

39. 3. Windows 32-Bit on Windows 64-Bit
WOW64 subsystem allows 32-bit Windows to run on 64-bit Windows
Redirects accesses to C:\Windows\System32 to C:\Windows\WOW64
So if 32-bit malware running on 64-bit Windows writes a file to C:\Windows\System32, it shows up in C:\WINDOWS\WOW64
Similar redirection for registry keys
32-bit malware wishing to “break-out” of WOW64 to infect 64-bit system can disable redirection (IsWow64Process, C:\Windows\Sysnative, Wow64DisableWow64FsRedirection to disable for a thread)

40. 4. 64-Bit Hints at Malware Functionality
64-bit shortcuts
Integers often stored in 32-bit values
Pointers are always 64-bit
Can differentiate non-pointers from pointers via size of register used (Table 21-1, p. 448)

41. Extra

42. Machine learning in malware
Polymorphic malware difficult to catch with signatures
After unpacking, shares common functions
Can use RCE to identify features to use in an ML model
Humans (you) decide labels of good and bad
Humans (you) decide features that are helpful or not
Example: Cylance (End Point See)
Issue
Difficult to get explainability out of results
What if polymorphic game code gets flagged?
Can one reason about what ML algorithm is doing?