Note: some scripts in this file being built with Visual Studio (need C++ 17 or higher). Otherwise, compiling with others like GCC (from MinGW or others) is possible
This type of file using for Win32, used on Win32 for almost purpose
Why we need to know PE file?
- Injecting code into executable file
- Manual unpacking product file (being packed)
Get detail with a document here
Basic structure of PE file:
DOS MZ header
DOS stub
PE header
Section table
Section 1
Section 2
...
Section n
PE file includes 2 sections at least:
- 1 section for code
- 1 section for data
Ex: an application using for Window NT includes:
- Executable Code Section: .text (Micro$oft)/CODE (Borland).
- Data Sections:
.data,.rdataor.bss(Micro$oft)/DATA (Borland) - Resources Section:
.rsrc - Export Data Section:
.edata - Import Data Section:
.idata - Debug Information Section:
.debug
Every field of PE header declare space on physical memory.
Some definitions:
Virtual memory: is a common technique used in a computer's operating system (OS), uses both hardware and software to enable a computer to compensate for physical memory shortages, temporarily transferring data from random access memory (RAM) to disk storageInvisible layer: a layer between processor and OSPage table: list of all Process including address of physical memory is usingPE headerhas 2 alignment fields:Section alignment: method how to arrange sections aboveFile alignment(512 bytesor200h): method how to arrange sections in file on disk and size of sector is optimized inLoading process
Hmodule: address where the beginning of file
Accounting for first 64 bytes of file, defined in window.inc or winnt.h. In PE file, magic of DOS header includes value: 4Dh, 5Ah (2 bytes first). Ifanview which at the end of DOS header and beginning of DOS stub, is DWORD and includes offset of PE header
Getting header from IMAGE_NT_HEADERS including 3 part (defined in windows.inc):
Signature: value is often50h,45h,00hFileHeader: next 20 bytes including information of propertiesNumberOfSectionsCharacteristics: identify this PE file is executable or DLL
OptionalHeader: next 224 bytes including Logic map of PE fileData Directory: an array of 16IMAGE_DATA_DIRECTORYstructures, ex:import address tableVirtualAddress (VA)import table: get it fromIMAGE_IMPORT_DESCRIPTORisize: include size of bytes by data structure
AddressOfEntryPoint (RVA): first instruction loaded by PE loader. Moreover, we needVAto read data when program inStarForcemodeImageBase: load address prioritize for PE fileSectionAlignment: linker of all Sections in memoryFileAlignment: linker of all Sections in fileSizeOfImage: size of PE image in memorySizeOfHeaders: size of all headers and section table
Get it from IMAGE_SECTION_HEADER which are containers of the actual data:
.text: Contains the executable code of the program..data: Contains the initialized data..bss: Contains uninitialized data..rdata: Contains read-only initialized data..edata: Contains the export tables..idata: Contains the import tables..reloc: Contains image relocation information..rsrc: Contains resources used by the program, these include images, icons or even embedded binaries..tls: (Thread Local Storage), provides storage for every executing thread of the program.
Located at the beginning of the .idata section, get it from IMAGE_IMPORT_DESCRIPTOR:
- OriginalFirstThunk: RVA of the ILT
- TimeDateStamp: A time date stamp, that’s initially set to 0 if not bound and set to 0-1 if bound
- ForwarderChain: The index of the first forwarder chain reference
- Name: An RVA of an ASCII string that contains the name of the imported DLL
- FirstThunk: RVA of the IAT
Using this simple CPP program to get information from PE file
Using command line: gcc pe.cpp -o pe.exe to build EXE file with GCC
Using this program with PowerShell or cmd: .\pe.exe <path/of/file>, then result will be similar like this:
Note: this script only read data of PE32+ file
It will display all information of PE file:
NT header- Pointer To EntryPoint
- CheckSum
- ImageBase
- FileAlignment
- SizeOfImage
Sections- Name section
- Characteristics
- RawSize
- VirtualAddress
- VirtualSize
Imports table- Name of Dll module & its name function
Program (C/C++) to insert into any EXE file a Message Box "You've got infected". After showing that Message Box, the program continues to run normally.
You write a program to insert a code into EXE file so that when running the modified EXE file, it will turn on the Message Box, after pressing the Ok button on that Message Box, the file continues to run as it was.
To do work:
- Open file to read and write
- Extract PE file information
- Find a suitably-sized code cave (create a new section
.inflect) - Tailor
shellcodeto the target application, using Metasploit framework - Acquire any additional data for the
shellcodeto function - Inject the
shellcodeinto the application - Modify the application's original entry point to the start
Using this simple CPP program to infect Message Box into EXE file
Using command line gcc messagebox.cpp -m32 -std=c++17 -lstdc++fs -o messagebox.exe to build EXE
Warning: after compiler built executable file, window defender will detect it is a Trojan, so you just allow it to run
Using this program with PowerShell or cmd: .\messagebox.exe <path/of/directory>, then all EXE file in target directory will be modified with Message Box. Opening modified application to see result as description
Note: this script only read data of PE32 file only
Analysis a sample and source code of LockBit ransomware on the internet and try to analyze it behaviors both static and dynamic way
Get details from document here
We need a sandbox environment using virtual machine to make sure hosting machine will be not affected by malware. Just download any window virtual machine from here or ISO file. In this case, FlareVM (Window Based Reverse Engineering and Malware Analysis Platform) is selected to main OS virtual machine. Using Host-only virtual network card to prevent threat of malware.
Using VMware (recommended) or Virtual Box. Configure virtual machine before analyzing malware, choose custom network card to make virtual network, often take snapshot for machine when get sample of malware
Note: should avoid performing malware analysis on any critical or sensitive machine and keep virtual machine software up-to-dated
Describe the process of analyzing the code or structure of a program to determine its function
Technique using for static analysis:
Antivirus toolsto confirm maliciousness- Known suspicious code (
file signatures) - Pattern-matching analysis (
heuristics)
- Known suspicious code (
Hashesto identify malware- Commonly used is
MD5orSHA-1 - Using hash as label, share to other to help them to identify malware
- Commonly used is
Gleaning informationfrom afile’s strings, functions, and headersFinding Strings: get hints from ASCII or Unicode format string of programPacked and Obfuscated Malware: this technique hide information of malwarePacking file: usingPEiD programto detect type of packer then unpack
Portable Executable File Format: PE files begin with a header that includes information about the code, the type of application, required library functions, and space requirements. -Linked LibrariesandFunctions:Importsare functions used by one program that are actually stored in a different programStatic, Runtime, and Dynamic Linking:Static linking: used in UNIX and Linux programs that all code from that library is copied into the executableRuntime linking: Executables that use runtime linking connect to libraries only when that function is needed- Two most commonly used are
LoadLibraryandGetProcAddress.LdrGetProcAddressandLdrLoadDllare also used. Dynamic linking: host OS searches for the necessary libraries when the program is loaded. UsingDependency Walkerto exportDynamic linking
Running Malware: focus on running the majority of malware, encounter (EXEs and DLLs). Using rundll32.exe to provide a cointainer for running a DLL. Malicious DLLs frequently run most of their code in DLLMain (called from the DLL entry point)
Monitoring with Process Monitor or procmon: monitor certain registry, file system, network, process, and thread activity
Viewing Processes with Process Explorer: provide valuable insight into the processes currently running on a system
Using Dependency Walker: determine whether a DLL is loaded into a process after load time, compare the DLL list in Process Explorer to the imports shown in Dependency Walker
Analyzing Malicious Documents: using Process Explorer to analyze malicious documents, such as
PDFs and Word documents.
Comparing Registry Snapshots with Regshot to get hint about alternative of window registry
Faking a Network: Malware often beacons out and eventually communicates with a command-and-control server so prevent malware from realizing virtual environment using ApateDNS or FakeNet then monitor with netcat
Packet Sniffing with Wireshark: intercepts and logs network traffic
Using INetSim: simulating common Internet services
The sample in this case is LockBit 3.0 ransomware - designed to block user access to computer systems in exchange for a ransom payment in 2019 and first-ever sample publication in 2022. Exploit Windows Defender to deploy Cobalt Strike, it tricks system to load malicious DLL (Dynamic-Link Library) - sideload method.
This use the encrypted Salsa-20 algorithm. During the encryption threads, memory containing the private key is protected with heavy use of RtlEncryptMemory and RtlDecyptMemory, which makes the private key available unencrypted in memory only for the time it is necessary.
Get sample for this case at here. Make sure safety environment is ready, then download it and unzip
Furthermore, get build file of LockBit Black at here and password for unzip is: !1C!Vk~1i!LW3LR|wgXHC, md5 hash of file: 7db3797ee09aedc1c6ec1389ab199493. After unzip file, we get below files:
Note: this repo storing this source are disabled, only use for educational purpose
Using DIE (Detect it easy) to find file type of malware
PE32 file using Microsoft Linker (14.12)[GUI32] and its import table includes:
gdi32.dll: contain functions for displaying and manipulating graphics- TextOutW
- SetTextColor
- SetPixel
- SelectObject
- GetTextMetricsW
USER32.dll: contain user-interface components- EndDialog
- GetDigItem
- GetDigItemTextW
- GetKeyNameTextW
- GetMessageW
- LoadMenuW
- DialogBoxParamW
- CreateWindowExW
- CreateDialogParamW
- GetClassNameW
KERNEL32.dll: contain core functionality- GetDateFormatW
- LoadLibraryExA
- GetTickCount
- GetProcAddress
- GetModuleHandleW
- GetLocateInfoW
- GetCommandLineA
- FormatMessageW
- GetLastError
Moreover, in string of file, it has string !This program cannot be run in DOS mode - meaning that current running Windows NASMon an MS-DOS (virtual) platform
Continue to use HashCalc to hash file:
This file has:
MD5hash:38745539b71cf201bb502437f891d799SHA1hash:f2a72bee623659d3ba16b365024020868246d901
Then go to website VirusTotal at host machine, find with hash, or see the result at here
We can see some useful details:
Find more details with any.run at here
Lock at config.json and build.bat first in source code, there are a lot of actions when malware run
Using ResourceHacker to look inside file build.exe, and description of each resource by its ID:
- 100: decryption template file
- 101: executable template file
- 103: DLL template file
- 106: DLL template file that enables reflective loading
Try to run build.bat to generate files in build folder:
DECRYPTION_ID.txt:used to uniquely identify a victimLB3.exe: compiled ransomware, which doesn’t require a passwordLB3Decryptor.exe: decryption for the ransomwareLB3_pass.exe: same as LB3.exe which require password and instructions inPassword_exe.txtLB3_RelectiveDLL_DLLMain.dllLB3_Rundll32.dll: DLL version of ransomware, not require passwordLB3_Rundll32_pass.dll: DLL version of ransomware, require password inPassword_dll.txtPassword_dll.txt: contain password and instructions for usingLB3_Rundll32_pass.dllPassword_exe.txt: contain password and instructions for usingLB3_pass.exepriv.key: private encryption key used to encrypt victim filespub.key: public encryption key used generate various strings that tie this instance of the ransomware to a victim
Fact of this malware: it uses Anti-debugging trick by loading/resolving a Windows DLL from its hash tables, which are based on ROT13 to conceal their internal functions calls and hide the
function calls and Windows APIs by using Stack String Obfuscation and simple XOR Encryption
Before first run, capture state with RegShot: compare state of registry before and after
Click to see below video
Following PDF file following in same folder. Using flag -pass when running file to decrypt the source code of LockBit and execute it on victim:
<Ransomware.exe> -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a
After running malware, it encrypts some files into <random>.HLJkNskOq and create multiple note HLJkNskOq.README.txt, see content here and wallpaper is changed
Overall, this malware will disable registry of Window Security to prevent its detection and a lot of registries are modifies, see more here.
Check the status of Window Security with command line: sc query WinDefend in cmd
Check results in ProcessMonitor
