Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: Lab 13-2 Solutions
Next: Lab 14-1 Solutions

and connect out on TCP port 8910 to that host. We use Netcat to send some content over the connection, and see the malware respond with some random content, but not with any recognizable strings. If we then terminate the socket from the Netcat side, we see a message like this:

summarizes how we rename the IDA Pro function names.

refers to Rijndael, the original name of the AES cipher. After looking at the cross-references, it is clear that s_xor2 and s_xor4 are connected with the encryption constants (_TeX), and s_xor3 and s_xor5 are connected with the decryption constants (_TdX).

The PEiD KANAL plug-in reveals AES constants in a similar location. shows the output of the PEiD tool. PEiD’s identification of S and S-inv refers to the S-box structures that are a basic component of some cryptographic algorithms.

, we see a string starting at 0x004120A4 that contains all 64 Base64 characters:

contains the xor instruction at that shows that s_xor6 is being used for XOR encoding. The variable arg_0 is a pointer to a source buffer that is being transformed, and arg_4 points to the buffer providing the XOR material. As the loop is followed, pointers to the two buffers (arg_0 and arg_4), as well as the counter var_4, are updated as shown by the three references at .

To determine if s_xor6 is related to the other encoding functions, we examine its cross-references. The function that calls s_xor6 starts at 0x0040352D. shows a graph of the function cross-references from 0x0040352D.

). Examining the references to the string CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/, we learn that this string is in the function at 0x0040103F. This function does the indexed lookup into the string, and the calling function (at 0x00401082) divides the string to be decoded into 4-byte chunks. The function at 0x00401082 then is the custom Base64 decode function, and we can see in the function that calls it (0x0040147C) that the decode function lies in between a ReadFile and a WriteFile. This is the same pattern we saw for the use of AES, but in a different function.

Before we can decrypt content, we need to determine the connection between the content and encoding algorithm. As we know, the AES encryption function is used by the function starting at 0x0040132B. Looking at the function that calls the function at 0x0040132B in , we see that 0x0040132B is the start of a new thread created with the CreateThread shown at , so we rename 0x0040132B to aes_thread.

shows select portions of aes_thread with calls to ReadFile and WriteFile, and the origin of the handles passed to those functions.

at . The value pushed for WriteFile in at can be mapped back to var_54/arg_10, as shown in at .

shows a custom script for decrypting modified Base64 implementations.

is a generic script that can be repurposed for any custom Base64 implementation by redefining the tab variable.

Using this script, we translate the string to see what command was sent to the command shell. The output in shows that the attacker is sending a request for a directory listing (dir).
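As an added example (not the book's own script), the following Python decoder handles the modified alphabet found at 0x004120A4 and, like the lab's script, can be repurposed for any other custom Base64 variant by redefining `tab`. The encoder is included only so that test vectors can be built; the constant names are the example's own.

```python
import base64

# Custom alphabet recovered from the binary (quoted in the lab text).
CUSTOM_TAB = "CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/"
# Standard RFC 4648 alphabet, used as the translation target.
STD_TAB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def custom_b64decode(data: str, tab: str = CUSTOM_TAB) -> bytes:
    """Decode Base64 text produced with the non-standard alphabet `tab`.

    Each character is mapped back to the standard alphabet, then the
    standard library does the 4-byte-chunk decoding. Padding '=' is
    passed through unchanged, and missing padding is restored.
    """
    if len(tab) != 64 or len(set(tab)) != 64:
        raise ValueError("tab must contain 64 unique characters")
    trans = str.maketrans(tab, STD_TAB)
    # Drop anything outside the alphabet (whitespace, line breaks).
    cleaned = "".join(ch for ch in data if ch in tab or ch == "=")
    cleaned += "=" * (-len(cleaned.rstrip("=")) % 4) if "=" not in cleaned else ""
    return base64.b64decode(cleaned.translate(trans))


def custom_b64encode(raw: bytes, tab: str = CUSTOM_TAB) -> str:
    """Inverse of custom_b64decode, used here only to build test vectors."""
    trans = str.maketrans(STD_TAB, tab)
    return base64.b64encode(raw).decode("ascii").translate(trans)


if __name__ == "__main__":
    # Constructed sample: the attacker's 'dir' command in the custom alphabet.
    print(custom_b64decode("BIna"))
```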

, we can decrypt the content.

. The raw.replace function at removes the spaces from the raw string, and the binascii.unhexlify function turns the hex representation into a binary string. The AES.new call at creates a new AES object with the appropriate password and mode of operation, which allows for the following decrypt call at .

The output of the AES script is shown in . Note that this captured content was simply a command prompt.

, but there are many potential pitfalls when trying to implement decryption routines directly, including the following:

  • Block cryptography algorithms have many possible modes of operation, such as Electronic Code Book (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (CFB). Each mode requires a different set of steps between the encoding or decoding of each block, and some require an initialization vector in addition to a password. If you don’t match the implementation used, decryption may work only partially or not at all.

  • In this lab, the key was provided directly. A given implementation may have its own technique for generating a key given a user-provided or string-based password. In such cases, the key-generation algorithm will need to be identified and duplicated separately.

  • Within a standard algorithm, there may be options that must be specified correctly. For example, a single encryption algorithm may allow multiple key sizes, block sizes, rounds of encryption or decryption, and padding strategies.


© RuTLib.com 2015-2018