![]() ![]()
The entry point of a driver is responsible for setting up passive callback routines that will service user mode I/O requests as well as callbacks used for device addition, removal, and unloading. Speakeasy will then begin emulating the malware’s DriverEntry function. Figure 1: Command line used to emulate the malicious driver This is useful for detecting things like hooking and direct kernel object manipulation (DKOM). We supply the memory tracing flag (“-m”) which will log all memory reads and writes performed by the malware. #Ida hide debugger fullWe instruct Speakeasy to create a full memory dump (using the “-d” flag) so we can acquire memory later. To start, we will instruct Speakeasy to emulate the kernel driver using the command line shown in Figure 1. #Ida hide debugger PatchNote: many techniques employed by this 32-bit rootkit will not work on modern 64-bit versions of Windows due to Kernel Patch Protection (PatchGuard) which protects against modification of critical kernel data structures. For most of this post, we will be examining the emulation report generated by Speakeasy. The Winnti sample we will be analyzing has SHA256 hash c465238c9da9c5ea5994fe9faf1b5835767210132db0ce9a79cb1195851a36fb and the original file name tcprelay.sys. Rather, we will focus on the events that are captured during emulation. The goal of this post is not to discuss the analysis of the malware itself as it is fairly antiquated. This sample was chosen despite its age because it transparently implements some classic rootkit functionality. ![]() In this blog post, we will show an example of Speakeasy’s effectiveness at emulating a real kernel mode implant family publicly named Winnti. #Ida hide debugger codeAdditionally, any system threads or work items that are created are sequentially emulated in order to get as much code coverage as possible. Speakeasy will attempt to emulate each of these functions after the main entry point has completed by supplying a dummy IRP. A driver’s DriverMain entry point is responsible for initializing a function dispatch table that is called to handle I/O requests. As we discussed in the first Speakeasy blog post, additional entry points are emulated as they are discovered. Using emulation, these entry points can be called directly with doped IRP packets in order to identify as much functionality as possible in the rootkit. This includes common tasks such as reading, writing, or sending device I/O control (IOCTLs) to a driver to execute some type of functionality. On a normal Windows system these routines are executed when other applications or devices send input/output requests to the driver. Often, rootkits may expose malicious functionality via I/O request packet (IRP) handlers (or other callbacks). In addition, maximum code coverage is easier to achieve than in a sandbox environment. #Ida hide debugger driversNo custom setup is required, and drivers can be emulated at scale. Driver EmulationĮmulation has proven to be an effective analysis technique for malicious drivers. ![]() Having similar sandbox monitoring work for kernel mode code would require deep system level hooks that would likely produce significant noise. Several sandbox style applications exist that use hooking or other monitoring techniques but typically target user mode applications. The malware can then be loaded as an on-demand kernel service where the driver can be debugged remotely with a tool such as WinDbg. This usually involves setting up two separate virtual machines as debugger and debugee. In order to debug kernel malware, a proper environment needs to be created. If our goal is to automatically analyze many variants of the same malware family, it makes sense to dynamically analyze malicious driver samples.ĭynamic analysis of kernel mode malware can be more involved than with user mode samples. ![]() Additionally, static analysis is often expensive and time consuming. However, binary packers just as easily obfuscate kernel malware as they do user mode samples. Ideally, a kernel mode sample can be reversed statically using tools such as disassemblers. Challenges With Dynamically Analyzing Kernel Malware The malware most often doesn’t interact with hardware and instead leverages kernel mode to fully compromise the system and remain hidden. When malware authors employ kernel mode malware, it will often be in the form of a device driver whose end goal is total compromise of an infected system. In addition to user mode emulation, Speakeasy also supports emulation of kernel mode Windows binaries. If you haven’t had a chance, give the post a read today. In August 2020, we released a blog post about how the Speakeasy emulation framework can be used to emulate user mode malware such as shellcode. Create a Free Mandiant Advantage Account. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |