ANALYZING MALICIOUS WINDOWS PROGRAMS

Windows APIs:

Windows APIs are so powerful that windows programmers will merely use third-party libraries.

• Types and Hungarian Notation

  1. Windows API uses its own names to represent C types. For example, DWORD and WORD type represent 32-bit and 16-bit unsigned integers, Standard C types like int, short and unsigned int are not normally used.
  2. Windows uses Hungarian Notation for API function identifiers. Prefix + Var_name. For example, "dwSize".

  Type and prefix

  Handles:

  Handles are items that have been opened or created in the OS. like window, process, module, menu, file. Like pointers in that they refer an object location in the memory.

  Unlike pointers tho, handles cannot be used in arithmetic operations, and they do not always represent the object's address.

  The only thing you can do with a handle is store it and use it in a later function call to refer to the same object.

  ---

  File System Functions

  • CreateFile(dwCreationDisposition)- the parameter controls whether the CreateFile function create a new file or open a existing one.

  • ReadFile and WriteFile.

  • CreateFileMapping and MapViewOfFile

    • File mapping are used to allow a file to be loaded into memory and manipulated easily.
    • CreateFileMapping loads a file into memory from disk
    • MapViewOfFile returns a pointer to the base address of th emapping, which can be used to access the file in memory.

    The program using these functions can easily load a file into memory and read and write anywhere in the file. it is handy when parsing a file format, because you can easily jump to different memory addresses.

    File mappings are commonly used to replicate the functionality of the Windows loader. After obtaining a map of the file, the malware can parse the PE header and make all necessary changes to the file in memory, thereby causing the PE file to be executed as if it had been loaded by the OS loader.

    ---

    Special files

    • Shared Files.

      • \\ServerNme\share or \\?\serverName\share (SMB), the \\?\ is prefix that tells OS to disable all string parsing, and it allows access to longer filenames.

    • File Accessible via Namespaces.

      • Namespaces can be thought of as a fixed number of folders, each storing different types of objects. lowest level namespace is NT namespace with the prefix \.
      • \\.\**** can be used to access the physical devices directly.

    • Alternate Data Streams

      • ADS features allows addiontial data to be added to an existing file within NTFS, adding one file to another. Only visible when you access the stream.
      • Naming convention normalFile.txt:Stream:Data. Which allows a program to read and write to a stream.

      ---

    Windows Registry

    The Windows registry is used to store OS and program configuration information, such as settings and options. Like the file system, it is a good source of host-based indicators and can reveal useful information about the malware’s functionality.

    • Obviously, malware can use it for persistence. Adds entries into the registry that will allow it to run autoamtically on boot.

    Key terms:

    Key Terms

    Registry Root Keys

    Common Resitry Functions.

    Malware usually will utilize these functions to edit the reg keys.

    Reg Functions

    Berkeley Compatible Sockets

    almost identical on Windows and UNIX system.

    Berkeley compatible sockets’ network functionality in Windows is implemented in the Winsock libraries, primarily in ws2_32.dll. Of these, the socket, connect, bind, listen, accept, send, and recv functions are the most common, and these are described in Table 7-2.

    ---

    

    The WinINet API

    there is a higher-level API called the WinINet API. The WinINet API functions are stored in Wininet.dll. If a program imports functions from this DLL, it’s using higher-level networking APIs.

    The WinINet API implements protocols, such as HTTP and FTP, at the application layer. You can gain an understanding of what malware is doing based on the connections that it opens.

    •  InternetOpen is used to initialize a connection to the Internet.
    • InternetOpenUrl is used to connect to a URL (which can be an HTTP page or an FTP resource)
    • InternetReadFile works much like the ReadFile function, allowing the program to read the data from a file downloaded from the Internet.

    Advantage of using DLL over Static Libs.

    • DLL's memory can be shared among running processes.
    • DLLs are common to find on normal host Windows system. no need to redistirubte them.

    Malware Authors Use DLLs

    • Store code in DLL to hop over into another process. becuase 1 process only allows 1 .exe file.
    • Windows DLL to interact with OS.
    • Using third-party DLLs. Fx: using Mozilla Firefox DLL to connect back to a server. Rather than using Windows API.

    Basic DLL structure

    • a lot like .exe.
    • PE file format.
    • single flag indicates that the file is a DLL and not a .exe
    • DLLs often has more exports, fewer imports.
    • DLLMain is the entry, no label and not an export. DLLMain is specified in PE header as the file's entry point. DLLMain is called when there is a process loads the DLL or unloads it. Create new threads and finishes an existing thread.

    Processes

    • Each process manages its own resource, such as open handles nad memory. A process contains one or more threads that are executed by the CPU.
    • malware has consistes of its own independent process. but newer malwares are likely to executes its code as part of another process

    Processes can share memory addresses, and they often do. For example, if one process stores something at memory address 0x00400000, another can store something at that address, and the processes will not conflict. The addresses are the same, but the physical memory that stores the data is not the same.

    Example of creating a remote shell.

    

    Malware will often create a new process by storing one program inside another in the resource section. In Chapter 1, we discuss how the resource section of the PE file can store any file. Malware will sometimes store another executable in the resource section.

    ---

    Threads

    when one thread is running. it has complte control of the CPU or CPU core.the others cannot affect the state of the CPU(registers).

    Before it switches to another thread, it will save all registers values in a structure called Thread Context. The OS then loads the thread context of a new thread into the CPU and executes the new thread.

    • CreateThread. Thread at START function. in order to analyze further.
    • The caller can speicify where the thread starts and a single parameter to be passed to the start function.

    Malware can use CreateThread to load a new malicious library into a process, with CreateThread called and the address of LoadLibrary specified as the start address.

    CreateThread function (processthreadsapi.h) - Win32 apps

    

    2. Malware can create 2 threads, one to listen for inputs and pipe into the malware.exe, and another one is to read the output from malware.exe and send it to socket or pipe. Ex;

    

    Note: ThreadFunction1:

    

    Note: ThreadFunction2