Types and Hungarian Notation
- Windows API uses its own names to represent C types. For example, DWORD and WORD type represent 32-bit and 16-bit unsigned integers, Standard C types like int, short and unsigned int are not normally used.
- Windows uses Hungarian Notation for API function identifiers. Prefix + Var_name. For example, "dwSize".
Handles:
Handles are items that have been opened or created in the OS. like window, process, module, menu, file. Like pointers in that they refer an object location in the memory.
Unlike pointers tho, handles cannot be used in arithmetic operations, and they do not always represent the object's address.
The only thing you can do with a handle is store it and use it in a later function call to refer to the same object.
File System Functions
-
CreateFile(dwCreationDisposition)- the parameter controls whether the CreateFile function create a new file or open a existing one.
-
ReadFile and WriteFile.
-
CreateFileMapping and MapViewOfFile
- File mapping are used to allow a file to be loaded into memory and manipulated easily.
- CreateFileMapping loads a file into memory from disk
- MapViewOfFile returns a pointer to the base address of th emapping, which can be used to access the file in memory.
The program using these functions can easily load a file into memory and read and write anywhere in the file. it is handy when parsing a file format, because you can easily jump to different memory addresses.
File mappings are commonly used to replicate the functionality of the Windows loader. After obtaining a map of the file, the malware can parse the PE header and make all necessary changes to the file in memory, thereby causing the PE file to be executed as if it had been loaded by the OS loader.
Special files
-
Shared Files.
- \\ServerNme\share or \\?\serverName\share (SMB), the \\?\ is prefix that tells OS to disable all string parsing, and it allows access to longer filenames.
-
File Accessible via Namespaces.
- Namespaces can be thought of as a fixed number of folders, each storing different types of objects. lowest level namespace is NT namespace with the prefix \.
- \\.\**** can be used to access the physical devices directly.
-
Alternate Data Streams
- ADS features allows addiontial data to be added to an existing file within NTFS, adding one file to another. Only visible when you access the stream.
- Naming convention normalFile.txt:Stream:Data. Which allows a program to read and write to a stream.
Windows Registry
The Windows registry is used to store OS and program configuration information, such as settings and options. Like the file system, it is a good source of host-based indicators and can reveal useful information about the malware’s functionality.
- Obviously, malware can use it for persistence. Adds entries into the registry that will allow it to run autoamtically on boot.
Key terms:
Common Resitry Functions.
Malware usually will utilize these functions to edit the reg keys.
Berkeley Compatible Sockets
almost identical on Windows and UNIX system.
Berkeley compatible sockets’ network functionality in Windows is implemented in the Winsock libraries, primarily in ws2_32.dll. Of these, the socket, connect, bind, listen, accept, send, and recv functions are the most common, and these are described in Table 7-2.
The WinINet API
there is a higher-level API called the WinINet API. The WinINet API functions are stored in Wininet.dll. If a program imports functions from this DLL, it’s using higher-level networking APIs.
The WinINet API implements protocols, such as HTTP and FTP, at the application layer. You can gain an understanding of what malware is doing based on the connections that it opens.
- InternetOpen is used to initialize a connection to the Internet.
- InternetOpenUrl is used to connect to a URL (which can be an HTTP page or an FTP resource)
- InternetReadFile works much like the ReadFile function, allowing the program to read the data from a file downloaded from the Internet.
Advantage of using DLL over Static Libs.
- DLL's memory can be shared among running processes.
- DLLs are common to find on normal host Windows system. no need to redistirubte them.
Malware Authors Use DLLs
- Store code in DLL to hop over into another process. becuase 1 process only allows 1 .exe file.
- Windows DLL to interact with OS.
- Using third-party DLLs. Fx: using Mozilla Firefox DLL to connect back to a server. Rather than using Windows API.
Basic DLL structure
- a lot like .exe.
- PE file format.
- single flag indicates that the file is a DLL and not a .exe
- DLLs often has more exports, fewer imports.
- DLLMain is the entry, no label and not an export. DLLMain is specified in PE header as the file's entry point. DLLMain is called when there is a process loads the DLL or unloads it. Create new threads and finishes an existing thread.
Processes
- Each process manages its own resource, such as open handles nad memory. A process contains one or more threads that are executed by the CPU.
- malware has consistes of its own independent process. but newer malwares are likely to executes its code as part of another process
Processes can share memory addresses, and they often do. For example, if one process stores something at memory address 0x00400000, another can store something at that address, and the processes will not conflict. The addresses are the same, but the physical memory that stores the data is not the same.
Example of creating a remote shell.
Malware will often create a new process by storing one program inside another in the resource section. In Chapter 1, we discuss how the resource section of the PE file can store any file. Malware will sometimes store another executable in the resource section.
Threads
when one thread is running. it has complte control of the CPU or CPU core.the others cannot affect the state of the CPU(registers).
Before it switches to another thread, it will save all registers values in a structure called Thread Context. The OS then loads the thread context of a new thread into the CPU and executes the new thread.
- CreateThread. Thread at START function. in order to analyze further.
- The caller can speicify where the thread starts and a single parameter to be passed to the start function.
Malware can use CreateThread to load a new malicious library into a process, with CreateThread called and the address of LoadLibrary specified as the start address.
CreateThread function (processthreadsapi.h) - Win32 apps
- Malware can create 2 threads, one to listen for inputs and pipe into the malware.exe, and another one is to read the output from malware.exe and send it to socket or pipe. Ex;
Note: ThreadFunction1:
Note: ThreadFunction2
In addition to threads, Microsoft systems use fibers. Fibers are like threads, but are managed by a thread, rather than by the OS. Fibers share a single thread context.
Interprocess Coordination with Mutexes.
Mutex, Mutants.
In kernel conditions. Mutexes are global objects that coordinate multiple processes and threads. Mutexes are mainly used to control access to shared resources. For example, 2 Threads must access a memory structure, but only one can safely access it at a time. a mutex can be used to control access. Java.Lock.
- only 1 Thread can own a mutex at a time. Mutexes are often in a hard-coded format in malware analysis, which leads to a host-based indicator. Because it has to keep consistency if it is used by two processes that aren't communicating in any other way.
- Thread gains access to the mutex with a call to WaitForSingleObject. When it finished using a mutex, it uses the ReleaseMutex function.
CreateMutex. One process can get a handle to another process's mutex by using the OpenMutex. Malware will commonly create a mutex and attempt to open an existing mutex with the same name to ensure that only one version of malware is running at a time.
Services
windows services. allows task to run without their own processes or threads by using services that runs as background applications.
—Windows Service Manager.
Windows Services can be installed and manipulated via a few Windows API functions.
- OpenSCManager. Returns a handle to the service control manager.
- CreateService. Adds a new service to the service control manager.
- StartService. StartService.
Service Types:
- WIN32_SHARE_PROCESS: stores the code for the service in a DLL, and combines serval different services in a single, shared process.. svchost.exe
- WIN32_OWN_PROCESS: stores code in an .exe file and runs as an independent process
- KERNAL_DRIVER: which is used for loading code into the kernel. more details in chapter 10
Each service on a local machine is stored in the registry. Subkey under HKLM\SYSTEM\CurrentControlSet\Services.
COM- Microsoft Component Object Model
COM that makes it possible for different software componenets to call each other's code without knowledge of specifics about each othe
- COM use an object construct that works well with object-orientaed programing languages.
- Client-Server mode with COM and Programs. Programs are the client making use of COM objects. and the servers are the reusable software components.
- EACH thread that use COM must call the OleInitialize or CoInitializeEX funct ion at least once prior to calling any other COM lib functions.
COM objects are accessed via GUIDS(globally unique identifiers) known as class identifiers(CLSIDs) and interface identifiers(IIDs).
Accessing the COM
CoCreateInstance is used to get access to COM functionality. EX. function Navigate which allows a program to launch IE and access a web address. The Navigate is part of IWebBroser2 Interface. But does not specify which program will provide that functionality. The function is coming from the interface IWebBrowser2 by COM class implemented in the program.
The interface IWebBroswer2 is identified with a GUID called IID. and classes are identified with a GUID called CLSID.
WALKTHRU:
malware.exe (CoCreateInstance) → accepts CLSID and IID of the object malware is requesting → OS searching for the class info and loads the program that will perform the function.(IE.exe) → IF the program isn't already running. (CoCreateInstance) class returns a pointer that points to a structure that contains function pointers. → supply that pointer address of the function to COM server.
Kernel vs. User Mode
nearly all code runs in user mode. Except the OS and hardware drivers. which runs in kernel mode.
Call windows API to manipulate kernel structures. SYSENTER, SYSCALL, or INT 0x2E. indicates that a call is being made into the kernel.
Native API
There are a series of Native API calls that can be used to get information about the system, processes, threads, handles, and other items. These include NtQuerySystemInformation, NtQueryInformationProcess, NtQueryInformationThread, NtQueryInformationFile, and NtQueryInformationKey. These calls provide much more detailed information than any available Win32 calls, and some of these functions allow you to set fine-grained attributes for files, processes, threads, and so on.
- NtContiune; return after expection. which can be manipulated.
We covered several functions that start with the prefix Nt. In some instances, such as in the export tables of ntdll.dll, the same function can have either the Nt prefix or the Zw prefix. For example, there is an NtReadFile function and a ZwReadFile function. In the user space, these functions behave in exactly the same way, and usually call the exact same code. There are sometimes minor differences when called from kernel mode, but those differences can be safely ignored by the malware analyst.