# Patchwork
#### Stitching against malware families with IDA Pro
### Daniel Plohmann
### plohmann@cs.uni-bonn.de
-----
## Some words about myself
- Personal background: PhD student and researcher at University of Bonn & Fraunhofer FKIE
- Research focus: efficiency of reverse engineering
- Work focus: malware analysis and botnet mitigation
- Related projects:
  - [1] PyBox (python sandboxing toolkit)
  - [2] IDAscope (IDA Pro enhancements for malware RE)
-----
## Patchwork Motivation
-----
## Patchwork … in a nutshell
- Patchwork = refurbished (IDA)PyEmu [1] + set of convenience functions
- Work in progress
- Driving ideas:
  - Get away from the (throwaway-)snippets-per-case approach
  - A flexible framework that allows data transformations aiding static analysis
  - Sharing is caring!
-----
## Patchwork Wishlist
- Seamless integration with IDA
- Instrumentation of the analysis target's native code
- But don't actually run code (= no debugging, AppCall, PIN, …)
- Reusability / generalization
- Notable emulation solutions compatible with IDA:
  - [1] Ida-x86emu: standalone plugin, no extendability
  - [2] (IDA)PyEmu: python-based, fully scriptable
    - Outdated (state of 2009)
    - Incomplete (limited to the most common opcodes)
-----
## (IDA)PyEmu Workflow
- Pretty straight-forward :)
- Create context: allocate + fill virtual memory
- Set initial emulation state (stack / registers + EIP)
- Emulate step by step
- Proceed with modified state (algorithmic results, transformed memory)
-----
## Patchwork Workflow
[Workflow figure; only these fragments survived extraction:]
- … against … (with wildcards)
- Execute ResultCallbacks: arbitrary (IDA)python function taking advantage of earlier results
- Convenience functions for patching etc.
-----
## Patchwork Example: Nymaim
- Dropper / ransom malware family [1]
- Written in assembler, heavily obfuscated:
  - Control flow obfuscation (call/jmp redirection)
  - Obfuscated stack/register usage (delegated to subfunction)
  - Obfuscated stack usage (introduction of many irrelevant fields)
  - Hashed API calls
-----
## Patchwork Example: Nymaim (Control Flow Obfuscation)
[Annotated disassembly of the detour function; recovered labels:]
- Arg_0: Displacement offset part 0 (0x4F4AD544)
- Arg_4: Displacement offset part 1 (0xB0B48F89)
- Arg_8: Placeholder for original return address
- Function prologue
- Save original return address
- Calculate displacement
- Apply displacement to return address
- Clean up and detour to displaced return address
-----
## Patchwork Example: Nymaim (Deobfuscation)
Select:

```python
# Match the two pushed dwords followed by a call. The named-group identifiers
# were lost in extraction; "part0" / "part1" are placeholders, not the original names.
push_push_call_regex = (
    r"\x68(?P<part0>[\S\s]{4})"
    r"\x68(?P<part1>[\S\s]{4})"
    r"\xE8"
)
```

Emulate: until the first ret / retn instruction.
-----
## Patchwork Example: Nymaim (Deobfuscation)
Validate:

```python
# Expected instruction trace of a call detour; the empty string is a wildcard.
# Only this validator is shown on the slide; the closing brace is added.
ppc_validators = {
    "call_detour": [
        'push dword',
        'push dword',
        'push ebp',
        'mov ebp,esp',
        'push eax',
        'mov eax,[ebp+0x4]',
        'mov [ebp+0x10],eax',
        'mov eax,[ebp+0xc]',
        '',  # contains the operand -> add, sub, xor
        'add [ebp+0x4],eax',
        'pop eax',
        'leave'],
}
```
-----
## Patchwork Example: Nymaim (Deobfuscation)
Transform:

```python
import struct


def _deobfuscate_call_detour(self, validation):
    # start of the matched push / push / call sequence
    obf_start_addr = validation.selection.selectionOffset
    # cbResult is where the detour finally "returns" to, i.e. the real call target;
    # the new call sits 10 bytes in (after the two 5-byte pushes) and is 5 bytes long
    call_offset = validation.emulation.cbResult - (obf_start_addr + 10 + 5)
    # 10 nops + direct call keep the sequence 15 bytes long, so nothing else shifts
    deobf_call = "\x90" * 10 + "\xE8" + struct.pack("I", call_offset & 0xffffffff)
    ida_lib.patch_bytes(obf_start_addr, deobf_call)
    self.updateCallXref(obf_start_addr + 10, validation.emulation.cbResult)
```
-----
## Patchwork Example: Nymaim (Deobfuscation)
Applying all deobfuscations:
- ~2 min run time
- 4443 transformations
- Function recognition: 463 -> 920
- Crypted strings / functions: before vs. after (figure)
-----
## Patchwork Future plans
- Extend PyEmu:
  - Change disassembly engine to IDA / capstone
  - Increase coverage of opcodes
- Looking at more use cases:
  - Import reconstruction
  - Memory usage analysis (deobfuscate Nymaim's blown-up stack)
  - KINS BaseConfig (VM-based) decryption / patch
-----
## Patchwork Conclusion
- Give it a try :)
- Repository at http://patchwork.pnx.tf (points to: https://bitbucket.org/daniel_plohmann/idapatchwork)
- Send feedback or ideas for improvement! patchwork@pnx.tf / plohmann@cs.uni-bonn.de
-----
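A worked version of the Nymaim call-detour deobfuscation described in the slides, added here as an example; it is neither Patchwork's code nor part of the deck. It runs the same four stages (select by regex, emulate until the first retn, validate the instruction trace against a wildcard list, transform into nops + a direct call) over a constructed 32-bit image that contains a hand-assembled detour stub. Everything not on the slides is assumed: the image and its addresses (BASE, STUB, TARGET), the regex group names, the MiniEmu class that understands only the dozen opcodes the stub uses, the `call` and `retn` entries in the trace list (the slide's validator stops at `leave`), and the `add` used to combine the two displacement parts (the wildcard also admits `sub` and `xor`).

```python
import re
import struct

MASK = 0xFFFFFFFF
BASE = 0x401000                            # assumed load address of the constructed image
STUB, TARGET = BASE + 0x100, BASE + 0x200  # constructed detour stub / real call target
RET = BASE + 15                            # return address of the obfuscated push/push/call (5+5+5 bytes)
PART0 = 0x4F4AD544                         # first immediate (value taken from the slide)
PART1 = (TARGET - RET - PART0) & MASK      # second immediate, chosen so PART0 + PART1 == displacement
ALU = {0x03: ("add", lambda a, b: a + b), 0x2B: ("sub", lambda a, b: a - b), 0x33: ("xor", lambda a, b: a ^ b)}
p32 = lambda v: struct.pack("<I", v & MASK)
u32 = lambda b: struct.unpack("<I", b)[0]
# Select: the slide's push_push_call_regex (group names were lost in extraction; assumed here).
PUSH_PUSH_CALL = re.compile(rb"\x68(?P<part0>[\S\s]{4})\x68(?P<part1>[\S\s]{4})\xE8")
# Validate: expected instruction trace; '' is a wildcard for the add/sub/xor combining the parts.
CALL_DETOUR = ["push dword", "push dword", "call", "push ebp", "mov ebp,esp", "push eax",
               "mov eax,[ebp+0x4]", "mov [ebp+0x10],eax", "mov eax,[ebp+0xc]", "",
               "add [ebp+0x4],eax", "pop eax", "leave", "retn"]


def build_image():
    """Constructed sample: obfuscated call at BASE, detour stub at STUB, real target at TARGET."""
    img = bytearray(b"\xCC" * 0x210)
    img[0:15] = b"\x68" + p32(PART0) + b"\x68" + p32(PART1) + b"\xE8" + p32(STUB - RET)
    stub = (b"\x55\x8B\xEC\x50\x8B\x45\x04\x89\x45\x10"  # push ebp / mov ebp,esp / push eax / save original return address in [ebp+0x10]
            b"\x8B\x45\x0C\x03\x45\x08\x01\x45\x04"      # eax = part0 + part1 / add displacement to the return address
            b"\x58\xC9\xC2\x08\x00")                     # pop eax / leave / retn 8: "return" into the displaced address
    img[STUB - BASE:STUB - BASE + len(stub)] = stub
    img[TARGET - BASE] = 0xC3                            # the real target just returns
    return img


class MiniEmu:  # just enough x86 to run the detour: eax/ebp/esp/eip plus a dword-granular stack
    def __init__(self, image, base, esp=0x7FFF0000):
        self.image, self.base, self.stack, self.trace = image, base, {}, []
        self.eax, self.ebp, self.esp, self.eip = 0, 0, esp, 0
        self.push(0)                     # the caller's placeholder slot the stub overwrites ([ebp+0x10])
    def rd(self, a): return self.stack.get(a, 0)
    def wr(self, a, v): self.stack[a] = v & MASK
    def push(self, v): self.esp -= 4; self.wr(self.esp, v)
    def pop(self): self.esp += 4; return self.rd(self.esp - 4)

    def run(self, start, budget=64):     # emulate from start until the first retn; eip then holds the target
        self.eip = start
        while not self.step() and budget:
            budget -= 1
        return self

    def step(self):                      # execute one instruction, record its mnemonic, True after retn
        b = bytes(self.image[self.eip - self.base:self.eip - self.base + 6])
        op, disp = b[0], b[2]
        mem, ebp_disp8 = self.ebp + disp, b[1] == 0x45      # [ebp+disp8] operand form
        if op == 0x68:                                       # push imm32
            self.push(u32(b[1:5])); name, size = "push dword", 5
        elif op == 0xE8:                                     # call rel32
            self.push(self.eip + 5); name, size = "call", 0
            self.eip = (self.eip + 5 + struct.unpack("<i", b[1:5])[0]) & MASK
        elif op == 0x55:                                     # push ebp
            self.push(self.ebp); name, size = "push ebp", 1
        elif b[:2] == b"\x8B\xEC":                           # mov ebp,esp
            self.ebp = self.esp; name, size = "mov ebp,esp", 2
        elif op == 0x50:                                     # push eax
            self.push(self.eax); name, size = "push eax", 1
        elif op == 0x58:                                     # pop eax
            self.eax = self.pop(); name, size = "pop eax", 1
        elif ebp_disp8 and op == 0x8B:                       # mov eax,[ebp+disp8]
            self.eax = self.rd(mem); name, size = "mov eax,[ebp+0x%x]" % disp, 3
        elif ebp_disp8 and op == 0x89:                       # mov [ebp+disp8],eax
            self.wr(mem, self.eax); name, size = "mov [ebp+0x%x],eax" % disp, 3
        elif ebp_disp8 and op == 0x01:                       # add [ebp+disp8],eax
            self.wr(mem, self.rd(mem) + self.eax); name, size = "add [ebp+0x%x],eax" % disp, 3
        elif ebp_disp8 and op in ALU:                        # add/sub/xor eax,[ebp+disp8]
            self.eax = ALU[op][1](self.eax, self.rd(mem)) & MASK
            name, size = "%s eax,[ebp+0x%x]" % (ALU[op][0], disp), 3
        elif op == 0xC9:                                     # leave
            self.esp = self.ebp; self.ebp = self.pop(); name, size = "leave", 1
        elif op == 0xC2:                                     # retn imm16
            self.eip = self.pop(); name, size = "retn", 0
            self.esp += struct.unpack("<H", b[1:3])[0]
        else:
            raise NotImplementedError("opcode %02x at 0x%x" % (op, self.eip))
        self.trace.append(name)
        self.eip += size
        return name == "retn"


def validate(trace, pattern):            # '' in the pattern matches any instruction
    return len(trace) == len(pattern) and all(p in ("", t) for p, t in zip(pattern, trace))


def transform(image, base, start, target):   # 15-byte push/push/call -> 10 nops + direct call
    image[start - base:start - base + 15] = b"\x90" * 10 + b"\xE8" + p32(target - (start + 10 + 5))


def deobfuscate(image, base):            # select -> emulate -> validate -> transform; [(start, target)]
    fixed = []
    for m in PUSH_PUSH_CALL.finditer(bytes(image)):
        start = base + m.start()
        try:
            emu = MiniEmu(image, base).run(start)
        except NotImplementedError:      # the regex matched something the emulator cannot follow
            continue
        if validate(emu.trace, CALL_DETOUR):
            transform(image, base, start, emu.eip)
            fixed.append((start, emu.eip))
    return fixed
```

`deobfuscate(build_image(), BASE)` returns `[(0x401000, 0x401200)]` and leaves ten `90` bytes followed by `E8 F1 01 00 00` at the start of the image; a second pass finds nothing left to select. The placeholder slot is what makes the patch semantically safe: after the stub's `retn 8` the stack top holds the original return address, so the real target returns exactly where a plain `call` would have, and the 10-nop pad keeps every other offset in the function unchanged. The tenth trace entry is the wildcard position, so a sample that mixes the two parts with `sub` or `xor` validates just the same, while a push/push/call into a genuine function (no detour) fails validation or hits an opcode the emulator does not know and is skipped rather than patched.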