Upload
bordeaux-i
View
97
Download
0
Embed Size (px)
Citation preview
BE-PUM: Binary Emulation for Pushdown Model Generation
Obfuscation code localizationbased on CFG generation of malware
Nguyen Minh HaiIndustrial University of Ho Chi Minh City (IUH)
with Quan Thanh Tho, Ho Chi Minh City University of Technology (HMCUT) , in
Collaboration with Mizuhito Ogawa (JAIST)
January 2016
BE-PUM• Binary Emulation for Pushdown Model Generation
• Key features: Generate model (CFG) from binary code of malwareShow better results compared with many other tools, e.g.
IDA Pro, Jakstab, Hooper...Tackle many obfuscation techniques and successfully
unpack many packers (27 different packers) Generic Unpacker for Model Generation of MalwareDetect packer by semantic signature (recognizing packer
techniques) Sematic Signature Matching for Packer Detection
1
Agenda
1.Motivation2.BE-PUM3.Experiments4.Conclusions5.Demo
2
Malwares
• Malware (malicious software) – a real threatVirusTrojan horseKeylogger
• How to dealSignature detection (Industry approach)Emulation (Sandbox approach)Model checking (Formal approach)
3
Issues
• Signature-based = Failed by obfuscation techniques
• Sandbox-basedHeavy costVirus may have different behaviors (at different
time points) Virus may even detect sandbox environment
• Model CheckingModel GenerationModel Checking
4
Model Checking Outline
Model GenerationModel
Checking
5
Typical approach• Control Flow Graph (CFG) is generated as the
modelOne program location is mapped a nodeDecide all of destinations when branching
• Things are more difficult with sophisticated binaries:Self-modification code (Encryption/Decryption)Indirect jumpMany other obfuscation techniques
6
Control Flow Graph
• Choices of many tools (CodeSurfer/x86, McVeto, JakStab, BIRD, Renovo, Syman, BINCOA/OSMOSE, IDA Pro)
Hexa Instructions 0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d
0x00401005 mov eax, 0x00401001
0x0040100a jmp 0x00401015
0x0040100c halt
0x0040100d mov eax, 0x00401018
0x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 0x0040100c
00
03
05
0A
12
0D
15
18
0A
7
ExampleExample
8
9
10
Demo
Demo
BE-PUM• BE-PUM - Binary Emulation for Pushdown Model
• Apply pushdown model generation of binary codeApply concolic testing (dynamic symbolic execution) to
handle indirect jumpApply on-the-fly model generation for handling self-
modifying codeFocus on obfuscation techniques which are used in
malware and packer tools.
14
Running Examples
Running Example
Hexa Instructions 0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d
0x00401005 mov eax, 0x00401001
0x0040100a jmp 0x00401015
0x0040100c halt
0x0040100d mov eax, 0x00401018
0x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 jmp eax
Running Example
Hexa Instructions 0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d
0x00401005 mov eax, 0x00401001
0x0040100a jmp 0x00401015
0x0040100c halt
0x0040100d mov eax, 0x00401018
0x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 jmp eax
eax = α
Running Example
Hexa Instructions 0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d
0x00401005 mov eax, 0x00401001
0x0040100a jmp 0x00401015
0x0040100c halt
0x0040100d mov eax, 0x00401018
0x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 jmp eax
eax = α
Running Example
Hexa Instructions 0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d
0x00401005 mov eax, 0x00401001
0x0040100a jmp 0x00401015
0x0040100c halt
0x0040100d mov eax, 0x00401018
0x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 jmp eax
eax <0
eax >=0eax = α
Running Example
Hexa Instructions 0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d
0x00401005 mov eax, 0x00401001
0x0040100a jmp 0x00401015
0x0040100c halt
0x0040100d mov eax, 0x00401018
0x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 jmp eax
00
03
05
0a
12
0d
15
18eax = α
Convert symbolic value of α into a concrete valueUse white-box testing to under-approximate α
jmp to α?
Test-case Generation
00
03
05
0a
12
0d
15
18
00
03
05
0a
12
0d
15
18
eax = eax =
Test-case-1 = Test-case-2 = -
Enlarging the Model by Testing Result Simulation Snapshot
eax=0x0040100C; start=0x00401000;return=0;address=0x0040100C;
Hexa Instructions 0x00401000 cmp eax, 0
0x00401003 jle 0x0040100d0x00401005 mov eax, 0x004010010x0040100a jmp 0x004010150x0040100c halt
0x0040100d mov eax, 0x004010180x00401012 sub eax, 5
0x00401015 sub eax, 1
0x00401018 jmp eax
00
03
05
0a
12
0d
15
18
0cTest-case-1Test-
case-2
Framework
15
Strategy for covered instruction selection• Instruction statistics collected from virus samples
• Full list of 300 supported instructionsCall Jump Return
add shl Call je jz jne jump mov cmovg ret cmp out setna lods daaand sal jnz jb jnae xchg cmovl int pop setnae movs dassub dec jc jnb jae movz cmovl aaa popa setnb neg enteror inc jnc jng jnae movsb cmovna aad popf setnbe nop inxor adc jle ja jl movsw cmovnae aam push setnc shld int1imul shr jnge jnl jnbe mosx cmovnbe aas pusha setne shrd int3ror ror jge jo jg movzb cmovne bsf pushf setng stc lahfdiv rep jnle jns loop movzw cmovng bswap rdtsc setnge stos leasbb mul js jno jp cmova cmovnge bt sahf setnl test leaveclc sar jno jpe jecxz cmovb cmovnl btc scas setnle xlatnot ror jmp loope loopne cmovbe cmovnle brt seta setno cbwidiv rcr loop loopz loopnz cmovc cmovno bts setae setnp cwdexadd rol cmove cmovnp cbw setb setns cmpsadc rcl cmovp cmovns cdq setbe seto cmpxchgdec mul cmovpe cmovnz clc setc setp cmpxchg8bshr sbb cmovpo cmovo cld sete setpe cpuidsar cmovs cmovz cli setg setpo cwd
cltd setge sets cwdecmc setl setz cwt
Arthimetic Conditinal Jump Move Control
16
Supported 400 Windows APIs• Kernel32.dll: _lwrite, accept, bind, CloseHandle, closesocket, connect,
CopyFile, CreateFile, CreateFileMapping, CreateProcess, CreateThread DeleteFile, ExitProcess, FindClose, FindFirstFile, FindNextFile, FreeEnvironmentStrings, GetCommandLine, GetCurrentDirectory GetCurrentProcess, GetEnvironmentStrings, GetFileAttributes, GetFileSize, GetFileType, gethostbyname, gethostname, GetLastError GetLocalTime, GetModuleFileName, GetModuleHandle, GetProcAddress, GetStartupInfo, GetStdHandle, GetSystemDirectory GetSystemTime, GetTickCount, GetVersion, GetVersionEx, GetWindowsDirectory, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, IsDebuggerPresent, listen, LoadLibrary, lstrcat, lstrcmp, lstrcpy, lstrlen, MapViewOfFile, MoveFile, PeekMessageA, ReadFile, recv, RegCloseKey, RegOpenKeyEx, RegSetValueEx, send, , SetCurrentDirectory, SetEndOfFile, SetFileAttributes, SetFilePointer, SetHandleCount, shutdown, socket ,UnmapViewOfFile, VirtualAlloc, VirtualFree, WaitForSingleObject, WinExec, WriteFile, WSACleanup, WSAStartup...
• User32.dll: MessageBox, SendMessage, FindWindow, PostMessage.
17
Best Practice• Apply bread-first-search strategy to ask Z3 to
generate as much test-case as possible• Use JNA (Java Native Access) to simulate API
calling
18
Indirect Jump• Virus.Win32.Aztec
00401057 . B8 00100000 MOV EAX,10000040105C . 05 00004000 ADD EAX, 0040000000401061 . FFE0 JMP EAX
BE-PUMIDA Pro
20
Overlapping InstructionHLLW.Rolog.f
•Junk code modifies the return address.
00437002 E8 03000000 CALL 0043700A00437007 E9 EB045D45 JMP 45A074F7
00437002 CALL 0043700A
0043700D RETN
0043700A POP EBP 0043700B INC EBP0043700C PUSH EBP
Code
21
Demo
BE-PUM
IDA Pro
22
Self-Modifying Code
• Virus.Win32.Seppuku.1606 : Self-Modifying Code
00401646 E8 B5F9FFFF CALL 00401000
EDI = 401067
004010E5 MOV EAX,DWORD PTR SS:[EBP+401489]004010EB STOS DWORD PTR ES:[EDI]
00401646 E8 00000000 CALL 0040164B
23
Decryption
• Email-Worm.Win32.Kickin.d : Self-decryption
00609223 pop ebp00609224 push 3d00609226 mov byte ptr ds:[esi+9cccd0e5],dh0060922C retn 8d9e0060922F pxor mm5,mm300609232 dec ecx00609233 fiadd word ptr ds:[ecx+80a6b31]
Decryption loop
ecx was set to 0CAh0060933A mov ecx,0ca00609345 lods byte ptr ds:[esi]00609346 xor al,ah00609348 inc ah0060934A rol ah,20060934D add ah,9000609350 stos byte ptr es:[edi]00609351 loopd 00609345
00609223 call 0060922800609228 mov ebx, [ebp+402705]0060922E add ebx,2800609231 pop eax00609232 sub eax,ebx00609234 mov [ebp+40270d],eax
24
Demo
BE-PUM
IDA Pro
25
Comparison with others• BE-PUM current tool: precise models (CFG)
generated from real malwaresIndirect jumps (now)Self-modification (now)Decryption (now)SEH (now)Packer techniques (now)
• ExperimentsCompare the CFG with those generated by
Jakstab and IDA Pro
29
Experiment statistics
30
Supported Techniques in Packer
32
Related Works
33
Remarks• BE-PUM plays the roles of both model generation
and model emulator for binariesModel Generation: on-the-fly manner, with
concolic technique–Missing piece: Loop invariant (handled by
looping many many times if needed) Emulator
– A “symbolic sandbox”
34
Demo
36
Thank you for your attention