
CSC 497/583 Advanced Topics in Computer Security
Modern Malware Analysis
Static Analysis: Real-world Case Study

Si Chen ([email protected])

Load PE file (Notepad.exe) into memory

NT Header
https://docs.microsoft.com/en-us/wind winnt/

PE Header Structure

IAT (Import Address Table)

Look up the IAT with PEview

Two ways to load a DLL
An executable file links to (or loads) a DLL in one of two ways:
Implicit linking (load-time dynamic linking), which goes through the IAT: the operating system loads the DLL when the executable that uses it is loaded.

Implicit linking and the IAT (Import Address Table)
Notepad.exe: Call CreateFileW() --> Call 0x01001104 --> Call 0x7C810CD9
The call to 0x01001104 is a lookup in the IAT, whose entry holds the real address:

  Function Name   IAT Address   Real Address
  CreateFileW()   0x01001104    0x7C810CD9

When the application was first compiled, it was designed so that API calls do NOT use direct hard-coded addresses but instead go through a function pointer. This is accomplished with the import address table: a table of function pointers that the Windows loader fills in as the DLLs are loaded.

Why the IAT?

IAT (Import Address Table): support different Windows versions (9x, 2K, XP, Vista, 7, 8, 10)
Call CreateFileW() --> Call 0x01001104 --> look up the IAT; the real address differs per version:

  Windows XP
  Function Name   IAT Address   Real Address
  CreateFileW()   0x01001104    0x7C810CD9

  Windows 7
  Function Name   IAT Address   Real Address
  CreateFileW()   0x01001104    0x7C81FFFF

IAT (Import Address Table): support DLL relocation

Import Directory Table
The Import Directory Table contains one entry for every DLL loaded by the executable. Each entry contains, among other fields, the Import Lookup Table (ILT) and the Import Address Table (IAT).

Inspecting file imports with the pefile library

EAT (Export Address Table)
Similar to the IAT, EAT data is stored in IMAGE_EXPORT_DIRECTORY. The EAT contains an RVA that points to an array of pointers to (RVAs of) the functions in the module.

Inspecting file exports with the pefile library

Real-world Case Study

16d6b0e2c77da2776a88dd88c7cfc672 (Trojan.Win32.Dllhijack.a)
https://www.hybrid-analysis.com/sample/037203d274cb66bad34559c0f426e9e1bf91a048155240581f4aa554be17925c?environmentId=100

0fd6e3fb1cd5ec397ff3cdbaac39d80c

6a764e4e6db461781d080034aab85aff & cc3c6c77e118a83ca0513c25c208832c

e0bed0b33e7b6183f654f0944b607618

db8199eeb2d75e789df72cd8852a9fbb (Rootkit.Win32.blackken.b)

Is this claim correct? "If two export functions share the same address, it's malware."

1c1131112db91382b9d8b46115045097
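As an added example (my own code, not from the course slides or from the pefile project), the following Python does by hand what the "inspecting file exports with pefile" slides do with the library, and then applies the export-address heuristic asked about above: it walks the DOS and NT headers to DataDirectory[0], maps RVAs to file offsets through the section table, reads IMAGE_EXPORT_DIRECTORY, and groups export names by address. The PE image it parses is constructed inline (not a real binary) with two exports, "Alpha" and "Beta", deliberately sharing one RVA.

```python
import struct
# Constructed minimal PE32 (not a real binary): one section whose export directory names three functions; "Alpha" and "Beta" share one RVA.
def build_sample_pe() -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)   # i386, 1 section, DLL
    dirs = [(0x1000, 0x100)] + [(0, 0)] * 15                              # DataDirectory[0] = export
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".edata".ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x1000, 0x100, 0x200)
    hdr = (dos + b"PE\0\0" + file_hdr + opt + sect.ljust(40, b"\0")).ljust(0x200, b"\0")
    strings = [b"sample.dll\0", b"Alpha\0", b"Beta\0", b"Gamma\0"]
    rvas = [0x1046 + sum(map(len, strings[:i])) for i in range(4)]      # string RVAs after the tables
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, rvas[0], 1, 3, 3, 0x1028, 0x1034, 0x1040)
    exp += struct.pack("<3I", 0x2000, 0x2000, 0x2100)                   # AddressOfFunctions: Alpha == Beta
    exp += struct.pack("<3I", *rvas[1:]) + struct.pack("<3H", 0, 1, 2) + b"".join(strings)
    return hdr + exp.ljust(0x100, b"\0")

def rva_to_offset(data: bytes, rva: int) -> int:
    """Map an RVA to a file offset by walking the section table (RVAs are not file offsets)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)   # NumberOfSections, SizeOfOptionalHeader
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, e_lfanew + 24 + opt_size + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def parse_exports(data: bytes):
    """Return (dll_name, [(ordinal, name, rva), ...]) read from IMAGE_EXPORT_DIRECTORY."""
    opt = struct.unpack_from("<I", data, 0x3C)[0] + 24                  # IMAGE_OPTIONAL_HEADER
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    exp_rva = struct.unpack_from("<I", data, dd)[0]                     # DataDirectory[0].VirtualAddress
    if exp_rva == 0:
        return None, []                                                 # no export table at all
    off = rva_to_offset(data, exp_rva)
    name_rva, base, nfunc, nname, fn, nm, od = struct.unpack_from("<7I", data, off + 12)
    funcs = struct.unpack_from(f"<{nfunc}I", data, rva_to_offset(data, fn))
    names = struct.unpack_from(f"<{nname}I", data, rva_to_offset(data, nm))
    ords = struct.unpack_from(f"<{nname}H", data, rva_to_offset(data, od))
    cstr = lambda r: data[rva_to_offset(data, r):].split(b"\0", 1)[0].decode()
    return cstr(name_rva), [(base + ords[i], cstr(names[i]), funcs[ords[i]]) for i in range(nname)]

def shared_export_addresses(exports):
    by_rva = {}                                                         # the slide's heuristic: names per address
    for _ordinal, name, rva in exports:
        by_rva.setdefault(rva, []).append(name)
    return {rva: names for rva, names in by_rva.items() if len(names) > 1}
```

On real DLLs the grouping alone is a weak signal: legitimate libraries alias export names, and identical-code folding by the linker also makes distinct exports share an address, so treat it as one feature for the Lab 1 heuristic system rather than a verdict.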

Lab 1
Create your own anti-malware system based on heuristic analysis. Check the course website.

Q&A
