Malware Functionality - Covert Malware Launching

Table of Contents

1. Notes
   1. Launchers
   2. Process Injection
      1. DLL injection
   3. Direct injection
   4. Process Replacement
   5. Hook Injection
      1. Keyloggers
      2. Using SetWindowsHookEx
   6. Detours
   7. APC Injection
      1. From User Space
      2. From Kernel Space
2. Labs
   1. Lab 1
   2. Lab 2
   3. Lab 3
   4. Lab 4

Notes

Launchers

Type of malware that sets itself or another piece of malware for immediate or future covert execution. Launchers will often store malware within the resource section. When the launcher is run, it extracts an embedded executable or DLL from the resource section before launching it.

Process Injection

This technique injects code into another running process, and that process unwittingly executes the malicious code. There are some functions linked to this technique, such as VirtualAllocEx function, that can be used to allocate space in an external process’s memory, and WriteProcessMemory that can be used to write data to that allocated space.

DLL injection

It is a form of process injection where a remote process is forced to load a malicious DLL, and it is the most commonly used covert loading technique. DLL injection works by injecting code into a remote process that calls LoadLibrary, thereby forcing a DLL to be loaded in the context of that process.

The typical pattern is as follows:

• CreateToolhelp32Snapshot, Process32First, and Process32Next to search the process list for the injection target.
• Retrieve the process identifier (PID) and obtain the handle via a call to OpenProcess.
• VirtualAllocEx and WriteProcessMemory.
• CreateRemoteThread with these parameters: the process handle (hProcess) obtained with OpenProcess, along with the starting point of the injected thread (lpStartAddress) and an argument for that thread (lpParameter).

Direct injection

It uses many of the same Windows API calls as DLL injection. The difference is that instead of writing a separate DLL and forcing the remote process to load it, direct injection malware injects the malicious code directly into the remote process. It is more flexible than DLL injection, but it requires a lot of customized code in order to run successfully without negatively impacting the host process. This technique can be used to inject compiled code, but more often, it’s used to inject shellcode.

Process Replacement

It overwrites the memory space of a running process with a malicious executable instead of inject code into a host program. Key to process replacement is creating a process in a suspended state (by passing CREATE_SUSPENDED (0x4) as the dwCreationFlags parameter when performing the call to CreateProcess). This means that the process will be loaded into memory, but the primary thread of the process is suspended. Once the process is created, the next step is to replace the victim process’s memory with the malicious executable, typically using ZwUnmapViewOfSection.

Hook Injection

There are two types of Windows hooks:

• Local hooks are used to observe or manipulate messages destined for an internal process.
• Remote hooks are used to observe or manipulate messages destined for a remote process (another process on the system).
  • High-level remote hooks. They require that the hook procedure be an exported function contained in a DLL.
  • Low-level remote hooks require that the hook procedure be contained in the process that installed the hook.

Keyloggers

Hook injection is frequently used in malicious applications known as keyloggers, which record keystrokes. Keystrokes can be captured by registering high- or low-level hooks using the WH_KEYBOARD or WH_KEYBOARD_LL hook procedure types, respectively.

Using SetWindowsHookEx

The principal function call used to perform remote Windows hooking is SetWindowsHookEx, which has the following parameters:

• idHook. Specifies the type of hook procedure to install.
• lpfn. Points to the hook procedure.
• hMod. For high-level hooks, identifies the handle to the DLL containing the hook procedure defined by lpfn. For low-level hooks, this identifies the local module in which the lpfn procedure is defined.
• dwThreadId. Specifies the identifier of the thread with which the hook procedure is to be associated. If this parameter is zero, the hook procedure is associated with all existing threads running in the same desktop as the calling thread (tipically only a single thread will be injected in order to remain stealthy). This must be set to zero for low-level hooks.

The hook procedure can contain code to process messages as they come in from the system, or it can do nothing. Either way, the hook procedure must call CallNextHookEx.

Detours

Malware authors most commonly use Detours to add new DLLs to existing binaries on disk. The malware modifies the PE structure and creates a section named .detour, which is typically placed between the export table and any debug symbols. The .detour section contains the original PE header with a new import address table. The malware author then uses Detours to modify the PE header to point to the new import table, by using the setdll tool provided with the Detours library.

APC Injection

Instead of creating a thread, APCs (asynchronous procedure call) can direct a thread to execute some other code prior to executing its regular execution path. Whenever the thread calls functions like WaitForSingleObjectEx, WaitForMultipleObjectsEx, and Sleep, it can process the APCs.

From User Space

From user space, another thread can queue a function to be invoked in a remote thread, using the API function QueueUserAPC. Because a thread must be in an alertable state in order to run a user-mode APC, malware will look to target threads in processes that are likely to go into that state.

From Kernel Space

A malicious driver can build an APC and dispatch a thread to execute it in a user-mode process (most often svchost.exe). APCs of this type often consist of shellcode, and they make use of these two functions KeInitializeApc (if NormalRoutine parameter is non-zero in combination with the parameter ApcMode being set to 1, then we are looking at an usermode type) and KeInsertQueueApc.

Labs

Lab 1

1. What happens when you run the malware executable?

First of all, we retrieve the strings and imports from both files with FLOSS.

Lab12-01.exe	Lab12-01.dll

If we run the program, we will observe that the following pop-up windows appears again and again after a short period of time.

2. What process is being injected?

The following image shows the function call graph. As we can observe, it is clear that we are dealing with DLL injection, due to the pattern “OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread”.

There are two calls to OpenProcess, but we will take a look at the first one, located at 0x40104B.

We can see that it is inside a subroutine, and it checks if the process is explorer.exe.

3. How can you make the malware stop the pop-ups?

We can kill the thread in the process explorer.exe.

4. How does this malware operate?

It takes the process list, and it searches for explorer.exe. Once it is located, a typical process injection is performed, injecting Lab12-01.dll and creating a new thread that pop-ups a message every minute.

Lab 2

1. What is the purpose of this program?

Taking a look at the imports, we can observe some suspicious calls like VirtualAlloc, WriteProcessMemory or LoadResource.

If we take a look at the main function we can observe that the code is really simple: it manipulates the code from the resource section and follows the typical pattern of Process Replacement (creating a process in a suspended state by passing CREATE_SUSPENDED (0x4) as the dwCreationFlags parameter).

main	procReplacement function

2. How does the launcher program hide execution?

As we mentioned before, the program uses process replacement technique.

3. Where is the malicious payload stored?

It is stored in the resource section.

4. How is the malicious payload protected?

It is XOR-encoded with the key 0x41 in subroutine 0x40100.

5. How are strings protected?

It is XOR-encoded with the key 0x41.

Lab 3

1. What is the purpose of this malicious payload?

Taking a look at the imports and strings we notice something familiar, the practicalmalwareanalysis.log file and the hardcoded strings of keys. It is clear that we are dealing with a keylogger.

2. How does the malicious payload inject itself?

The program uses the Hook Injection technique. As we can observe, the parameter dwThreadId is 0, which indicates a low level hook.

3. What filesystem residue does this program create?

The file practicalmalwareanalysis.log, that saves the keystrokes.

Lab 4

1. What does the code at 0x401000 accomplish?

First of all, we take a look at imports and strings. We observe manipulation of the resource section and creation of files.

Imports	Strings

The subroutine calls OpenProcess with winlogon.exe as a parameter. Then, it compares the string “winlogon.exe” against “not real”.

2. Which process has code injected?

The process that has code injected is winlogon.exe.

3. What DLL is loaded using LoadLibraryA?

The library that is loaded is sfc_os.dll which stands for System File Checker utility for the Windows operating system.

4. What is the fourth argument passed to the CreateRemoteThread call?

The fourth argument is lpStartAddress.

5. What malware is dropped by the main executable?

After dumping the malware from the resource section with ResourceHacker, observing the strings and running it we can confirm that it a downloader that sends a request to the URL in order to get a second payload.

6. What is the purpose of this and the dropped malware?

As we mentioned before, the first stage of the malware injects code to winlogon.exe and disables sfc_os.dll. Apart from that, it contains a payload in its resource section. This payload is a downloader that queries “hxxp://www[.]practicalmalwareanalysis.com/updater.exe” to trojanize wupdmgr.exe.