# Reversing Malicious Code

* **Goal is to understand common malware characteristics at a code level**
* May include potential branches of execution with code analysis
* **Overview of the code lifecycle**
* Source code is translated into object code by a compiler
* Object code is then combined with libraries and an executable file is created
* To run the file, the operating system reads various information from the executable file, allocates memory, and loads required libraries into memory
* Control is transferred to the code to execute
* At this final stage is where we examine the code with a debugger
* Note: Libraries may be loaded during the programs execution

### Ghidra

* Developed by NSA
* Its decompiler produces a C representation of the code to speed up analysis
* Includes support for writing java and python scripts to automate analysis
* Help is accessed via F1 key
* Ghidra v10 includes a debugger
* <https://ghidra-sre.org/>

### **Create a new project**

* `File --> New Project`
* Choose the project type
* Click `Finish`
* Drag and drop the specimen into the project window
* Accept defaults in the `Imports` windows and click Ok

### **Launch the code browser and being the auto-analysis**

* Make sure to enable `WindowsPE x86 Propagate External Parameters` option
* Finally click the Analyze button and wait for Ghidra to finish
* Once auto analysis is completed an Auto Analysis summary will show any warnings or issues encountered during the process
* A common warning is that the file does not `contain debug information`
* This is common and not an issue

**Before Proceeding save the project and take a snapshot**

### Ghidra Overview

* Main window is the `Listing View` which presents the target programs code and data
* Will initially bring you to the beginning of the file in the `Listing View` --> notice the `MZ` string
* If you scroll down from there you can examine the programs header

**Program Tree**

* Window is in the top left and shows the different sections and headers
* Section names are typically:

```
.text - Contains executable code
.rdata - Contains read-only data
.data - Contains data 
.reloc - Contains relocation data to fix up addresses in the file if it is not loaded at the prefered address
```

* To jump to the `.text` section double click the `.text` node
* <https://docs.microsoft.com/en-us/windows/win32/debug/pe-format>

### **FUN in Ghidra**

* In Ghidra the `FUN_` prefix generically refers to a function while the numeric value refers to the address where the function is loaded into memory
* Original name of the function is normally lost during compilation
* Execution occurs linearly one instruction after the next
* On the far left you will have a 32 bit address such as `00401007` (hex)
* This address represents the location of code in memory after the program is loaded, not the address of a location on disk i.e. within a file hex editor
* On the right there are x86 assembly instructions
* **Note:** - This is the beginning of the `.text` section, not the beginning of the program, that occurs at the entry point

### **Function graph view provides a visual perspective on code**

* Click on the function you want i.e. `FUN_00401007`
* Browse to `Window --> Function Graph` menu item
* Helpful for visualizing loops and complex conditionals within a function but the `Listing view` is more compact nd easier for some people to navigate
* **The color of the arrows symbolize code flow**
* If the code block ends in a conditional jump green arrows indicate the path here execution will continue if the condition is met
* If the condition is not met a red arrow will show where execution continues
* If the arrow is blue the code ends in an unconditional jump
* **View Imports to review a programs external dependencies**
* The import address table (IAT) helps direct code analysis
* You can view imports in the Symbol Tree window but we will access this information via `Window --> Symbol References`
* Filter symbols by "`Imported`" to focus on dependencies

### **Look for API call patterns associated with malware behavior**

* We can examine imports to identify potential functionality associated with common malware characteristics
* **Learn more about an API call at microsoft.com**
* Types of API Calls:

```
A --> (ANSI)
W --> (Wide)
Ex --> (Extended)
```

* Refers to if the function supports ANSI (8 bit character)
* Wide refers to a two byte character representation (UTF-16)
* Extended is when MSFT updates a function and the new function is not compatible with the old one
* **Instructions reference registers, immediate values and memory**
* Instructions have two components: `operation and operand`
* Instructions can have 0-3 operands
* An Operand can be:

```
A register
A memory location 
An immediate value e.g. 0x6453)
```

* Consider `MOV EAX, 0x6453`
* EAX is the destination (first)
* 0x6453 is the source (second)
* You are setting EAX to the value 0x6453
* Operands may be implied

**Intel processor uses registers to track the state of computation as instructions are executed**

* Registers are on chip memory locations
* Instructions act on registers and memory locations
* A CPU has a series of registers

```
Some registers are general purpose
Some have a particular use
Some are both
```

* We monitor registers to track arguments, variables, and function return values
* **The x86 architecture uses the following general purpose registers to hold code and data**

```
EAX --> Used for addition, multiplication, and return values
ECX --> Used as a counter 
EBP --> Used to reference arguments and local variables
ESP --> Points to the last item on the stack 
ESI/EDI --> Used by memory to transfer instructions 
```

### **Special use registers hold flags and track program execution**

* `EIP` points to the next instruction to execute
* `EFLAGS` bit represents the outcome of computers and they control CPU operations

### **Segment registers include:**

```
CS - Code segment
DS - Data segment 
SS - Stack segment 
```

* **32 bit registers can also be accessed as 16 and 8 bit registers**
* On 32 bit arch, registers can be accessed by their default `dword` size
* To access a registers lower `16 bits` the leading `E` is omitted from the name e.g. `EAX` becomes `AX`
* **The naming scheme for `EAX EBX ECX EDX` is as followed**
* `E<letter>X` --> `dword` 32 bit value of the register
* `<letter>X` --> lower word 16 bit value of the register
* `<letter>H` --> high byte 8 bit of the `<letter>X` value of the register
* `<letter>L` --> low byte 8 bit of the `letterX>` value of the register

```
EAX means 32 bits 
AX means the low 16 bit value 
AH means the high 8 bytes of AX 
AL means the low 8 bits of AX
```

* **The length of a word, dword, and qword are 16, 32, and 64 bits**
* A `word` in assembly is the natural size for a unit of data
* `16 bit` processor has `16-bit` words
* Many tools consider a word to be 16 bits regardless of processor size
* Additional common data sizes:

```
8 bits --> 1 byte 
32 bits --> dword 
64 bits --> qword
```

* **The operand for one push instruction is a pointer to a string**
* A `pointer` is a variable that holds a memory address (it points to a memory location)
* When the address that the pointer points to is accessed it is called dereferencing because the pointer references another location in memory
* Pointers are more efficient, rather than copying around a data structure in memory its more efficient to copy the value of a pointer (4 bytes on 32 bit systems)
* A `PUSH` instruction before a `CALL` often represents arguments passed to the function specified by the `CALL`

### **Memory can be accessed directly by many assembly instructions**

* Example:

```
MOV EAX, [0x410230]
```

* Brackets mean fetch data at the specified address (dereference)
* This is direct addressing because we are dereferencing an immediate value
* The result is that 4 bytes of data at 0x410230 will be moved to `EAX`
* Some tools like `IDA` omit brackets for direct addresses (`IDA: dword_410230`)
* **Memory may also be addressed by reference indirectly**
* The address may be calculated or in a register
* This is called an `Effective Address` and it enables us to work efficiently with data structures
* Format: `Base + (Index * Scale) + Displacement`

```
BASE        Index   Scale       Displacement
(EAX EBX) + (EAX EBX  1)   +     (None)
(ECX EDX) + (ECX EDX  2)   +     (8 bit value)
(ESP EBP) + (EBP ESI  4)   +     (16 bit value)
(ESI EDI) + (EDI      8)   +     (32 bit value)
```

* **Indirect Referencing:** address of the destination is calculated or it resides in a register. The calculated address is called the effective address (EA)
* If the address sits in a register, it is still different from direct memory addressing where the register is the destination
* In indirect memory addressing the register holds the address of the destination.
* Large advantage of indirect memory addressing is the capability to efficiently work with data structures
* You can increment the value of a single register to step through fields of a data structure or the same field of an array of data structures
* If the scale is used and index register must also be used
* **Examples of indirectly addressing memory**
* `[EAX]` : Access dynamically allocated memory (base)
* `[EBP + 0x10]` : Access data on the stack (base + displacement)
* `[EAX + EBX * 8]` : Access an array with 8-byte structure ( base + index \* scale)
* `EAX +EBX + 0xC]` : Access fields of a two dimensional array of structures (base + index + displacement)
* Indirect memory addressing may pose challenges for static code analysis because registers are not populated until runtime
* **Strings are an example of a data structure**
* Data structures groups simple variables into more complex types
* Examples of data structures include: strings, linked lists, sockets, and file handles
* When reversing determine the type of data structure by usage
* Data structures enable us to group bytes and advance our understanding of the code

### \*\*Code vs Data \*\*

* Context determines the answer
* `RegOpenKeyExA` Example
* The API call will have to have a symbolic constant i.e. `PUSH 0x80000001`
* During compilation it will be changed from the symbolic constant into the hex representation
* Right click the hex value, choose `Set Equate` and then choose `HKEY_CURRENT_USER` to change it back to the symbolic constant
* Will bring clarity to the code

### **Branch instructions direct code execution to another location**

* The flow of execution i.e. control flow is sequential until a branching instruction is reached
* Then the `EIP` is updated and execution is transferred to another location in memory
* **The code under review contains two types of jumps**
* Jumps are an example of a branching instruction
* Unconditional jumps always perform a jump `JMP, CALL, RET`
* Conditional jumps only jump if a condition is met: `JCC, Loop`
* Conditional jump represents a decision point
* **Conditional jumps require that we review multiple instructions**
* To evaluate whether a conditional is true, arithmetic instructions and Boolean are used
* `sub ecx, 8` Will test if ECX is equal to 8
* `and eax, eax` will test if EAX is equal to zero
* If the result of zero then the `ZF` bit is set in the flags register

### Jumps

* A `Jcc` instruction will be performed if a jump condition is met
* Form: `Jcc`

```
A --> jump if Above 
B --> jump if Below
E --> jump if jmp if equal 
G --> jump if greater 
L --> jump if less than 
Z --> jump if if zero 
N --> jump if not condition JNZ jump if not zero 
```

### Comments

* Use the `;` key to add a comment
* Can add EOL comments, Pre, Post or other types of comments

### HTTP Command and Control

* These APIS enable HTTP C2

```
InternetOpen, InternetConnect --> Create an HTTP connection
HttpOpenRequest, HttpAddRequestHeaders (Optional) --> Build an HTTP request
HttpSendRequest --> Send an HTTP request
InternetReadFile --> Read a response 
```

* To view the API calls

```
Window --> Symbol References --> Locate API's of interest in the Symbol Table
```

* **The code references variables, which holds code or data not known at compile time**
* Local variables are relevant for the current function and are not saved
* Local variables are stored on the stack relative to `ESP` and `EBP`
* Global variables are accessible from all functions e.g. `DAT_00403374`
* Also static variables can be only used from within the function that allocates it, but unlike local variables it does not get marked for reuse when the function exists

### Viewing Function Call Trees

* `Window --> Function Call Tree`
* View the outgoing calls on the right side
* View is ideal for determining which functions are called from the current function
* Once you determine what the current function is being used for make sure to `Rick Click --> Edit Label` and give it a meaningful name

### GetTempFileNameW

* Creates a file name for a temp file
* Can explore other function references to find new IOCs
* Look for a `PUSH` to `lpPrefixString_XXXXXX`
* MSFT documentation states the first three characters make up the temp file name prefix
* To assist Ghidra:

```
Right click on the lpPrefixString --> Click data --> terminate Unicode
```

### Functions

* A function is a group of instructions that performs a specific task (read, write files, send network data, log keystrokes)
* Three Basic Components

```
Input: values passed int
Body: code to perform tasks
Return: value passed back
```

* Calling a function involves a jump to another memory location
* After the function is done execution continues at the instruction after the original function call
* **Calling a function involves two control transfers**
* Function format: `return = function(arg0, arg1)`
* Specific events occur when calling a function

```
Pass in parameters (stack/register)
Save the return pointer 
Transfer control to the funciton 
```

* Specific events occur when returning from a function

```
Set up a return value (typically EAX)
Clean up the stack and restore registers 
Transfer control to the saved return pointer
```

* **Within a function, the prologue and epilogue perform setup and cleanup activities**
* Most functions contain a standard prologue and epilogue
* The prologue occurs at the start of the function

```
Allocates space for variables
Saves resisters that will be reused in the function body
```

* Function epilogue occurs at the end of the function

```
It cleans up the stack e.g. POP allocated variables
It restores registers
```

* **The stack is a section in memory used to store saved registers, local variables and function parameters**
* The stack is LIFO Last in First out
* `PUSH` adds an element and `POP` removes one
* `ESP` points to the next item on the stack and changes with instructions like `PUSH POP CALL LEAVE RET`
* `EBP a.k.a frame pointer` serves as an unchanging reference
* `EBP - value = local variable` registers may also be used
* `EBP + value = parameter`
* When `EBP` is set up in the function prologue in this manner, it means that when you see code reference `EBP` minus some value i.e. `[EBP -8]` it is accessing a local variable
* When its `EBP` plus some value i.e. `[EBP +8]` it is referencing a parameter that was passed in
* When cleaning up the stack compilers use some tricks
* Compilers may `POP` off a value i.e. `POP EDX` which has the result of adding four to `ESP`
* It is also very common to see a value added to `ESP` the used of the `RET` (which can also pop stuff off the stack, and the `leave` instruction

### Functions are called according to calling conventions

* The convention describes how data is passed into and out of functions
* The implementation of the convention may vary by compiler
* The `cdecl` convention (most common) has these characteristics

```
The arguments are placed onto the stack right to left
The return value is placed into EAX
The caller cleans up the stack (removes the arguments)
```

* The `stdcall` convention has the following characteristics

```
Similar to cdecl but the callee cleans up the stack 
This is the convention used in !IN32 APIs
```

* **Additional calling conventions include fastcall and thiscall**
* `fastcall`
* Arguments are stored in registers
* Any extra arguments are placed on the stack
* The callee cleans up arguments on the stack
* `thiscall`
* Used in C++ code (member functions)
* This convention includes a reference to this pointer
* For MSFT compilers, ECX holds the "this" pointer and the callee cleans up the arguments on the stack
* For GNU compilers the "this" pointer is pushed onto the stack last and the caller cleans up
* **Reviewing strings reveals filenames and directories of interest**
* To Locate a reference to a string right click on it and choose to show references

### Loops in malware

* Used to encrypt and decrypt network traffic --> loop over each character in the string to send
* Attempt to connect to C2 server --> loop over a lists of servers
* Perform a port scan --> try to connect to a port 1-65535
* Log keystrokes --> Check state for each key code 0...92
* Similar to JCC the Cs in `LOOPcc` represent the conditional code that must be met for the loop instruction to branch to the address specified
* The conditions are:

```
Z --> Loop if zero 
E --> Loop if equal
N --> Inverts the logic of the looping condition
```

### Reviewing imports to direct our code analysis

* The import table lists functions used to access the resource section

```
FindResourceW --> determine the location of a resource
SizeofResource --> obtain the size of a resource
LockResource --> obtain a pointer to a resource
```

* The resource `.rsrc` section is often used to store information like icons, dialog boxes, and version information
* However malware may hide executables here
* Malware that drops files is called a `dropper`

### CreateMutexA

* `CreateMutexA` --> creates or opens a mutex object
* Malware authors often use a mutex to avoid re-infecting a machine

### Keylogging

* `GetKeyState` and `GetAsyncKeyState` --> Determine if a particular key is pressed
* `GetWindowText` --> Retrieves text from a windows title bar
* `OpenClipboard`, `GetClipboardData`, and `CloseClipboard` --> Opens the clipboard for access, gathers data, and then closes the clipboard
* `GetWindowText` --> obtains the text of a windows title bar, combined with the two previous APIs an attacker could learn about what keys are pressed and what the application context is.
* `GetAsyncKeyState` determines if a key is currently up or down or if it was pressed since the last call to the API

### 64 Bit Malware

* Vast majority is 32 bit
* We will see more 64 bit in the future as they become the standard
* Two types of 64 bit malware have been common

```
Browser Helper Objects for 64 bit Internet Explorer
Device Drivers (rootkits) for Windows x64
```

### **Analyze 32-bit malware on 64-bit OS with caution**

* 32 bit code running on a 64 bit operating systems runs in the `WOW64 Subsystem`
* 32 bit executables load 32 bit dlls
* 32 bit dlls are located in `%SystemRoot%\Syswow64`
* 32 bit processes reference Software hive registry values in `Wow6432Node` using registry redirection
* Some executables run subtly different under WoW64 than on a native 32 bit OS

### 64-Bit Assembly Differences

* All general purpose registers are expanded to 64 bits
* `EAX` --> `RAX`
* There are eight new general purpose registers `R8 --> R15`
* Special use registers are exted and renamed `EIP --> RIP`
* `RSP` not `RBP` is often used to access parameters and variables
* Calling convention resembles `fastcall` (parameters via registers)

```
First four parameters are passed in RCX RDX R8 R9
Additional parameters are stored on the stack 
```

* There is a new addressing mode (`RIP` + displacement)