1 BitVisor [3] Alkanet[1] Alkanet (DLL) DLL 2 Alkanet Alkanet Alkanet VMM VMM Alkanet Windows [2] マルウェア 観 測 用 VM SystemCall Windows System

Transcription

1 Computer Security Symposium October 2013 Alkanet {takimoto, BitVisor Alkanet API DLL A Method for Identifying System Call Invoker in Dynamic Link Library Yuto Otsuki Eiji Takimoto Shoichi Saito Koichi Mouri Ritsumeikan University Nojihigashi, Kusatsu, Shiga Japan [email protected], {takimoto, mouri}@cs.ritsumei.ac.jp Nagoya Institute of Technology Gokiso-cho, Showa-ku, Nagoya, Aichi, Japan [email protected] Abstract Recently, malware has become a major security threat to computers. Responding to threats from malware requires malware analysis and understanding malware behavior. We are developing Alkanet, a system call tracer for malware analysis that uses a virtual machine monitor based on BitVisor. In this paper, we describe a method for identifying system call invoker in dynamic link library by using stack tracing. The method make it possible to identify the system call invoker in dynamic link library or memory area. It is effective to analyze malware such as executable codes generated in runtime, or malicious libraries mapped in a legitimate application

2 1 BitVisor [3] Alkanet[1] Alkanet (DLL) DLL 2 Alkanet Alkanet Alkanet VMM VMM Alkanet Windows [2] マルウェア 観 測 用 VM SystemCall Windows SystemCall Analyzer Log Alkanet BitVisor 1: Alkanet ロギング 用 LogAnalyzer ログ 分 析 挙 動 抽 出 保 存 Logger Alkanet 1 Alkanet VMM BitVisor[3] BitVisor OS VMM Intel CPU Intel VT (Intel Virtualization Technology) Windows OS 32bit Windows XP Service Pack 3 sysenter sysexit Alkanet PC IEEE DLL

3 Windows API stdcall[4] FPO (Frame-Pointer Omission) EBP 4 4 Windows XP Service Pack 2 Windows DLL FPO [5] FPO Windows API API 関 数 (2) ー A 関 数 (1) ー (3) B (5) (4) スタブへの 戻 りアドレス 関 数 Aへの 戻 りアドレス システムコールへの 第 1 引 数 システムコールへの 第 2 引 数 システムコールへの 最 後 の 引 数 関 数 Aのローカル 変 数 ベースポインタ 関 数 Bへの 戻 りアドレス 関 数 Aへの 第 1 引 数 関 数 Aへの 最 後 の 引 数 ベースポインタ 関 数 Cへの 戻 りアドレス スタックの 先 頭 アドレス sysenter 時 : EDX sysexit 時 : ECX EBP (7) 成 長 方 向 2: (6) A ( 2 (2)) ( 2 (3)) call A ( 2 (4)) EAX KiFastSystemCall call ( 2 (5))KiFastSystemCall EDX ESP sysenter sysenter KiFastSystemCall Windows ntdll.dll ntdll.dll KiFastSystem- Call 2 C B A KiFastSystemCall B ( 2 (1)) 3.3 Alkanet KiFast- SystemCall ESP EDX sysexit ECX ESP sysenter EDXsysexit

4 ECX ( 2 (6)) ( 2 (5)) A ( 2 (4)) 2 (3) AB sysenter sysexit EBP EBP EBP A ( 2 (7))EBP B B, C Windows Windows VAD PTE VAD VAD VAD VAD DLL API 4 3 VAD () (PTE) DLL 4.1 Windows VAD (Virual Address Descriptor) [6]VAD VAD 4.2 NtAllocateVirtualMemory VAD NtProtectVirtualMemory VAD VAD PTE NtProtect- VirtualMemory PTE PTE

5 Windows Writable (1 ) Dirty (6 ) NtProtectVirtualMemory Alkanet Conficker.dll No. Note [2] Stack- Trace No. Time CPU Cid ID ID Name Type sysenter sysexit Ret (sysexit ) SNo. Note StackTrace StackTrace 1 SP StackBase StackLimit TIB (Thread Information Block) 2 [] 3 EBP [00] [01] 4 API API API - Writable Dirty VAD VAD VAD 3 StackTrace 23 [00] 0x7c94d6dc 0x7ed40 0x7c x7c9dc000 VAD (ImageMap: 1) \WINDOWS\system32\ntdll.dll ntdll.dll NtProtectVirtualMemory API +0xc 5.2 Conficker CCC Dataset 2013[7] DLL

6 No. : Time: Type: sysexit Ret : 0 (STATUS_SUCCESS) SNo.: 89 (NtProtectVirtualMemory) Cid : 1a4.1a8 Name: rundll32.exe Note: Pid: 1a4, Name: rundll32.exe NewProtect: PAGE_EXECUTE_READWRITE, OldProtect: PAGE_READWRITE BaseAddress: , AllocationSize: 0xe000 (Range: a0000) StackTrace: SP: 7ed40, StackBase: 80000, StackLimit: [00]7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0, VAD:{7c c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 7ed40 [01]7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0, VAD:{7c c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: 7ed44 [02]7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0, VAD:{7c c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7ed64 [03] e (API: -, Writable: 0, Dirty: 0, VAD:{ , ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7ed80 [04] b (API: -, Writable: 0, Dirty: 0, VAD:{ , ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7f184 [05]7c94118a (API: LdrpCallInitRoutine+0x14, Writable: 0, Dirty: 0, VAD:{7c c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), BP: 7f1a4... [10]7c80aeec (API: LoadLibraryW+0x11, Writable: 0, Dirty: 0, VAD:{7c c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7f888 [11] (API: -, Writable: 0, Dirty: 0, VAD:{ b000, ImageMap: 1, File: "\WINDOWS\system32\rundll32.exe"}), BP: 7f89c... 3: Conficker.dll Conficker.dll rundll32.exe Conficker.dll rundll32.exe Conficker.dll NtLoadDriver Alkanet NtLoadDriver 3 rundll32.exe NtProtectVirtualMemory 0x x9a0000 PAGE EXECUTE READWRITE Alkanet Stack- Trace Conficker.dll Conficker.dll rundll32.exe StackTrace rundll32.exe Conficker.dll LoadLibraryW ( 3 [10][11])Conficker.dll ( 3 [05] ) DLL DLL 4 rundll32.exe NtCreateThread svchost.exe ID 1a8 4 [08][14] Conficker.dll rundll32.exe Conficker.dll [05] 3 VAD (ImageMap: 0) (Writable: 1) (Dirty: 1) [02][04] 4 Conficker.dll

7 No. : Time: Type: sysexit Ret : 0 (STATUS_SUCCESS) SNo.: 35 (NtCreateThread) Cid : 1a4.1a8 Name: rundll32.exe Note: Cid: 434.1b0, Name: svchost.exe, EIP: 0x7c8106e9, Suspended: 0x1 StackTrace: SP: 7e640, StackBase: 80000, StackLimit: [00]7c94d19c (API: NtCreateThread+0xc, Writable: 0, Dirty: 0, VAD:{7c c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 7e640 [01]7c (API: CreateRemoteThread+0xc9, Writable: 0, Dirty: 0, VAD:{7c c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: 7e644 [02]98bd46 (API: -, Writable: 1, Dirty: 1, VAD:{ a1000, ImageMap: 0}), BP: 7ea94 [03] (API: -, Writable: 1, Dirty: 1, VAD:{ a1000, ImageMap: 0}), BP: 7eb00 [04]987c5f (API: -, Writable: 1, Dirty: 1, VAD:{ a1000, ImageMap: 0}), BP: 7ed38 [05]99721c (API: -, Writable: 1, Dirty: 1, VAD:{ a1000, ImageMap: 0}), BP: 7ed64 [06] (API: -, Writable: 0, Dirty: 0, VAD:{ , ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7ed84 [07] b (API: -, Writable: 0, Dirty: 0, VAD:{ , ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7f184 [08]7c94118a (API: LdrpCallInitRoutine+0x14, Writable: 0, Dirty: 0, VAD:{7c c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), BP: 7f1a4... [13]7c80aeec (API: LoadLibraryW+0x11, Writable: 0, Dirty: 0, VAD:{7c c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7f888 [14] (API: -, Writable: 0, Dirty: 0, VAD:{ b000, ImageMap: 1, File: "\WINDOWS\system32\rundll32.exe"}), BP: 7f89c... 4: 5.3 PDF D3M Dataset 2013[7] PDF Alkanet PDF 5 PDF AcroRd32.exe Nt- ProtectVirtualMemory StackBase StackLimit [03] [03] NtProtectVirtualMemory PAGE EXECUTE READWRITE. 0x x PDF AcroRd32.exe 6 VAD PEB LDR DATA[8] Volatility Framework[9] dlllist API VAD Alkanet VAD MAT (Module-based Analysis Tool) [10] DLL MAT Windows

8 No. : Time: Type: sysexit Ret : 0 (STATUS_SUCCESS) SNo.: 89 (NtProtectVirtualMemory) Cid : Name: AcroRd32.exe Note: Pid: 564, Name: AcroRd32.exe NewProtect: PAGE_EXECUTE_READWRITE, OldProtect: PAGE_EXECUTE_READWRITE BaseAddress: , AllocationSize: 0x1000 (Range: ) StackTrace;: SP: f601ff8, StackBase: , StackLimit: 11d000 [00] 7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0, VAD:{7c c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: f601ff8 [01] 7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0, VAD: {7c c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: f601ffc [02] 7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0, VAD:{7c c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: f60201c [03] 42700c7 (API: -, Writable: 1, Dirty: 1, VAD:{ , ImageMap: 0}), BP: f : PDF Alkanet Windows VMM MAT Alkanet 7 API DLL [11] [1] Y. Otsuki at el.: Alkanet: A Dynamic Malware Analyzer based on Virtual Machine Monitor, In World Congress on Engineering and Computer Science 2012 (WCECS 2012), Vol. 1, pp (2012). [2] :, 2011, 2011, pp (2011). [3] T. Shinagawa at el.: BitVisor: a thin hypervisor for enforcing i/o device security, In Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pp (2009) [4] Microsoft: stdcall, microsoft.com/en-us/library/zxk0tw93. aspx (2013). [5] A. Glaister:, library/bb694540(v=vs.85).aspx (2007). [6] B. Dolan-Gavitt: The VAD tree: A processeye view of physical memory, Digital Investigation, Vol. 4, pp (2007). [7] : MWS Datasets 2013, 2013 (MWS2013) (2013). [8] Microsoft: PEB LDR DATA structure (Windows), com/en-us/library/windows/desktop/ aa813708(v=vs.85).aspx (2013). [9] volatility - An advanced memory forensics framework - Google Project Hosting, https: //code.google.com/p/volatility/ (2013). [10] F. Jianming at el.: Malware Behavior Capturing Based on Taint Propagation and Stack Backtracing, In Trust, Security and Privacy in Computing and Communications (TrustCom), 2011 IEEE 10th International Conference on, pp (2011). [11] J. Butler at el.: Bypassing 3rd Party Windows Buffer Overflow Protection, Phrack 62, Volume 0x0b, Issue 0x3e, Phile #0x05 of 0x10, html?issue=62&id=5#article (2004)