Computer Security Symposium 2013, 21-23 October 2013

A Method for Identifying System Call Invoker in Dynamic Link Library

Yuto Otsuki, Eiji Takimoto, Shoichi Saito, Koichi Mouri

Ritsumeikan University, 1-1-1 Nojihigashi, Kusatsu, Shiga 525-8577 Japan
yotuki@asl.cs.ritsumei.ac.jp, {takimoto, mouri}@cs.ritsumei.ac.jp
Nagoya Institute of Technology, Gokiso-cho, Showa-ku, Nagoya, Aichi, 466-8555 Japan
shoichi@nitech.ac.jp

Abstract: Recently, malware has become a major security threat to computers. Responding to threats from malware requires malware analysis and understanding malware behavior. We are developing Alkanet, a system call tracer for malware analysis that uses a virtual machine monitor based on BitVisor. In this paper, we describe a method for identifying the system call invoker in a dynamic link library by using stack tracing. The method makes it possible to identify the system call invoker in a dynamic link library or memory area. It is effective for analyzing malware such as executable code generated at runtime, or malicious libraries mapped into a legitimate application.
1 BitVisor [3] Alkanet[1] Alkanet (DLL) DLL 2 Alkanet 3 4 5 6 7

2 Alkanet Alkanet VMM VMM Alkanet Windows [2]

Figure 1: Alkanet. Labels recovered from the figure: malware observation VM, SystemCall, Windows, SystemCall Analyzer, Log, Alkanet, BitVisor; logging: LogAnalyzer (log analysis, behavior extraction, storage), Logger.

Alkanet 1 Alkanet VMM BitVisor[3] BitVisor OS VMM Intel CPU Intel VT (Intel Virtualization Technology) Windows OS 32bit Windows XP Service Pack 3 sysenter sysexit Alkanet PC IEEE 1394

3

3.1 DLL
Windows API stdcall[4] FPO (Frame-Pointer Omission) EBP 4 4 Windows XP Service Pack 2 Windows DLL FPO [5] FPO Windows API

Figure 2: Stack layout at sysenter. Slot labels recovered from the figure, listed from the top of the stack (EDX at sysenter, ECX at sysexit) toward higher addresses; the markers (1)-(7) referenced in the text are placed on "API function", "function A", "B" and "EBP" in the figure:
  return address into the stub
  return address into function A
  first argument to the system call
  second argument to the system call
  ...
  last argument to the system call
  local variables of function A
  saved base pointer
  return address into function B
  first argument to function A
  ...
  last argument to function A
  saved base pointer
  return address into function C
(The figure also marks the growth direction of the stack, toward the top of this list, and the EBP register (7).)

A (Fig. 2 (2)) (Fig. 2 (3)) call A (Fig. 2 (4)) EAX KiFastSystemCall call (Fig. 2 (5)) KiFastSystemCall EDX ESP sysenter sysenter KiFastSystemCall

3.2 2 Windows ntdll.dll ntdll.dll KiFastSystemCall 2 C B A KiFastSystemCall B (Fig. 2 (1))

3.3 Alkanet KiFastSystemCall ESP EDX sysexit ECX ESP sysenter EDX sysexit
ECX (Fig. 2 (6)) 3.2 2 (Fig. 2 (5)) A (Fig. 2 (4)) 2 (3) AB sysenter sysexit EBP EBP EBP A (Fig. 2 (7)) EBP B B, C Windows Windows VAD PTE VAD VAD VAD VAD DLL API

4 3 VAD () (PTE) DLL

4.1 Windows VAD (Virtual Address Descriptor) [6] VAD VAD

4.2 NtAllocateVirtualMemory VAD NtProtectVirtualMemory VAD VAD PTE NtProtectVirtualMemory PTE PTE
Windows Writable (bit 1) Dirty (bit 6) NtProtectVirtualMemory Alkanet

5

5.1 3

5.2 Conficker.dll No. Note [2] StackTrace No. Time CPU Cid ID ID Name Type sysenter sysexit Ret (sysexit) SNo. Note StackTrace StackTrace 1 SP StackBase StackLimit TIB (Thread Information Block) 2 [] 3 EBP [00] [01] 4 API API API - Writable Dirty VAD VAD VAD 3 StackTrace 23 [00] 0x7c94d6dc 0x7ed40 0x7c940000 0x7c9dc000 VAD (ImageMap: 1) \WINDOWS\system32\ntdll.dll ntdll.dll NtProtectVirtualMemory API +0xc

5.2 Conficker CCC Dataset 2013[7] DLL
No. : 14335 Time: 516777148 Type: sysexit Ret : 0 (STATUS_SUCCESS)
SNo.: 89 (NtProtectVirtualMemory) Cid : 1a4.1a8 Name: rundll32.exe
Note: Pid: 1a4, Name: rundll32.exe NewProtect: PAGE_EXECUTE_READWRITE, OldProtect: PAGE_READWRITE BaseAddress: 992000, AllocationSize: 0xe000 (Range: 992000--9a0000)
StackTrace: SP: 7ed40, StackBase: 80000, StackLimit: 74000
[00]7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 7ed40
[01]7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: 7ed44
[02]7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7ed64
[03]1000220e (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7ed80
[04]1000401b (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7f184
[05]7c94118a (API: LdrpCallInitRoutine+0x14, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), BP: 7f1a4
...
[10]7c80aeec (API: LoadLibraryW+0x11, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7f888
[11]1001792 (API: -, Writable: 0, Dirty: 0, VAD:{1000000--100b000, ImageMap: 1, File: "\WINDOWS\system32\rundll32.exe"}), BP: 7f89c
...
Figure 3: Conficker.dll

Conficker.dll rundll32.exe Conficker.dll rundll32.exe Conficker.dll NtLoadDriver Alkanet NtLoadDriver 3 rundll32.exe NtProtectVirtualMemory 0x992000 0x9a0000 PAGE_EXECUTE_READWRITE Alkanet StackTrace Conficker.dll Conficker.dll rundll32.exe StackTrace rundll32.exe Conficker.dll LoadLibraryW (Fig. 3 [10][11]) Conficker.dll (Fig. 3 [05]) DLL DLL 4 rundll32.exe NtCreateThread svchost.exe ID 1a8 4 [08][14] Conficker.dll rundll32.exe Conficker.dll [05] 3 VAD (ImageMap: 0) (Writable: 1) (Dirty: 1) [02][04] 4 Conficker.dll
No. : 14509 Time: 516811998 Type: sysexit Ret : 0 (STATUS_SUCCESS)
SNo.: 35 (NtCreateThread) Cid : 1a4.1a8 Name: rundll32.exe
Note: Cid: 434.1b0, Name: svchost.exe, EIP: 0x7c8106e9, Suspended: 0x1
StackTrace: SP: 7e640, StackBase: 80000, StackLimit: 74000
[00]7c94d19c (API: NtCreateThread+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 7e640
[01]7c810585 (API: CreateRemoteThread+0xc9, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: 7e644
[02]98bd46 (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7ea94
[03]987500 (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7eb00
[04]987c5f (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7ed38
[05]99721c (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7ed64
[06]10002639 (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7ed84
[07]1000401b (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7f184
[08]7c94118a (API: LdrpCallInitRoutine+0x14, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), BP: 7f1a4
...
[13]7c80aeec (API: LoadLibraryW+0x11, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7f888
[14]1001792 (API: -, Writable: 0, Dirty: 0, VAD:{1000000--100b000, ImageMap: 1, File: "\WINDOWS\system32\rundll32.exe"}), BP: 7f89c
...

Figure 4:

5.3 PDF D3M Dataset 2013[7] PDF Alkanet PDF 5 PDF AcroRd32.exe NtProtectVirtualMemory StackBase StackLimit [03] [03] NtProtectVirtualMemory PAGE_EXECUTE_READWRITE. 0x4270000 0x4271000 PDF AcroRd32.exe

6 VAD PEB_LDR_DATA[8] Volatility Framework[9] dlllist API VAD Alkanet VAD MAT (Module-based Analysis Tool) [10] DLL MAT Windows
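The following is an added example, not code from the paper or from Alkanet itself: the stack walk of Section 3 and the VAD/PTE-based invoker identification of Sections 4 and 5, written in Python and run over constructed stack images built from the return addresses and SP/BP values printed in Figures 3 and 4. It assumes the standard x86 frame layout ([EBP] holds the caller's EBP, [EBP+4] the return address), the sysenter-time ESP saved in EDX as in Figure 2, the StackBase/StackLimit bounds as the valid range for the walk, VAD ranges and PTE Writable/Dirty bits copied from the figures' StackTrace lines (the PTE flags and saved-EBP links are constructed), and a heuristic of my own (SYSTEM_IMAGES) that treats ntdll.dll and kernel32.dll frames as wrappers rather than the invoker. API symbol names are not resolved; that needs the export tables the tracer consults.

```python
import struct
from dataclasses import dataclass

# Assumption for this example: frames inside these wrapper images are skipped when looking
# for the invoker, since they only forward the call into the kernel.
SYSTEM_IMAGES = {"ntdll.dll", "kernel32.dll"}

@dataclass(frozen=True)
class Vad:  # one VAD entry [start, end) with its ImageMap flag and backing file
    start: int
    end: int
    image_map: bool
    file: str = ""

@dataclass
class Frame:
    index: int
    ret: int            # return address found on the stack
    anchor: str         # "SP": relative to the sysenter-time ESP (EDX); "BP": from an EBP frame
    at: int             # the SP slot or frame base it was read from
    vad: "Vad | None"
    writable: bool      # PTE Writable bit of the page holding ret
    dirty: bool         # PTE Dirty bit of the page holding ret

class Stack:  # constructed little-endian 32-bit stack image covering [StackLimit, StackBase)
    def __init__(self, base, limit, words):
        self.base, self.limit = base, limit
        self.mem = bytearray(base - limit)
        for addr, val in words.items():
            struct.pack_into("<I", self.mem, addr - limit, val)
    def holds(self, addr):
        return self.limit <= addr and addr + 4 <= self.base
    def read(self, addr):
        if not self.holds(addr):
            raise ValueError(f"{addr:#x} is outside the thread stack")
        return struct.unpack_from("<I", self.mem, addr - self.limit)[0]

def walk(stack, edx, ebp, vads, ptes, max_frames=16):
    """[00] and [01] come from the sysenter-time ESP held in EDX (Figure 2); later frames follow
    saved EBPs ([EBP] = caller's EBP, [EBP+4] = return address) while they stay inside the stack."""
    frames = []
    def add(ret, anchor, at):
        vad = next((v for v in vads if v.start <= ret < v.end), None)
        w, d = ptes.get(ret >> 12, (False, False))
        frames.append(Frame(len(frames), ret, anchor, at, vad, w, d))
    add(stack.read(edx), "SP", edx)          # return into the Nt* stub in ntdll
    add(stack.read(edx + 4), "SP", edx + 4)  # return into the API function that called the stub
    bp = ebp
    while len(frames) < max_frames and stack.holds(bp) and stack.holds(bp + 4):
        add(stack.read(bp + 4), "BP", bp)
        nxt = stack.read(bp)
        if nxt <= bp:  # a valid chain only moves toward StackBase; stop on a broken or FPO frame
            break
        bp = nxt
    return frames

def identify_invoker(frames):
    """First non-wrapper frame: a non-image VAD (runtime-generated code) or a module outside SYSTEM_IMAGES."""
    for f in frames:
        if f.vad is None:
            return f, "return address is not covered by any VAD"
        if not f.vad.image_map:
            kind = "writable, dirty " if f.writable and f.dirty else ""
            return f, f"{kind}non-image region {f.vad.start:#x}--{f.vad.end:#x}"
        name = f.vad.file.rsplit("\\", 1)[-1]
        if name.lower() not in SYSTEM_IMAGES:
            return f, f"module {name}"
    return None, "only system wrappers on the stack"

# Constructed module map and PTE flags, taken from the ranges printed in Figures 3 and 4.
VADS = [
    Vad(0x7c940000, 0x7c9dc000, True, "\\WINDOWS\\system32\\ntdll.dll"),
    Vad(0x7c800000, 0x7c933000, True, "\\WINDOWS\\system32\\kernel32.dll"),
    Vad(0x10000000, 0x10018000, True, "\\...\\My Documents\\Conficker.dll"),
    Vad(0x01000000, 0x0100b000, True, "\\WINDOWS\\system32\\rundll32.exe"),
    Vad(0x00980000, 0x009a1000, False),  # private, non-image region
]
PTES = {page: (True, True) for page in range(0x980, 0x9a1)}  # only the private region is writable+dirty

# Constructed stack images: Figures 3 and 4 addresses, saved-EBP links filled in, chains ended by a zero link.
STACK_FIG3 = Stack(0x80000, 0x74000, {          # EDX = 7ed40, EBP = 7ed64 at sysenter
    0x7ed40: 0x7c94d6dc, 0x7ed44: 0x7c801a81,   # [00] Nt stub, [01] VirtualProtectEx
    0x7ed64: 0x7ed80, 0x7ed68: 0x7c801aec, 0x7ed80: 0x7f184, 0x7ed84: 0x1000220e,
    0x7f184: 0x7f1a4, 0x7f188: 0x1000401b, 0x7f1a4: 0x0, 0x7f1a8: 0x7c94118a})
STACK_FIG4 = Stack(0x80000, 0x74000, {          # EDX = 7e640, EBP = 7ea94 at sysenter
    0x7e640: 0x7c94d19c, 0x7e644: 0x7c810585,   # [00] Nt stub, [01] CreateRemoteThread
    0x7ea94: 0x7eb00, 0x7ea98: 0x98bd46, 0x7eb00: 0x7ed38, 0x7eb04: 0x987500,
    0x7ed38: 0x7ed64, 0x7ed3c: 0x987c5f, 0x7ed64: 0x7ed84, 0x7ed68: 0x99721c,
    0x7ed84: 0x7f184, 0x7ed88: 0x10002639, 0x7f184: 0x0, 0x7f188: 0x1000401b})

def analyze(stack, edx, ebp):
    frames = walk(stack, edx, ebp, VADS, PTES)
    return (frames, *identify_invoker(frames))

if __name__ == "__main__":
    for stack, edx, ebp in ((STACK_FIG3, 0x7ed40, 0x7ed64), (STACK_FIG4, 0x7e640, 0x7ea94)):
        frames, invoker, why = analyze(stack, edx, ebp)
        print(f"{len(frames)} frames; invoker [{invoker.index:02d}] {invoker.ret:x}: {why}")
```

For the Figure 3 image the walk stops at the zero link after six frames and names Conficker.dll (frame [03]) as the invoker of NtProtectVirtualMemory; for the Figure 4 image it stops at frame [02], whose return address lies in the non-image, writable and dirty region 980000--9a1000, which is the runtime-generated code the paper points at. The monotonic-EBP check is what keeps a frame built without a frame pointer (the FPO case of Section 3.1) from sending the walk off the stack.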
No. : 39277 Time: 1195072803 Type: sysexit Ret : 0 (STATUS_SUCCESS)
SNo.: 89 (NtProtectVirtualMemory) Cid : 220.510 Name: AcroRd32.exe
Note: Pid: 564, Name: AcroRd32.exe NewProtect: PAGE_EXECUTE_READWRITE, OldProtect: PAGE_EXECUTE_READWRITE BaseAddress: 4270000, AllocationSize: 0x1000 (Range: 4270000--4271000)
StackTrace: SP: f601ff8, StackBase: 130000, StackLimit: 11d000
[00] 7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: f601ff8
[01] 7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0, VAD: {7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: f601ffc
[02] 7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: f60201c
[03] 42700c7 (API: -, Writable: 1, Dirty: 1, VAD:{4270000--4271000, ImageMap: 0}), BP: f602038

Figure 5: PDF

Alkanet Windows VMM MAT Alkanet

7 API DLL [11]

References
[1] Y. Otsuki et al.: Alkanet: A Dynamic Malware Analyzer based on Virtual Machine Monitor, In World Congress on Engineering and Computer Science 2012 (WCECS 2012), Vol. 1, pp. 36-44 (2012).
[2] :, 2011, 2011, pp. 95-100 (2011).
[3] T. Shinagawa et al.: BitVisor: a thin hypervisor for enforcing i/o device security, In Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pp. 121-130 (2009).
[4] Microsoft: stdcall, http://msdn.microsoft.com/en-us/library/zxk0tw93.aspx (2013).
[5] A. Glaister:, http://msdn.microsoft.com/ja-jp/library/bb694540(v=vs.85).aspx (2007).
[6] B. Dolan-Gavitt: The VAD tree: A process-eye view of physical memory, Digital Investigation, Vol. 4, pp. 62-64 (2007).
[7] : MWS Datasets 2013, 2013 (MWS2013) (2013).
[8] Microsoft: PEB_LDR_DATA structure (Windows), http://msdn.microsoft.com/en-us/library/windows/desktop/aa813708(v=vs.85).aspx (2013).
[9] volatility - An advanced memory forensics framework - Google Project Hosting, https://code.google.com/p/volatility/ (2013).
[10] F. Jianming et al.: Malware Behavior Capturing Based on Taint Propagation and Stack Backtracing, In Trust, Security and Privacy in Computing and Communications (TrustCom), 2011 IEEE 10th International Conference on, pp. 328-335 (2011).
[11] J. Butler et al.: Bypassing 3rd Party Windows Buffer Overflow Protection, Phrack 62, Volume 0x0b, Issue 0x3e, Phile #0x05 of 0x10, http://www.phrack.org/issues.html?issue=62&id=5#article (2004).