MindTheSec 2015 Forum Brazil – GPU Malware presentation

Dear readers, how are you? Below are the slides of my short presentation at MindTheSec 2015 Forum Brazil (http://mindthesec.com.br/alexandre-borges) about GPU malware:

http://alexandreborgesbrazil.files.wordpress.com/2015/09/2015-mindthesec-alexandre_borges1.pdf

Enjoy it!

I hope you have a nice day and feel free to comment about the slides.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Finding a few details of a process by using WinDbg

Sometimes my students talk about Windows processes as if they were the things that run, but I have to remind them that it is threads that run on the system. Indeed, each Windows process is represented by an EPROCESS structure (which lives in system address space), and each process has one or more running threads, each represented by a TEB (Thread Execution Block) structure that stores all information related to that thread. Additionally, there is another structure named PEB (Process Environment Block) that lives in the process address space and contains information accessed by user-mode code (the application).

The EPROCESS structure is listed by executing the following command:

lkd> dt nt!_eprocess
+0x000 Pcb : _KPROCESS
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER
+0x170 ExitTime : _LARGE_INTEGER
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : Ptr64 Void
+0x188 ActiveProcessLinks : _LIST_ENTRY
+0x198 ProcessQuotaUsage : [2] Uint8B
+0x1a8 ProcessQuotaPeak : [2] Uint8B
+0x1b8 CommitCharge : Uint8B
+0x1c0 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : Ptr64 _PS_CPU_QUOTA_BLOCK
+0x1d0 PeakVirtualSize : Uint8B
+0x1d8 VirtualSize : Uint8B
(truncated output)

In the same way, we can examine the TEB structure with a similar command:

lkd> dt nt!_teb
+0x000 NtTib : _NT_TIB
+0x038 EnvironmentPointer : Ptr64 Void
+0x040 ClientId : _CLIENT_ID
+0x050 ActiveRpcHandle : Ptr64 Void
+0x058 ThreadLocalStoragePointer : Ptr64 Void
+0x060 ProcessEnvironmentBlock : Ptr64 _PEB
+0x068 LastErrorValue : Uint4B
+0x06c CountOfOwnedCriticalSections : Uint4B
+0x070 CsrClientThread : Ptr64 Void
+0x078 Win32ThreadInfo : Ptr64 Void
+0x080 User32Reserved : [26] Uint4B
+0x0e8 UserReserved : [5] Uint4B

Of course, even though threads are what actually runs, it is still important to know how to list the processes running on the system. We can get that list by executing the following command in WinDbg:

lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8018dcb720
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a0000016d0 HandleCount: 597.
Image: System

PROCESS fffffa80194e9930
SessionId: none Cid: 0100 Peb: 7fffffd5000 ParentCid: 0004
DirBase: 2a3cf000 ObjectTable: fffff8a0005ddef0 HandleCount: 29.
Image: smss.exe

PROCESS fffffa8019f68b10
SessionId: 0 Cid: 0158 Peb: 7fffffda000 ParentCid: 0150
DirBase: 1b7d1000 ObjectTable: fffff8a00162d970 HandleCount: 517.
Image: csrss.exe

...

PROCESS fffffa801a9deb10
SessionId: 1 Cid: 04d0 Peb: fffdf000 ParentCid: 06d8
DirBase: 3450a000 ObjectTable: fffff8a00314b9a0 HandleCount: 704.
Image: chrome.exe

PROCESS fffffa801a95ab10
SessionId: 1 Cid: 0e98 Peb: fffdf000 ParentCid: 04d0
DirBase: 30fd2000 ObjectTable: fffff8a002cc9670 HandleCount: 147.
Image: chrome.exe

PROCESS fffffa801a6c8b10
SessionId: 1 Cid: 0824 Peb: fffdf000 ParentCid: 04d0
DirBase: 2c471000 ObjectTable: fffff8a002d9c370 HandleCount: 162.
Image: chrome.exe

(truncated output)

Try a few simple interactions on your own system. For example, examine the details of the chrome.exe process by running the following command:

lkd> !process chrome.exe
PROCESS fffffa801a7d4610
SessionId: 1 Cid: 0f38 Peb: 7fffffdd000 ParentCid: 06d8
DirBase: 3c1b1000 ObjectTable: fffff8a0000ba900 HandleCount: 152.
Image: windbg.exe
VadRoot fffffa801a824c80 Vads 114 Clone 0 Private 5078. Modified 403. Locked 1.
DeviceMap fffff8a002138700
Token fffff8a002784060
ElapsedTime 01:04:44.995
UserTime 00:00:00.015
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 212224
QuotaPoolUsage[NonPagedPool] 14136
Working Set Sizes (now,min,max) (9427, 50, 345) (37708KB, 200KB, 1380KB)
PeakWorkingSetSize 9592
VirtualSize 122 Mb
PeakVirtualSize 126 Mb
PageFaultCount 15826
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 5517

THREAD fffffa801a6a6060 Cid 0f38.0efc Teb: 000007fffffde000 Win32Thread: fffff900c1eb4010 WAIT: (WrUserRequest) UserMode Non-Alertable
fffffa801a8174a0 SynchronizationEvent

THREAD fffffa801972f060 Cid 0f38.0f34 Teb: 000007fffffdb000 Win32Thread: fffff900c26c0c10 RUNNING on processor 0

THREAD fffffa8018eb5890 Cid 0f38.0368 Teb: 000007fffffd9000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa801a8d2060 SynchronizationTimer
fffffa8018e78de0 SynchronizationTimer
fffffa801a6572f0 SynchronizationEvent
fffffa801a4e35b0 SynchronizationEvent
fffffa801a61b8e0 SynchronizationEvent
fffffa801a730d90 SynchronizationEvent
fffffa801a64fe90 SynchronizationEvent
fffffa801a9d1060 SynchronizationTime

THREAD fffffa8019730060 Cid 0f38.0e34 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa801a5e0ac0 QueueObject

The PEB (Process Environment Block) is at address 7fffffdd000, so it’s time to get more details about it by executing the following command:

lkd> dt nt!_peb 7fffffdd000
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0 ''
+0x003 BitField : 0x8 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsLegacyProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 SpareBits : 0y000
+0x008 Mutant : 0xffffffff`ffffffff Void
+0x010 ImageBaseAddress : 0x00000001`3fc00000 Void
+0x018 Ldr : 0x00000000`76dee640 _PEB_LDR_DATA
+0x020 ProcessParameters : 0x00000000`00111f90 _RTL_USER_PROCESS_PARAMETERS
+0x028 SubSystemData : (null)
+0x030 ProcessHeap : 0x00000000`00110000 Void
+0x038 FastPebLock : 0x00000000`76df6b20 _RTL_CRITICAL_SECTION
+0x040 AtlThunkSListPtr : (null)
(truncated output)

The loader member (Ldr) contains valuable information about which DLLs are loaded into the process address space. To find out which DLLs those are, execute:

lkd> dt nt!_PEB_LDR_DATA 0x00000000`76dee640
+0x000 Length : 0x58
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`00112af0 - 0x00000000`0017a8b0 ]
+0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`00112b00 - 0x00000000`0017a8c0 ]
+0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`00112c00 - 0x00000000`0017a8d0 ]
+0x040 EntryInProgress : (null)
+0x048 ShutdownInProgress : 0 ''
+0x050 ShutdownThreadId : (null)

Some explanation is necessary here:

  • PEB_LDR_DATA -> contains the heads of the linked lists that are used to enumerate all DLLs loaded into the process.
  • InLoadOrderModuleList -> a linked list of all DLLs used by the process (ordered by their loading order).
  • InMemoryOrderModuleList -> a linked list of all DLLs used by the process (ordered by their memory address).
  • InInitializationOrderModuleList -> a linked list of all DLLs used by the process (ordered by their initialization order). We should remember that a DLL is initialized only after its imports have been resolved.

Starting with the InInitializationOrderModuleList, examine its content by running the following command:

lkd> dd 0x00000000`00112c00
00000000`00112c00 001130f0 00000000 76dee670 00000000
00000000`00112c10 76cc0000 00000000 00000000 00000000
00000000`00112c20 001a9000 00000000 003c003a 00000000
00000000`00112c30 00112a60 00000000 00140012 00000000
00000000`00112c40 76dd13d8 00000000 00004004 0000ffff
00000000`00112c50 00128b20 00000000 76df6320 00000000
00000000`00112c60 556366f2 00000000 00000000 00000000
00000000`00112c70 00000000 00000000 00112c78 00000000

Dumping the address held in the first member (the forward link), we get the following information:

lkd> dd 001130f0
00000000`001130f0 00112f80 00000000 00112c00 00000000
00000000`00113100 fcd50000 000007fe fcd52780 000007fe
00000000`00113110 0006c000 00000000 00460044 00000000
00000000`00113120 00113080 00000000 001e001c 00000000
00000000`00113130 001130a8 00000000 00084004 0000ffff
00000000`00113140 00128850 00000000 76df6340 00000000
00000000`00113150 556366fd 00000000 00000000 00000000
00000000`00113160 00000000 00000000 00113168 00000000

That is nice! We can state that we are handling a linked list because 00112c00 00000000 (remember: the 64-bit address is shown as two dwords in reversed order) is a pointer back to our previous list node (at 0x00000000`00112c00). If we keep examining these structures, we will find other relevant things:

lkd> db 76cc0000
00000000`76cc0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
00000000`76cc0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
00000000`76cc0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`76cc0030 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
00000000`76cc0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
00000000`76cc0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
00000000`76cc0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
00000000`76cc0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

It is amazing again! The address (00000000`76cc0000) is the start address of a PE executable (note the “MZ” characters).

Repeating the “dd” command on the InInitializationOrderModuleList entry, and this time also dumping the name string it points to, we have:

lkd> dd 0x00000000`00112c00
00000000`00112c00 001130f0 00000000 76dee670 00000000
00000000`00112c10 76cc0000 00000000 00000000 00000000
00000000`00112c20 001a9000 00000000 003c003a 00000000
00000000`00112c30 00112a60 00000000 00140012 00000000
00000000`00112c40 76dd13d8 00000000 00004004 0000ffff
00000000`00112c50 00128b20 00000000 76df6320 00000000
00000000`00112c60 556366f2 00000000 00000000 00000000
00000000`00112c70 00000000 00000000 00112c78 00000000

lkd> du 00112a60
00000000`00112a60 “C:\Windows\SYSTEM32\ntdll.dll”

lkd> dd 001130f0
00000000`001130f0 00112f80 00000000 00112c00 00000000
00000000`00113100 fcd50000 000007fe fcd52780 000007fe
00000000`00113110 0006c000 00000000 00460044 00000000
00000000`00113120 00113080 00000000 001e001c 00000000
00000000`00113130 001130a8 00000000 00084004 0000ffff
00000000`00113140 00128850 00000000 76df6340 00000000
00000000`00113150 556366fd 00000000 00000000 00000000
00000000`00113160 00000000 00000000 00113168 00000000

lkd> du 00113080
00000000`00113080 “C:\Windows\system32\KERNELBASE.d”
00000000`001130c0 “ll”

So far we have found two important DLLs. Now let’s look at the PEB’s loader structure again:

lkd> dt nt!_PEB_LDR_DATA 0x00000000`76dee640
+0x000 Length : 0x58
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`00112af0 - 0x00000000`0017a8b0 ]
+0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`00112b00 - 0x00000000`0017a8c0 ]
+0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`00112c00 - 0x00000000`0017a8d0 ]
+0x040 EntryInProgress : (null)
+0x048 ShutdownInProgress : 0 ''
+0x050 ShutdownThreadId : (null)

Instead of continuing with the InInitializationOrderModuleList, let’s switch our focus to the InMemoryOrderModuleList and execute the following command:

lkd> dd 00112b00
00000000`00112b00 00112bf0 00000000 76dee660 00000000
00000000`00112b10 00000000 00000000 00000000 00000000
00000000`00112b20 3fc00000 00000001 3fc534a0 00000001
00000000`00112b30 00091000 00000000 00820080 00000000
00000000`00112b40 00112830 00000000 00160014 00000000
00000000`00112b50 0011289c 00000000 00004000 0000ffff
00000000`00112b60 0017a560 00000000 76df62f0 00000000
00000000`00112b70 544af449 00000000 00000000 00000000

lkd> du 00112830
00000000`00112830 “C:\Program Files (x86)\Windows K”
00000000`00112870 “its\8.1\Debuggers\x64\windbg.exe”
00000000`001128b0 “”

lkd> dd 00112bf0
00000000`00112bf0 00112f70 00000000 00112b00 00000000
00000000`00112c00 001130f0 00000000 76dee670 00000000
00000000`00112c10 76cc0000 00000000 00000000 00000000
00000000`00112c20 001a9000 00000000 003c003a 00000000
00000000`00112c30 00112a60 00000000 00140012 00000000
00000000`00112c40 76dd13d8 00000000 00004004 0000ffff
00000000`00112c50 00128b20 00000000 76df6320 00000000
00000000`00112c60 556366f2 00000000 00000000 00000000

lkd> du 00112a60
00000000`00112a60 “C:\Windows\SYSTEM32\ntdll.dll”

lkd> dd 00112f70
00000000`00112f70 001130e0 00000000 00112bf0 00000000
00000000`00112f80 00113f50 00000000 001130f0 00000000
00000000`00112f90 76ba0000 00000000 76bb5340 00000000
00000000`00112fa0 0011f000 00000000 00420040 00000000
00000000`00112fb0 00112f10 00000000 001a0018 00000000
00000000`00112fc0 00112f38 00000000 00084004 0000ffff
00000000`00112fd0 00125a40 00000000 76df62a0 00000000
00000000`00112fe0 556366fc 00000000 00000000 00000000

lkd> du 00112f10
00000000`00112f10 “C:\Windows\system32\kernel32.dll”
00000000`00112f50 “”

lkd> dd 001130e0
00000000`001130e0 00113e00 00000000 00112f70 00000000
00000000`001130f0 00112f80 00000000 00112c00 00000000
00000000`00113100 fcd50000 000007fe fcd52780 000007fe
00000000`00113110 0006c000 00000000 00460044 00000000
00000000`00113120 00113080 00000000 001e001c 00000000
00000000`00113130 001130a8 00000000 00084004 0000ffff
00000000`00113140 00128850 00000000 76df6340 00000000
00000000`00113150 556366fd 00000000 00000000 00000000

lkd> du 00113080
00000000`00113080 “C:\Windows\system32\KERNELBASE.d”
00000000`001130c0 “ll”

lkd> dd 00113e00
00000000`00113e00 00113f40 00000000 001130e0 00000000
00000000`00113e10 00125060 00000000 001143e0 00000000
00000000`00113e20 fde90000 000007fe fdeb4e20 000007fe
00000000`00113e30 000db000 00000000 00420040 00000000
00000000`00113e40 00113da0 00000000 001a0018 00000000
00000000`00113e50 00113dc8 00000000 00084004 0000ffff
00000000`00113e60 76df6360 00000000 76df6360 00000000
00000000`00113e70 556365e3 00530055 00000000 00000000

lkd> du 00113da0
00000000`00113da0 “C:\Windows\system32\ADVAPI32.dll”
00000000`00113de0 “”

I’m sure the reader has understood that we can enumerate all DLLs of a process by using this method. :)

Honestly, I hope you find some time to play with WinDbg. You will certainly discover very interesting things in your tests.

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Speaking about Malware: a public initiative

Dear readers, good morning. How are you? Several companies have sent me messages asking about the possibility of lectures on IT Security (especially Malware Analysis). Therefore, I have decided to make myself available to universities and companies to give lectures on Malware Analysis and all its consequences.

The most interesting part of this initiative: no cost. The main goal is to warn everybody about the risks, consequences and concepts of malware attacks. Furthermore, these lectures will show you the fundamentals of Malware Analysis.

Are you interested? Send me an e-mail to alexandreborges [at] alexandreborges [dot] org

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Device profiling and Firefox anonymity

Dear readers, how are you? Two interesting articles for your reading follow below. The first one comes from SANS (by Chad Tilbury) and explains Device Profiling. The second one is about security, privacy and anonymity in Firefox (by agilob):

https://digital-forensics.sans.org/blog/2015/08/19/device-profiling-with-windows-prefetch

http://b.agilob.net/better-security-privacy-and-anonymity-in-firefox/

Have a nice day and enjoy it.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

First information about my Malware Analysis courses

Dear friends, how are you? A few weeks ago I announced that I am delivering some courses next year. Honestly, I have been working hard, writing course by course, and I hope all of them are ready next year. Nonetheless, I would like to show you a small part of the TOC (Table of Contents) of the Malware courses. Doubtless, there are more items to be added.

Another point: I still don’t know which items will be presented in the first course and which in the second. The decision will likely depend on the number of pages, and the following TOC may change.

Malware Analysis (part 1 and 2)

  • Introduction to Malware
  • Building a physical and virtual lab for Malware Analysis
  • Profiling Malware
  • Static Analysis: basics
  • Dynamic Analysis: basics
  • Analyzing malicious documents such as HTML pages, PDF and .docx
  • Assembly: a solid approach
  • Reversing C: how to reverse the most common constructs
  • IDA Pro: a crash course
  • Python: another crash course
  • Windows Internals and Exception Handling: only the necessary information
  • Debugging concepts, OllyDbg and Immunity
  • How to handle malicious DLLs
  • DLL Injection and API Hooking: the game starts
  • Analyzing the malware network traffic
  • WinDbg (part 1) – analyzing simple crash dumps and Windows structures
  • WinDbg (part 2) – debugging the Kernel
  • WinDbg (part 3) – finding malware tracks
  • First tricks used by malware
  • Anti-Forensics Malware Methods
    • Process Injection, APC Injection, Process Replacement
    • User-mode Rootkits
    • Encoding/Decoding
    • Anti-Debugging
    • Anti-Disassembly
    • Anti-VM
    • Patching Executables
    • Handling malware that uses shellcode
  • Packers – an extensive approach
  • IDA scripting
  • C++ and x64 Malware

There is another course about Malware (part 3), but I will release more information in the coming weeks.

Finally, I will soon post the first information about the Hacking courses (parts 1, 2 and 3) and Digital Forensics. Stay tuned!

The e-mail address for additional information is: training [at] alexandreborges [dot] org

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Mandiant APT1 Report (it is still interesting)

Dear readers, although the document below (Mandiant APT1 Report) is from 2013, it is still interesting:

https://alexandreborgesbrazil.files.wordpress.com/2015/08/mandiant_apt1_report.pdf

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)