Unintended Results » pyew http://joxeankoret.com/blog Or maybe not Sun, 04 Dec 2011 17:55:48 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Analyzing PDF exploits with Pyew http://joxeankoret.com/blog/2010/02/21/analyzing-pdf-exploits-with-pyew/ http://joxeankoret.com/blog/2010/02/21/analyzing-pdf-exploits-with-pyew/#comments Sun, 21 Feb 2010 14:46:23 +0000 joxean http://joxeankoret.com/blog/?p=95 Something I really hate to do when analyzing PDF malware exploits is to manually extract the streams and manually decode them to see the, typically, hidden JavaScript code, so I decided to extend the PDF plugin for Pyew to automatically see them. Now, with the new version of the plugin (download it from the Mercurial repository) we can see what filters are used in the exploit and, the most important thing, we can see the decoded streams, independently of how many filters are being used.

Example

For example, I will take one obfuscated PDF exploit (SHA256 6a8204ee7b703f96f811f32f903ac9df4045b05910d633fc34fed89e2e0a7576). I will open it in Pyew to see what is inside so, simply, run the command "pyew pdf.file":

$ pyew sample.pdf
PDF File

PDFiD 0.0.9_PL 6a8204ee7b703f96f811f32f903ac9df4045b05910d633fc34fed89e2e0a7576
PDF Header: %PDF-1.1
obj 4
endobj 4
stream 1
endstream 1
xref 1
trailer 1
startxref 1
/Page 1
/Encrypt 0
/ObjStm 0
/JS 1
/JavaScript 1
/AA 0
/OpenAction 1
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Colors > 2^24 0
%%EOF 1
After last %%EOF 0
Total entropy: 4.293999 ( 5547 bytes)
Entropy inside streams: 3.669587 ( 4773 bytes)
Entropy outside streams: 5.132696 ( 774 bytes)

(...)

[0x00000000]> p
%PDF-1.1
%вгПУ
1 0 obj
<<
/Type /Catalog
/OpenAction <<
/JS 4 0 R
/S /JavaScript
>>
/Pages 2 0 R
>>
endobj
2 0 obj
<<
/Type /Pages
/Kids [ 3 0 R ]
/Count 1
>>
endobj
3 0 obj
<<
/Type /Page
/Parent 2 0 R
/Resources <<
/Font <<
/F1 <<
/Type /Font
/Name /F1
/Subtype /Type1
/BaseFont /Helvetica
>>
>>
>>
/MediaBox [ 0 0 795 842 ]
>>
endobj
4 0 obj
<<
/Length 4769
/Filter [/ASCIIHexDecode /ASCII85Decode /#4c

What we see in Pyew? The output of PDFId (a great tool by Didier Stevens) as well as the hexadecimal output of the first block (512 bytes). Taking a brief look to the 1st block of data we see one "OpenAction" to execute JavaScript. Surprise. The code "/JS 4 0 R" specifies that the JavaScript code to be executed is the object number 4. Seeking to the offset where the object #4 is and printing the buffer (in ASCII) we will find the following:

[0x000001b7]> s 0x1b7
[0x000001b7]> p
4 0 obj
<<
        /Length 4769
        /Filter [/ASCIIHexDecode /ASCII85Decode /#4c#5a#57De#63#6fde /R#75nLen#67t#68#44ecod#65 /FlateDecode ]
>>stream
4A2E3539605651222D714E634326304C5A47725A236A63494B26682C323A4E532...

The object is multiple times encoded and, which is more, the strings to specify what filters must be used in order to decode the stream are encoded too. It's perfectly legal according to the PDF specifications, although pretty suspicious. Pyew does a good job decoding both the encoded strings and the multiple times encoded stream. To see the streams just type "pdfvi" to see the encoded streams in the console:

eval(unescape("%76%61%72%20%56%68%4C%66%4E%20%3D..."))

Wow! it's a small chunk of JavaScript data ;) Pyew automagically applied all the filters needed (ASCIIHexDecode, ASCII85Decode, LZWDecode, RunLengthDecode and FlateDecode) and printed out the obfuscated code. We can see it, too, in a graphical user interface. Instead of typing "pdfvi" execute the command "pdfview". You will see the following screen:

Obfuscated Stream View

Obfuscated Stream View

More Examples

OK, so we can see now the encoded stream but, what if there are a lot of encoded streams and we must check them all or if we want to see just one of them? For this purpose, and also to show the Pyew's APIs, I created an example usage of the PDF API. The example reads all the streams and shows a list of all the encoded streams as you may see in the following snapshot:

Usage example of the PDF API

Usage example of the PDF API

Using this simple screen we can see all the streams or just one specific (encoded) stream. This is the code of this example usage of the Pyew's API for the PDF format:

#!/usr/bin/env python
  1.  
  2. import os
  3. import sys
  4.  
  5. from pyew_core import CPyew
  6. from easygui import choicebox, fileopenbox, msgbox
  7.  
  8. def main(filename=None):
  9.     if filename is None:
  10.         filename = fileopenbox(msg="Select PDF file", default="*.pdf", filetypes=["*.pdf"])
  11.         if filename is None:
  12.             return
  13.  
  14.     pyew = CPyew(batch=True)
  15.     pyew.loadFile(filename)
  16.  
  17.     streams = pyew.plugins["pdfilter"](pyew, doprint=True)
  18.     if len(streams) == 0:
  19.         msgbox(title="PDF Streams",msg="No encoded streams found")
  20.  
  21.     l = []
  22.     l.append("About PDF Streams Viewer")
  23.     l.append("See all streams (both encoded and unencoded)")
  24.     for x in streams:
  25.         l.append("Stream %d encoded with %s" % (x, streams[x]))
  26.     l.append("Quit")
  27.  
  28.     while 1:
  29.         c = choicebox(msg="Select one stream to view it decoded", title="Stream Viewer", choices=l)
  30.         if c is None:
  31.             break
  32.         elif c.lower() == "quit":
  33.             break
  34.         elif c.lower().startswith("about"):
  35.             msgbox(title="About PDF Streams Viewer",
  36.                    msg="Example usage of the Pyew APIs to see PDF streams. Written by Joxean Koret")
  37.         elif c.lower().startswith("see all"):
  38.             pyew.plugins["pdfview"](pyew, doprint=False, stream_id=-1)
  39.         else:
  40.             stream_id = int(c.split(" ")[1])
  41.             pyew.plugins["pdfview"](pyew, stream_id=stream_id)
  42.  
  43. if __name__ == "__main__":
  44.     if len(sys.argv) == 1:
  45.         main()
  46.     else:
  47.         main(sys.argv[1])

And, that's all for the moment. I hope you like the new Pyew's features ;)

]]> http://joxeankoret.com/blog/2010/02/21/analyzing-pdf-exploits-with-pyew/feed/ 3 Malware Tricks I http://joxeankoret.com/blog/2009/12/02/malware-tricks-i/ http://joxeankoret.com/blog/2009/12/02/malware-tricks-i/#comments Wed, 02 Dec 2009 21:57:42 +0000 joxean http://joxeankoret.com/blog/?p=76 Today, while analyzing a family of malwares (the familiy called by some vendors as "Krap") I noticed a good and new, at least for me, antiemulation technique. What do you think this sample code does?

some_func:
  1.   ; Do stuff...
  2.  
  3. start:
  4.    push offset some_func
  5.    jmp edx


What is this? We're pushing the address of the function some_func in the stack and, after this, jumping unconditionally to the address contained at EDX. The question here is: What value has the EDX register before executing your first line of assembly code? You have the address of ntdll!KiFastSystemCallRet:

So, basically, we're jumping to a return only function (see a detailed description of KiFastSystemCallRet) efectively returning into the "some_func" function. The emulators I tested, as in example, the Bochs Debugger module that comes with IDA Pro, initialize all the registers to 0: a cool trick! And the first time I see this.

The tricks I typically find in malware are undocumented (or non typical) API calls mixed with junk code, as the following example extracted from a Mebroot downloader:

  1. 000013a7 PUSH 0x74327ebc
  2. 000013ac CALL KERNEL32.dll!WriteFile
  3. 000013b2 TEST EAX, EAX
  4. 000013b4 JZ 0x000013bb      ; 1
  5. 000013b6 JMP 0x0000108e     ; 2
  6. 000013bb PUSH 0x0
  7. 000013bd CALL KERNEL32.dll!DisconnectNamedPipe

Junk code using APIs relatively commons:

  1. 00001c1f PUSH 0x0
  2. 00001c21 PUSH 0x0
  3. 00001c23 CALL SHLWAPI.dll!SHDeleteKeyA
  4. 00001c29 PUSH 0x100
  5. 00001c2e CALL msvcrt.dll!malloc
  6. 00001c34 ADD ESP, 0x4
  7. 00001c37 PUSH EAX
  8. 00001c38 CALL msvcrt.dll!free
  9. 00001c3e ADD ESP, 0x4
  10. 00001c41 PUSH 0x0
  11. 00001c43 CALL WINMM.dll!timeKillEvent
  12. 00001c49 PUSH 0x10005129
  13. 00001c4e LEA EAX, [EBP-0x20]
  14. 00001c51 PUSH EAX
  15. 00001c52 CALL USER32.dll!wsprintfA
  16. 00001c58 ADD ESP, 0x8
  17. 00001c5b PUSH 0x0
  18. 00001c5d CALL ADVAPI32.dll!RegCloseKey
  19. 00001c63 CALL ole32.dll!OleUninitialize

Very simple API calls not commonly emulated (extracted from the dropper of the rootkit TDSS):

  1. 00000813 XOR ESI, ESI
  2. 00000815 PUSH ESI
  3. 00000816 MOV EAX, [0x40600c]        ; kernel32.dll!GetModuleHandleA
  4. 0000081d CALL EAX
  5. 0000081f (PUSH 0x74
  6. 00000821 MOV EAX, [0x406080]        ; msvcrt.dll!iscntrl
  7. 00000827 CALL EAX
  8. 00000829 POP ECX
  9. 0000082a TEST EAX, EAX
  10. 0000082c JNZ 0x000008ad     ; 1
  11. 00000832 PUSH 0x6d
  12. 00000834 PUSH 0x68
  13. 00000836 MOV EAX, [0x40607c]        ; msvcrt.dll!is_wctype
  14. 0000083d CALL EAX

Or strange x86 assembly instructions like multibyte NOPs with redundant prefixes and so on (found in some variants of Sality):

  1. f30f1f90909090. rep nop [eax+0x66909090]

I know it's just one antiemulation trick and there are thousands of them but this trick is new (at least for me), special and cool!

]]> http://joxeankoret.com/blog/2009/12/02/malware-tricks-i/feed/ 0