Malware Anti-Analysis Techniques-TLS and Process Hallowing
In continuation to previous articles, this article will also show a more sophisticated approach used by malware to thwart anti-analysis techniques.
Let's start the analysis of sampleTLS.exe
Become a certified reverse engineer!
As soon as I load the sample into OllyDBG for debugging, it is in paused state, but when I look into process hacker, there is an instance already started running. See below sample is in paused state
However, then in process hacker below, we can see the instance as already running.
What is causing the sample to launch even before WinMain() is hit.
Well, it is about TLS callback which is executed before the Entry Point WinMain().On loading this sample in IDAPro, we can see that there are a couple of entry points:
Let's configure OllyDBG to pause at TLS callbacks instead of WinMain.
Now let's load the sample again in OllyDBG after the above configuration. We can see that now only one process is running under OllyDBG under process hacker. Below is the code of TLS callback function.
Now since we have overcome the entry point and the hidden TLS callback in the sample, let's begin the normal analysis. Let's see the function calls embedded in the sample. Below is the snippet of the embedded function calls that the specimen is utilizing.
Well, can you think we can we see CreateProcess, NTUnmapViewOfSection, ReadProcessMemory, WriteProcessMemory, etc.? If you are thinking Process Hallowing, let's keep it as our assumption for now.
Let's see how we can track our assumption in the following section. Let's search for function with what Process Hallowing starts i.e. CreateProcess
Let's keep a breakpoint there when the CreateProcess is about to begin and analyze the parameters on the stack.
The top one is the address of the next instruction where this function will return to. Let's look at other important function parameters like:
- At 00411010: The process that needs to be created. This means that the sampleTLS.exe is creating a child process of its own as we have already seen in the process hacker screenshot earlier.
- The other important parameter is the 6th parameter which is CreationFlag. Its value is set to 4. This corresponds to the create the process in 'suspended' state. This is an important indicator of our assumption around Process Hallowing.
Ok, let's run this sample and 'analyze till user code' to hit the location where this function was called from.
Here call EAX points to call to CreateProcess, and we can see the parameter that is passed to the function. Note the CREATE_SUSPENDED flag also there.
Also notice the SUB ESP,28 which is a stack clean up act.
Now lets' step through the user code until we reach Write Process as we are interested I what is written to the hallowed process. On the way, you might see other function calls as well like VirtualAlloc, VirtualAllocEx, NtUnmapViewOfSection
Below we can see the ReadProcessMemory when the sample is reading the attributes of the process to be followed like the handle, baseaddress, etc.
Below is the code section for WriteProcessMemory
Here we can see that buffer attributes that is to be written to the hollowed process. And following are the contents of what's inside the buffer. Notice the MZ header in the buffer.
Let's dump this file memory section to a file on disk by name sampleTLS_dump.exe and let's start analyzing that file now.
First, let's load the file to view if it is still packed or not. It turns out that the dumped file is packed with UPX packer.
It is easy for us now to unpack it since it is packed with a known packer. Let's unpack it
Now let's start analyzing the unpacked binary which indeed has the malicious characteristics. Below we can see various API calls related to internet access, reading file, etc.
Below are some of the strings that can be extracted from the unpacked file. We can see URLs and their file fetch records inside strings.
Since there are too many fuzzed up strings, let's try to see if it is encoded or not. Let's try to brute force decode it with 1 byte XOR keys, and we can see that a new URL can be seen like atomportal.
And this is the domain which the original sample(sampleTLS.exe) is trying to communicate with and download the get.php file when we provide it fake DNS and run a httpd port.
The result of this get.php file is that it will overtake the victim screen.