Dynamic binary instrumentation (DBI) is a technique for analysing the behaviour of a binary application at runtime through the injection of instrumentation code. This instrumentation code is designed to be transparent towards the instrumented application and it executes as a part of the normal execution flow without significant runtime overhead. Moreover, there are no limitations for the instrumentation code - a user can implement even a complex logic to observe execution flow, memory layout, etc. Certainly, such a flexible and powerful technique can and should be used for malware analysis. However, while there are several open-source tools (PoCs) implemented on top of DBI frameworks, their application for malware analysis is very limited. In the talk the author will discuss the pros and cons of malicious code instrumentation and his experience of how DBI can be used to perform investigation of sophisticated banking trojans such as Gootkit and EmbusteBot as well as dozens of other malicious samples in practice. Moreover, the author will release a new tool for transparent and lightweight dynamic malware analysis and will demonstrate, using examples, how this tool can help researchers to easily reveal important behaviour details of sophisticated malicious samples. EmbusteBot (a new banking trojan from Brazil found and reported by the author in 2017) was investigated using only this tool without even starting a debugger or disassembler.

1. Tricky Sample ? Hack it easy! Applying dynamic binary
instrumentation to light-weight malware behavior analysis
Maksim Shudrak

2. About Me
BIO
2018 – present: Senior Offensive Security Researcher
2016: Defended PhD (Vulns Hunting) in Tomsk, Russia
2015-2017: Researcher, IBM Research, Haifa, Israel
2011-2015: Security Researcher, PhD student
Interests
Vulnerabilities Hunting
Fuzzing
Reverse-engineering
Malware Analysis
Dynamic Binary Instrumentation
Projects
Drltrace – transparent API-calls tracing for malware analysis
https://github.com/mxmssh/drltrace
WinHeap Explorer – PoC for heap-based bugs detection in x86 code
https://github.com/WinHeapExplorer/WinHeap-Explorer
IDAMetrics – IDA plugin for machine code complexity assessment
https://github.com/mxmssh/IDAmetrics

3. Outline
● Why Dynamic Analysis?
● Current approaches
● Runtime Overhead vs Visibility
● Dynamic Binary Instrumentation
● Technique Overview
● DBI Frameworks Comparison
● DrLtrace
● How Does It Work ?
● Usage
● Examples & Demo
3

4. Why dynamic ?
● Obfuscated & packed
code hard for
static analysis.
● In some cases, we
need only a high-
level view on
malware behavior.
4

5. Current Situation in Dynamic Analysis
Runtime overhead
Visibility
Library Calls Tracing
(e.g. APIMonitor)
Emulation
(e.g. QEMU+PANDA)
Syscalls Tracing
(e.g. ProcMon)
5

6. Emulation. Visibility Example
6

7. Runtime Overhead. Stalling Code
7

8. 10 min on CPU = 1d08h in emulator
8

9. Emulation. Visibility Example
9

10. Syscalls Tracing. Visibility Example
10

11. API Tracing. Visibility Example
11

12. Ltrace for Linux
12

13. Current Situationin Dynamic Analysis
Runtime overhead
Visibility
Library Calls Tracing
(e.g. APIMonitor)
Emulation
(e.g. QEMU+PANDA)
Syscalls Tracing
(e.g. ProcMon)
?
13

14. Current Situationin Dynamic Analysis
Runtime overhead
Visibility
Library Calls Tracing
(e.g. APIMonitor)
Emulation
(e.g. QEMU+PANDA)
Syscalls Tracing
(e.g. ProcMon)
Dynamic Binary Instrumentation
(e.g. Intel Pin)
14

15. Dynamic Binary Instrumentation (DBI) is a
technique of analyzing the behavior of a binary
application at runtime through the injection of
instrumentation code.
15

16. Modern DBI Frameworks
DynamoRIO Intel PIN
Redistribution
model
Open-source, BSD – license Proprietary
Supported
architectures
x86, x86-64, ARM, AArch64 x86, x86-64
Supported
Platforms
Linux, Windows, MacOS,
Android
Linux, Windows, MacOS,
Android
Average
runtime overhead
108% (no tool)
139% (BBs counter)
130% (no tool)
162% (BBs counter)
Language C/C++ C/C++ (some Python
wrappers available)
Technology Binary code transformation callout/trampolines
16

17. How Does DynamoRIO Work ? (10000 foot view)
Target applicationLauncher
DynamoRIO Application in memory
Kernel
shared system libs
17

18. How Does DynamoRIO Work ? (10000 foot view)
Target applicationLauncher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
shared system libs
.
.
18

19. How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(2)
Inject instrumentation
library
Target application
shared system libs
19

20. Target application
shared system libs
How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(3)
Hook entry point DynamoRIO lib + user-defined libs
20

21. Target application
shared system libs
How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(3)
Hook entry point DynamoRIO lib + user-defined libs
ins2
basic block
ins3
ins1
Takefirstbasicblock
(4)
21

22. Target application
shared system libs
How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(3)
Hook entry point DynamoRIO lib + user-defined libs
ins2
basic block
transformation
(5)
ins1
ins2
DR’s ins6
ins3
ins1
Code cache
DR’s ins1
DR’s ins2
DR’s ins3
DR’s ins4
DR’s ins5
ins3
(4)
Takefirstbasicblock
22

23. Target application
shared system libs
How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(3)
Hook entry point DynamoRIO lib + user-defined libs
Takefirstbasicblock
(4)
ins2
basic block
transformation
(5)
ins1
ins2
DR’s ins6
ins3
ins1
Code cache
DR’s ins1
DR’s ins2
DR’s ins3
DR’s ins4
DR’s ins5
ins3
Takenextbasicblock
(6)
23

24. How Does Drltrace Work ?
Application in memory
Main module
kernel32.dll
ntdll.dll
DBI engine
dynamorio.dll
drltrace.dll
24

25. How Does Drltrace Work ?
Application in memory
Main module
kernel32.dll
ntdll.dll
DBI engine
dynamorio.dll
drltrace.dll
25
InstrumentLoadLibrarycall
Setcallback
(1)
(1.1)

26. How Does Drltrace Work ?
Application in memory
Main module
kernel32.dll
ntdll.dll
DBI engine
dynamorio.dll
drltrace.dll
26
InstrumentLoadLibrarycall
Setcallback
(1)
(1.1)
LoadLibrary(msvcrt.dll)(2)

27. How Does Drltrace Work ?
Application in memory
Main module
kernel32.dll
ntdll.dll
DBI engine
dynamorio.dll
drltrace.dll
27
InstrumentLoadLibrarycall
Setcallback
(1)
(1.1)
LoadLibrary(msvcrt.dll)(2)
msvcrt.dll (being loaded)
Instrumentexportedfunctions
(3)

28. DynamoRIO and Drltracelib in The Memory of Calculator
28

29. Usage
drltrace.exe –logdir . – malware.exe

30. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
30

31. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
31

32. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
32

33. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
33

34. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
● Not-detectable by standard malware anti-research
techniques (anti-hooking, anti-debugging and anti-
emulation).
34

35. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
● Not-detectable by standard malware anti-research
techniques (anti-hooking, anti-debugging and anti-
emulation).
● External configuration file to add new API calls.
35

36. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
● Not-detectable by standard malware anti-research
techniques (anti-hooking, anti-debugging and anti-
emulation).
● External configuration file to add new API calls.
● Easy-to-use (no additional dependencies, no heavy-
weight GUI).
36

37. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
● Not-detectable by standard malware anti-research
techniques (anti-hooking, anti-debugging and anti-
emulation).
● External configuration file to add new API calls.
● Easy-to-use (no additional dependencies, no heavy-
weight GUI).
● Open-source (BSD-license).
37

38. Runtime Overhead
PowerPoint Word Calculator Internet Explorer VMWare IDA PRO StarCraft II
Launcher
Dropbox Chrome Notepad++ 38
14,7
16,5
20,2
37,2
10
22
44,6
25,6
43,3
32
0
5
10
15
20
25
30
35
40
45
50
RUNTIMEOVERHEAD

39. Example 1. EmbusteBot
● Type - Brazilian BankingTrojan
● Language - Delphi
● Main Functionality – Keylogger,Screenshotscapturing
● Obfuscation – time-based anti-researchchecks,encryptionof sensitivestrings,no code packing
● Operation period – (2017 – present)
Report- https://securityintelligence.com/brazilian-malware-never-sleeps-meet-embustebot/
More details - https://github.com/mxmssh/drltrace/wiki/Malware-Analysis-Examples
39

40. Example 1. EmbusteBot
drltrace.exe -logdir . -print_ret_addr – vdeis.exe
40

41. Example I. EmbusteBot. Searching for Tab with Bank Name
41

42. Example I. EmbusteBot. Screenshots Capturing and Keylogging API Calls
42

43. Example I. EmbusteBot. Trigger
43

44. Example II. Gootkit Loader
● Type : Banking Trojan
● Language : C
● Main Functionality:Unpack actual payload loader, deliver Gootkit malware on victim’s machine
● Obfuscation: anti-VM, anti-debugging, anti-emulation,time-based anti-research, packed payload, machine-
code obfuscation, anti-sandboxing.
● Operation period: (2014 – present)
Technical report - https://drive.google.com/file/d/0BzFSoGMCVlTORUExdF9RTklpX3c/view
More details - https://github.com/mxmssh/drltrace/wiki/Malware-Analysis-Examples 44

45. Example II. Gootkit Loader
drltrace.exe -logdir . -print_ret_addr -- 477c305~f01.exe
45

46. Example II. Gootkit Loader. Unpacking
46

47. Example II. Gootkit Loader. Process Hollowing. New Process Creation
47

48. Example II. Gootkit Loader. Process Hollowing. New Section
48

49. Example II. Gootkit Loader. Process Hollowing. Write & Resume
49

50. Example II. Gootkit Loader
50

51. Example II. Gootkit Loader
51

52. Example II. Gootkit Loader
52

53. DEMO. NotPetya/PetrWrap
53

54. 54

55. Drltrace. API calls visualization script
python api_calls_vis.py -i wannacry.jpeg -gr -t drltrace_log_wannacry.log
55

56. Drltrace. API calls visualization script
python api_calls_vis.py -ht wannacry.html -gr -t drltrace_log_wannacry.log
56

57. Future Work
● Make DynamoRIO more resistant against anti-DBI
tricks.
● Add heuristics to search for certain (YARA
rules?) malicious patterns in logs.
● ARM and macOS.
● Attach drltrace into running process
57

58. Conclusion
● Dynamic binary instrumentation is a reasonable trade-off for
dynamic malware analysis.
● Drltrace is the first efficient and light-weight solution for
API calls tracing in modern sophisticated malicious samples
based on DBI technique.
● The solution allowed to revel in several minutes a lot of
internal technical details about malicious sample without even
starting IDA or debugger.
58

59. Thank you!
https://github.com/mxmssh/drltrace
https://www.linkedin.com/in/mshudrak
https://twitter.com/MShudrak