Dynamic binary instrumentation (DBI) is a technique for analysing the behaviour of a binary application at runtime through the injection of instrumentation code. This instrumentation code is designed to be transparent towards the instrumented application and it executes as a part of the normal execution flow without significant runtime overhead. Moreover, there are no limitations for the instrumentation code - a user can implement even a complex logic to observe execution flow, memory layout, etc. Certainly, such a flexible and powerful technique can and should be used for malware analysis. However, while there are several open-source tools (PoCs) implemented on top of DBI frameworks, their application for malware analysis is very limited.
In the talk the author will discuss the pros and cons of malicious code instrumentation and his experience of how DBI can be used to perform investigation of sophisticated banking trojans such as Gootkit and EmbusteBot as well as dozens of other malicious samples in practice.
Moreover, the author will release a new tool for transparent and lightweight dynamic malware analysis and will demonstrate, using examples, how this tool can help researchers to easily reveal important behaviour details of sophisticated malicious samples. EmbusteBot (a new banking trojan from Brazil found and reported by the author in 2017) was investigated using only this tool without even starting a debugger or disassembler.
15. Dynamic Binary Instrumentation (DBI) is a
technique of analyzing the behavior of a binary
application at runtime through the injection of
instrumentation code.
15
16. Modern DBI Frameworks
DynamoRIO Intel PIN
Redistribution
model
Open-source, BSD – license Proprietary
Supported
architectures
x86, x86-64, ARM, AArch64 x86, x86-64
Supported
Platforms
Linux, Windows, MacOS,
Android
Linux, Windows, MacOS,
Android
Average
runtime overhead
108% (no tool)
139% (BBs counter)
130% (no tool)
162% (BBs counter)
Language C/C++ C/C++ (some Python
wrappers available)
Technology Binary code transformation callout/trampolines
16
17. How Does DynamoRIO Work ? (10000 foot view)
Target applicationLauncher
DynamoRIO Application in memory
Kernel
shared system libs
17
18. How Does DynamoRIO Work ? (10000 foot view)
Target applicationLauncher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
shared system libs
.
.
18
19. How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(2)
Inject instrumentation
library
Target application
shared system libs
19
20. Target application
shared system libs
How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(3)
Hook entry point DynamoRIO lib + user-defined libs
20
21. Target application
shared system libs
How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(3)
Hook entry point DynamoRIO lib + user-defined libs
ins2
basic block
ins3
ins1
Takefirstbasicblock
(4)
21
22. Target application
shared system libs
How Does DynamoRIO Work ? (10000 foot view)
Launcher
DynamoRIO
Launch (suspended)
(1)
Application in memory
Kernel
(3)
Hook entry point DynamoRIO lib + user-defined libs
ins2
basic block
transformation
(5)
ins1
ins2
DR’s ins6
ins3
ins1
Code cache
DR’s ins1
DR’s ins2
DR’s ins3
DR’s ins4
DR’s ins5
ins3
(4)
Takefirstbasicblock
22
24. How Does Drltrace Work ?
Application in memory
Main module
kernel32.dll
ntdll.dll
DBI engine
dynamorio.dll
drltrace.dll
24
25. How Does Drltrace Work ?
Application in memory
Main module
kernel32.dll
ntdll.dll
DBI engine
dynamorio.dll
drltrace.dll
25
InstrumentLoadLibrarycall
Setcallback
(1)
(1.1)
26. How Does Drltrace Work ?
Application in memory
Main module
kernel32.dll
ntdll.dll
DBI engine
dynamorio.dll
drltrace.dll
26
InstrumentLoadLibrarycall
Setcallback
(1)
(1.1)
LoadLibrary(msvcrt.dll)(2)
27. How Does Drltrace Work ?
Application in memory
Main module
kernel32.dll
ntdll.dll
DBI engine
dynamorio.dll
drltrace.dll
27
InstrumentLoadLibrarycall
Setcallback
(1)
(1.1)
LoadLibrary(msvcrt.dll)(2)
msvcrt.dll (being loaded)
Instrumentexportedfunctions
(3)
31. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
31
32. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
32
33. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
33
34. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
● Not-detectable by standard malware anti-research
techniques (anti-hooking, anti-debugging and anti-
emulation).
34
35. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
● Not-detectable by standard malware anti-research
techniques (anti-hooking, anti-debugging and anti-
emulation).
● External configuration file to add new API calls.
35
36. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
● Not-detectable by standard malware anti-research
techniques (anti-hooking, anti-debugging and anti-
emulation).
● External configuration file to add new API calls.
● Easy-to-use (no additional dependencies, no heavy-
weight GUI).
36
37. Why DrLtrace Rock
● Support x86 and x64 (ARM in future).
● Support Windows and Linux (macOS in future).
● Support self-modifying code.
● Support all types of library API calls (static and
dynamic).
● Not-detectable by standard malware anti-research
techniques (anti-hooking, anti-debugging and anti-
emulation).
● External configuration file to add new API calls.
● Easy-to-use (no additional dependencies, no heavy-
weight GUI).
● Open-source (BSD-license).
37
38. Runtime Overhead
PowerPoint Word Calculator Internet Explorer VMWare IDA PRO StarCraft II
Launcher
Dropbox Chrome Notepad++ 38
14,7
16,5
20,2
37,2
10
22
44,6
25,6
43,3
32
0
5
10
15
20
25
30
35
40
45
50
RUNTIMEOVERHEAD
39. Example 1. EmbusteBot
● Type - Brazilian BankingTrojan
● Language - Delphi
● Main Functionality – Keylogger,Screenshotscapturing
● Obfuscation – time-based anti-researchchecks,encryptionof sensitivestrings,no code packing
● Operation period – (2017 – present)
Report- https://securityintelligence.com/brazilian-malware-never-sleeps-meet-embustebot/
More details - https://github.com/mxmssh/drltrace/wiki/Malware-Analysis-Examples
39
57. Future Work
● Make DynamoRIO more resistant against anti-DBI
tricks.
● Add heuristics to search for certain (YARA
rules?) malicious patterns in logs.
● ARM and macOS.
● Attach drltrace into running process
57
58. Conclusion
● Dynamic binary instrumentation is a reasonable trade-off for
dynamic malware analysis.
● Drltrace is the first efficient and light-weight solution for
API calls tracing in modern sophisticated malicious samples
based on DBI technique.
● The solution allowed to revel in several minutes a lot of
internal technical details about malicious sample without even
starting IDA or debugger.
58