SlideShare a Scribd company logo
Win32/Flamer: Reverse Engineering and
      Framework Reconstruction


    Aleksandr Matrosov
    Eugene Rodionov
Outline of The Presentation

 Typical malware vs. Stuxnet/Flame
    What the difference?

 Flamer code reconstruction problems
    C++ code reconstruction
    Library code identification


 Flamer framework overview

 Object oriented code reconstruction

 Relationship Stuxnet/Duqu/Flamer
Typical Malware vs. Stuxnet/Flamer
What’s the Difference?
What’s the Difference?

 Typical malware                          Stuxnet/Flame …
     Different motivation, budget …         Different motivation, budget …
     Use 1-days for distribution            Use 0-days for distribution
                                             Anti-stealth for bypassing all sec
     Anti-stealth for bypassing AV
                                              soft
     Stealth timing: months                 Stealth timing: years
     Developed in C or C++ in C style       Tons of C++ code with OOP
     Simple architecture for plugins        Industrial OO framework platform
     Traditional ways for obfuscation:      Other ways of code obfuscation:
        packers                                tons of embedded static code
        polymorphic code                       specific compilers/options
        vm-based protection                    object oriented wrappers for
                                                   typical OS utilities
        …
Stuxnet/Duqu/Flamer/Gauss Appearance
Code Complexity Growth




Gauss   miniFlamer   Stuxnet   Duqu   Flamer
Code Complexity Growth
C++ Code REconstruction
       Problems
C++ Code Reconstruction Problems
 Object identification
    Type reconstruction



 Class layout reconstruction
     Identify constructors/destructors
     Identify class members
     Local/global type reconstruction
     Associate object with exact method calls

 RTTI reconstruction
    Vftable reconstruction
    Associate vftable object with exact object
    Class hierarchy reconstruction
C++ Code Reconstruction Problems
      Class A

       vfPtr

       a1()
                                   A::vfTable
       a2()
                                     meta

                                    A::a1()
                  RTTI Object
                    Locator         A::a2()
                   signature

                pTypeDescriptor

                pClassDescriptor
C++ Code Reconstruction Problems
Identify Smart Pointer Structure
Identify Exact Virtual Function Call in vtable
Identify Exact Virtual Function Call in vtable
Identify Exact Virtual Function Call in vtable
Identify Custom Type Operations
Identify Objects Constructors
Identify Objects Constructors
Library code identification
         problems
Library Code Identification Problems

 Compiler optimization

 Wrappers for WinAPI calls

 Embedded library code
   Library version identification problem


 IDA signatures used syntax based detection methods
   Recompiled libraries problem
   Compiler optimization problem
Library Code Identification Problems
Object Oriented API Wrappers and Implicit Calls
Object Oriented API Wrappers and Implicit Calls
Object Oriented API Wrappers and Implicit Calls
Festi: OOP in kernel-mode
Main Festi Functionality store in kernel mode
     Win32/Festi
      Dropper


               Install kernel-mode
                       driver
                                                                              user-mode

                                                                              kernel-mode



                              Win32/Festi
                              kernel-mode
                                 driver

                                             Download plugins


                               Win32/Festi
     Win32/Festi
      Plugin 1                  Plugin 2            ...         Win32/Festi
                                                                 Plugin N
Main Festi Functionality store in kernel mode
     Win32/Festi
      Dropper


               Install kernel-mode
                       driver
                                                                              user-mode

                                                                              kernel-mode



                              Win32/Festi
                              kernel-mode
                                 driver

                                             Download plugins


                               Win32/Festi
     Win32/Festi
      Plugin 1                  Plugin 2            ...         Win32/Festi
                                                                 Plugin N
Festi: Architecture



                      Win32/Festi
     Win32/Festi                      Win32/Festi
                      C&C Protocol
   Plugin Manager                    Network Socket
                        Parser




                      Win32/Festi
                       Memory
                       Manager
Festi: Plugin Interface


         Array of pointers
            to plugins
                                     Plugin 1
              Plugin1        struct PLUGIN_INTERFACE
                                     Plugin 2
              Plugin2        struct PLUGIN_INTERFACE
                                     Plugin 3
              Plugin3        struct PLUGIN_INTERFACE

                ...
                                     Plugin N
              PluginN        struct PLUGIN_INTERFACE
Festi: Plugins

 Festi plugins are volatile modules in kernel-mode address space:
   downloaded each time the bot is activated
   never stored on the hard drive

 The plugins are capable of:
   sending spam – BotSpam.dll
   performing DDoS attacks – BotDoS.dll
   providing proxy service – BotSocks.dll
Flamer Framework Overview
An overview of the Flamer Framework
The main types used in Flamer Framework are:
 Command Executers –the objects exposing interface that allows
  the malware to dispatch commands received from C&C servers

 Tasks – objects of these type represent tasks executed in
  separate threads which constitute the backbone of the main
  module of Flamer

 Consumers – objects which are triggered on specific events
  (creation of new module, insertion of removable media and etc.)

 Delayed Tasks – these objects represent tasks which are executed
  periodically with certain delay.
An overview of the Flamer Framework
Vector<Consumer>                  Vector<Command Executor>

                   DB_Query   ClanCmd     FileCollect    Driller   GetConfig
    Mobile
   Consumer


     Cmd                                  Vector<Task>
   Consumer
                    IDLER     CmdExec      Sniffer       Munch     FileFinder

     Lua
   Consumer

                                     Vector<DelayedTasks>
    Media                       Share         LSS
   Consumer        Euphoria                                 Frog     Beetlejuice
                               Supplier      Sender
Some of Flamer Framework Components

             Identifying processes in the systems corresponding to
Security     security software: antiviruses, HIPS, firewalls, system
             information utilities and etc.
Microbe      Leverages voice recording capabilities of the system
Idler        Running tasks in the background
BeetleJuice Utilizes bluetooth facilities of the system
Telemetry    Logging of all the events
Gator        Communicating with C&C servers
Flamer SQL Lite Database Schema
Flamer SQL Lite Database Schema
REconstructing Flamer Framework
Data Types Being Used



 Smart pointers

 Strings

 Vectors to maintain the objects

 Custom data types: wrappers, tasks, triggers and etc.
Data Types Being Used: Smart pointers
typedef struct SMART_PTR
{
   void     *pObject;    // pointer to the object
   int      *RefNo;      // reference counter
};
Data Types Being Used: Strings
struct USTRING_STRUCT
{
   void *vTable;             // pointer to the table
   int RefNo;                // reference counter
   int Initialized;
   wchar_t *UnicodeBuffer;   // pointer to unicode string
   char *AsciiBuffer;        // pointer to ASCII string
   int AsciiLength;          // length of the ASCII string
   int Reserved;
   int Length;               // Length of unicode string
   int LengthMax;            // Size of UnicodeBuffer
};
Data Types Being Used: Vectors
struct VECTOR
{
  void *vTable;         //   pointer to the table
  int NumberOfItems;    //   self-explanatory
  int MaxSize;          //   self-explanatory
  void *vector;         //   pointer to buffer with elements
};

 Used to handle the objects:
   tasks
   triggers
   etc.
Using Hex-Rays Decompiler

 Identifying constructors/destructors
   Usually follow memory allocation
   The pointer to object is passed in ecx (sometimes in other registers)



 Reconstructing object’s attributes
   Creating custom type in “Local Types” for an object



 Analyzing object’s methods
   Creating custom type in “Local Types” for a table of virtual routines
Using Hex-Rays Decompiler

 Identifying constructors/destructors
   Usually follow memory allocation
   The pointer to object is passed in ecx (sometimes in other registers)



 Reconstructing object’s attributes
   Creating custom type in “Local Types” for an object



 Analyzing object’s methods
   Creating custom type in “Local Types” for a table of virtual routines
Reconstructing Object’s Attributes
Reconstructing Object’s Attributes
Reconstructing Object’s Methods
Reconstructing Object’s Methods
Reconstructing Object’s Methods
DEMO
Relationship
Stuxnet/Duqu/Gauss/Flamer
Source Code Base Differences
Exploit Implementations

     Stuxnet          Duqu             Flame         Gauss
   MS10-046                         MS10-046        MS10-046
      (LNK)                            (LNK)         (LNK)
   MS10-061                         MS10-061
 (Print Spooler)                  (Print Spooler)
   MS08-067                         MS08-067
      (RPC)                            (RPC)
   MS10-073
  (Win32k.sys)
   MS10-092
(Task Scheduler)
                    MS11-087
                   (Win32k.sys)
Exploit Implementations: Stuxnet & Duqu
 The payload is injected into processes from both kernel-
  mode driver & user-mode module

 Hooks:
     ZwMapViewOfSection
     ZwCreateSection
     ZwOpenFile
     ZwClose
     ZwQueryAttributesFile
     ZwQuerySection

 Executes LoadLibraryW passing as a parameter either:
   KERNEL32.DLL.ASLR.XXXXXXXX
   SHELL32.DLL.ASLR.XXXXXXXX
Exploit Implementations: Stuxnet & Duqu
 The payload is injected into processes from both kernel-
  mode driver & user-mode module

 Hooks:
     ZwMapViewOfSection
     ZwCreateSection
     ZwOpenFile
     ZwClose
     ZwQueryAttributesFile
     ZwQuerySection

 Executes LoadLibraryW passing as a parameter either:
   KERNEL32.DLL.ASLR.XXXXXXXX
   SHELL32.DLL.ASLR.XXXXXXXX
Injection mechanism: Flame
 The payload is injected into processes from user-mode
  module

 The injection technique is based on using:
   VirtualAllocEx
   WriteProcessMemoryReadProcessMemory
   CreateRemoteThreadRtlCreateUserThread


 The injected module is disguised as shell32.dll

 Hooks the entry point of msvcrt.dll by modifying PEB
Injection mechanism: Flame
 The payload is injected into processes from user-mode
  module

 The injection technique is based on using:
   VirtualAllocEx
   WriteProcessMemoryReadProcessMemory
   CreateRemoteThreadRtlCreateUserThread


 The injected module is disguised as shell32.dll

 Hooks the entry point of msvcrt.dll by modifying PEB
Exploit Implementations: Gauss

 The payload is injected into processes from user-mode
  module
Thank you for your attention!



Eugene Rodionov         Aleksandr Matrosov
rodionov@eset.sk        matrosov@eset.sk
@vxradius               @matrosov

More Related Content

What's hot

13 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_1913 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_19
Niit Care
 
10 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_1410 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_14
Niit Care
 
01 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_0101 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_01
Niit Care
 
.Net platform an understanding
.Net platform an understanding.Net platform an understanding
.Net platform an understanding
Binu Bhasuran
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009
Vincenzo Iozzo
 
Csharp
CsharpCsharp
Csharp
Swaraj Kumar
 
01 gui 01
01 gui 0101 gui 01
01 gui 01
Niit Care
 
Tutorial c#
Tutorial c#Tutorial c#
Tutorial c#
Mohammad Faizan
 
Synapse india reviews sharing asp.net
Synapse india reviews sharing  asp.netSynapse india reviews sharing  asp.net
Synapse india reviews sharing asp.net
SynapseindiaComplaints
 
Java session02
Java session02Java session02
Java session02
Niit Care
 
Session2 (3)
Session2 (3)Session2 (3)
Session2 (3)
DrUjwala1
 
Basics of building a blackfin application
Basics of building a blackfin applicationBasics of building a blackfin application
Basics of building a blackfin application
Pantech ProLabs India Pvt Ltd
 

What's hot (12)

13 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_1913 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_19
 
10 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_1410 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_14
 
01 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_0101 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_01
 
.Net platform an understanding
.Net platform an understanding.Net platform an understanding
.Net platform an understanding
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009
 
Csharp
CsharpCsharp
Csharp
 
01 gui 01
01 gui 0101 gui 01
01 gui 01
 
Tutorial c#
Tutorial c#Tutorial c#
Tutorial c#
 
Synapse india reviews sharing asp.net
Synapse india reviews sharing  asp.netSynapse india reviews sharing  asp.net
Synapse india reviews sharing asp.net
 
Java session02
Java session02Java session02
Java session02
 
Session2 (3)
Session2 (3)Session2 (3)
Session2 (3)
 
Basics of building a blackfin application
Basics of building a blackfin applicationBasics of building a blackfin application
Basics of building a blackfin application
 

Viewers also liked

Virus&malware
Virus&malwareVirus&malware
Virus&malware
Robin Garza
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
b coatesworth
 
From app sec to malsec malware hooked, criminal crooked alok gupta
From app sec to malsec malware hooked, criminal crooked   alok guptaFrom app sec to malsec malware hooked, criminal crooked   alok gupta
From app sec to malsec malware hooked, criminal crooked alok gupta
owaspindia
 
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of StuxnetAleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
DefconRussia
 
Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?
Symantec Italia
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for Dummies
Charles Nutter
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
Corporate espionage versus competitive intelligence
Corporate espionage versus competitive intelligenceCorporate espionage versus competitive intelligence
Corporate espionage versus competitive intelligence
Martin Brunet
 
Cinema Volano - Programma Dicembre-Febbraio
Cinema Volano - Programma Dicembre-Febbraio Cinema Volano - Programma Dicembre-Febbraio
Cinema Volano - Programma Dicembre-Febbraio
kennywhite
 
10 Spying Strategies To Generate More Profit
10 Spying Strategies To Generate More Profit10 Spying Strategies To Generate More Profit
10 Spying Strategies To Generate More Profit
WhatRunsWhere
 
Human as a virus
Human as a  virusHuman as a  virus
Human as a virusYaniv sela
 

Viewers also liked (20)

Virus&malware
Virus&malwareVirus&malware
Virus&malware
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
From app sec to malsec malware hooked, criminal crooked alok gupta
From app sec to malsec malware hooked, criminal crooked   alok guptaFrom app sec to malsec malware hooked, criminal crooked   alok gupta
From app sec to malsec malware hooked, criminal crooked alok gupta
 
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of StuxnetAleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
 
Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for Dummies
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
Corporate espionage versus competitive intelligence
Corporate espionage versus competitive intelligenceCorporate espionage versus competitive intelligence
Corporate espionage versus competitive intelligence
 
Cinema Volano - Programma Dicembre-Febbraio
Cinema Volano - Programma Dicembre-Febbraio Cinema Volano - Programma Dicembre-Febbraio
Cinema Volano - Programma Dicembre-Febbraio
 
10 Spying Strategies To Generate More Profit
10 Spying Strategies To Generate More Profit10 Spying Strategies To Generate More Profit
10 Spying Strategies To Generate More Profit
 
Human as a virus
Human as a  virusHuman as a  virus
Human as a virus
 

Similar to Win32/Flamer: Reverse Engineering and Framework Reconstruction

Deep Dive into WinRT
Deep Dive into WinRTDeep Dive into WinRT
Deep Dive into WinRT
Sasha Goldshtein
 
Android cameraoverview
Android cameraoverviewAndroid cameraoverview
Android cameraoverview
Madhu Selvarangam
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
Bala Subra
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
Bala Subra
 
C# tutorial
C# tutorialC# tutorial
C# tutorial
sarangowtham_gunnam
 
Understand study
Understand studyUnderstand study
Understand study
Antonio Costa aka Cooler_
 
Presentation On Com Dcom
Presentation On Com DcomPresentation On Com Dcom
Presentation On Com Dcom
Bharat Kumar Katur
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NET
LicensingLive! - SafeNet
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
National Cheng Kung University
 
Asp dot net
Asp dot netAsp dot net
Asp dot net
husnara mohammad
 
Win rt fundamentals
Win rt fundamentalsWin rt fundamentals
Win rt fundamentals
Kevin Stumpf
 
.Net Session Overview
.Net Session Overview.Net Session Overview
.Net Session Overview
Logu Thanigachalam
 
Inside .net framework
Inside .net frameworkInside .net framework
Inside .net framework
Faisal Aziz
 
jhkghj
jhkghjjhkghj
jhkghj
Admin
 
test2PPT
test2PPTtest2PPT
test2PPT
Admin
 
Asp net
Asp netAsp net
Implementation
ImplementationImplementation
Implementation
hcicourse
 
CFInterop
CFInteropCFInterop
CFInterop
webuploader
 
Microsoft .NET Platform
Microsoft .NET PlatformMicrosoft .NET Platform
Microsoft .NET Platform
Peter R. Egli
 
.Net + novas tecnologias + win8
.Net + novas tecnologias + win8.Net + novas tecnologias + win8
.Net + novas tecnologias + win8
Ricardo Guerra Freitas
 

Similar to Win32/Flamer: Reverse Engineering and Framework Reconstruction (20)

Deep Dive into WinRT
Deep Dive into WinRTDeep Dive into WinRT
Deep Dive into WinRT
 
Android cameraoverview
Android cameraoverviewAndroid cameraoverview
Android cameraoverview
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
C# tutorial
C# tutorialC# tutorial
C# tutorial
 
Understand study
Understand studyUnderstand study
Understand study
 
Presentation On Com Dcom
Presentation On Com DcomPresentation On Com Dcom
Presentation On Com Dcom
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NET
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Asp dot net
Asp dot netAsp dot net
Asp dot net
 
Win rt fundamentals
Win rt fundamentalsWin rt fundamentals
Win rt fundamentals
 
.Net Session Overview
.Net Session Overview.Net Session Overview
.Net Session Overview
 
Inside .net framework
Inside .net frameworkInside .net framework
Inside .net framework
 
jhkghj
jhkghjjhkghj
jhkghj
 
test2PPT
test2PPTtest2PPT
test2PPT
 
Asp net
Asp netAsp net
Asp net
 
Implementation
ImplementationImplementation
Implementation
 
CFInterop
CFInteropCFInterop
CFInterop
 
Microsoft .NET Platform
Microsoft .NET PlatformMicrosoft .NET Platform
Microsoft .NET Platform
 
.Net + novas tecnologias + win8
.Net + novas tecnologias + win8.Net + novas tecnologias + win8
.Net + novas tecnologias + win8
 

More from Alex Matrosov

Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
Alex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
Alex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
Cybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and IssuesCybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and Issues
Alex Matrosov
 

More from Alex Matrosov (10)

Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Cybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and IssuesCybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and Issues
 
Stuxnet msu
Stuxnet msuStuxnet msu
Stuxnet msu
 
RusCrypto'2009
RusCrypto'2009RusCrypto'2009
RusCrypto'2009
 

Recently uploaded

Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
nitinpv4ai
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
Katrina Pritchard
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
Nicholas Montgomery
 
Walmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdfWalmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdf
TechSoup
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
PECB
 
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem studentsRHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
Himanshu Rai
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
Krassimira Luka
 
A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
Steve Thomason
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
deepaannamalai16
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
سمير بسيوني
 
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
National Information Standards Organization (NISO)
 
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdfREASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
giancarloi8888
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Fajar Baskoro
 
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit InnovationLeveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
TechSoup
 
Mule event processing models | MuleSoft Mysore Meetup #47
Mule event processing models | MuleSoft Mysore Meetup #47Mule event processing models | MuleSoft Mysore Meetup #47
Mule event processing models | MuleSoft Mysore Meetup #47
MysoreMuleSoftMeetup
 
math operations ued in python and all used
math operations ued in python and all usedmath operations ued in python and all used
math operations ued in python and all used
ssuser13ffe4
 
Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"
National Information Standards Organization (NISO)
 
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptxPrésentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
siemaillard
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
HajraNaeem15
 
Pharmaceutics Pharmaceuticals best of brub
Pharmaceutics Pharmaceuticals best of brubPharmaceutics Pharmaceuticals best of brub
Pharmaceutics Pharmaceuticals best of brub
danielkiash986
 

Recently uploaded (20)

Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
 
Walmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdfWalmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdf
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
 
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem studentsRHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
 
A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
 
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
 
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdfREASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
 
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit InnovationLeveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
 
Mule event processing models | MuleSoft Mysore Meetup #47
Mule event processing models | MuleSoft Mysore Meetup #47Mule event processing models | MuleSoft Mysore Meetup #47
Mule event processing models | MuleSoft Mysore Meetup #47
 
math operations ued in python and all used
math operations ued in python and all usedmath operations ued in python and all used
math operations ued in python and all used
 
Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"
 
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptxPrésentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
 
Pharmaceutics Pharmaceuticals best of brub
Pharmaceutics Pharmaceuticals best of brubPharmaceutics Pharmaceuticals best of brub
Pharmaceutics Pharmaceuticals best of brub
 

Win32/Flamer: Reverse Engineering and Framework Reconstruction

  • 1. Win32/Flamer: Reverse Engineering and Framework Reconstruction Aleksandr Matrosov Eugene Rodionov
  • 2. Outline of The Presentation  Typical malware vs. Stuxnet/Flame  What the difference?  Flamer code reconstruction problems  C++ code reconstruction  Library code identification  Flamer framework overview  Object oriented code reconstruction  Relationship Stuxnet/Duqu/Flamer
  • 3. Typical Malware vs. Stuxnet/Flamer
  • 5. What’s the Difference?  Typical malware  Stuxnet/Flame …  Different motivation, budget …  Different motivation, budget …  Use 1-days for distribution  Use 0-days for distribution  Anti-stealth for bypassing all sec  Anti-stealth for bypassing AV soft  Stealth timing: months  Stealth timing: years  Developed in C or C++ in C style  Tons of C++ code with OOP  Simple architecture for plugins  Industrial OO framework platform  Traditional ways for obfuscation:  Other ways of code obfuscation:  packers  tons of embedded static code  polymorphic code  specific compilers/options  vm-based protection  object oriented wrappers for typical OS utilities  …
  • 7. Code Complexity Growth Gauss miniFlamer Stuxnet Duqu Flamer
  • 10. C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction  Identify constructors/destructors  Identify class members  Local/global type reconstruction  Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
  • 11. C++ Code Reconstruction Problems Class A vfPtr a1() A::vfTable a2() meta A::a1() RTTI Object Locator A::a2() signature pTypeDescriptor pClassDescriptor
  • 14. Identify Exact Virtual Function Call in vtable
  • 15. Identify Exact Virtual Function Call in vtable
  • 16. Identify Exact Virtual Function Call in vtable
  • 17. Identify Custom Type Operations
  • 21. Library Code Identification Problems  Compiler optimization  Wrappers for WinAPI calls  Embedded library code  Library version identification problem  IDA signatures used syntax based detection methods  Recompiled libraries problem  Compiler optimization problem
  • 23. Object Oriented API Wrappers and Implicit Calls
  • 24. Object Oriented API Wrappers and Implicit Calls
  • 25. Object Oriented API Wrappers and Implicit Calls
  • 26. Festi: OOP in kernel-mode
  • 27. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 28. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 29. Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
  • 30. Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
  • 31. Festi: Plugins  Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive  The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
  • 33. An overview of the Flamer Framework The main types used in Flamer Framework are:  Command Executers –the objects exposing interface that allows the malware to dispatch commands received from C&C servers  Tasks – objects of these type represent tasks executed in separate threads which constitute the backbone of the main module of Flamer  Consumers – objects which are triggered on specific events (creation of new module, insertion of removable media and etc.)  Delayed Tasks – these objects represent tasks which are executed periodically with certain delay.
  • 34. An overview of the Flamer Framework Vector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Cmd Vector<Task> Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Consumer Euphoria Frog Beetlejuice Supplier Sender
  • 35. Some of Flamer Framework Components Identifying processes in the systems corresponding to Security security software: antiviruses, HIPS, firewalls, system information utilities and etc. Microbe Leverages voice recording capabilities of the system Idler Running tasks in the background BeetleJuice Utilizes bluetooth facilities of the system Telemetry Logging of all the events Gator Communicating with C&C servers
  • 36. Flamer SQL Lite Database Schema
  • 37. Flamer SQL Lite Database Schema
  • 39. Data Types Being Used  Smart pointers  Strings  Vectors to maintain the objects  Custom data types: wrappers, tasks, triggers and etc.
  • 40. Data Types Being Used: Smart pointers typedef struct SMART_PTR { void *pObject; // pointer to the object int *RefNo; // reference counter };
  • 41. Data Types Being Used: Strings struct USTRING_STRUCT { void *vTable; // pointer to the table int RefNo; // reference counter int Initialized; wchar_t *UnicodeBuffer; // pointer to unicode string char *AsciiBuffer; // pointer to ASCII string int AsciiLength; // length of the ASCII string int Reserved; int Length; // Length of unicode string int LengthMax; // Size of UnicodeBuffer };
  • 42. Data Types Being Used: Vectors struct VECTOR { void *vTable; // pointer to the table int NumberOfItems; // self-explanatory int MaxSize; // self-explanatory void *vector; // pointer to buffer with elements };  Used to handle the objects:  tasks  triggers  etc.
  • 43. Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
  • 44. Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
  • 50. DEMO
  • 52. Source Code Base Differences
  • 53. Exploit Implementations Stuxnet Duqu Flame Gauss MS10-046 MS10-046 MS10-046 (LNK) (LNK) (LNK) MS10-061 MS10-061 (Print Spooler) (Print Spooler) MS08-067 MS08-067 (RPC) (RPC) MS10-073 (Win32k.sys) MS10-092 (Task Scheduler) MS11-087 (Win32k.sys)
  • 54. Exploit Implementations: Stuxnet & Duqu  The payload is injected into processes from both kernel- mode driver & user-mode module  Hooks:  ZwMapViewOfSection  ZwCreateSection  ZwOpenFile  ZwClose  ZwQueryAttributesFile  ZwQuerySection  Executes LoadLibraryW passing as a parameter either:  KERNEL32.DLL.ASLR.XXXXXXXX  SHELL32.DLL.ASLR.XXXXXXXX
  • 55. Exploit Implementations: Stuxnet & Duqu  The payload is injected into processes from both kernel- mode driver & user-mode module  Hooks:  ZwMapViewOfSection  ZwCreateSection  ZwOpenFile  ZwClose  ZwQueryAttributesFile  ZwQuerySection  Executes LoadLibraryW passing as a parameter either:  KERNEL32.DLL.ASLR.XXXXXXXX  SHELL32.DLL.ASLR.XXXXXXXX
  • 56. Injection mechanism: Flame  The payload is injected into processes from user-mode module  The injection technique is based on using:  VirtualAllocEx  WriteProcessMemoryReadProcessMemory  CreateRemoteThreadRtlCreateUserThread  The injected module is disguised as shell32.dll  Hooks the entry point of msvcrt.dll by modifying PEB
  • 57. Injection mechanism: Flame  The payload is injected into processes from user-mode module  The injection technique is based on using:  VirtualAllocEx  WriteProcessMemoryReadProcessMemory  CreateRemoteThreadRtlCreateUserThread  The injected module is disguised as shell32.dll  Hooks the entry point of msvcrt.dll by modifying PEB
  • 58. Exploit Implementations: Gauss  The payload is injected into processes from user-mode module
  • 59.
  • 60. Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov