Amit Malik SecurityXploded Research Group Researcher @ FireEye Labs.

Return Address – The Silver Bullet

Amit MalikSecurityXploded Research GroupResearcher @ FireEye Labs

2

Disclamier

The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which i am currently working. However in no circumstances neither me nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here.

(c) SecurityXploded Research Group

3

Agenda

Objective

Challenge

Theory

Properties of Call and RET

Analysis

Detection

Conclusion


4

Objective (Defense)

In defensive side of security we can define problems in two steps

Analysis

Detection

Analysis – Understanding of the subject

Detection – The Solution

Detection depends on Analysis


5

Challenge

At the top level the behavior of the malicious code can be divided into two

parts:

Application execution hijacking

System interaction and manipulation

Application execution hijacking means deviation from the normal

execution path.

System interaction and manipulation means using the system for malicious

activities.


6

Execution Hijacking

Classic examples:

Exploits

Under normal circumstances (yes normal ) in execution hijacking the

execution will be transferred temporarily or permanently to stack or heap.

After that the malicious code will always interact with the system (eg: file

system, Network, Processes etc.)

*Normal hooks with code/DLL injection also comes under execution

hijacking but they are more part of system interaction so in execution

hijacking I am explicitly talking about the exploits.


7

System Interaction and Manipulation

Classic Examples:

Malware binaries

In this case the binaries or the code compromise the state of the

system.

The scope here is the entire system so few things are difficult

(e.g.: detection).


8

Theory The fundamental questions:

Why a specific event/activity is happening in the system?

Who started the event/activity. These questions in-fact are one of most difficult problems and at a

ground level even bigger than the software security problem. A very thin solution is try to identify the origin of the event/activity. In our case our focus is on API calls so if the API calls are the medium to

interact with the system then we need to identify the origin of the API

calls. It means that the return address is one of the most important pointer of

the entire execution cycle.


9

Properties of CALL and RET

CALL ins: Push the address of the next instruction on to the stack i.e

Return Address Jump on to the destination address

RET ins: Take the address from the current value of ESP (Return

Address) and load it into the EIP. The important point here is that the CALL and RET may be in a

relation or may not be in a relation but the return address will always be on the stack [per ESP] so at any point of time if we hit above ins then we can get the return address from stack [per ESP].


10

Tracing

Fundamentally Tracing is an approach to track the execution of the code. Roughly we can divide tracing in three parts:

1. Instruction level tracing i.e every instruction logging

2. Function and API level tracing i.e function and API call logging

3. API level tracing i.e only API call logging #2 and #3 are of our point of interest. But how we can log this information?

Hooking Breakpoints

Hooking is a clean approach but we need at least 5 bytes at the target location on the other hand breakpoint is silly approach but we just need 1 byte.


11

Applying Theory

Configuration-1: API calls Tracing

Configuration-2: Function and API call tracing

Configuration-1 is suitable for both analysis and detection.

Configuration-2 is good for analysis.

Configuration-2 is also very useful for the analysis of normal

applications.


12

Applying Theory (Analysis)

Application execution hijacking:

Configuration-1: API calls from heap or stack, basically calls from a

non-image mapped memory region indicates the hijacking of the

execution.

Configurations-2: Function and API call tracing can provide in-depth

look into the execution cycle and possible locations for execution

deviation.


13

Applying Theory (Analysis)

System Interaction and Manipulation

Configuration-1:Based on the API calls and their return addresses

following information can be easily identified:

▪ Unpacked/run time generated/injected code in memory

▪ Interesting code segments

My tool Malpimp is based on the same philosophy.


14

Analysis – Graphical View

Benign File:


15

Analysis – Graphical View Malicious Files:


16

Applying Theory (Detection)

Execution Hijacking:

Relatively easy* in comparison to malware binaries. In reality we have only two chances to detect this behavior from an external tool or

app.

Bypass of DEP

Execution of shellcode As mentioned in the theory we need to identify the origin of the API calls and if the

API calls are from a non-Image mapped memory region then we have some serious

problems. Practically speaking it is possible to make an exploit that is nearly impossible to

detect using an external tool because we have only two chances to catch the

abnormal execution.

The checks for rop detection, heap spray, etc. are basically assumptions they are

not organic detection mechanisms. It all depends on the API call. (c) SecurityXploded Research Group

17

Applying Theory (Detection)

System interaction and Manipulation:

The stages of unpacking/run time generated code can be easily

identified.

Unpacking alone can not be really a detection mechanism.

Abnormal behavior can be identified:

▪ Unpacking stages

▪ Some other events like (code injection etc.)


18

Conclusion

Return address is the invaluable pointer of the execution cycle.

With the right implementation we can greatly improve the tasks related to

analysis and detection.

Thank You!


Amit Malik SecurityXploded Research Group Researcher @ FireEye Labs.

Documents

Transcript of Amit Malik SecurityXploded Research Group Researcher @ FireEye Labs.