Malware Analysis – Advance Evasion – All things in moderation

Malware Analysis – Advance Evasion

In the previous parts you learned the basics of evading antivirus signatures, and I hope you could do the same dirty things as me with your JavaScript and PDF. Today I will show you some more advanced evasion techniques.

First of all, you need some basic knowledge about antivirus software. It has two core parts: the disassembler and the emulator.

The Disassembler

I have to say the disassembler is the heart of the emulator. The disassembler of an antivirus engine has to support a long list of instruction sets, for example: x86, FPU, SSE, SSE2, SSE3, SSE4, SSE5, 3DNow!, MMX, VMX, AVX, XOP, FMA, and so on.
You can find the details on Wikipedia: List_of_instruction_sets

As you can see, there are many instruction sets, so the antivirus disassembler finds it hard to cover all of them; it usually only handles the basic ones. If you want to see how hard it is, download diStorm from GitHub and test it for a while.
I think I will write a separate article about disassemblers later.

To bypass the antivirus disassembler, you need to fingerprint it first, or just test against the commercial version of the antivirus to find out which engine it is. After that, you just need to use some weird instructions like:

vxorps ymm0,ymm0,ymm0
vxorps ymm1,ymm1,ymm1
vxorps ymm2,ymm2,ymm2
vxorps ymm3,ymm3,ymm3
vxorps ymm4,ymm4,ymm4
vxorps ymm5,ymm5,ymm5
vxorps ymm6,ymm6,ymm6
vxorps ymm7,ymm7,ymm7

And so on.

The Emulator

Antivirus software contains many emulators, for example for Intel x86, ARM, JavaScript interpreters, .NET, and so on.
To bypass the emulator, we can try approaches like these:

  • We can call some special functions like:

NtAccessCheck


Functions of this kind are system functions; you can try to call them from user context. Whether the call succeeds or not, use TRY and CATCH around it to learn whether we can bypass the emulator.

  • OR we can load some system libraries like:

NTOSKRNL.EXE, NTKRNLMP.EXE, NTKRNLPA.EXE, NTKRPAMP.EXE

Ntoskrnl.exe (short for Windows NT operating system kernel), also known as the kernel image, provides the kernel and executive layers of the Windows NT kernel space and is responsible for various system services such as hardware virtualization, process and memory management, which makes it a fundamental part of the system. Many emulators find it hard to load these libraries because they are system components. We can handle the exception to learn whether we can bypass their emulator or not.

  • We still have some other tricks, like controlling the DR0 register on Intel x86, or opening special device names like CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8 and LPT9, … and then handling our exception to check the result.
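From the defender's side, both sections above give you something concrete to look for during static triage: VEX-encoded AVX instructions in a sample that an engine with a limited disassembler may skip, and strings that point at emulator probing (kernel image names, NtAccessCheck, reserved DOS device names). The script below is an added example written for this article, not the author's code or any vendor's engine. The sample buffer (the vxorps sequence hand-encoded, plus a few constructed strings) and the verdict thresholds are made up here; the VEX rules follow the Intel encoding (0xC5 for the two-byte form, 0xC4 for the three-byte form, only accepted when the next byte has mod == 11, as a 32-bit decoder must do to tell VEX apart from LDS/LES).

```python
"""Static triage for the two indicator classes discussed above.

Added example for this article; it is not the author's code.  The sample
buffer, the string list and the verdict thresholds are constructed here.
"""
import re

# Reserved DOS device names listed in the article.  Windows reserves the
# base name regardless of case, extension or a trailing colon.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# Kernel image names and the probe API mentioned in the article.
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlmp.exe", "ntkrnlpa.exe", "ntkrpamp.exe"}
PROBE_APIS = {"NtAccessCheck"}


def find_vex_instructions(code: bytes) -> list:
    """Return (offset, vector_width) for every VEX prefix found in code.

    VEX2 is 0xC5 and VEX3 is 0xC4.  In 32-bit code those bytes are also the
    LDS/LES opcodes with a memory operand, so, like real decoders, a VEX
    prefix is only accepted when the following byte has mod == 11.  The
    scan is a byte-walking heuristic, not a full x86 decoder.
    """
    hits = []
    i = 0
    while i < len(code) - 1:
        b = code[i]
        if b in (0xC4, 0xC5) and (code[i + 1] & 0xC0) == 0xC0:
            if b == 0xC5:
                l_bit = (code[i + 1] >> 2) & 1   # byte layout: R vvvv L pp
                prefix_len = 2
            else:
                if i + 2 >= len(code):
                    break
                l_bit = (code[i + 2] >> 2) & 1   # byte layout: W vvvv L pp
                prefix_len = 3
            hits.append((i, 256 if l_bit else 128))
            i += prefix_len + 1                 # skip prefix and opcode byte
        else:
            i += 1
    return hits


def extract_ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def is_reserved_device_name(name: str) -> bool:
    """True if the last path component names a reserved DOS device."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1]
    base = base.split(".")[0].rstrip(": ")
    return base.upper() in RESERVED_DEVICES


def emulator_probe_indicators(strings: list) -> dict:
    """Group strings that match the emulator-probing patterns from the article."""
    found = {"kernel_images": [], "probe_apis": [], "device_names": []}
    for s in strings:
        base = s.replace("/", "\\").rsplit("\\", 1)[-1]
        if base.lower() in KERNEL_IMAGES:
            found["kernel_images"].append(s)
        elif s in PROBE_APIS:
            found["probe_apis"].append(s)
        elif is_reserved_device_name(s):
            found["device_names"].append(s)
    return found


def triage(data: bytes) -> dict:
    """Combine both checks into one report with a simple verdict."""
    vex = find_vex_instructions(data)
    report = emulator_probe_indicators(extract_ascii_strings(data))
    report["vex_count"] = len(vex)
    report["vex_256bit"] = sum(1 for _, width in vex if width == 256)
    categories = sum(1 for k in ("kernel_images", "probe_apis", "device_names") if report[k])
    # Assumed thresholds: any probe string, or 256-bit AVX in a buffer we
    # would otherwise expect to be plain x86, routes the sample to a manual look.
    report["verdict"] = "suspicious" if categories or report["vex_256bit"] else "clean"
    return report


# Constructed sample: the article's vxorps sequence (hand-encoded), one
# 128-bit form, one three-byte VEX instruction, plain x86, then strings.
SAMPLE = (
    bytes.fromhex("c5fc57c0")        # vxorps ymm0,ymm0,ymm0
    + bytes.fromhex("c5f457c9")      # vxorps ymm1,ymm1,ymm1
    + bytes.fromhex("c5ec57d2")      # vxorps ymm2,ymm2,ymm2
    + bytes.fromhex("c5e457db")      # vxorps ymm3,ymm3,ymm3
    + bytes.fromhex("c5f857c0")      # vxorps xmm0,xmm0,xmm0 (128-bit)
    + bytes.fromhex("c4e17defc0")    # vpxor ymm0,ymm0,ymm0 (VEX3 form)
    + bytes.fromhex("31c0c3")        # xor eax,eax ; ret
    + b"\x00kernel32.dll\x00\\\\.\\COM1\x00ntoskrnl.exe\x00NtAccessCheck\x00Hello from a sample\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it as is and the report lists six VEX instructions (five of them 256-bit), the ntoskrnl.exe and NtAccessCheck strings, and the \\.\COM1 path, with the verdict "suspicious". The device-name check deliberately strips the extension and a trailing colon because Windows reserves "con.txt" and "CON:" just like "CON"; a check that only compares the whole string would miss exactly the spellings a probe is most likely to use.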

Another trick

In the last part, I will show you my own trick. Because I love reversing malware, I will show you some funny things based on my terrible experiences.

I have a normal file here. Its hash is 607b8f519b70abafe328857c004f563616017874ce2eb27baf80755351e964f2
When you view it in the IDA disassembler, its code is easy for reversers to read.

[Image: the original file as shown in IDA]

This file has its entry point at 0x00401000. I will make some changes to this file at address 0x00401190, like this:

[Image: the patch applied at address 0x00401190]

And then our file looks like this:

[Image: the modified file as shown in IDA]

I think reverse engineers will find it hard to understand what we are about to do when they try to reverse our code. This trick could be called an Anti-IDA trick.
As I said before, I haven't explained why I chose the address 0x00401190 for my Anti-IDA trick, for security reasons. But you can leave a comment here and I will answer in private, just for education purposes. 🙂
