To determine the behavior of a piece of malware, we will develop a script (based on LibVMI functions) that will allow us to trace the Kernel APIs executed by a malware and their arguments.
After choosing the domain name of the machine, create the file containing the dictionary and determine the malware file name to be scanned.
The following command is launched from the hypervisor:
./monitor_api w6164-1 /tmp/w6164-1.json malware.exe
This script will take several entries as argument:
- w6164-1: The domain name of the virtual machine under Xen
- /tmp/w6164-1.json: The file containing the functions/structures and the corresponding offsets
- malware.exe: The malware we want to analyze
Below is the code allowing the initialization of our system of introspection:
// Create altp2m view that will altered with breakpoints ... xc_altp2m_set_domain_state(xch, domain_id, 1); ... xc_altp2m_create_view(xch, domain_id, 0, &shadow_view); ...
2. Breakpoints Insertion
We first define the APIs we want to monitor. Take, for example, the following three APIs:
- NtCreateFile: Allows file creation/opening
- NtSetValueKey: Create or replace the value of a registry key
- NtDelayExecution: Delays execution (this API is executed when the Sleep API call is made from user mode). It can be used as an evasion technique
For more information on these APIs, you can refer to the MSDN documentation.
Afterwards, we insert the breakpoints in the altp2m view for each API.
// Add breakpoints on the monitored APIs in the altp2m view ... xc_altp2m_set_domain_state(xch, domain_id, 1); uint8_t trap = 0xcc; vmi_write_8_pa(vmi, (shadow << 12) + shadow_offset, &trap); ...
3. Callbacks Initialization
In this example, we will rely on three types of callbacks that we will initialize.
3.1. Interrupt Events Callback
This callback is triggered each time a breakpoint is trapped. It will retrieve the desired information through the function process_event (). This function will allow to (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Youness Zougar. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ktABjs18_oE/