![Page 1: Hiding PIN's Artifacts - Black Hat...Fake Read Handler Module Fake Write Handler Module Fake Free Handler Module Fake Memory Handler Modules Pattern Matching Module Self Modifying](https://reader034.vdocuments.mx/reader034/viewer/2022051815/603d829917b66964f5519d46/html5/thumbnails/1.jpg)
Hiding PIN's Artifacts to Defeat Evasive Malware
Mario Polino, Andrea Continella, Sebastiano Mariani, Lorenzo Fontana, Stefano D'Alessio, Fabio Gritti, Stefano Zanero
Agenda
- Arancino
- Dynamic Binary Instrumentation Tools
- DBI Evasion
- Evasive Malware Measurement
- Evasive Resilient Unpacking Tool
- DEMO
Arancino
Arancino is built from the following modules:
- Fake Memory Handler Modules: Fake Read Handler Module, Fake Write Handler Module, Fake Free Handler Module
- Pattern Matching Module
- Self Modifying Code Module
- Process Information Module
- Hooking Module: Hooking Function Module, Hooking Syscall Module
Malware Analysis
Static analysis (disassembly listing):
mov eax, esi
mov edi, ebx
mov ecx, 14h
rep stosd
mov dword ptr [esp+0Ch], 0Ah
mov dword ptr [esp+8], 50h
mov [esp+4], ebx
mov dword ptr [esp], 0
call sub_8048C30
cmp eax, 0FFFFFFFFh
jz short loc_80488F8
mov [esp], ebx
call sub_8048A50
test eax, eax
jz short loc_8048858
loc_80488F8:
mov edx, [esp+6Ch]
xor edx, large gs:14h
jnz short loc_804890D
loc_8048858:
cmp ds:dword_804C3C0, 1
mov [esp+8], ebx
mov dword ptr [esp+4], offset aSInvalidComman
sbb eax, eax
not eax
add eax, 24h
mov [esp+0Ch], eax
mov dword ptr [esp], 1
call ___printf_chk
cmp ds:dword_804C3C0, 1
mov dword ptr [esp+4], 804960Bh
mov dword ptr [esp], 1
sbb eax, eax
not eax
add eax, 24h
mov [esp+8], eax
call ___printf_chk
jmp short loc_8048882
loc_8048882:
mov eax, ds:stdout
mov [esp], eax
call _fflush
Dynamic analysis (API trace):
CreateFile(_T("File.txt"), ...)
VirtualAlloc(...)
ReadFile(hout, buf, 40, 0, NULL);
CloseHandle(hout)
Run in a sandbox
Traces instances
Malware
Evasive Malware
if (amIUnderAnalysis()) {
    die();
} else {
    beMalicious();
}
Dynamic Binary Instrumentation
What is a DBI Tool?
[Diagram: the process memory layout (.text, .rodata, .data, stack), then the same layout with the DBI engine loaded into the process memory]
What is a DBI Tool?
[Diagram: a Control Flow Graph of Basic Blocks BB1 to BB10; a Trace is a path of basic blocks through it, e.g. BB1, BB2, BB3]
The trace is copied into the Code Cache.
User instrumentation code (User Defined Code) is added to the cached trace by the JIT Compiler.
DBI - Evasive Malware
- DynamoRIO
- Valgrind
- Intel Pin Tools
- rev.ng
DBI - Evasive Malware
Ways in which malware can detect a DBI tool:
- Overhead Detection
- Code Cache Artifacts
- Environment Artifacts
- JIT Compiler Detection
Code Cache Artifacts
[Diagram: the Code Cache holding BB1, BB2, BB3 and User Defined Code]
All these artifacts are caused by having a Code Cache:
● IP Detection
● Self-Modifying Code
CCA - IP Detection
Nt Syscall (EIP -> EDX)
int 2e
Floating Point Context on the Stack
fsave / fxsave / fstenv
When we find one of these instructions in a trace, we patch the environment (the EIP value it leaves in EDX or on the stack) right after the instruction has executed.
NB: the call instruction is already handled by Pin.
[Diagram: the original instruction stream ins1 ... ins6 and its copy ins1 ... ins4 in the code cache; EIP points into the code cache, not into the original code]
Arancino - Pattern Matching Module
- PatchMap: a list of instructions and the function pointers of their patch routines.
- PatchDispatcher: checks each instruction and adds its patch during trace building.
CCA - IP Detection (patch dispatcher walkthrough)
TRACE: add eax,4 ; int 2e ; jmp 0x0804856c
PATCH DISPATCHER list: int 2e, fsave, fxsave
1. add eax,4 - Is it in the list? Nope! It is copied into the patched trace unchanged.
2. int 2e - Is it in the list? Yes! It is copied, and patch_int2e() is added right after it.
PATCHED TRACE: add eax,4 ; int 2e ; patch_int2e() ; jmp 0x0804856c
CCA - IP Detection RT (runtime)
Main module: add eax,4 at 0x00400000, int 2e at 0x00400003, jmp 0x0804856c at 0x00400005 [ … ]
Code Cache: add eax,4 at 0x00200000, int 2e at 0x00200003, patch_int_2e() at 0x00200005, then jmp 0x0804856c
After int 2e executes from the code cache, EDX holds 0x00200003 (a code cache address) instead of 0x00400003.
After patch_int_2e() runs, EDX holds 0x00400003, the address in the main module that the program expects.
CCA - Self Modifying Code
.text: ins1 ins2 wrong_ins3 ins4 ins5 ins6 ins7 ...
Collected Trace (code cache): ins1 ins2 wrong_ins3 ins4 ins5
The program patches its own .text: wrong_ins3 is overwritten with ins3 while the Instruction Pointer is still executing the cached copy.
.text now reads ins1 ins2 ins3 ins4 ins5 ins6 ins7, but the code cache still holds ins1 ins2 wrong_ins3 ins4 ins5.
The Instruction Pointer reaches the stale wrong_ins3 in the code cache: Crash.
Arancino - Self Modifying Code Module
- MarkWrittenAddress: stores which addresses have been overwritten.
- CheckEIPWritten: checks whether the next instruction has been overwritten.
CCA - Self Modifying Code (with Arancino)
.text: ins1 ins2 wrong_ins3 ins4 ins5 ins6 ...
Collected Trace (code cache) with the Analysis Routines inserted: ins1 CheckEipWritten() ; ins2 CheckEipWritten() ; wrong_ins3 CheckEipWritten()
Analysis Routines: CheckEipWritten() before every instruction, MarkWrittenAddress() on every write.
1. The Instruction Pointer executes ins1 and ins2 from the code cache.
2. The self-patch writes ins3 over wrong_ins3 in .text; MarkWrittenAddress() records address_ins3.
3. Before the cached wrong_ins3 runs, CheckEipWritten() finds address_ins3 among the written addresses: Cache Invalidated.
4. ReCollected Trace: the trace is rebuilt from .text and now reads ins3 CheckEipWritten() ; ins4 CheckEipWritten() ; ins5 CheckEipWritten()
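The two code-cache mechanisms described above, the PatchMap/PatchDispatcher of the Pattern Matching Module (CCA - IP Detection) and the MarkWrittenAddress/CheckEipWritten pair of the Self Modifying Code Module, as one added stand-alone C++ simulation. This is not Arancino's or Pin's code: the addresses, instruction lengths and the `write <addr> <mnem>` pseudo-instruction are constructed for the example, and `Runner`, `buildTrace`, `edxAfterRun` and `executedMnemonics` are hypothetical names.

```cpp
// Added example, not Arancino's or Pin's code: a plain-C++ simulation, with
// constructed addresses, of (1) the Pattern Matching Module, whose PatchDispatcher
// looks each instruction up in the PatchMap during trace building and appends the
// matching patch routine, and (2) the Self Modifying Code Module, whose
// MarkWrittenAddress/CheckEipWritten pair invalidates a stale cached trace.
#include <cstdint>
#include <functional>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Ins { uint32_t addr; uint32_t len; std::string mnem; };                 // in .text
struct Cached { uint32_t cacheAddr; uint32_t origAddr; std::string mnem; bool isPatch; };
struct Cpu { uint32_t edx = 0; std::vector<std::string> log; };
using Text = std::map<uint32_t, Ins>;                         // address -> instruction
using PatchFn = std::function<void(Cpu&, const Cached&)>;
using PatchMap = std::map<std::string, PatchFn>;              // mnemonic -> patch routine
static const uint32_t CACHE_BASE = 0x00200000;                // constructed, as on the slides

// PatchMap with the int 2e entry: the stub leaves the code-cache EIP in EDX, the patch writes back the main-module address.
PatchMap makePatchMap() {
    PatchMap m;
    m["int 2e"] = [](Cpu& c, const Cached& s) { c.edx = s.origAddr; };
    return m;
}

// PatchDispatcher: copy instructions from `start` into the code cache, asking
// "is it in the list?" for each one; the trace ends after a jmp.
std::vector<Cached> buildTrace(const Text& text, uint32_t start, const PatchMap& patches) {
    std::vector<Cached> trace;
    uint32_t cacheAddr = CACHE_BASE;
    for (auto it = text.find(start); it != text.end(); ++it) {
        const Ins& ins = it->second;
        trace.push_back({cacheAddr, ins.addr, ins.mnem, false});
        cacheAddr += ins.len;
        if (patches.count(ins.mnem)) {                            // Yes! -> add patch_<ins>()
            trace.push_back({cacheAddr, ins.addr, ins.mnem, true});
            cacheAddr += 5;                                       // constructed patch-call size
        }
        if (ins.mnem.rfind("jmp", 0) == 0) break;
    }
    return trace;
}

struct Runner {
    Text text;
    PatchMap patches;
    std::set<uint32_t> written;                                   // addresses overwritten at run time
    bool smcModule = true;                                        // false = plain DBI, no SMC checks
    void MarkWrittenAddress(uint32_t a) { written.insert(a); }
    bool CheckEipWritten(uint32_t a) const { return smcModule && written.count(a) > 0; }

    void execute(Cpu& cpu, const Cached& s) {
        cpu.log.push_back(s.isPatch ? "patch(" + s.mnem + ")" : s.mnem);
        if (s.isPatch) patches.at(s.mnem)(cpu, s);
        else if (s.mnem == "int 2e") cpu.edx = s.cacheAddr;      // artifact: cached EIP leaks into EDX
        else if (s.mnem.rfind("write ", 0) == 0) {                // "write <hexaddr> <mnem>": SMC
            uint32_t target = std::stoul(s.mnem.substr(6), nullptr, 16);
            text[target].mnem = s.mnem.substr(s.mnem.find(' ', 6) + 1);
            MarkWrittenAddress(target);                           // the write handler records it
        }
    }

    // Run one trace from `start`; CheckEipWritten runs before every cached instruction and forces a re-collection ("Cache Invalidated").
    Cpu run(uint32_t start) {
        Cpu cpu;
        std::vector<Cached> trace = buildTrace(text, start, patches);
        for (size_t i = 0; i < trace.size(); ++i) {
            if (!trace[i].isPatch && CheckEipWritten(trace[i].origAddr)) {
                uint32_t eip = trace[i].origAddr;
                written.erase(eip);
                trace = buildTrace(text, eip, patches);           // fresh copy of the new bytes
                i = 0;
            }
            execute(cpu, trace[i]);
        }
        return cpu;
    }
};

// CCA - IP Detection RT: add eax,4 ; int 2e ; jmp at 0x00400000 in the main module.
Text ipDetectionProgram() {
    return {{0x00400000, {0x00400000, 3, "add eax,4"}}, {0x00400003, {0x00400003, 2, "int 2e"}},
            {0x00400005, {0x00400005, 5, "jmp 0x0804856c"}}};
}
uint32_t edxAfterRun(bool withPatches) {
    Runner r{ipDetectionProgram(), withPatches ? makePatchMap() : PatchMap{}, {}, true};
    return r.run(0x00400000).edx;                                 // 0x00200003 vs 0x00400003
}

// CCA - Self Modifying Code: ins2 rewrites wrong_ins3 into ins3 before it is reached.
Text smcProgram() {
    return {{0x00400000, {0x00400000, 1, "ins1"}}, {0x00400001, {0x00400001, 1, "write 0x00400002 ins3"}},
            {0x00400002, {0x00400002, 1, "wrong_ins3"}}, {0x00400003, {0x00400003, 1, "ins4"}},
            {0x00400004, {0x00400004, 1, "ins5"}}, {0x00400005, {0x00400005, 5, "jmp 0x0804856c"}}};
}
std::vector<std::string> executedMnemonics(bool smcModule) {
    Runner r{smcProgram(), PatchMap{}, {}, smcModule};
    return r.run(0x00400000).log;                                 // [2] is wrong_ins3 or ins3
}
```

`edxAfterRun(false)` reproduces the artifact (EDX ends up holding the code-cache address 0x00200003) and `edxAfterRun(true)` the patched run (0x00400003); `executedMnemonics(false)` executes the stale `wrong_ins3` from the cache, while `executedMnemonics(true)` re-collects the trace and runs `ins3`. A real Pintool would get the instruction stream from the Pin trace API and the written addresses from a memory-write instrumentation callback; here both are modelled in memory so the logic can be checked offline.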
Environment Artifacts
● Parent Detection
● Memory Fingerprinting
EA - Parent Detection
Malware can check which process is its parent.
● NtQuerySystemInformation
● CSRSS.exe
Arancino - Hooking Module
- Hooking Function Module: installs a hook on DLL functions.
- Hooking Syscall Module: installs a hook on DLL functions.
Arancino - Hook Functions
[Diagram: on ImageLoad of new.dll into memory (.text, new.dll, Pintool.dll), the HOOK DISPATCHER checks whether the functions of new.dll (VirtualFree, VirtualQueryEx, ...) are in the list; for each one that is, the Function in new.dll is redirected to the Hook Function in Pintool.dll]
EA - Parent Detection
Hooked NtQuerySystemInformation: the parent is reported as cmd.exe instead of pin.exe (pin.exe -> cmd.exe)
Hooked NtOpenProcess to deny access to CSRSS.exe
EA - Memory Fingerprinting
(animated diagram: the process memory map as seen by a sample scanning for artifacts)
● .text        0x00400000 - 0x00402000
● new.dll      0x55100000 - 0x55101000
● Pintool.dll  0x6f100000 - 0x6f103000
● Probing 0x58402000 -> Crash
● VirtualQuery
EA - Memory Fingerprinting
We hook NtQueryVirtualMemory.
We create a whitelist of accessible memory regions, updated at runtime:
● Main Module
● Libraries
● Heap and Stack
● PEB, TEB, etc.
● Mapped files
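One way a hooked NtQueryVirtualMemory can answer from such a whitelist, as an added example in C++ (not Arancino's code): the Region and QueryResult types, the gap computation and the scan loop are assumptions of this example; the addresses are the ones from the memory map above.

```cpp
// Added example, not Arancino's code: a whitelist-backed answer for a hooked
// NtQueryVirtualMemory. Region/QueryResult are simplified stand-ins for the
// real MEMORY_BASIC_INFORMATION; the layout below is the slides' memory map.
#include <cstdint>
#include <string>
#include <vector>

enum RegionState { REGION_COMMIT, REGION_FREE };

struct Region {
    uint32_t base, end;      // [base, end)
    std::string owner;       // "main module", "library", "heap", ...
    bool whitelisted;        // false for Pin's own modules and allocations
};

struct QueryResult {
    uint32_t baseAddress, regionSize;
    RegionState state;
};

class MemoryWhitelist {
public:
    // Called from the hooks as modules load, heaps grow, files get mapped.
    void add(uint32_t base, uint32_t end, const std::string& owner, bool ok) {
        regions_.push_back({base, end, owner, ok});
    }

    // What the hooked NtQueryVirtualMemory reports for `addr`: a whitelisted
    // region as-is; anything else (Pintool.dll, unmapped space) as one free
    // block stretching between the neighbouring whitelisted regions, which is
    // exactly what the sample would see without Pin in the process.
    QueryResult query(uint32_t addr) const {
        for (const Region& r : regions_)
            if (r.whitelisted && addr >= r.base && addr < r.end)
                return {r.base, r.end - r.base, REGION_COMMIT};
        uint32_t gapStart = 0, gapEnd = 0xFFFFFFFFu;
        for (const Region& r : regions_) {
            if (!r.whitelisted) continue;
            if (r.end <= addr && r.end > gapStart) gapStart = r.end;
            if (r.base > addr && r.base < gapEnd) gapEnd = r.base;
        }
        return {gapStart, gapEnd - gapStart, REGION_FREE};
    }

private:
    std::vector<Region> regions_;
};

// Constructed layout taken from the slides' diagram (not a live process).
MemoryWhitelist buildSlideLayout() {
    MemoryWhitelist wl;
    wl.add(0x00400000, 0x00402000, "main module .text", true);
    wl.add(0x55100000, 0x55101000, "new.dll", true);
    wl.add(0x6f100000, 0x6f103000, "Pintool.dll", false);  // must stay hidden
    return wl;
}

// Walk the address space the way a VirtualQuery-based scanner does and
// return the base of every committed region it can observe.
std::vector<uint32_t> visibleBases(const MemoryWhitelist& wl) {
    std::vector<uint32_t> bases;
    uint64_t addr = 0;
    while (addr < 0xFFFFFFFFu) {
        QueryResult q = wl.query((uint32_t)addr);
        if (q.state == REGION_COMMIT) bases.push_back(q.baseAddress);
        addr = (uint64_t)q.baseAddress + q.regionSize;
    }
    return bases;
}
```

A scanner walking this layout observes only the main module and new.dll; the Pintool.dll range is folded into the free block that follows new.dll.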
JIT Compiler Detection
● Memory Page Permissions
  ○ Checks if there are WX pages
● DLL Hook Detection
● Memory Allocations
JITC Detection - DLL Hook
A process can search through memory for discrepancies caused by hooks.
(screenshots: KiUserApcDispatcher under instrumented execution vs. KiUserApcDispatcher under normal execution)
JITC Detection - DLL Hook
(animated diagram with three columns: TRACE, FAKE_READ_HANDLER, MEMORY)

TRACE (the sample's check):
    add eax,2
    mov edx, [eax]
    cmp edx,0x8d
    jnz ebx

MEMORY: 0x77C76F58  JMP 0x5B680BE0  (instrumented; the original instruction is LEA EAX, [ESP+2D])

● add eax,2 -> FAKE_READ_HANDLER: Is memory read operation? Nope! Go next. (eax = 0x77C76F58)
● mov edx, [eax] -> FAKE_READ_HANDLER: Is memory read operation? Yes
● Is the target address inside a fake memory item? Yes -> fake memory function invoked
● FakeMemoryFunc() maps the item 0x77C76F58 - 0x77C76F5F (JMP 0x5B680BE0) to its fake copy (LEA EAX, [ESP+2D], at 0x01C00A2B)
● The instrumented process reads the fake value LEA EAX, [ESP+2D] and does not detect PIN
JIT Compiler - API Hook
The JIT compiler needs memory to perform the compilation.
We can monitor the allocations by hooking ZwAllocateVirtualMemory.
JIT Compiler - API Hook
(animated diagram: .text with a "Counter Fun", Pintool.dll, and ZwAllocateVirtualMemory in ntdll.dll; the animation steps are labelled Write, Write, Write and then Read)
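The DLL-hook walkthrough above and this API-hook diagram rely on the same idea, a shadow copy of memory that the sample reads from instead of the real bytes; the following added C++ example (not Arancino's code) models one such fake-memory table serving both a fake read handler and a fake write handler. The FakeMemory class, the one-byte item strategy, the ntdll range and the ZwAllocateVirtualMemory address are assumptions of this example; the hooked address 0x77C76F58, its bytes and the jump target are the ones shown on the slides.

```cpp
// Added example, not Arancino's code: one shadow "fake memory" table serving a
// fake read handler (hides Pin's trampoline) and a fake write handler (absorbs
// the sample's own hook on a protected ntdll range). Real memory is a constructed
// byte map; the hooked address and bytes are the slides', the ntdll range is a placeholder.
#include <cstdint>
#include <map>
#include <vector>

struct FakeItem { uint32_t start, end; std::vector<uint8_t> bytes; };  // [start,end)

class FakeMemory {
public:
    std::map<uint32_t, uint8_t> real;                            // constructed RAM
    std::vector<std::pair<uint32_t, uint32_t>> protectedRanges;  // e.g. ntdll code
    std::vector<FakeItem> items;                                 // what the sample may see
    void addItem(uint32_t start, const std::vector<uint8_t>& b) {
        items.push_back({start, start + (uint32_t)b.size(), b});
    }
    FakeItem* findItem(uint32_t addr) {
        for (FakeItem& it : items)
            if (addr >= it.start && addr < it.end) return &it;
        return nullptr;
    }
    bool isProtected(uint32_t addr) const {
        for (const auto& r : protectedRanges)
            if (addr >= r.first && addr < r.second) return true;
        return false;
    }
    // FAKE_READ_HANDLER: a read whose target is inside a fake item is served
    // from the item, so the JMP trampoline Pin installed stays invisible.
    uint8_t onRead(uint32_t addr) {
        if (FakeItem* it = findItem(addr)) return it->bytes[addr - it->start];
        auto r = real.find(addr);
        return r == real.end() ? 0 : r->second;
    }
    // FAKE_WRITE_HANDLER: a write into a protected range never touches real
    // memory; it lands in a one-byte fake item that later reads are served from.
    void onWrite(uint32_t addr, uint8_t value) {
        if (!isProtected(addr)) { real[addr] = value; return; }
        if (!findItem(addr)) addItem(addr, std::vector<uint8_t>{onRead(addr)});
        FakeItem* it = findItem(addr);
        it->bytes[addr - it->start] = value;
    }
};

// Constructed scenario from the slides: Pin placed "JMP 0x5B680BE0" (E9 rel32) at
// 0x77C76F58 over "LEA EAX,[ESP+2D]" (8D 44 24 2D). A real tool saves every byte
// the trampoline overwrote; only the four shown on the slide are kept here.
FakeMemory buildSlideScenario() {
    FakeMemory m;
    const uint32_t hook = 0x77C76F58;
    uint32_t rel = 0x5B680BE0u - (hook + 5);
    uint8_t jmp[5] = {0xE9, uint8_t(rel), uint8_t(rel >> 8), uint8_t(rel >> 16), uint8_t(rel >> 24)};
    for (uint32_t i = 0; i < 5; ++i) m.real[hook + i] = jmp[i];
    m.protectedRanges.push_back({0x77C70000, 0x77D00000});  // placeholder ntdll range
    m.addItem(hook, {0x8D, 0x44, 0x24, 0x2D});
    return m;
}

// The trace's check (cmp against the LEA opcode 0x8D): the sample reads 0x8D
// and concludes "not hooked", while real memory still holds the 0xE9 trampoline.
bool demoHookHidden() {
    FakeMemory m = buildSlideScenario();
    return m.onRead(0x77C76F58) == 0x8D && m.real[0x77C76F58] == 0xE9;
}

// The sample installs its "Counter Fun" hook over ZwAllocateVirtualMemory
// (placeholder address): its read-back sees the hook, real memory does not.
bool demoWriteAbsorbed() {
    FakeMemory m = buildSlideScenario();
    const uint32_t zwAlloc = 0x77C7A000;   // placeholder, not the real address
    m.real[zwAlloc] = 0xB8; m.onWrite(zwAlloc, 0xE9);  // constructed stub byte, then the hook
    return m.onRead(zwAlloc) == 0xE9 && m.real[zwAlloc] == 0xB8;
}
```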
Overhead Detection
● Windows Time
  ○ Use Windows API
    ■ GetTickCount and timeGetTime
  ○ Or Windows structures
    ■ KUSER_SHARED_DATA
● CPU Time
  ○ Count CPU cycles (rdtsc)
Evasive Malware Measurement
Anti-Instrumentation Measurement
Dataset
● 7006 Binaries
● Virus Total Intelligence (3+ AV Detection)
● From October 2016 to February 2017
Anti-Instrumentation Measurement
Environment Setup
● Virtual Machine (VirtualBox)
● Windows 7 (64-bit)
● Custom Apps (Adobe Reader, Chrome, and media players)
● User Data (saved credentials, browser history, etc.)
● Basic User Activity (moving the mouse, launching applications)
● 5 min run
Evasive Malware
At least one evasive behavior: 1,093 / 7006 (15.6%)

| Family Name [1] | Samples (% of dataset) | Evasive (% of family) | Techniques |
|---|---|---|---|
| virlock | 619 (8.8%) | 600 (96.9%) | 2 |
| confidence | 505 (7.2%) | 68 (13.5%) | 4 |
| virut | 242 (3.5%) | 13 (5.4%) | 2 |
| mira | 230 (3.3%) | 9 (3.9%) | 1 |
| upatre | 187 (2.7%) | 2 (1.1%) | 1 |
| lamer | 171 (2.4%) | 0 (0.0%) | 0 |
| sivis | 168 (2.4%) | 0 (0.0%) | 0 |

[1] AvClass https://github.com/malicialab/avclass
Top Evasive Malware
At least one evasive behavior: 1,093 / 7006 (15.6%)

| Family Name [1] | Samples | Evasive (% of family) | Techniques |
|---|---|---|---|
| sfone | 19 | 19 (100.0%) | 1 |
| unruy | 11 | 11 (100.0%) | 1 |
| virlock | 619 | 600 (96.9%) | 2 |
| vilsel | 13 | 8 (61.5%) | 2 |
| urelas | 18 | 9 (47.4%) | 2 |
| confuser | 52 | 8 (44.4%) | 1 |
| vobfus | 29 | 19 (36.5%) | 1 |

[1] AvClass https://github.com/malicialab/avclass
Top Techniques Used
At least one evasive behavior: 1,093 / 7006 (15.6%)

| Category | Technique | # |
|---|---|---|
| Code Cache Artifacts | Self-modifying code | 897 |
| Environment Artifacts | Parent detection | 259 |
| JIT Compiler Detection | Write on protected memory region | 40 |
| Environment Artifacts | Check DEBUG flag | 5 |
| Environment Artifacts | Memory fingerprinting | 3 |
Overhead

| Technique | Pin time [ms] | Arancino [ms] | Arancino overhead [%] | Module activated |
|---|---|---|---|---|
| Parent Detection | 850 | 870 | 2% | Hooking Module |
| EIP Detection - int2e | 710 | 1,150 | 62% | Pattern Match Module |
| Memory Fingerprinting | 2,000 | 7,090 | 254.5% | Fake Read Module |
| Memory Allocations | 2,000 | 2,900 | 45% | Fake Write Module + Hooking Module |
Unpacking Approach
● Detect W and X memory regions
● Dump the program
● Deobfuscate the Import Address Table
● Recognize the correct dump
Experiment 1 : known packers
(result grid: packers × test binaries MessageBox.exe and WinRAR.exe)
● Upx, FSG, Mew, mpress, PeCompact, Obsidium, ExePacker, ezip
● Xcomp, PElock, ASProtect, ASPack, eXpressor, exe32packer, beropacker, Hyperion
Legend: Original code dumped but Import directory not reconstructed
Experiment 2 : wild samples

| Result | N° | % |
|---|---|---|
| Unpacked and working | 669 | 63 |
| Unpacked but not executable | 139 | 13 |
| Not unpacked | 258 | 24 |

Number of packed (checked manually) samples: 1096
Arancino - GitHub
DEMO Time!
eXait https://www.coresecurity.com/corelabs-research/open-source-tools/exait
Black Hat Sound Bytes
● Malware authors employ anti-instrumentation techniques to detect when their samples are being instrumented
● We proposed an approach to practically defeat such techniques
● We studied the common techniques adopted by modern malware authors to evade instrumentation systems
● On top of Arancino ~> dynamic, evasion-resilient unpacker
  ○ Known packers use anti-instrumentation techniques!
Arancino - GitHub
Thanks!
https://github.com/necst/arancino
Mario Polino
Arancino - GitHub
Questions?
https://github.com/necst/arancino
Mario Polino
Credits
● Icons, CC from Noun Project:
  ○ Vicons Design
  ○ Aya Sofya
  ○ Adnen Kadri
  ○ Stock Image Folio
  ○ Icon Fair
  ○ Creative Stall
  ○ Gregor Cresnar