Dailydave mailing list archives
Re: VPC
From: Halvar Flake <halvar () gmx de>
Date: Tue, 26 Feb 2008 11:46:03 +0100
Thorsten Holz wrote:
On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel <dave () immunityinc com> wrote:

> There's another one called CWSandbox that has a free web form you can send exe's to.

You can either send a sample to <https://cwsandbox.org/?page=submit> or <http://research.sunbelt-software.com/submit.aspx>. More info about the tool is available in an article (<http://pi1.informatik.uni-mannheim.de/filepool/publications/j2holz.pdf>) and an example report is <https://cwsandbox.org/?page=details&id=156851&password=iokop>.

> (They hook a bunch of things but I think you can escape the hooking by calling system calls directly?)

But then you are not platform independent. CWSandbox was originally designed to automatically analyze the malware we capture with the help of honeypots (worms, bots, ...), but has evolved a lot since then.
OS-version independent API-hook bypassing is a very old hat (late 90's?). Aside from checking for such hooks (which many common packers do out-of-the-box, and have been doing since ... uhm ... almost a decade?), the attacker has many choices to bypass the hook. I have seen many variants of hook bypasses of various quality over the years -- some samples include:

* Checks for the exact OS version to then differentiate which exact syscalls to use, then using syscalls
* Inlining the first few bytes of OS functions into the executable, then jumping to API+X
* Packers that inline entire OS functions into the executable

None of these are entirely rocket science (although (3) is kinda cute), and platform-independence can be achieved easily if one is willing to sacrifice Win9x (and, perhaps, Win2k) compatibility.

Empirically, it is likely true that very little malware takes these countermeasures. That just means that the authors have decided that the cost of taking countermeasures (virtually zero) isn't worth incurring yet.

It constantly amazes me in how many guises API hooks will cross my path in my life -- I have seen bad IPS based on it 7 years ago, then again 4 years ago etc. etc. API hooking is great if you're dealing with a non-adversarial target. For everything else, it's useful as long as nobody decides it's worth 3 hours to deal with it.

Cheers,
Halvar

PS: "Nobody will break into my house -- I put paper in front of my door. No burglar has ever been seen cutting paper in order to break in!" :-P

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave