- Jan 8, 2017
- 1,318
New ‘Early Bird’ Code Injection Technique Helps APT33 Evade Detection
- Thread starter Faybert
- Start date
Very interesting, also I have noticed that often a goal is to change the entrypoint of a malware redirecting it to a loop (XOR encoder), and this makes difficult to detect it by common AVs.
Sometimes it can be noticed the creation of the empty code, for instance by using OllyDBG and checking if the PE of the malware is writable or not; in the second case, obviously, it is necessary to modify the PE and using an hex editor to insert many bytes with a value of "0".
The next step is to try to redirect the program to the empty code, by changing the entrypoint.
If the PE is not really accessible, a PE editor can give you the address of the entrypoint of the program.
This is a very easy operation, it will find the entrypoint of the program, take one of the first offset of the empty code and redirect the entrypoint, with a simple JMP to the offset of the empty code.
Let's say that the most difficult part is the insertion of the loop (XOR encoder) inside the empty code.
It is necessary to put in the EAX register, the contents of the istruction immediately after the entrypoint; code: MOV EAX, OFFSET
It is necessary to do the XOR in the code where the EAX register points with keyword "0F"; code: XOR BYTE PTR DS:[EAX].0F
Increment the EAX register; Code: INC EAX
Compare the value of the EAX register with the value of the final istruction of the section .text; code: CMP EAX, OFFSET
Execution of the IF cycle, using a JLE, so that, if the value at EAX is not equal to that to which it was compared before, you get back to the XOR, and, accordingly, it increases, and so on: JLE SHORT, OFFSET (XOR).
Ok at this point "we" (the malcoders) get the encoding of the malware but it is not possible to save it, because obviously we do not have redirected the body of the program.Then after the conditional jump to XOR, we have to put an obligatory leap into the program's body..
Then we insert the code JMP OFFSET (the one after the entrypoint).
Well this is a well-known process that seems difficult but really it is often applied to recycled sample.
Sometimes it can be noticed the creation of the empty code, for instance by using OllyDBG and checking if the PE of the malware is writable or not; in the second case, obviously, it is necessary to modify the PE and using an hex editor to insert many bytes with a value of "0".
The next step is to try to redirect the program to the empty code, by changing the entrypoint.
If the PE is not really accessible, a PE editor can give you the address of the entrypoint of the program.
This is a very easy operation, it will find the entrypoint of the program, take one of the first offset of the empty code and redirect the entrypoint, with a simple JMP to the offset of the empty code.
Let's say that the most difficult part is the insertion of the loop (XOR encoder) inside the empty code.
It is necessary to put in the EAX register, the contents of the istruction immediately after the entrypoint; code: MOV EAX, OFFSET
It is necessary to do the XOR in the code where the EAX register points with keyword "0F"; code: XOR BYTE PTR DS:[EAX].0F
Increment the EAX register; Code: INC EAX
Compare the value of the EAX register with the value of the final istruction of the section .text; code: CMP EAX, OFFSET
Execution of the IF cycle, using a JLE, so that, if the value at EAX is not equal to that to which it was compared before, you get back to the XOR, and, accordingly, it increases, and so on: JLE SHORT, OFFSET (XOR).
Ok at this point "we" (the malcoders) get the encoding of the malware but it is not possible to save it, because obviously we do not have redirected the body of the program.Then after the conditional jump to XOR, we have to put an obligatory leap into the program's body..
Then we insert the code JMP OFFSET (the one after the entrypoint).
Well this is a well-known process that seems difficult but really it is often applied to recycled sample.
Similar threads
