Transfer Execution

Question 1

Malware needs to control what code is executed. Aside from jump and call, what are other common techniques used by malware to achieve controlled execution?

Answer 1

The most frequently seen techniques utilize:

1. DLLs (most common)
2. Processes
3. Mutexes
4. Services
5. Component Object Model (COM)
6. Exceptions

Question 2

How may malware writers utilize a DLL?

Answer 2

Malware writers use DLLs to provide additional functionality to their malware. The authors can either write the DLLs themselves or utilize the DLLs offered by Windows or third party vendors.

Writing your own DLLs is more challenging and are more likely to be detected as an unknown DLL by the OS.

Windows DLL are better understood by reverse engineers and the composition of imported DLLs may quickly enable the investigator to understand abilities of the malware and how it is configured. In short, it can make the investigators job easier.

Third party DLLs are similar to those offered by the OS, but are less well known.

Question 3

What are the main differences between processes and threads?

Answer 3

A process can be considered a container which is assigned a section of main memory. Within such a container we find a set of threads which execute code and are managed by the OS. Every thread will therefore operate in the same section of allocated memory, but they are distinguished by separate stacks and registers.

In windows there is also a means of execution known as fibres. These are not managed by the OS but an individual thread. the parent thread maintains the stack of individual fibres and a subset of their register values.

Question 4

How may threads be utilized maliciously?

Answer 4

There are many ways in which threads can be used maliciously. Some of the best known methods is to spawn a new thread to launch a DLL into the process, or to create two threads (one for input and the other for output) to enable outside communication with the program.

Question 5

Why are mutexes so important for malware.

Answer 5

Mutexes are global objects on the system used to govern access to resources such as a data structure in memory, a certain file, etc. A key concern for malware writers is to implement their malware in a manner that makes it as difficult to detect as possible. Therefore, having several instances of the malware running simultaneously makes it far more likely that the additional load on the system provide the malware with unwanted attention. Ensuring that only one instance of the malware is running can be accomplished using a mutex. It is typically as simple as having the malware try to create a hard coded mutex when launched. If the mutex already exists it means that it has already been created an another instance of the malware is running. If the mutex already exists the new instance is usually terminated.

Question 6

What are services and how can they be exploited?

Answer 6

Windows services are non-user processes that run temporarily and are scheduled by the service manager. Adding malware as a service provides several advantages such as running in SYSTEM/Admin mode, often hidden from task manager as it is considered an auto runs tool which also provides persistence.

There are three key functions to recognize when malware tries to utilize Windows services:

1. OpenSCManager which opens a handle to the windows services manager.
2. CreateService adds a service to be managed by the services manager. The function also lets you defined whether the service should be launched manually or at boot.
3. StartService starts a specified service if it is configured to be started manually.

Services are most often used and run under processes called svchost.exe. This process runs the services stored as DLLs and can run several services at once. There are typically several instances of this process running at once.

Services can also be run as WIN_32_OWN_PROCESS where a .exe file is run on its own. Kernel drivers can also be used.

Information about the services on a Windows machine can be found in the registry at HKLM\SYSTEM\CurrentControlSet\Services

Question 7

What are Microsoft Component Object Models?

Answer 7

COMs are interfaces implemented for allowing software components to call each others code without knowing anything specific about one another (they can even be implemented in different programming languages). COM is implemented as a client/server framework where the clients are the software components and the reusable software component implemented as a COM is the server. Microsoft has implemented a large number of COM objects which makes them hard to investigate. However, we can be fairly certain that a piece of malware interacts with COM if it calls the functions OleInitialize or CoInitialize as these must be called if the system is to provide access to a given COM. Any COM is a structure containing a se of pointers to the functions included in the reusable software component. When CoInitialize is called a pointer to this structure is returned to the calling program. Whenever a function is the COM is called there will be some offset from the pointer to COM. This offset must be investigated if the malware analyst is to inspect the function call more closely.