By: nullsub
1) Abstract
This little package (source code and this shitty text file) shows a generic
way to explore your favorite malware sandbox. I chose Norman's because I
think it is good work, so I thought it would be interesting to take a look
at it.
2) Basis of RE methodology
The idea came to me when I saw a Norman sandbox report; I supposed it
works as follows:
- Initialize the architecture emulator (in this case i386)
- Initialize the fake Operating System (in this case W32)
- Start executing the sample file (a Portable Executable) inside the emulated environment
- Log the chain of execution events
- Decide whether the sample is malware or goodware
- Output the results (if the sample is malware)
When the sandbox classifies the file as malware it shows information about
the emulated infection, like:
- Modified/Created files
- Modified/Created registry entries
- HTTP, FTP downloaded files
- Executed files
- Connections (IRC, SMTP)
...
Some of the fields in this report are under our control, so we can use them
to display our own information, just like debug messages!!
That means we can build fake malware executables that extract information
from the sandbox ;-)
3) Included Source code
sandfuck.c :
Main file, the one to play with. It implements several methods to extract information: memory/file dumping, SEH, address layout, etc. It was used mainly as a test file, so I left some crappy code inside.
modfake.c :
This shitty program modifies a reserved field in the header of our fake executable. It is used for automated file/memory reading, because we can't pass parameters to our file when it is executed inside the emulated environment.
pedumpfix.c :
Fixes a PE dumped from the sandbox's memory so we can reverse it with IDA ;-)
sandx.pl :
Perl script that automates modifying the fake file and running it through the sandbox, in order to extract files and dump memory :-)
4) Extracted files:
- kernel32.dll : Sandbox implementation of KERNEL32.DLL
- advapi32.dll : Sandbox implementation of ADVAPI32.DLL
- gdi32.dll : Sandbox implementation of GDI32.DLL
- ntdll.dll : Sandbox implementation of NTDLL.DLL
- gunnar.exe : NOTEPAD.EXE!!! Yes, you can find it inside the sandbox ;-) I
think they use it to check file infectors.
- gdt.bin : Memory dump of IDT
- idt.bin : Memory dump of GDT
5) Release notes
I'm too lazy to document everything I have found inside this very nice
sandbox; I suggest you take a look at the implementation of the sandbox's
main OS DLLs. You'll find tons of ways to detect the sandbox, like
Aaaaaa!KERNEL32.DLL (which Peter Ferrie talks about in his latest paper as well),
opcode manipulation, the PEB structure, ... and you can also find funny stuff
like this:
CODE:77DC1380 ; BOOL __stdcall CryptEncrypt(HCRYPTKEY hKey,HCRYPTHASH hHash,BOOL Final,DWORD dwFlags,BYTE *pbData,DWORD *pdwDataLen,DWORD dwBufLen)
CODE:77DC1380 public CryptEncrypt
CODE:77DC1380 CryptEncrypt proc near
CODE:77DC1380
CODE:77DC1380 hKey = dword ptr 8 ; unused :-)
CODE:77DC1380 hHash = dword ptr 0Ch
CODE:77DC1380 Final = dword ptr 10h
CODE:77DC1380 dwFlags = dword ptr 14h
CODE:77DC1380 pbData = dword ptr 18h
CODE:77DC1380 pdwDataLen = dword ptr 1Ch
CODE:77DC1380 dwBufLen = dword ptr 20h
CODE:77DC1380
CODE:77DC1380 enter 0, 0
CODE:77DC1384 push esi
CODE:77DC1385 push ecx
CODE:77DC1386 mov esi, [ebp+pbData]
CODE:77DC1389 mov ecx, [ebp+dwBufLen]
CODE:77DC138C mov eax, 55555555h ; Hardcoded key (very strong)
CODE:77DC1391 cmp word ptr [esi], 5A4Dh ; MZ Header?
CODE:77DC1396 jnz short loc_77DC139E
CODE:77DC1398 add esi, 2 ; Skip the first two bytes, I suppose
CODE:77DC1398 ; they want to leave the _magic_ in
CODE:77DC1398 ; plaintext. OMG, you shouldn't be
CODE:77DC1398 ; ciphering executables! ;-)
CODE:77DC139B sub ecx, 2
CODE:77DC139E
CODE:77DC139E loc_77DC139E:
CODE:77DC139E push ecx
CODE:77DC139F shr ecx, 2
CODE:77DC13A2 jz short loc_77DC13AB
CODE:77DC13A4
CODE:77DC13A4 loc_77DC13A4:
CODE:77DC13A4 xor [esi], eax ; Blowfish ... X-DD
CODE:77DC13A6 add esi, 4
CODE:77DC13A9 loop loc_77DC13A4
CODE:77DC13AB
CODE:77DC13AB loc_77DC13AB:
CODE:77DC13AB pop ecx
CODE:77DC13AC and ecx, 3
CODE:77DC13AF jz short loc_77DC13B6
CODE:77DC13B1
CODE:77DC13B1 loc_77DC13B1:
CODE:77DC13B1 xor [esi], al ; Last bytes..
CODE:77DC13B3 inc esi
CODE:77DC13B4 loop loc_77DC13B1
CODE:77DC13B6
CODE:77DC13B6 loc_77DC13B6:
CODE:77DC13B6 pop ecx
CODE:77DC13B7 pop esi
CODE:77DC13B8 mov eax, 1
CODE:77DC13BD leave
CODE:77DC13BE retn 1Ch ; Buffer crypted! Now you are safe! :-)
CODE:77DC13BE CryptEncrypt endp
CODE:77DC13BE
CODE:77DC13C1 ; Exported entry 73. CryptGenKey
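To make the "very strong" comment concrete, here is the routine above rewritten in C as an added example (it is not part of nullsub's package or of Norman's code). The 0x55555555 key, the MZ skip and the dword/trailing-byte split come straight from the listing; the function and demo names, the length guard and the sample buffer are my own.

```c
#include <stdint.h>
#include <string.h>
#define SANDBOX_XOR_KEY 0x55555555u   /* the fixed key loaded into eax above */

/* C rendering of the sandbox's CryptEncrypt body as disassembled above. hKey,
 * hHash, Final and dwFlags are ignored by the original and omitted here; the
 * buffer is XORed in place with one fixed dword and, if it starts with "MZ",
 * those two bytes stay in plaintext. Returns 1 like the original (mov eax, 1).
 * Assumption: the n >= 2 guard is added here; the listing has no such check. */
int sandbox_crypt_encrypt(uint8_t *pbData, uint32_t dwBufLen)
{
    uint8_t *p = pbData;
    uint32_t n = dwBufLen, i, w;
    if (n >= 2 && p[0] == 'M' && p[1] == 'Z') { p += 2; n -= 2; } /* skip magic */
    for (i = 0; i < n / 4; i++, p += 4) {      /* xor [esi], eax : dword loop */
        memcpy(&w, p, 4);
        w ^= SANDBOX_XOR_KEY;
        memcpy(p, &w, 4);
    }
    for (i = 0; i < (n & 3); i++, p++)         /* xor [esi], al : trailing bytes */
        *p ^= (uint8_t)(SANDBOX_XOR_KEY & 0xFF);
    return 1;
}

/* Constructed sample: "MZ" + 7 body bytes = one full dword + 3 tail bytes. */
static const uint8_t plain[9] = { 'M','Z', 0x90,0x00,0x03,0x00, 0x00,0x00,0x04 };
/* Encrypts the sample, checks the magic survives and the body changed, then runs
 * the routine again: a fixed-key XOR is its own inverse. Returns 1 on success. */
int demo_roundtrip(void)
{
    uint8_t buf[sizeof plain];
    memcpy(buf, plain, sizeof buf);
    sandbox_crypt_encrypt(buf, sizeof buf);
    if (buf[0] != 'M' || buf[1] != 'Z') return 0;                     /* magic clear */
    if (buf[2] != (0x90 ^ 0x55) || buf[8] != (0x04 ^ 0x55)) return 0; /* body XORed */
    sandbox_crypt_encrypt(buf, sizeof buf);
    return memcmp(buf, plain, sizeof buf) == 0;
}

/* Why "very strong" is sarcasm: one known-plaintext dword anywhere in the body
 * hands the whole key back with a single XOR. Returns the recovered key. */
uint32_t demo_recover_key(void)
{
    uint8_t buf[sizeof plain];
    uint32_t c, p;
    memcpy(buf, plain, sizeof buf);
    sandbox_crypt_encrypt(buf, sizeof buf);
    memcpy(&c, buf + 2, 4);    /* first body dword, ciphertext */
    memcpy(&p, plain + 2, 4);  /* same dword, known plaintext */
    return c ^ p;              /* 0x55555555 */
}
```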
That's all folks; you can reach me by email if you want to comment on anything :-)
Have a nice RE day! ;-)
Cheers,
nullsub
PS.
The linked file contains the paper and source code. As an example I have included some stuff from Norman's sandbox:
http://vx.7a69ezine.org/re/nsandbox.zip
Enjoy it!
nullsub/7A69ML - http://vx.7a69ezine.org/