Malware Journey Day 28

Nick Mckenney
2 min read · Jan 6, 2024


Yesterday I learned basic DLL dynamic loading, which usually involves a simple LoadLibrary and GetProcAddress call.

I was also curious, when analyzing my functions, about what signatures are really useful for. Before researching, I knew they were mostly used in the malware world for detecting malware with YARA rules, based on a unique pattern a particular sample follows.

Now, beginning my research, here is what I found.

Shellcode byte sequences are good identifiers for malware. Signatures will have prebuilt rules to look for patterns of this kind. File hashes add to this, but honestly they are pretty unreliable, since a simple byte change completely alters the file hash. What I am most used to is behavioral patterns, like perhaps LoadLibrary, GetProcAddress, VirtualAlloc, VirtualProtect, CreateProcessA. To me this looks like a DLL being injected and shellcode getting permission to execute.
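The three detection approaches in this paragraph side by side, as an added example that is not part of the original post: a SHA-256 file hash, a YARA-style hex signature with ?? wildcards, and an ordered API-sequence rule run over API-monitor style trace lines. The sample bytes, the trace lines, the pid and the pattern strings are all constructed for the example; the "file" is an arbitrary byte string, not shellcode or a real sample. The script goes a little beyond the text by giving the wildcard matcher in general form, which is what shows why a signature outlives a hash: a one-byte patch breaks the hash, but not a signature whose wildcard covers the patched byte.

```python
import hashlib
import re

# Constructed bytes standing in for a scanned file. This is an arbitrary byte
# string made up for the example, not shellcode or any real sample.
SAMPLE = bytes.fromhex("4d5a9000" "0102030405060708" "cafebabe" "9090c3")

def file_hash(data: bytes) -> str:
    """SHA-256 of the whole file: exact, but any single-byte change invalidates it."""
    return hashlib.sha256(data).hexdigest()

def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string such as '01 02 ?? 04' into a bytes regex.
    '??' is a one-byte wildcard; every other token must be a two-digit hex byte."""
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-fA-F]{2}", token):
            parts.append(re.escape(bytes([int(token, 16)])))
        else:
            raise ValueError(f"bad token in hex pattern: {token!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def signature_matches(data: bytes, pattern: str) -> bool:
    return compile_hex_pattern(pattern).search(data) is not None

def hash_vs_signature(data: bytes, index: int, new_byte: int, pattern: str) -> dict:
    """Patch one byte and report which detections survive: the hash never does,
    the signature does as long as the patched byte sits under a '??'."""
    patched = bytearray(data)
    patched[index] = new_byte
    patched = bytes(patched)
    return {
        "hash_unchanged": file_hash(data) == file_hash(patched),
        "signature_still_matches": signature_matches(patched, pattern),
    }

# Constructed API-monitor style trace, one "<pid> <api>(<args>)" line per call.
TRACE = """\
4120 LoadLibraryA("user32.dll")
4120 GetProcAddress(0x7ffd1000, "MessageBoxA")
4120 VirtualAlloc(0x0, 4096, 0x3000, 0x04)
4120 VirtualProtect(0x1a0000, 4096, 0x20, 0x0)
4120 CreateProcessA("C:\\constructed\\child.exe", ...)
"""

# Behavioural rule: these APIs, in this order (other calls may sit in between).
# Each entry is a prefix, so "LoadLibrary" covers LoadLibraryA and LoadLibraryW.
BEHAVIOUR_RULE = ["LoadLibrary", "GetProcAddress", "VirtualAlloc", "VirtualProtect"]

def api_calls(trace: str) -> list[str]:
    """Pull the API name out of every trace line."""
    return [m.group(1) for m in re.finditer(r"^\d+\s+(\w+)\(", trace, re.M)]

def behaviour_matches(calls: list[str], rule: list[str]) -> bool:
    """True when the rule's APIs appear as an ordered subsequence of the calls."""
    i = 0
    for call in calls:
        if i < len(rule) and call.startswith(rule[i]):
            i += 1
    return i == len(rule)

if __name__ == "__main__":
    print(hash_vs_signature(SAMPLE, 6, 0x33, "01 02 ?? 04 05"))
    print(hash_vs_signature(SAMPLE, 6, 0x33, "01 02 03 04 05"))
    print(api_calls(TRACE), behaviour_matches(api_calls(TRACE), BEHAVIOUR_RULE))
```

Run as a script, it patches byte 6 of the constructed sample (the 0x03) to 0x33: the hash no longer matches, the wildcarded pattern still does, and the exact pattern does not. The behavioural check is a plain ordered-subsequence walk, which is why it keeps matching even when unrelated calls are interleaved in the trace.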

There is also IAT analysis, but I learned previously that it's pretty easy to bypass if the functions are loaded manually through GetProcAddress.

On the topic of DLLs, Ldr basically does what GetModuleHandle does, which is retrieving DLLs, though I believe this is not detected by IAT analysis, while GetModuleHandle is.

#include <windows.h>

typedef int (WINAPI* FnMessageBoxA)(
    HWND hWnd,
    LPCSTR lpText,
    LPCSTR lpCaption,
    UINT uType
);

int main(void) {
    // Resolve MessageBoxA at run time instead of importing it
    HMODULE hUser32 = LoadLibraryA("user32.dll");
    if (hUser32 == NULL) {
        return 1;
    }
    FnMessageBoxA pMessageBoxA = (FnMessageBoxA)GetProcAddress(hUser32, "MessageBoxA");
    if (pMessageBoxA == NULL) {
        return 1;
    }
    pMessageBoxA(NULL, "This is TEXT", "HERE IS MYCaption", MB_OK);
    return 0;
}

The above section is actually a unique way to avoid detection through the IAT. It does the exact same thing as my sample below. Really the only difference is that it tries to hide the MessageBoxA function from static analysis.
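IAT analysis from the defender's side, as an added example that is not the post's own code: a small PE32 import-table walker run over two constructed files, which illustrates both the bypass mentioned above and what the static check still sees. build_pe assembles a minimal PE32 (headers plus one section holding nothing but an import directory, no code) purely as a test fixture; parse_imports walks the import directory the way a static import check does; iat_verdict summarises the result. The "direct" file imports user32!MessageBoxA, while the "manual" file lists only kernel32!LoadLibraryA and GetProcAddress, so the API it actually calls is absent from its IAT. One caveat worth keeping in mind: in the manual version the literals "user32.dll" and "MessageBoxA" still sit in the binary as strings, so a string scan finds them even though the import table does not. Only PE32 (32-bit) is handled; the fixture layout and all function names are assumptions of the example.

```python
import struct

SEC_RVA, SEC_OFF = 0x1000, 0x200  # one section: RVA 0x1000 maps to file offset 0x200

def build_pe(imports: dict[str, list[str]]) -> bytes:
    """Constructed fixture: a PE32 image whose only section holds an import directory."""
    data = bytearray(20 * (len(imports) + 1))  # IMAGE_IMPORT_DESCRIPTOR array + null terminator
    descriptors = []
    for dll, funcs in imports.items():
        name_rvas = []
        for func in funcs:                       # IMAGE_IMPORT_BY_NAME: WORD hint + name
            data += b"\x00" * (len(data) % 2)
            name_rvas.append(SEC_RVA + len(data))
            data += b"\x00\x00" + func.encode() + b"\x00"
        dll_rva = SEC_RVA + len(data)
        data += dll.encode() + b"\x00"
        data += b"\x00" * (-len(data) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\x00" * 4
        int_rva = SEC_RVA + len(data); data += thunks   # OriginalFirstThunk (INT)
        iat_rva = SEC_RVA + len(data); data += thunks   # FirstThunk (IAT)
        descriptors.append(struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva))
    data[:20 * len(descriptors)] = b"".join(descriptors)
    import_size = len(data)
    data += b"\x00" * (-len(data) % 0x200)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, section/file alignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SEC_RVA, import_size)  # DataDirectory[1] = import table
    sec = struct.pack("<8sIIIIIIHHI", b".idata", import_size, SEC_RVA, len(data), SEC_OFF,
                      0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return bytes(headers + b"\x00" * (SEC_OFF - len(headers)) + data)

def parse_imports(pe: bytes) -> dict[str, list[str]]:
    """Walk the import directory of a PE32 file and return {dll: [function, ...]}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    imp_rva = struct.unpack_from("<I", pe, opt + 96 + 8)[0]  # DataDirectory[1].VirtualAddress
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstring(offset: int) -> str:
        return pe[offset:pe.index(b"\x00", offset)].decode("ascii")

    imports: dict[str, list[str]] = {}
    if imp_rva == 0:
        return imports
    desc = rva_to_offset(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:
            break
        thunk = rva_to_offset(oft or ft)  # prefer the INT, which survives binding
        funcs = []
        while (entry := struct.unpack_from("<I", pe, thunk)[0]) != 0:
            # ordinal imports have the high bit set; otherwise skip the 2-byte hint
            funcs.append(f"#{entry & 0xFFFF}" if entry & 0x80000000 else cstring(rva_to_offset(entry) + 2))
            thunk += 4
        imports[cstring(rva_to_offset(name_rva)).lower()] = funcs
        desc += 20
    return imports

def iat_verdict(imports: dict[str, list[str]]) -> dict:
    """What a static import check can see: the imported names, and whether the
    LoadLibrary + GetProcAddress pair means more APIs are resolved at run time."""
    names = {f.lower() for fs in imports.values() for f in fs}
    return {
        "imported_apis": sorted(names),
        "resolves_apis_at_runtime": {"getprocaddress"} <= names
                                    and bool(names & {"loadlibrarya", "loadlibraryw"}),
    }

if __name__ == "__main__":
    for label, table in (("direct", {"user32.dll": ["MessageBoxA"]}),
                         ("manual", {"kernel32.dll": ["LoadLibraryA", "GetProcAddress"]})):
        found = parse_imports(build_pe(table))
        print(label, found, iat_verdict(found))
```

Feeding the "manual" fixture through the walker gives an import list with no MessageBoxA in it, which is exactly the gap the post's first snippet relies on; the verdict dictionary turns the LoadLibrary plus GetProcAddress pair into the flag a triage script would raise instead. The parser deliberately reads the INT (OriginalFirstThunk) first because the IAT is overwritten with addresses once the loader binds it.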

#include <windows.h>

int main(void) {
    // Direct call: MessageBoxA is imported from user32.dll and shows up in the IAT
    MessageBoxA(NULL, "This is TEXT", "HERE IS MYCaption", MB_OK);
    return 0;
}

The final part of my blog was more about trying to get a grasp on handles.

#include <windows.h>

int main(void) {
    DWORD dwPriorityClass;
    DWORD pid = 2928;  // hard-coded process ID for this run

    // PROCESS_TERMINATE covers TerminateProcess; GetPriorityClass also needs
    // PROCESS_QUERY_LIMITED_INFORMATION, so request both
    HANDLE hOpenProcess = OpenProcess(PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (hOpenProcess == NULL) {
        return 1;  // OpenProcess returns NULL on failure
    }
    dwPriorityClass = GetPriorityClass(hOpenProcess);  // query before the process goes away
    TerminateProcess(hOpenProcess, 1);
    CloseHandle(hOpenProcess);
    return 0;
}

The above seems to do the trick. TerminateProcess uses the handle returned by OpenProcess. I was surprised I didn't have to wrap the OpenProcess in an if statement since it is a boolean return type, though I didn't get any issues.

Now it's time to do the opposite.

#include <windows.h>

int main(void) {
    DWORD dwPriorityClass;
    DWORD pid = 13820;  // hard-coded process ID for this run

    // Full access this time, and an inheritable handle (bInheritHandle = TRUE)
    HANDLE hOpenProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pid);
    if (hOpenProcess == NULL) {
        return 1;  // OpenProcess returns NULL on failure
    }
    dwPriorityClass = GetPriorityClass(hOpenProcess);  // returns 0 on failure
    CloseHandle(hOpenProcess);
    return (dwPriorityClass != 0) ? 0 : 1;
}
