Learn, hack!

URL

http://recon.cx/2013/slides/Recon2013-Aleksandr%20Matrosov%20and%20Eugene%20Rodionov-Reconstructing-Gapz%20Position-Independent%20Code%20Analysis%20Problem.pdf

File name

Recon2013-Aleksandr%20Matrosov%20and%20Eugene%20Rodionov-Reconstructing-Gapz%20Position-Independent%20Code%20Analysis%20Problem.pdf

File size

3.4 MB

MD5

3bb385827adc88c1256f35125dad9216

SHA1

ca8ec5bc1274fe1edf26139649501168f8ffcf52

This presentation is devoted to analysis one of the stealthiest bootkit seen in the wild – Win32/Gapz. The talk will cover not only remarkable features of the bootkit such as custom kernel-mode network protocol implementation, advanced bootkit technique and payload injection functionality but, also, the way the authors of the presentation approached the problem of analysis Win32/Gapz using the tools by Hex-Rays. The authors will demonstrate the usage of Hex-Rays decompiler SDK for building a plugin that aids with performing reverse engineering of position-independent code in Win32/Gapz. In the recent time there is a steady increase in the number of malware programs utilizing bootkit technology to load unsigned kernel-mode drivers on Microsoft Windows x64 platform, hide malicious modules outside of OS’s file system and etc. The bootkit technology is being constantly enhanced with the appearance of new bootkit threats and Win32/Gapz, without doubt, is at the top of this race. In this talk we are going to present the result of analysis of Win32/Gapz which is also the most complex bootkit threat known so far. It attracted our attention in December of 2012 due its elaborated dropper and bootkit technique never seen before. Another interesting feature of Win32/Gapz is its kernel-mode module implementation containing a large amount of position-independent code which is quite difficult to analyze using conventional disassemblers and decompiles. In the course of research a plugin for Hex-Rays decompiler was developed to overcome such difficulties. The presentation will be started with an overview of Win32/Gapz and its implementation details. We will highlight the most interesting features of the malware: dropper injection & HIPS bypassing functionality, a brand new bootkit technique, custom kernel-mode implementation of TCP/IP protocol stack using NDIS miniport adapter. Then, we will be concentrated on implementation of the main part of Win32/Gapz – kernel-mode module. It will be shown which difficulties related to position-independent code analysis the authors had to deal with to be able to reconstruct functionality of the malware. In the next part of talk the authors will demonstrate the capabilities of Hex-Rays decompiler SDK for developing plugins. It will be shown how the decompiler’s internal facilities helps to build the Win32/Gapz kernel-mode module CFG (Control Flow Graph) and navigate through it, as a result Hex-Rays plugin will be presented. Finally, the authors will discuss the application of the plugin for decompiling object oriented code.