mandiant / speakeasy

Windows kernel and user mode emulation.
MIT License

Load dependencies files (especially ntoskrnl.exe) to memory #41

Closed rakovskij-stanislav closed 4 years ago

rakovskij-stanislav commented 4 years ago

Hi. Some malware drivers read the memory of the mapped ntoskrnl.exe to find the kernel methods they want. Is there any possibility to load my decoy ntoskrnl.exe, hal.dll, etc. into memory before the malware starts? Like it looks in the miasm sandbox with the -i param:

[INFO]: Loading module name 'win32_dll/ntoskrnl.exe'
[ERROR]: Cannot open win32_dll/bootvid.dll
[ERROR]: Cannot open win32_dll/kdcom.dll
[ERROR]: Cannot open win32_dll/ci.dll
[ERROR]: Cannot open win32_dll/clfs.sys
[ERROR]: Cannot open win32_dll/pshed.dll
[ERROR]: Cannot open win32_dll/hal.dll
[WARNING]: Create dummy entry for 'pshed.dll'
[WARNING]: Create dummy entry for 'hal.dll'
[WARNING]: Create dummy entry for 'bootvid.dll'
[WARNING]: Create dummy entry for 'kdcom.dll'
[WARNING]: Create dummy entry for 'clfs.sys'
[WARNING]: Create dummy entry for 'ci.dll'

# sb.run()
# got my handled exception
# running ipython

In [1]: sb.jitter.vm
Out[1]:
Addr               Size               Access Comment
0x130000           0x10000            RW_    Stack
0x400000           0x1000             RW_    'driver': PE Header
0x401000           0x63000            R__    'driver': b'.text\x00\x00\x00'
0x464000           0x5000             R__    'driver': b'.rdata\x00\x00'
0x469000           0xC000             RW_    'driver': b'.data\x00\x00\x00'
0x476000           0x2000             R__    'driver': b'.reloc\x00\x00'
0x800000           0x34               RW_
0xA0000000         0x1000             RW_    'win32_dll/ntoskrnl.exe': PE Header
0xA0001000         0x115000           R__    'win32_dll/ntoskrnl.exe': b'.text\x00\x00\x00'
0xA0116000         0x1000             R__    'win32_dll/ntoskrnl.exe': b'_PAGELK\x00'
0xA0117000         0x1000             R__    'win32_dll/ntoskrnl.exe': b'POOLMI\x00\x00'
0xA0118000         0x2000             R__    'win32_dll/ntoskrnl.exe': b'POOLCODE'
0xA011A000         0x45000            RW_    'win32_dll/ntoskrnl.exe': b'.data\x00\x00\x00'
0xA015F000         0x1000             RW_    'win32_dll/ntoskrnl.exe': b'ALMOSTRO'
0xA0160000         0x2000             RW_    'win32_dll/ntoskrnl.exe': b'SPINLOCK'
0xA0162000         0x1AD000           R__    'win32_dll/ntoskrnl.exe': b'PAGE\x00\x00\x00\x00'
0xA030F000         0x12000            R__    'win32_dll/ntoskrnl.exe': b'PAGELK\x00\x00'
0xA0321000         0x5000             R__    'win32_dll/ntoskrnl.exe': b'PAGEKD\x00\x00'
0xA0326000         0x18000            R__    'win32_dll/ntoskrnl.exe': b'PAGEVRFY'
0xA033E000         0x2000             R__    'win32_dll/ntoskrnl.exe': b'PAGEHDLS'
0xA0340000         0x5000             R__    'win32_dll/ntoskrnl.exe': b'PAGEBGFX'
0xA0345000         0x3000             RW_    'win32_dll/ntoskrnl.exe': b'PAGEVRFB'
0xA0348000         0x12000            R__    'win32_dll/ntoskrnl.exe': b'.edata\x00\x00'
0xA035A000         0x9000             RW_    'win32_dll/ntoskrnl.exe': b'PAGEDATA'
0xA0363000         0xD000             RW_    'win32_dll/ntoskrnl.exe': b'PAGEKDD\x00'
0xA0370000         0x3000             R__    'win32_dll/ntoskrnl.exe': b'PAGEVRFC'
0xA0373000         0x1000             RW_    'win32_dll/ntoskrnl.exe': b'PAGEVRFD'
0xA0374000         0x42000            RW_    'win32_dll/ntoskrnl.exe': b'INIT\x00\x00\x00\x00'
0xA03B6000         0x35000            R__    'win32_dll/ntoskrnl.exe': b'.rsrc\x00\x00\x00'
0xA03EB000         0x1A000            R__    'win32_dll/ntoskrnl.exe': b'.reloc\x00\x00'

drewvis commented 4 years ago

Hello, yes, this is currently supported in a couple of ways. If executing from the run_speakeasy.py script, you can supply a directory name containing the decoy modules with the "-l" flag. If you are supplying your own configuration file, the fields module_directory_x86 and module_directory_x64 allow you to specify this same directory for each architecture (see here: https://github.com/fireeye/speakeasy/blob/master/speakeasy/configs/default.json#L238).

When the emulator detects malware attempting to manually access the memory for ntoskrnl.exe, the configured module directory will be searched for a matching module name (in this case, ntoskrnl.exe).

The image will then be lazily mapped into memory so the malware can resolve exported functions like normal.

Hope that helps.
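The answer above describes the mechanism in outline: a module directory is configured per architecture, a matching decoy is picked by module name when the sample touches that module's memory, and the image is mapped so exports resolve normally. The following is an added illustration of the bookkeeping behind that, written for this page and not taken from Speakeasy or from the thread: a flat-mapped PE's export directory is parsed into a name-to-RVA map, and a small lookup models the name match plus an architecture check (an x86 decoy handed to x64 code would make every resolved address wrong). The PE builder, the function names, the two-file "directory" dict and the export RVAs are constructed fixtures; only the config keys module_directory_x86 / module_directory_x64 come from the page, and how Speakeasy itself searches the directory is not asserted here.

```python
"""Added example (not Speakeasy code): the bookkeeping an emulator needs once
the module directory (module_directory_x86 / module_directory_x64) yields a
decoy ntoskrnl.exe: pick it by name, refuse the wrong architecture, and parse
IMAGE_EXPORT_DIRECTORY so name -> RVA lookups work. Builder is a fixture."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B


def pe_headers(image: bytes):
    """Return (machine, optional-header offset, magic); raise on a non-PE blob."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    opt = e_lfanew + 24                      # IMAGE_FILE_HEADER is 20 bytes
    return machine, opt, struct.unpack_from("<H", image, opt)[0]


def parse_exports(image: bytes) -> dict:
    """Map export names to RVAs. Assumes RVAs equal buffer offsets, which holds
    for an image already mapped at its SectionAlignment."""
    _, opt, magic = pe_headers(image)
    # Data directories start at +96 (PE32) or +112 (PE32+); exports are entry 0.
    export_rva = struct.unpack_from("<I", image, opt + (112 if magic == PE32PLUS_MAGIC else 96))[0]
    if export_rva == 0:
        return {}
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<5I", image, export_rva + 20)
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
        if ordinal >= n_funcs:                # corrupt or hostile table
            raise ValueError(f"{name}: ordinal {ordinal} outside function table")
        exports[name] = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
    return exports


def find_decoy(modules: dict, requested: str, machine: int):
    """Model the module-directory lookup: case-insensitive name match, and a
    decoy built for the other architecture is an error rather than a silent
    mismatch. `modules` maps file name -> image bytes; None when nothing matches."""
    for fname, image in modules.items():
        if fname.lower() == requested.lower():
            if pe_headers(image)[0] != machine:
                raise ValueError(f"{fname}: wrong architecture for this emulation")
            return image
    return None


def build_decoy_image(machine: int, exports: dict) -> bytes:
    """Construct a minimal one-section PE image exporting `exports` (name -> RVA):
    headers at 0x0-0xFFF, the export section at 0x1000-0x1FFF."""
    pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size = 0xF0 if pe32plus else 0xE0
    e_lfanew, sec_rva = 0x80, 0x1000
    names, n = sorted(exports), len(exports)  # name table must be sorted
    funcs = sec_rva + 40                       # tables follow the 40-byte directory
    name_ptrs, ords, str_rva = funcs + 4 * n, funcs + 8 * n, funcs + 10 * n
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode("ascii") + b"\0"
    sec = bytearray(0x1000)
    struct.pack_into("<IIHHIIIIIII", sec, 0, 0, 0, 0, 0, 0, 1, n, n, funcs, name_ptrs, ords)
    for i, nm in enumerate(names):
        struct.pack_into("<I", sec, funcs - sec_rva + 4 * i, exports[nm])
        struct.pack_into("<I", sec, name_ptrs - sec_rva + 4 * i, name_rvas[i])
        struct.pack_into("<H", sec, ords - sec_rva + 2 * i, i)
    sec[str_rva - sec_rva:str_rva - sec_rva + len(strings)] = strings

    hdr = bytearray(0x1000)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: machine, one section, no symbols, optional-header size, flags
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, machine, 1, 0, 0, 0, opt_size, 0x2022)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, PE32PLUS_MAGIC if pe32plus else 0x10B)
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x1000)   # Section/FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x2000, 0x1000)   # SizeOfImage/SizeOfHeaders
    dd_off = opt + (112 if pe32plus else 96)
    struct.pack_into("<I", hdr, dd_off - 4, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, dd_off, sec_rva, str_rva - sec_rva + len(strings))
    sh = opt + opt_size                                      # first IMAGE_SECTION_HEADER
    hdr[sh:sh + 8] = b".edata\0\0"
    struct.pack_into("<IIII", hdr, sh + 8, 0x1000, sec_rva, 0x1000, sec_rva)
    return bytes(hdr) + bytes(sec)


if __name__ == "__main__":
    # Constructed module directory: an x64 kernel decoy beside an x86 HAL decoy.
    directory = {
        "ntoskrnl.exe": build_decoy_image(IMAGE_FILE_MACHINE_AMD64, {"ExAllocatePoolWithTag": 0x1234, "PsGetCurrentProcess": 0x5678}),
        "hal.dll": build_decoy_image(IMAGE_FILE_MACHINE_I386, {"KeBugCheck": 0x10}),
    }
    krnl = find_decoy(directory, "NTOSKRNL.EXE", IMAGE_FILE_MACHINE_AMD64)
    for name, rva in parse_exports(krnl).items():
        print(f"{name:24s} RVA {rva:#010x}")
```

The architecture check is the part worth copying into any real setup: a decoy directory that mixes 32- and 64-bit builds of the same module name will load without complaint unless something compares IMAGE_FILE_HEADER.Machine against the emulated architecture, and the symptom is merely that every resolved kernel address is wrong.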