Coldzer0 Coldzer0

Fixing an APT sample so it can work on Modern Windows versions - An Exercise in Reverse Engineering

I stumbled upon an old miniduke APT malware, and found that it has some cool tricks, while I won't be explaining how the malware works or what it even does, I will be focusing on showing a code flaw in the sample, that was the reason for a crash that I found while debugging it on Windows 10, as well as showing how we can fix it, that requires some amount of reverse engineering and coding (I will use C & Assembly).

But to give you a quick introduction, that sample comes as 32-bit DLL file, with one export with name 'JorPglt', which is the start of payload, the sample also employs few simple (code mutation / instruction-level obfuscations) that we will discuss as well.

So without getting into much details here is where the code flaw resides

Dezhou Instrumentz

The challenge consisted of an iOS app (Calc.app) which implemented a simple calculator. Moreover, the app also registered a custom URL scheme (icalc://) which would simply evaluate the content of the URL. The calculator was implemented using NSExpressions and the input string would simply be parsed as such an expression and executed. NSExpressions are pretty powerful and allow for example calls to ObjC Methods (e.q. typing in sqrt(42) would end up calling +[_NSPredicateUtilities sqrt:@42]). Further, there are two interesting helper functions available in NSExpressions:

FUNCTION(obj, 'foo', "bar")

Which will result in a call of the method 'foo' on object obj with parameter "bar" (an NSString).

Memory Optimization (Christer Ericson, GDC 2003)
http://realtimecollisiondetection.net/pubs/GDC03_Ericson_Memory_Optimization.ppt

Cache coherency primer (Fabian Giesen)
https://fgiesen.wordpress.com/2014/07/07/cache-coherency/

Code Clinic 2015: How to Write Code the Compiler Can Actually Optimize (Mike Acton)
http://gdcvault.com/play/1021866/Code-Clinic-2015-How-to


	typedef interface IEditionUpgradeManager IEditionUpgradeManager;

	typedef struct IEditionUpgradeManagerVtbl {

	BEGIN_INTERFACE

	HRESULT(STDMETHODCALLTYPE *QueryInterface)(
	__RPC__in IEditionUpgradeManager * This,
	__RPC__in REFIID riid,

	' ASR rules bypass creating child processes
	' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
	' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
	' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

	Sub ASR_blocked()
	Dim WSHShell As Object
	Set WSHShell = CreateObject("Wscript.Shell")
	WSHShell.Run "cmd.exe"
	End Sub

	#include <windows.h>
	#include <wininet.h>
	#include <stdio.h>

	#pragma comment (lib, "Wininet.lib")

	int main(int argc, char *argv[]) {

	HINTERNET hSession = InternetOpen(
	L"Mozilla/5.0", // User-Agent

	#include <windows.h>
	#include <stdint.h>
	#include <stdbool.h>
	#include <stdio.h>
	#include <sal.h>
	#include <assert.h>

	#ifdef _X86_
	#error "This snippet only build in 64-bit due to heavy use of uintptr arithmetics."
	#endif

	#include "stdafx.h"

	#define DB(_val_) __asm __emit (_val_)

	#define INVALID_SYSCALL (DWORD)(-1)

	// code selectors
	#define CS_32 0x23
	#define CS_64 0x33

	unit SystemExceptionHandling;

	// Inspired by what is described at FPC's forums:
	// http://bugs.freepascal.org/view.php?id=12974 [^]
	//
	// especially in comment 0040683 by Bernd Kreuss

	{$mode objfpc}{$H+}
	{$AsmMode intel}