Obfuscation Techniques

Making a quick post on some obfuscation techniques I've seen.  This will also be a multi part post, but I won't number them because who knows when it would end :P

first, the malware I got this from imports only a couple of seemingly harmless api, one of them being GetCommandLine.  So we dereference it's address into eax and call a routine to get the base address for kernel32.dll like so:

1. mov     eax, ds:GetCommandLineA ; cpy the addr of GetCmdLine into eax
2. push    eax             ; push addr of GetCommandLine
3. call    GetStartAddrFor_Kernel32 ; emulate GetProcAddress

So now we have address of GetCommandLine in kernel32.dll so we take that address and zero out the last 3 nibbles by doing an and with 0xFFFFF000h

GetStartAddrFor_Kernel32;

1. mov     ebp, esp
2. sub     esp, 8
3. mov     eax, [ebp+addrGetCmdLine] ; cpy GetCommandLine's address to eax
4. xor     ecx, ecx
5.   ; zero the last 3 nibbles of the address, its now 0xXXXXX000
6. and     eax, 0FFFFF000h 
7. and     ecx, 0Fh
8. mov     [ebp+addrGetCmdLine], eax ; replace with the new address

Then we enter a loop, which takes the address, dereferences a word from the address into edx, and compares it with 0x5A4Dh, which is 'MZ' 

1. loc_401106:                             ; CODE XREF: GetStartAddrFor_Kernel32+5Aj
2. mov     edx, 1
3. test    edx, edx
4. jz      short loc_40114C
5. mov     eax, [ebp+addrGetCmdLine]
6. mov     [ebp+var_8], eax ; cpy the address to a tmp variable
7. mov     ecx, [ebp+var_8]
8. movzx   edx, word ptr [ecx] ; dereference a word from that address into edx
9. cmp     edx, 5A4Dh      ; does edx == 'MZ'?
10. jnz     short loc_40113F

If we found 'MZ', next check for 'PE' by adding 0x3c to the address, which should point to the PE header structure

1. mov     eax, [ebp+var_8] ; if 'MZ' then set EAX
2. mov     ecx, [ebp+var_8] ; and ECX to be the start address for kernel32
3. add     ecx, [eax+3Ch]  ; add 3ch to ecx, it now points to the PE header struct
4. mov     [ebp+var_4], ecx ; cpy PE struct addr to a variable
5. mov     edx, [ebp+var_4] ; and to edx as well
6.   ; make sure we're at the right place, 45h 50h == 'PE'
7. cmp     dword ptr [edx], 4550h 
8. jnz     short loc_40113F ; if we're at the right spot
9. mov     eax, [ebp+var_8] ; cpy start addr of kernel32 into eax again
10. jmp     short loc_40114C ; and exit

If we didn't find 'MZ' then subtract 0x1000h from the address and loop until we find it.

1. loc_40113F:                             ; CODE XREF: GetStartAddrFor_Kernel32+31j
2. mov     eax, [ebp+addrGetCmdLine]
3. sub     eax, 1000h      ; subtract 4KB from eax
4. mov     [ebp+addrGetCmdLine], eax
5. jmp     short loc_401106

Once found, return 

1. loc_40114C:                             ; CODE XREF: GetStartAddrFor_Kernel32+1Dj
2. mov     esp, ebp
3. pop     ebp
4. retn

Then when we return, do some checking for the OS, on a WinXP box GetCommandLine's address points to a mov, while a Win7 box points to a jump

1. add     esp, 4          ; stack adjust
2. mov     kernel32addr, eax ; cpy addr of Kernel32 to a variable
3. mov     ecx, ds:GetCommandLineA ; cpy GetCmdLine's addr to ecx
4. movzx   edx, byte ptr [ecx] ; deref a byte to edx
5. cmp     edx, 0A1h       ; if its a mov [WinXP], jump
6. jz      short loc_40126A ; cpy kernel32 addr to edx
7. mov     eax, ds:GetCommandLineA
8. movzx   ecx, byte ptr [eax] ; deref a byte of what's there to ecx
9. cmp     ecx, 0EBh       ; if its a jmp [win7] then jump
10. jz      short loc_40126A ; cpy kernel32 addr to edx

So, a quick wrap-up of what the above really did:

We got the address to an exported API from kernel32.dll, then we using that address we resolved the base address of kernel32. Once we have that, we check to see what OS we're running on.  In a later post I'll show how this piece walks through the PE file to find the exports directory, and starts resolving address for other API by walking through it. 

darel