Sunday, January 17, 2016

Malicious Code - training simulator

If you have ever had to assist others understand malware behaviour then every trainer needs a useful tool to illustrate basic concept. Marco Schweighauser has launched a useful online webpage with such a tool ( https://schweigi.github.io/assembler-simulator/ ) or a github page ( https://github.com/Schweigi/assembler-simulator ) to download the working tool so that trainers can play with creating harmless scripts.

Marco has produced a "simulator which provides a simplified assembler syntax (based on NASM) and is simulating a x86 like cpu." The tool is demonstrated by using default code "HELLO WORLD" and presented as a visualisation for illustrative and activity purposes relating to registers, flags, Instruction Pointer (IP), Stack Pointer (SP), RAM, machine code, stack, and memory mapping when following how the harmless code is executed either in RUN or STEP mode.


Iko Knyphausen (Computer Forensic Examiner, Intrusion & Malware Analyst at /d/b/a Datasource Forensics) has played with a simple but harmless malicious code (https://www.linkedin.com/pulse/using-simple-8-bit-assembler-simulation-illustrate-iko-knyphausen) to demonstrate malware in action by overwriting HELLO WORLD. Cut and paste the example into the online or downloaded tool and watch the activity.

=============================


; Writes Hello World to the output and emulates an infection; At the beginning of the PRINT function a simulated buffer
; overwrite called "stack_smash" pushes 12 values to
; the stack. After the print function has printed Hello World !
; it RETURNs but sets the Instruction Pointer to a manipulated
; address on the stack. From there execution continues on the
; stack, in this example overwriting all output with asterisk *
; characters.

; Single step through this demo for best results ;-)

    JMP start
name:     DB "Hello World!" ; Variable
           DB 0    ; String terminator

start:
    MOV C, name    ; Point to var
    MOV D, 232    ; Point to output
    CALL print
        HLT             ; Stop execution

print:            ; print characters from var to output
    
    stack_smash:     ; this would typically be a buffer
            ; overwrite which we simulate by
            ; pushing 12 values onto the stack
            ; in reverse order
            ; the RET operation from the print
            ; function puts the instruction pointer
            ; to 0xDC and overwrites the output
            ; with * characters in reverse order
    
    PUSH 0        ; HLT
    PUSH 0xDC    ; LOOP back to this address on stack
    PUSH 39        ; JNZ 0xDB
    PUSH 232    ; the beginning of the output memory
    PUSH 3
    PUSH 23        ; CMP D, 232
    PUSH 42        ; character to overwrite output
    PUSH 3
    PUSH 8        ; MOV number to reg_address
    PUSH 3
    PUSH 19        ; DEC register #3 = D
    PUSH 0xDC    ; RET from print will pull this address

    MOV B, 0
.loop:
    MOV A, [C]    ; Get char from var
    MOV [D], A    ; Write to output
    INC C
    INC D  
    CMP B, [C]    ; Check if end
    JNZ .loop    ; jump if not

    RET        ; loads malicious return address from stack


=============================

To understand assembler code visit:

https://schweigi.github.io/assembler-simulator/instruction-set.html
https://en.wikipedia.org/wiki/Assembly_language
http://www.nasm.us/xdoc/2.10.09/html/nasmdoc3.html