Malware Anti-Analysis Techniques-TLS and Process Hallowing
In continuation to previous articles, this article will also show a more sophisticated approach used by malware to thwart anti-analysis techniques.
Let's start the analysis of sampleTLS.exe
Become a certified reverse engineer!
As soon as I load the sample into OllyDBG for debugging, it is in paused state, but when I look into process hacker, there is an instance already started running. See below sample is in paused state
However, then in process hacker below, we can see the instance as already running.
What is causing the sample to launch even before WinMain() is hit.
Well, it is about TLS callback which is executed before the Entry Point WinMain().On loading this sample in IDAPro, we can see that there are a couple of entry points:
Let's configure OllyDBG to pause at TLS callbacks instead of WinMain.
Now let's load the sample again in OllyDBG after the above configuration. We can see that now only one process is running under OllyDBG under process hacker. Below is the code of TLS callback function.
Now since we have overcome the entry point and the hidden TLS callback in the sample, let's begin the normal analysis. Let's see the function calls embedded in the sample. Below is the snippet of the embedded function calls that the specimen is utilizing.
Well, can you think we can we see CreateProcess, NTUnmapViewOfSection, ReadProcessMemory, WriteProcessMemory, etc.? If you are thinking Process Hallowing, let's keep it as our assumption for now.
Let's see how we can track our assumption in the following section. Let's search for function with what Process Hallowing starts i.e. CreateProcess
Let's keep a breakpoint there when the CreateProcess is about to begin and analyze the parameters on the stack.
The top one is the address of the next instruction where this function will return to. Let's look at other important function parameters like:
- At 00411010: The process that needs to be created. This means that the sampleTLS.exe is creating a child process of its own as we have already seen in the process hacker screenshot earlier.
- The other important parameter is the 6th parameter which is CreationFlag. Its value is set to 4. This corresponds to the create the process in 'suspended' state. This is an important indicator of our assumption around Process Hallowing.
Ok, let's run this sample and 'analyze till user code' to hit the location where this function was called from.
Here call EAX points to call to CreateProcess, and we can see the parameter that is passed to the function. Note the CREATE_SUSPENDED flag also there.
Also notice the SUB ESP,28 which is a stack clean up act.
Now lets' step through the user code until we reach Write Process as we are interested I what is written to the hallowed process. On the way, you might see other function calls as well like VirtualAlloc, VirtualAllocEx, NtUnmapViewOfSection
Below we can see the ReadProcessMemory when the sample is reading the attributes of the process to be followed like the handle, baseaddress, etc.
Below is the code section for WriteProcessMemory
Here we can see that buffer attributes that is to be written to the hollowed process. And following are the contents of what's inside the buffer. Notice the MZ header in the buffer.
Let's dump this file memory section to a file on disk by name sampleTLS_dump.exe and let's start analyzing that file now.
First, let's load the file to view if it is still packed or not. It turns out that the dumped file is packed with UPX packer.
It is easy for us now to unpack it since it is packed with a known packer. Let's unpack it 
Now let's start analyzing the unpacked binary which indeed has the malicious characteristics. Below we can see various API calls related to internet access, reading file, etc.
Below are some of the strings that can be extracted from the unpacked file. We can see URLs and their file fetch records inside strings.
Since there are too many fuzzed up strings, let's try to see if it is encoded or not. Let's try to brute force decode it with 1 byte XOR keys, and we can see that a new URL can be seen like atomportal.
And this is the domain which the original sample(sampleTLS.exe) is trying to communicate with and download the get.php file when we provide it fake DNS and run a httpd port.
The result of this get.php file is that it will overtake the victim screen.
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Malware Anti-Analysis Techniques-TLS and Process Hallowing
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis