A Fistful of Red-Pills
How to Automatically Generate Procedures to Detect CPU Emulators
Roberto Paleari (1), Lorenzo Martignoni (2), Giampaolo Fresi Roglia (1), Danilo Bruschi (1)
(1) Università degli Studi di Milano
(2) Università degli Studi di Udine
3rd USENIX Workshop on Offensive Technologies (WOOT '09)
The ideal malware
Who lasts longer earns the most...
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
Long lasting malware
- Spread/replicate fast
- Hide the presence on the system
- Complicate the analysis
  - Obfuscate the code
  - Detect and block dynamic analysis attempts
The easiest way to detect and block dynamic analysis attempts is to detect the presence of a virtual execution environment and to alter the behavior.
A red-pill enhanced malware
    int main(void) {
        /* The red-pill is a generated procedure: it returns CPU on a physical CPU
           and EMU inside an emulator */
        const char *redpill = "\x08\x7c\xe3\x04...";
        if (((int (*)(void))redpill)()) {
            // Executed on a physical CPU: low risk of dynamic analysis
            ...
        } else {
            // Executed on an emulated CPU: high risk of dynamic analysis
            ...
        }
    }
Our contribution
So far red-pills have been found manually or using rudimentary techniques.
We propose a fully automatic technique to generate red-pills for detecting when programs are executed in CPU emulators.
Why CPU emulators?
- Powerful tools for monitoring and controlling the execution of a program:
  - Enable very sophisticated and low-level analysis
  - Allow active control of the execution of programs
- CPU emulators are widely used for malware analysis
- Other virtual execution environments (e.g., virtual machines) are not as powerful
- CPU emulators are vulnerable to detection
Automatic red-pills generation
Untested red-pills → Candidate red-pills → Reliable red-pills
- Untested red-pill: a sequence of bytes (encoding a valid or an invalid instruction) that is fed to the CPU
- Candidate red-pill: a pill that triggers different observable behaviors in the CPU and in the emulator
- Reliable red-pill: a pill that triggers the same observable behavior in any CPU
A simple abstraction of the CPU
$s = \langle pc, r, m, e \rangle$
[Figure: pc is the program counter; r is the register file (EAX, EBX, ECX, ..., EFLAGS); m is the memory contents; e is the exception state, $e \in \{\bot, UD, GPF, \ldots\}$]
Executing the instruction pointed to by pc in state s yields the output state $s' = \langle pc', r', m', e' \rangle$
Candidate red-pills
Start from an input state $s = \langle pc, r, m, \bot \rangle$ (no pending exception) and execute the instruction at pc both on the physical CPU and in the emulator, obtaining the output states $s'_{CPU}$ and $s'_{EMU}$.
- If the CPU and the emulator produce the same output state ($s'_{CPU} = s'_{EMU}$), s is not a candidate red-pill
- If, because of an artifact in the emulator, $s'_{CPU} \neq s'_{EMU}$, s is a candidate red-pill
Candidate red-pills: from CPU states to programs
We have a state s with $s'_{CPU} \neq s'_{EMU}$, but we need a program that can detect where it is being executed.
The generated program:
1. Initializes the state of the CPU to $s = \langle pc, r, m, \bot \rangle$
2. Executes the instruction pointed to by pc
3. Compares the state resulting from the execution with $s'_{CPU}$
4. Returns CPU if the comparison succeeds or EMU otherwise
All non-meaningful state information can be omitted, so we can generate very small C programs (∼94 LOC on average).
(Un)reliable red-pills
The pill can distinguish between the CPU and the emulator it was generated with. What about other CPUs and other emulators?
- If two CPUs produce different output states for the pill, the pill is not reliable
- If all CPUs produce the same output state, the pill is reliable
Causes of unreliability
- Different CPU features (CPUID)
  - MMX/XMM
  - Streaming SIMD Extensions: SSE, SSE2, SSE3
- Changes in the code of the emulator (e.g., bug fixes)
Discarding unreliable red-pills
Test reliability with multiple CPUs and multiple emulators:
- If one of the CPUs disagrees on the output (it returns EMU), the pill is discarded
- If one of the emulators disagrees on the output (it returns CPU), the pill is discarded
- If all CPUs return CPU and all emulators return EMU, the pill is reliable
Large scale red-pills generation
Untested red-pills → Candidate red-pills → Reliable red-pills
Generating inputs for candidate red-pills detection
- Random data and algorithmically generated code
- Use the CPU to explore the instruction set:
  - Detect strings representing valid instructions
  - Infer the format of instructions
  - Generate a few instruction instances for each opcode found
Evaluation
Evaluated the technique with QEMU & BOCHS
- Generated ∼2M …
- Tested reliability of … and then selected 50K … found using:
  - 5 different versions of QEMU
  - 4 different versions of BOCHS
- Evaluation took ∼2 hours
Detected 875 unique … for QEMU and 171 for BOCHS
Evaluation
Emulator   #        #        # unique
QEMU       21713    20728    875
BOCHS      4671     2973     171

Breakdown of the unique red-pills:
Emulator   Registers   Memory   FPU   Exceptions
QEMU       55          24       660   235
BOCHS      1           0        3     171

QEMU example: bsf -0xc(%esp),%edi produces differences in some status flags (ambiguity in the x86 specification).
BOCHS example: mulps -0x4(%esp),%xmm1 does not raise a general protection fault exception if the source operand is not aligned (minor bug in the emulator).
Tested some of our red-pills against ANUBIS and RENOVO: the report of the analysis demonstrated that our red-pills always detected the analysis environments.
Conclusions
- A new technique to generate red-pills for detecting CPU emulators:
  - Dynamic
  - Fully automatic
  - Independent from the emulator
- Prototype implementation of the technique
- Discovery of hundreds of new red-pills for QEMU and BOCHS
Thank you! Any questions?
Lorenzo Martignoni
[email protected]