Monday, 30 July 2012

[Tutorials] Malware Analysis Tutorials: a Reverse Engineering Approach

http://fumalwareanalysis.blogspot.com/
=====================================
 Author: Dr. Xiang Fu

Roadmap: You need to first follow Tutorials 1 to 4 to set up the lab configuration. Then each tutorial addresses an independent topic and can be completed separately (each one will have its own lab configuration instructions).

Malware Analysis Tutorial 1- A Reverse Engineering Approach (Lesson 1: VM Based Analysis Platform) 
Malware Analysis Tutorial 2- Introduction to Ring3 Debugging 
Malware Analysis Tutorial 3- Int 2D Anti-Debugging .
Malware Analysis Tutorial 4- Int 2D Anti-Debugging (Part II) 
Malware Analysis Tutorial 5- Int 2D in Max++ (Part III) .
Malware Analysis Tutorial 6- Self-Decoding and Self-Extracting Code Segment .
Malware Analysis Tutorial 7: Exploring Kernel Data Structure .
Malware Analysis Tutorial 8: PE Header and Export Table .
Malware Analysis Tutorial 9: Encoded Export Table
Malware Analysis Tutorial 10: Tricks for Confusing Static Analysis Tools .
Malware Analysis Tutorial 11: Starling Technique and Hijacking Kernel System Calls using Hardware Breakpoints .
Malware Analysis Tutorial 12: Debug the Debugger - Fix Module Information and UDD File .
Malware Analysis Tutorial 13: Tracing DLL Entry Point .
Malware Analysis Tutorial 14: Retrieve Self-Decoding Key .
Malware Analysis Tutorial 15: Injecting Thread into a Running Process .
Malware Analysis Tutorial 16: Return Oriented Programming (Return to LIBC) Attack .
Malware Analysis Tutorial 17: Infection of System Modules (Part I: Randomly Pick a Driver).
Malware Analysis Tutorial 18: Infecting Driver Files (Part II: Simple Infection)
Malware Analysis Tutorial 19: Anatomy of Infected Driver 
Malware Analysis Tutorial 20: Kernel Debugging - Intercepting Driver Loading .
Malware Analysis Tutorial 21: Hijacking Disk Driver 
Malware Analysis Tutorial 22: IRP Handler and Infected Disk Driver
Malware Tutorial Analysis 23: Tracing Kernel Data Using Data Breakpoints 
Malware Analysis Tutorial 24: Tracing Malicious TDI Network Behaviors of Max++  
Malware Analysis Tutorial 25: Deferred Procedure Call (DPC) and TCP Connection 
Malware Analysis Tutorial 26: Rootkit Configuration 
Malware Analysis Tutorial 27: Stealthy Loading of Malicious Driver  
Malware Analysis Tutorial 28: Break Max++ Rootkit Hidden Drive Protection 
Malware Analysis Tutorial 29: Stealthy Library Loading II (Using Self-Modifying APC) 
Malware Analysis Tutorial 30: Self-Overwriting COM Loading for Remote Loading DLL
Posted by at No comments:
Labels:

Device Driver Development For Beginners

http://quequero.org/Device_Driver_Development_For_Beginners
=================================

Introduction

Just a little starter for people interested in starting Kernel-Mode Development. This tutorial is a flexible one, time by time I'll Reload and Expand it.

By following a good thread on UIC forum, opened by a beginner that wanted to know how to start with Device Driver Development, I remembered that long time ago published a similar blog post on that subject.


Development Tools

  1. WDK/DDK - this is the proper Driver Development SDK given by Microsoft, latest edition can be dowloaded http://www.microsoft.com/whdc/DevTools/WDK/WDKpkg.mspx
  2. Visual Studio 2008/2010 - you can also develop without VS, but I always prefer all the Comforts given by a such advanced IDE, especially in presence of complex device drivers.
  3. DDKWizard - DDKWizard is a so-called project creation wizard (for VisualStudio) that allows you to create projects that use the DDKBUILD scripts from OSR (also available in the download section from this site). The wizard will give you several options to configure your project prior to the creation. You can download it http://ddkwizard.assarbad.net/
  4. VisualAssist - (Optional Tool) Visual Assist X provides productivity enhancements that help you read, write, navigate and refactor code with blazing speed in all Microsoft IDEs. You can Try/Buy it http://wholetomato.com/
  5. VisualDDK - Develop and Debug drivers directly from VS, enjoy debugging your driver directly from Visual Studio, speeding up debugging ~18x for VMWare and ~48x for VirtualBox. Download and Step by Step Quick Start Guide http://visualddk.sysprogs.org/quickstart/
  6. Virtual Machine - You need a Virtual Machine to perform efficient Driver Debugging, best options are VMWare or VirtualBox.

Building a Driver Development Environment

As you can see, a good comfortable Driver Development station is composed by a good amount of components, so we need an installation order.
  • Install your IDE - VisualStudio2008 or VisualStudio2010
  • Install WDK package
  • Install DDKWizard
  • Download and place ( usually into C:\WinDDK ) ddkbuild.cmd
  • By following DDKWizard pdf you will be driven to add an new Envirnment Variable directly releated to the OS version in which you are developing and successively add a reference of ddkbuild.cmd into VS IDE. DDWizard Manual is very well written.
  • After finishing DDKWizard integration you can test if your environment is correctly installed, by compilig your first driver. Steps are easy open VS and select DDKWizard templare (not EmptyDriver), you will see the skeleton of a Driver, all what you have to do is to Build Solution and Verify if No Compiling Errors occur, your station is correctly installed.
  • Install VirtualMachine
  • Integrate Debugging help of VisualDDK by following step by step quick start guide
  • Install Visual Assist (this can be done in every moment after VS Installation)

Additional Tools

  • DeviceTree - This utility has two views: (a) one view that will show you the entire PnP enumeration tree of device objects, including relationships among objects and all the device's reported PnP characteristics, and (b) a second view that shows you the device objects created, sorted by driver name. There is nothing like this utility available anywhere else. http://www.osronline.com/article.cfm?article=97
  • IrpTracker - IrpTracker allows you to monitor all I/O request packets (IRPs) on a system without the use of any filter drivers and with no references to any device objects, leaving the PnP system entirely undisturbed. In addition to being able to see the path the IRP takes down the driver stack and its ultimate completion status, a detailed view is available that allows you to see the entire contents of static portion of the IRP and an interpreted view of the current and previous stack locations.
http://www.osronline.com/article.cfm?article=199
  • DebugMon - Displays DbgPrint messages generated by any driver in the system (or the OS itself) in the application window. Can be used either in local mode or can send the DbgPrint messages to another system via TCP/IP. http://www.osronline.com/article.cfm?article=99
  • DriverLoader - This GUI-based tool will make all the appropriate registry entries for your driver, and even allow you to start your driver without rebooting. It's even got a help file, for goodness sakes! If you write drivers, this is another one of those utilities that's a must have for your tool chest. http://www.osronline.com/article.cfm?article=157
Now you have a full working Develop and Debug Station.
As you should imagine, dealing with driver development implies working with at Kernel Mode, a task pretty challenging, delicate and complex. A badly written driver lead to OS Crash and/or dangerous bugs, just think about a driver used in mission-critical applications like Surgery, a bug or a crash could lead to extremely big dangers. The driver need to be:
  • Bug Free
  • Fault Tolerant
  • Ready to Endure all Stress Situations
This could be done, only by the driver coder, with a large knowledge of following fields:
  • Hardware Architecture
  • Operating System Architecture
  • Kernel and User Mode Architecture
  • Rock Solid C language Knowledge
  • Debugging Ability
Here i'm going to enumerate necessary Documentation/Book/Etc. necessary to acheive a good and solid background and advanced knowledge about driver coding.
Microsoft WDK Page: http://www.microsoft.com/whdc/devtools/WDK/default.mspx
Will give you informations about:
  1. WDM ( Windows Driver Model)
  2. WDF (Windows Driver Foundation)
  3. IFS Kit (Installable FileSystem Kit)
  4. Driver Debugging
  5. Driver Stress Testing ( DriverVerifier tool )
PC Fundamentals: http://www.microsoft.com/whdc/system/default.mspx
Device Fundamentals: http://www.microsoft.com/whdc/device/default.mspx
This will give you an large view of 'what mean developing a driver' which components are touched and which aspects you need to know.
It's also obviously necessary to have a Reference about kernel mode involved Functions and Mechanisms, the first best resource is always MSDN, here the starter link to follow MSDN->DDK
http://msdn.microsoft.com/en-us/library/ee663300%28v=VS.85%29.aspx

How to start Learning

  • Driver Development Part 1: Introduction to Drivers
http://www.codeproject.com/KB/system/driverdev.aspx
  • Driver Development Part 2: Introduction to Implementing IOCTLs
http://www.codeproject.com/KB/system/driverdev2.aspx
  • Driver Development Part 3: Introduction to driver contexts
http://www.codeproject.com/KB/system/driverdev3.aspx
  • Driver Development Part 4: Introduction to device stacks
http://www.codeproject.com/KB/system/driverdev4asp.aspx
  • Driver Development Part 5: Introduction to the Transport Device Interface
http://www.codeproject.com/KB/system/driverdev5asp.aspx
  • Driver Development Part 6: Introduction to Display Drivers
http://www.codeproject.com/KB/system/driverdev6asp.aspx
It's really important to put in evicence MemoryManagement at KernelMode, the best starting point for these aspects are tutorials written by four-f;

http://www.freewebs.com/four-f/
Handling IRPs: What Every Driver Writer Needs to Know http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/IRPs.doc

Book Resources

Tutorial are a great starting point, but a solid understanding is given by a set of 'abstracts', emerges the necessity of a good Book Collection:
  • Windows NT Device Driver Development (OSR Classic Reprints)
http://www.amazon.com/Windows-Device-Development-Classic-Reprints/dp/0976717522/ref=sr_1_2?s=gateway&ie=UTF8&qid=1285616242&sr=8-2
  • Windows®-Internals-Including-Windows-PRO-Developer
http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Developer/dp/0735625301/ref=sr_1_1?s=gateway&ie=UTF8&qid=1285616160&sr=8-1
  • The Windows 2000 device driver book: a guide for programmers
http://www.amazon.com/Windows-2000-Device-Driver-Book/dp/0130204315
  • Undocumented Windows 2000 Secrets
http://undocumented.rawol.com/
  • Developing Drivers with WDF
http://www.microsoft.com/whdc/driver/wdf/wdfbook.mspx
  • Windows NT File System Internals, A Developer's Guide
http://oreilly.com/catalog/9781565922495

Web Resources

The first and most important resource about Windows Driver Development is OSROnline:
http://www.osronline.com/
I strongly suggest you to subscribe:
  1. The NT Insider
  2. NTDEV MailingList
  • NDIS Developer's Reference
http://www.ndis.com/
  • Information, Articles, and Free Downloads
http://www.hollistech.com/resources.htm
  • The Undocumented Functions
http://undocumented.ntinternals.net
  • Blog MSDN
http://blogs.msdn.com/iliast
  • Windows Vista Kernel Structures
http://www.nirsoft.net/kernel_struct/vista/
  • Peter Wieland's thoughts on Windows driver development
http://blogs.msdn.com/b/peterwie/
  • USB Driver Development
http://blogs.msdn.com/b/usbcoreblog/
  • Hardware and Driver Developer Blogs
http://www.microsoft.com/whdc/resources/blogs.mspx
Developer Newsgroups
  • microsoft.public.development.device.drivers
  • microsoft.public.win32.programmer.kernel
  • microsoft.public.windbg
Links
  • j00ru//vx tech blog Coding, reverse engineering, OS internals Blog
http://j00ru.vexillium.org/
  • Nynaeve
http://www.nynaeve.net/
  • DumpAnalysis Blog
http://www.dumpanalysis.org/
  • Analyze -v Blog
http://analyze-v.com/
  • Instant Online Crash Dump Analysis
http://www.osronline.com/page.cfm?name=analyze
  • Winsock Kernel (WSK)
http://msdn.microsoft.com/en-us/library/ff571084.aspx
  • Transport Driver Interface (TDI)
http://msdn.microsoft.com/en-us/library/ms819740.aspx
  • Network Driver Interface Specification (NDIS)
http://blogs.msdn.com/b/ndis/
  • System Internals
http://www.microsoft.com/whdc/system/Sysinternals/default.mspx
Driver development needs too many time patience and experience to be fully understood, in my opinion the best approach remains LbD ( Learning by Doing ) so, read, study and develop as many experience you build less BSODs and "strange behavior" you will obtain :)


Thanks

Thanks.
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)