Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Defenders, Know Your Operating System Like Attackers Do! SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Defenders, Know Your Operating System Like Attackers Do!

Not a technical diary today but more a reflection… When I’m teaching FOR610[1], I always remind students to “RTFM” or "Read the F… Manual". I mean to not hesitate to have a look at the Microsoft document when they meet an API call for the first time or if they are not sure about the expected parameters.

Many attackers have a very deep knowledge of how targeted operating systems are behaving and what are the controls in place or features that could be (ab)used by malicious code. When you’re analyzing malware samples, it’s very important to quickly spot interesting blocks of code (by learning which interesting OS feature they use). A classic example is the API call VirtualAllocEx()[2] which allocates a region of memory within the virtual address space of a specified process:

LPVOID VirtualAllocEx(
  HANDLE hProcess,
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect

hProcess is a handle to a process returned by OpenProcess(). Then, you use WriteProcessMemory() to write specified contents into the memory of the targeted process. When you read this, you can ask yourself: “Wait… why does Microsoft allow a process to inject code into another process?”. The answer is simple: because it’s a key feature of the operating system and it can be used for many totally legit reasons. Think about antivirus programs! It’s common that AV injects code into processes of a process (ex: in browsers to inspect downloaded data).

API calls are a key aspect of malware, not only the function itself but also its options. Here is another example: If you see a VirtualProtect, check the last parameter:

LPVOID VirtualAlloc(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect

flProtect allows you to set the memory protection for the region of pages to be allocated. If you see the value 0x40 (PAGE_EXECUTE_READWRITE) set for this parameter, it means the newly allocated memory will contain executable code![3]

An approach to flag some sample during the triage process is to identify the group of API’s that are used to perform suspicious actions like:

  • Code injection
  • DLL operations
  • Dropping 2nd stage

In my triage process, I use FLOSS[4] because it can extract a lot of API calls from strings, stack strings, etc… Then I parse the output to YARA to match interesting groups of API. Example:

remnux@remnux:/MalwareZoo/20210316$ floss sample.exe | ./ suspicious-api-calls.yara
Matching: api_address_search
Matching: dll_operations

Why YARA? Because it helps to create useful rules like "any of this", "all of this", and, or, groups of APIs. A sample of YARA rules is available here[5].

Happy hunting!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Threat Hunting London 2022


649 Posts
ISC Handler
Mar 17th 2021

Sign Up for Free or Log In to start participating in the conversation!