# Advanced Register Techniques in Malware Analysis
Building on [[CPU Registers Building Blocks]] and [[Register Operations in Assembly]], let's dive into how malware authors use advanced register techniques to hide their code's true intentions.
## Manual API Resolution
One of the most common advanced techniques you'll see is PEB (Process Environment Block) walking for API resolution. Instead of importing functions normally through the [[PE File Format Foundations|Import Table]], malware often resolves APIs at runtime.
### PEB Walking
```nasm
; Manual PEB traversal to find kernel32.dll (x64)
mov rax, gs:[60h]           ; Get PEB address from the GS segment (TEB+60h)
mov rax, [rax + 18h]        ; PEB->Ldr (PEB_LDR_DATA)
mov rsi, [rax + 20h]        ; Ldr->InMemoryOrderModuleList.Flink
find_kernel32:
lodsq                       ; rax = next LDR_DATA_TABLE_ENTRY (its InMemoryOrderLinks, entry+10h)
mov rsi, rax                ; Continue the walk from this entry next time round
mov rcx, [rax + 50h]        ; BaseDllName.Buffer (UTF-16), entry+60h
cmp dword [rcx], 0045004Bh  ; First two UTF-16 chars "KE" of "KERNEL32.DLL" (kernel32 precedes KERNELBASE in this list; hashing or case-folding the name is more robust)
jne find_kernel32           ; Keep searching if no match
mov rax, [rax + 20h]        ; DllBase, entry+30h: kernel32 base address
```
> [!tip] This technique is often called "PEB walking" or "manual API resolution".
> This technique is popular because:
> 1. It hides API calls from static analysis
> 2. It can bypass API hooks
> 3. It makes analysis more difficult
Let's break down how this works:
1. `gs:[60h]` in x64 (or `fs:[30h]` in x86) points to the PEB
2. The PEB contains a loader data structure (offset 18h)
3. The loader data has a linked list of all loaded modules
4. Malware walks this list to find DLLs it needs
Here's a more complete example showing API resolution:
```nasm
; Full example of resolving GetProcAddress (x64)
get_api:
; First find kernel32.dll base (as shown above)
mov rax, gs:[60h]             ; PEB
mov rax, [rax + 18h]          ; PEB_LDR_DATA
mov rsi, [rax + 20h]          ; InMemoryOrderModuleList.Flink
; Walk loaded modules to find kernel32.dll
find_k32:
lodsq                         ; rax = next entry's InMemoryOrderLinks
mov rsi, rax                  ; Continue from this entry on the next iteration
mov rcx, [rax + 50h]          ; BaseDllName.Buffer (UTF-16 module name)
cmp dword [rcx], 0045004Bh    ; "KE" in UTF-16LE
jne find_k32
mov rbx, [rax + 20h]          ; DllBase: save kernel32 base
; Now find GetProcAddress in export table
mov eax, [rbx + 3Ch]          ; e_lfanew: PE header offset
add rax, rbx                  ; PE header address
mov eax, [rax + 88h]          ; Export directory RVA (PE32+ DataDirectory[0])
add rax, rbx                  ; Export directory address
; Walk export directory to find GetProcAddress
mov ecx, [rax + 18h]          ; NumberOfNames
mov r8d, [rax + 20h]          ; AddressOfNames RVA
add r8, rbx                   ; Make absolute address
find_getproc:
dec ecx                       ; Walk the name table backwards
mov esi, [r8 + rcx*4]         ; Get next function name RVA
add rsi, rbx                  ; Make absolute address
cmp dword [rsi], 'GetP'       ; Match "GetP" (first 4 bytes only; the table is alphabetical, so a full compare is needed in practice)
jne find_getproc
; Found it! Now get the function address
mov edx, [rax + 24h]          ; AddressOfNameOrdinals RVA
add rdx, rbx                  ; Make absolute
movzx ecx, word [rdx + rcx*2] ; Get ordinal (16-bit, zero-extended so rcx is a clean index)
mov edx, [rax + 1Ch]          ; AddressOfFunctions RVA
add rdx, rbx                  ; Make absolute
mov eax, [rdx + rcx*4]        ; Get function RVA
add rax, rbx                  ; Final function address!
```
Once malware has resolved GetProcAddress, it can use it to find any other API function it needs. Common patterns to watch for:
- Access to GS/FS segment registers
- References to PEB offsets (60h, 18h, etc.)
- String comparisons with DLL names
- Walking of linked lists
- PE header parsing (looking for export directories)
> [!note] Understanding this technique is crucial because
>
> 1. It helps identify malware even when import tables are clean
> 2. It reveals what APIs the malware intends to use
> 3. It's a strong indicator of deliberately evasive code
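Here is the same export-table walk in Python over a constructed, minimal PE32+ image rather than a real DLL (an added example, not code from the original post). It reproduces the assembly's backwards scan and also shows why matching only the first four bytes ("GetP") is unreliable: export name tables are sorted alphabetically, so a backwards walk reaches GetProcessHeap before GetProcAddress.

```python
import struct

def build_image(exports):
    """Constructed, minimal PE32+ image in memory (not a real DLL): only the fields the
    walk touches: e_lfanew at 3Ch, export directory RVA at PE header + 88h, and an
    export directory with its names/ordinals/functions tables. 'exports' is a list of
    (name, function_rva) in alphabetical order, as in a real name table."""
    image = bytearray(0x1000)
    pe_off, exp_off = 0x80, 0x200
    struct.pack_into("<I", image, 0x3C, pe_off)                 # e_lfanew
    image[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<I", image, pe_off + 0x88, exp_off)       # DataDirectory[0] (export) RVA
    n = len(exports)
    funcs, names, ords = exp_off + 0x28, exp_off + 0x28 + 4 * n, exp_off + 0x28 + 8 * n
    next_str = ords + 2 * n
    struct.pack_into("<II", image, exp_off + 0x14, n, n)        # NumberOfFunctions, NumberOfNames
    struct.pack_into("<III", image, exp_off + 0x1C, funcs, names, ords)
    for i, (name, rva) in enumerate(exports):
        struct.pack_into("<I", image, funcs + 4 * i, rva)       # AddressOfFunctions[i]
        struct.pack_into("<I", image, names + 4 * i, next_str)  # AddressOfNames[i]
        struct.pack_into("<H", image, ords + 2 * i, i)          # AddressOfNameOrdinals[i]
        image[next_str:next_str + len(name) + 1] = name.encode() + b"\0"
        next_str += len(name) + 1
    return bytes(image)

def resolve_export(image, wanted, prefix_only=False):
    """Mirror the assembly: follow e_lfanew, read the export directory, scan
    AddressOfNames backwards (the 'dec ecx' loop) and map the hit through
    AddressOfNameOrdinals into AddressOfFunctions. Returns (name, rva) or None.
    prefix_only=True reproduces the 4-byte 'GetP' dword compare."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    exp = struct.unpack_from("<I", image, pe + 0x88)[0]
    n_names, funcs, names, ords = struct.unpack_from("<IIII", image, exp + 0x18)
    for i in range(n_names - 1, -1, -1):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode()
        if (name.startswith(wanted[:4]) if prefix_only else name == wanted):
            ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
            return name, struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
    return None

# Constructed sample export table with made-up RVAs
IMAGE = build_image([("GetProcAddress", 0x1234), ("GetProcessHeap", 0x2345), ("LoadLibraryA", 0x3456)])
```

The same `resolve_export` works on a module read out of a memory dump once it is rebased, which is how an analyst confirms which address a resolved pointer really refers to.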
### String Decoding
String obfuscation is a staple in malware. Using registers and XOR operations to decode strings at runtime ensures sensitive information, like C2 (Command and Control) server URLs, remains hidden until needed.
```nasm
; String decoding example
section .data
encoded_str db "XYZZY" ; Encoded string
key db 0x5 ; XOR key
str_len equ 5 ; Length
section .text
decode_string:
cld ; Clear direction flag
lea rsi, [encoded_str] ; Source string
lea rdi, [encoded_str] ; In-place decode
mov rcx, str_len ; Counter
decode_loop:
lodsb ; Load byte
xor al, [key] ; Decode
stosb ; Store byte
loop decode_loop ; Continue
```
**Why It Matters**
The XOR key (`0x5` in this case) obfuscates the string, rendering it unreadable during static analysis. Analysts often rely on emulation or dynamic analysis to uncover such obfuscated strings.
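The analyst's counterpart to the loop above is a brute-force of the single-byte key over a blob. This added example (not from the original post) tries all 256 keys against a constructed sample and keeps only decodings that contain an analyst-chosen keyword, because XOR with a small key leaves most ASCII printable and "longest printable run" alone does not single out the right key.

```python
import re

def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation decode_loop performs byte by byte."""
    return bytes(b ^ key for b in data)

def find_xor_strings(blob: bytes, keywords=(b"http", b"www", b"cmd"), min_len=6):
    """Try every single-byte key, pull printable runs out of each candidate decoding
    and keep the runs that contain a keyword. Returns [(key, run), ...]."""
    hits = []
    for key in range(256):
        decoded = xor_decode(blob, key)
        for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded):
            if any(k in run for k in keywords):
                hits.append((key, run))
    return hits

# Constructed sample: a placeholder C2 URL XORed with 0x5 (the key used above),
# surrounded by non-printable filler so the run boundaries are visible.
SAMPLE = b"\x00\x90\xcc" + xor_decode(b"http://example.invalid/c2", 0x5) + b"\xcc\x00"
```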
## Process Injection Techniques
This technique lets malware execute its code inside the memory space of another, usually legitimate, process, so that the malicious activity is attributed to that process rather than to the malware's own executable and evades detection keyed on direct execution.
### x86 Process Injection
```nasm
; VirtualAllocEx example (x86)
push 40h ; PAGE_EXECUTE_READWRITE
push 1000h ; MEM_COMMIT
push 1000h ; dwSize
push 0 ; NULL
push dword [hProcess] ; Process handle
call VirtualAllocEx
```
### x64 Process Injection
```nasm
; Same operation in x64 (Microsoft x64 calling convention)
; Assumes rsp = 16-byte boundary + 8 here, as at function entry, so the call is aligned
mov rcx, [hProcess] ; Process handle
xor rdx, rdx ; NULL lpAddress
mov r8d, 1000h ; dwSize
mov r9d, 1000h ; MEM_COMMIT
push 40h ; PAGE_EXECUTE_READWRITE (5th argument, lands at [rsp+20h] after the sub)
sub rsp, 20h ; Shadow space
call VirtualAllocEx
add rsp, 28h ; Remove shadow space and the 5th argument
```
**Real-World Context**
- **DLL Injection**: Writing a DLL path to remote memory and calling `LoadLibrary`.
- **Process Hollowing**: Replacing legitimate process code with malicious payloads, often seen in ransomware like Ryuk.
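On the detection side, the injection sequence the two listings above set up is visible as a chain of API calls. This added example (not code from the original post) correlates a constructed sandbox-style API trace: a remote RWX allocation (flProtect 40h), a write into that region, and a remote thread started inside it. The trace format is made up for the example.

```python
import re

# Constructed trace, not real malware output. Format: <pid> <api>(<k>=<v>, ...) -> <ret>
TRACE = """\
1234 OpenProcess(dwDesiredAccess=0x1f0fff, dwProcessId=4321) -> 0x1a4
1234 VirtualAllocEx(hProcess=0x1a4, lpAddress=0x0, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x40) -> 0x7ff600000000
1234 WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x7ff600000000, nSize=0x1000) -> 1
1234 CreateRemoteThread(hProcess=0x1a4, lpStartAddress=0x7ff600000200) -> 0x1b0
5678 VirtualAlloc(lpAddress=0x0, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) -> 0x21000000
"""

PAGE_EXECUTE_READWRITE = 0x40
LINE = re.compile(r"^(\d+) (\w+)\((.*)\) -> (\S+)$")

def _num(s):
    return int(s, 16) if s.startswith("0x") else int(s)

def parse_trace(text):
    """Return [(pid, api, {arg: value}, return_value), ...] for well-formed lines."""
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, api, args, ret = m.groups()
        kv = {k: _num(v) for k, v in re.findall(r"(\w+)=(\w+)", args)}
        calls.append((int(pid), api, kv, _num(ret)))
    return calls

def detect_injection(calls):
    """Flag the classic chain: RWX VirtualAllocEx on a remote handle, WriteProcessMemory
    into that region, CreateRemoteThread whose start address lies inside it.
    Returns one (injector_pid, hProcess, region_base) per completed chain."""
    regions, findings = {}, []          # (pid, hProcess, base) -> {"size", "written"}
    for pid, api, a, ret in calls:
        if api == "VirtualAllocEx" and a.get("flProtect", 0) & PAGE_EXECUTE_READWRITE:
            regions[(pid, a["hProcess"], ret)] = {"size": a["dwSize"], "written": False}
        elif api == "WriteProcessMemory":
            r = regions.get((pid, a["hProcess"], a["lpBaseAddress"]))
            if r:
                r["written"] = True
        elif api == "CreateRemoteThread":
            for (p, h, base), r in regions.items():
                if (p, h) == (pid, a["hProcess"]) and r["written"] \
                        and base <= a["lpStartAddress"] < base + r["size"]:
                    findings.append((pid, h, base))
    return findings
```

A local RW allocation (pid 5678) produces no finding, which is the false-positive class a pure "VirtualAlloc seen" rule would trip on.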
## Advanced Anti-Analysis Techniques
Malware employs techniques to identify and thwart debugging or sandboxing environments. Timing checks are a common anti-debug trick.
### Checking for Debuggers
```nasm
; Timing-based anti-debug (x86)
rdtsc ; Get initial timestamp (edx:eax)
push eax ; Save low 32 bits
push edx ; Save high 32 bits
nop ; Instruction being measured
rdtsc ; Get end timestamp
sub eax, [esp+4] ; Low 32 bits of the difference
sbb edx, [esp] ; High 32 bits, with borrow
add esp, 8 ; Discard the saved timestamp
test edx, edx ; Non-zero high half means an enormous gap
jnz debugger_detected
cmp eax, 100 ; Check if too slow (threshold in cycles)
ja debugger_detected
```
**Breaking It Down**
- **`rdtsc` Timing**: Measures how many cycles the bracketed instruction takes. A debugger single-stepping or breaking between the two reads inflates that count far beyond the threshold.
- **Evading Detection**: Analysts must use stealthy debugging techniques or instrumentation to bypass these checks.
## Looking Ahead: Beating Malware at Its Own Game
Understanding malware techniques like PEB walking and string decoding is half the battle. The next challenge? Countering these evasive moves with tools and strategies that expose their secrets.
In our next post, we’ll reveal:
- How to hook into dynamic API resolution and uncover hidden APIs in real time.
- Advanced memory dumping techniques to extract obfuscated strings.
- How to bypass anti-debugging tricks and sandbox evasion.
Whether you’re an analyst, researcher, or just curious about the cat-and-mouse game of cybersecurity, you won’t want to miss it. **Keep an eye on [[Countering Evasive Malware Techniques]]—coming soon!**
## Final Thoughts
Advanced techniques like string decoding, process injection, and anti-analysis methods are hallmarks of modern malware. Understanding these strategies equips analysts to:
1. **Detect Patterns**: Recognise common malware behaviours such as process hollowing.
2. **De-obfuscate**: Reverse complex string encoding schemes.
3. **Bypass Anti-Analysis**: Adapt debugging and sandboxing environments to counter evasive techniques.
For more insights, dive into [[Windows API Basics]] for foundational API knowledge and [[Azure Malware Lab Design]] for secure malware analysis environments. These resources are perfect companions for exploring how these techniques play out in real-world malware.