Abstract
Understanding how application programming interfaces (APIs) are used in a program plays an important role in malware analysis. This has resulted in an endless battle between malware authors and malware analysts over the development of API [de]obfuscation techniques during the last few decades. Our goal in this paper is to show a limit of existing API de-obfuscations. To do that, we first analyze existing API [de]obfuscation techniques and identify an attack vector common to API de-obfuscation techniques, and then we present Stealth Loader, a program loader that uses our API obfuscation technique to bypass all existing API de-obfuscations. The core idea of this technique is to load a dynamic link library (DLL) and resolve its dependencies without leaving any traces in memory that could be detected. We demonstrate the effectiveness of Stealth Loader by analyzing a set of Windows executables and malware protected with Stealth Loader using major dynamic and static analysis tools and techniques. The result shows that, among the obfuscation techniques examined, only Stealth Loader successfully bypasses all analysis tools and techniques.
Notes
1. A DLL loaded by Stealth Loader.
2. DLLs loaded by Windows.
A The Reasons for Unsupported APIs
In this appendix, we explain why Stealth Loader cannot support several APIs on the Windows 7 platform.
A.1 ntdll Initialization
ntdll.dll does not export an initialization function: DllMain does not exist in ntdll.dll, and LdrInitializeThunk, the entry point of ntdll.dll for a newly created thread, is not exported either. Because the DLL therefore cannot be initialized, many of its global variables remain uninitialized, which causes a program crash. As a workaround, we used static analysis to classify the APIs of ntdll.dll according to whether they depend on global variables, and defined the APIs that depend on global variables as unsupported. As a result, the number of supported APIs for ntdll.dll is 776, while the number of unsupported APIs is 1,992.
A.2 Callback
APIs that trigger callbacks are difficult to support with Stealth Loader because they do not work properly unless callback handlers are registered in the PEB. We therefore exclude from our supported APIs those APIs of user32.dll and gdi32.dll that trigger callbacks. To determine which APIs are related to callbacks, we developed an IDA script that builds a call flow graph, and analyzed win32k.sys, user32.dll, and gdi32.dll with it. In this way we identified 203 callback-related APIs out of the 839 exported from user32.dll and 202 out of the 728 exported from gdi32.dll.
A.3 Local Heap Memory
Supporting the APIs that operate on local heap objects is difficult because these objects may be shared between DLLs. The reason is as follows. When a local heap object is allocated, it is managed under the stealth-loaded kernelbase.dll; when the object is later used, however, it is checked under the Windows-loaded kernelbase.dll. This inconsistency causes some APIs related to local heap object operations to fail. To avoid this situation, we exclude the APIs that operate on local heap objects from our supported APIs. Our static analysis found that local heap objects are managed in BaseHeapHandleTable, located in the data section of kernelbase.dll; the current Stealth Loader therefore does not support the 6 APIs that depend on this table.
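The three exclusion rules of A.1, A.2 and A.3 (reference to a writable data section, a call-graph path to a callback-dispatch routine, and reference to the shared heap handle table) can be modelled as one classification pass over a module's exported functions. The following is an added example, not the paper's code: the function names, address ranges and call edges are constructed, and `dispatch_cb` and the `HEAP_TABLE` range merely stand in for the real callback-dispatch routines and for BaseHeapHandleTable.

```python
# Added example (not the paper's code): the appendix's export-classification rules over a constructed module
from dataclasses import dataclass, field

@dataclass
class Func:
    calls: set[str] = field(default_factory=set)     # direct callees, by name
    mem_refs: set[int] = field(default_factory=set)  # absolute memory operands in the body
    exported: bool = False

def refs(f: Func, ranges: list[tuple[int, int]]) -> bool:
    # True if any memory operand of f lies in one of the [lo, hi) ranges
    return any(lo <= a < hi for a in f.mem_refs for lo, hi in ranges)

def reaches(funcs: dict[str, Func], name: str, sinks: set[str]) -> bool:
    # A.2: walk the call flow graph from name; True if a path hits a callback sink
    seen, stack = set(), [name]
    while stack:
        cur = stack.pop()
        if cur in sinks:
            return True
        if cur not in seen:              # visited set terminates recursive chains
            seen.add(cur)
            stack.extend(funcs.get(cur, Func()).calls)
    return False

def classify(funcs, data_ranges, sinks, heap_table) -> dict[str, str]:
    out = {}
    for name, f in funcs.items():
        if not f.exported:
            continue
        if refs(f, heap_table):                 # A.3: shared local-heap handle table
            out[name] = "unsupported: local heap table"
        elif reaches(funcs, name, sinks):       # A.2: ends up triggering a callback
            out[name] = "unsupported: callback"
        elif refs(f, data_ranges):              # A.1: depends on global variables
            out[name] = "unsupported: global variable"
        else:
            out[name] = "supported"
    return out

FUNCS = {  # constructed module; the data section 0x10000-0x12000 holds a heap handle table
    "ApiStateless": Func(calls={"helper"}, mem_refs={0x2000}, exported=True),
    "ApiGlobal":    Func(mem_refs={0x10040}, exported=True),
    "ApiCallback":  Func(calls={"helper", "dispatch_cb"}, exported=True),
    "ApiHeapTable": Func(mem_refs={0x11810}, exported=True),
    "dispatch_cb":  Func(calls={"ApiCallback"}),   # cycle back into the API
}
DATA_RANGES = [(0x10000, 0x12000)]
CALLBACK_SINKS = {"dispatch_cb"}       # stands in for the callback-dispatch routines
HEAP_TABLE = [(0x11800, 0x11900)]      # stands in for BaseHeapHandleTable's extent
```

Running `classify(FUNCS, DATA_RANGES, CALLBACK_SINKS, HEAP_TABLE)` labels each export with the rule that excludes it; on a real module the `mem_refs` and `calls` sets would be filled from a disassembler's cross-references.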
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Kawakoya, Y., Shioji, E., Otsuki, Y., Iwamura, M., Yada, T. (2017). Stealth Loader: Trace-Free Program Loading for API Obfuscation. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol. 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_10
DOI: https://doi.org/10.1007/978-3-319-66332-6_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66331-9
Online ISBN: 978-3-319-66332-6