Malware Analysis with Vivisect
Colin Williams
NEST
What is Vivisect?
• Python framework
• Cross-platform (Windows, Linux, Mac)
• Three components:
  • Vivisect: Interactive disassembler
  • Vtrace: Python debugger module
  • Vdb: Command-line debugger (uses Vtrace)
• Doesn't have good documentation
Introduction to Vivisect
• Disassembler with GUI
• Used for static analysis
• Can launch Vdb
Introduction to Vdb
• Command-line debugger
• Uses Vtrace API
• Can import scripts
Introduction to Vtrace
• Python module
• Fully functional debugger
• Control program execution
• Add breakpoints on memory locations, expressions, or memory access
• Run custom code when events occur (load module, load file, etc)
Installing Vivisect
1. Install Python 2.7
2. Install QtPy
3. Go to https://www.wendangku.net/doc/5315160589.html,/static/releases/ and download the latest version of Vivisect
4. Copy the Vivisect files into the Python installation directory (optional)
Using Vivisect
• python vivbin
• View->Layouts->Load
  • vivisect/qt/default.lyt
Vivisect Windows
• Strings - Displays all strings found in the binary
• Segments - Displays known segments in the binary
• Imports - Displays all function imports used
• Exports - Displays all function exports provided
• Functions - Displays all known functions available in the binary
Vivisect Function Graph
• Displays a program flow graph
• Visualize code paths more easily
• Comment sections of code
• Rename locations
Vivisect Assembly Window
• Displays assembly for the selected function
• Syntax highlighting
• Cross referencing
• Rename locations
• Comment sections
Using Vdb
• python vdbbin
• exec
• attach
• help - displays the command list or help for one command
• bp - manage breakpoints
• dis - disassemble around an address
• mem - print memory (optionally formatted)
• writemem - modify memory
• stepi - step one instruction (after breaking)
• script - run a Python script in the context of the debugger
Using Vtrace (in a python script)
• Import vtrace (and optionally vdb)
  • import vtrace
  • import vdb
• Create a Trace object
  • trace = vtrace.getTrace()
• Execute a trace on the program (this does not actually run the program's code yet)
  • trace.execute(filepath)
Using Vtrace (in a python script) (cntd)
• Set up breakpoints, functions, etc
• Run the program in the trace
  • trace.run()
• This WILL run the program - be careful
Example - PMA Lab 01-01
• Practical Malware Analysis, by Sikorski and Honig
• Download from here: https://www.wendangku.net/doc/5315160589.html,/labs/
• Chapter 1, Lab 1
• Replaces a system DLL with a modified version that opens a back door.
• Two files - Lab01-01.exe & Lab01-01.dll
• As always, use a virtual machine
General Overview - Vivisect
• Open the file in Vivisect
  • python vivbin Lab01-01.exe
  • python vivbin Lab01-01.dll
• Look through strings, imports, functions, etc
Imports (exe) - Vivisect
• File management imports
  • CreateFile
  • CreateFileMapping
  • FindClose
  • FindNextFile
  • FindFirstFile
  • CopyFile
• Probably doing something with files
Imports (dll) - Vivisect
• Process management
  • CreateProcess
  • CreateMutex
  • OpenMutex
  • Sleep
• Networking
  • inet_addr
  • connect
  • send
  • recv
  • closesocket
  • htons
Strings (exe) - Vivisect
• References to DLL files
  • 2 absolute
  • 2 relative (local)
• Note the last one
  • kerne132.dll, rather than kernel32.dll
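The kerne132.dll spot is the kind of check worth automating when the Strings window is long. The following is an added example, not code from the slides or from Vivisect: it takes a list of strings (a constructed list standing in for the Strings window output), keeps only the .dll references, and flags any name that is not a known system DLL but sits one edit, or one digit-for-letter swap, away from one. The set of known DLL names and the confusable-character table are assumptions chosen for the example.

```python
import re

# Subset of legitimate system DLL names (constructed for this example).
KNOWN_SYSTEM_DLLS = {
    'kernel32.dll', 'ntdll.dll', 'user32.dll', 'advapi32.dll',
    'ws2_32.dll', 'wininet.dll', 'msvcrt.dll', 'shell32.dll',
}

# Characters that are commonly swapped so a name still looks right at a glance.
CONFUSABLES = {'1': 'l', '0': 'o', '5': 's', '7': 't', 'i': 'l', 'j': 'l'}

# Constructed stand-in for the Strings window of Lab01-01.exe (not the real output).
SAMPLE_STRINGS = [
    'kernel32.dll',
    'C:\\windows\\system32\\kernel32.dll',
    'C:\\windows\\system32\\kerne132.dll',
    'Lab01-01.dll',
    'ws2_32.dll',
    'hello',
]


def basename(path):
    """Final component of a Windows or POSIX path, lower-cased."""
    return re.split(r'[\\/]', path)[-1].lower()


def canonical(name):
    """Fold confusable characters so 'kerne132' and 'kernel32' compare equal."""
    return ''.join(CONFUSABLES.get(c, c) for c in name)


def edit_distance_le_1(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    # a is one character shorter: skip the first mismatch in b and compare the tails
    for i in range(len(a)):
        if a[i] != b[i]:
            return a[i:] == b[i + 1:]
    return True


def lookalike_dlls(strings):
    """Return (string as seen, DLL it imitates) for every near-miss DLL reference."""
    hits = []
    for s in strings:
        name = basename(s.strip())
        if not name.endswith('.dll') or name in KNOWN_SYSTEM_DLLS:
            continue
        for known in sorted(KNOWN_SYSTEM_DLLS):
            if canonical(name) == canonical(known) or edit_distance_le_1(name, known):
                hits.append((s, known))
                break
    return hits


if __name__ == '__main__':
    for seen, expected in lookalike_dlls(SAMPLE_STRINGS):
        print('%s looks like %s' % (seen, expected))
```

Names that are in the known set are skipped outright, so the check only fires on strings that imitate a system DLL; a name like Lab01-01.dll is neither known nor close to anything known and is left alone.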
Strings (dll) - Vivisect
• IP address
  • Indicates network activity
• Sleep, exec, hello
  • Unknown at this point
Dynamic - Vtrace
• Set up a custom debugger script to control the executable
  • Prevent it from actually doing anything harmful
  • Determine what it is trying to do
• Use information from Vivisect to determine what breakpoints to use
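Putting the Vtrace steps (import, getTrace, execute, breakpoints, run) together with this plan, here is an added example of such a script. It is not code from the slides or from the Vivisect project. It sets expression breakpoints on the imports seen in the Vivisect Imports windows (CreateFileA, CopyFileA, connect, send), logs their arguments at the call, and then returns to the caller with a failure value in EAX so the API itself never executes. The stdcall argument counts and failure return values come from the Win32 API; the vtrace calls used (getTrace, execute, addBreakpoint, Breakpoint with an expression, Notifier, registerNotifier, readMemory, getStackCounter, setRegisterByName, getMeta) are the public Vtrace API, with the 'LatestLibrary' meta key name being an assumption. The decoding helpers are pure Python, so demo() runs on a constructed stack and sockaddr without the sample present.

```python
"""Vtrace script for Lab01-01: log the watched imports and skip their execution.
Usage in the analysis VM, with the Vivisect tree on the Python 2.7 path:
    python vtrace_lab0101.py Lab01-01.exe
Without an argument it runs demo() on constructed data instead.
"""
import struct
import sys

# Imports from the Vivisect Imports window, with each API's 32-bit stdcall
# argument count and the value a failed call returns in EAX.
WATCHED = {
    'kernel32.CreateFileA': (7, 0xFFFFFFFF),  # INVALID_HANDLE_VALUE
    'kernel32.CopyFileA':   (3, 0),           # FALSE
    'ws2_32.connect':       (3, 0xFFFFFFFF),  # SOCKET_ERROR
    'ws2_32.send':          (4, 0xFFFFFFFF),  # SOCKET_ERROR
}


def parse_stdcall_frame(stack_bytes, nargs):
    """Decode the x86 stack at function entry: [return address][arg1]..[argN]."""
    count = nargs + 1
    values = struct.unpack('<%dI' % count, stack_bytes[:4 * count])
    return values[0], list(values[1:])


def cstring(raw):
    """Cut a raw memory read at its first NUL and decode it for display."""
    return raw.split(b'\x00', 1)[0].decode('latin-1')


def skip_call_state(esp, nargs, ret_addr, fake_return):
    """Register values that return to the caller as if the API had failed:
    resume at the return address, pop it plus the stdcall arguments (the
    callee would normally do that), and put the failure value in EAX."""
    return {'eip': ret_addr, 'esp': esp + 4 * (nargs + 1), 'eax': fake_return}


def describe(name, args, read):
    """Render the arguments worth logging; read(addr, size) returns bytes."""
    if name == 'kernel32.CreateFileA':
        return "%s('%s')" % (name, cstring(read(args[0], 260)))
    if name == 'kernel32.CopyFileA':
        src, dst = cstring(read(args[0], 260)), cstring(read(args[1], 260))
        return "%s('%s' -> '%s')" % (name, src, dst)
    if name == 'ws2_32.connect':
        sa = read(args[1], 8)                 # leading bytes of struct sockaddr_in
        family, = struct.unpack('<H', sa[:2])
        port, = struct.unpack('>H', sa[2:4])  # network byte order (htons)
        ip = '.'.join(str(b) for b in bytearray(sa[4:8]))
        return '%s(%s:%d)' % (name, ip, port) if family == 2 else '%s(non-IPv4)' % name
    return '%s(%s)' % (name, ', '.join('0x%x' % a for a in args))


def install(trace, vtrace):
    """Attach one breakpoint per watched import plus a library-load notifier."""

    class LogAndSkip(vtrace.Breakpoint):
        def __init__(self, expr, nargs, fake_return):
            # An expression breakpoint ('kernel32.CopyFileA') is resolved once the
            # library is loaded, so it can be added before the program runs.
            vtrace.Breakpoint.__init__(self, None, expression=expr)
            self.expr, self.nargs, self.fake = expr, nargs, fake_return

        def notify(self, event, trace):
            esp = trace.getStackCounter()
            frame = trace.readMemory(esp, 4 * (self.nargs + 1))
            ret, args = parse_stdcall_frame(frame, self.nargs)
            print('[bp]  %s' % describe(self.expr, args, trace.readMemory))
            for reg, val in skip_call_state(esp, self.nargs, ret, self.fake).items():
                trace.setRegisterByName(reg, val)  # takes effect when the trace resumes

    class LibraryLogger(vtrace.Notifier):
        def notify(self, event, trace):
            print('[lib] %s' % trace.getMeta('LatestLibrary'))  # key name assumed

    for expr, (nargs, fake) in sorted(WATCHED.items()):
        trace.addBreakpoint(LogAndSkip(expr, nargs, fake))
    trace.registerNotifier(vtrace.NOTIFY_LOAD_LIBRARY, LibraryLogger())


def demo():
    """Exercise the helpers on a constructed stack and sockaddr (no sample needed)."""
    memory = {  # constructed process memory
        0x1000: b'C:\\Windows\\System32\\kerne132.dll\x00',
        0x2000: b'\x02\x00' + b'\x00\x50' + b'\xc0\x00\x02\x0a',  # AF_INET, port 80, 192.0.2.10
    }
    read = lambda addr, size: memory[addr][:size]
    ret, args = parse_stdcall_frame(struct.pack('<4I', 0x401234, 0x1000, 0x1000, 0), 3)
    _, cargs = parse_stdcall_frame(struct.pack('<4I', 0x401300, 4, 0x2000, 16), 3)
    return [describe('kernel32.CopyFileA', args, read),
            describe('ws2_32.connect', cargs, read),
            skip_call_state(0x0012ff00, 3, ret, 0)]


def main(path):
    import vtrace  # only importable from inside the Vivisect tree (Python 2.7)
    trace = vtrace.getTrace()
    trace.execute(path)   # loaded under the debugger; the sample's code has not run yet
    install(trace, vtrace)
    trace.run()           # this really runs the sample, with the watched calls skipped
    print('exit code: %r' % trace.getMeta('ExitCode'))


if __name__ == '__main__':
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:
        print(demo())
```

Skipping the call rather than just logging it is what lets the exe be traced without it actually replacing the DLL or the dll reaching its server, while the log still shows which file it wanted to copy where and which address it tried to connect to. The fake return values matter: a CopyFileA that "returns" FALSE or a connect that "returns" SOCKET_ERROR sends the sample down its error path, which is itself useful information.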