Written by Hirokazu Murakami, GIAC GREM with Gold Certificate
Abstract
The "Process Hollowing" technique is often used by modern malware. Examining it efficiently is a challenge for malware analysts. Some malicious actors use encryption to hide malicious code. The simplest extraction method for Process Hollowing is to dump the decrypted memory. However, there are cases where the dumped file cannot be executed because of an import table problem. The purpose of these technical tips is to extract executable files from "Process Hollowing" processes.
This approach has the following advantages:
- Files that can be analyzed dynamically can be shared by multiple analysts.
- It makes it easy to retry malware analysis.
- Analysts can deepen their understanding of the "Process Hollowing" technique.
Basic knowledge of Process Hollowing
This article focuses on the technical tips for extracting an executable from Process Hollowing. Therefore, a detailed explanation of "Process Hollowing" is not given here; please refer to other articles for that.
As examples, here are some articles:
Process Hollowing
https://medium.com/@jain.sm/process-hollowing-930b30452279
Process Hollowing
http://www.autosectools.com/process-hollowing.pdf
Requirements
Tools
You need the following tools:
- x64dbg (Required)
https://x64dbg.com/
- Other debuggers (if you need them; I use IDA by preference.)
Specimen
Ransomware "MegaCortex"
Hash:
MD5: 2B21BA38C13446B6CDD0113E719CA21C
SHA1: 7772C87601440E93C6D990F4EE31EED314E9C20D
Preliminary analysis
You must analyze each specimen up to the point just before "Process Hollowing" starts, that is, just before the hollowed process is started by the ResumeThread API or another API. This article does not describe those analysis steps. If I receive requests for an explanation of the analysis steps, I will write them up in another article.
Rough steps for extracting an executable file from "Process Hollowing"
The procedure is roughly as follows:
- In the debugger, stop the mother process after it has created the hollowed process and copied the memory into it, but before it resumes that process.
- Launch x64dbg and attach to the Process Hollowing process.
*If the target process is x86 (a 32-bit process), use x32dbg.
- Set a breakpoint at the OEP (Original Entry Point) with x64dbg (or x32dbg).
- Resume the "ResumeThread" call that was stopped in the debugger.
- The attached x64dbg (or x32dbg) stops at the breakpoint at the OEP of the "Process Hollowing" process.
- Analyze the IAT of the target process with Scylla and get the import table.
- Get a PE dump of the target process with Scylla.
- From the acquired PE dump, output an executable file with a resolved import table using Scylla's Fix Dump function.
Implementation procedures
Step 1: Attach to the Process Hollowing process with x64dbg
First, attach to the process targeted by Process Hollowing. Attach to the target process of "Process Hollowing" after the memory contents of the target process have been rewritten but before "ResumeThread" is called.
In the case of "MegaCortex" used in this article, the mother process stops at the call eax (eax holds the "ResumeThread" address) at offset 0x0D35 of the execution code expanded in memory.
Next, launch x64dbg or x32dbg. In this article, I use x32dbg because the target process is 32-bit.
Select "Attach" from the "File" menu. A list of 32-bit processes that can be attached to is displayed.
Select the target process. If you don't know the ID of the target process, check it with a tool such as "Process Hacker". Then press the "Attach" button.
The code of the attached process can now be seen in x32dbg. Set a breakpoint at the address corresponding to the OEP using the debugger's breakpoint function.
Additional step: How to get the OEP address
In this step, you have to know the OEP address. If you don't know it, you can easily find it by analyzing the PE header. Here is a simple procedure.
Display the memory at address 0x00400000. You can see an area that starts with "MZ". This is the DOS header (MZ header).
The header part of a Windows executable file is separated into three parts: "DOS header (MZ header)", "DOS stub", and "PE header". (Reference: https://blog.kowalczyk.info/articles/pefileformat.html)
The following shows the header of the executable program after it has been expanded into memory by the "Process Hollowing" of this specimen.
You can find the start position of the PE header from the "PE" characters, or from the offset value stored at 0x0040003C (the e_lfanew field of the DOS header).
Next, analyze this PE header.
The PE header contains the signature, the "Image file header", and the "Image optional header". To find the entry point, look at the "Image optional header": "struct _IMAGE_OPTIONAL_HEADER" contains "ULONG AddressOfEntryPoint" as a member. The OEP is obtained by adding the "Image Base" to this address.
0x000014B0 (AddressOfEntryPoint) + 0x00400000 (ImageBase) = 0x004014B0
* Note that the memory values are stored little endian.
The OEP is therefore 0x004014B0.
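As an added illustration of this header walk (example code, not from the original article), the following Python function reads the fields described above from a byte buffer captured at the image base and computes the OEP; the sample header it parses is constructed inline with this article's values, and the PE32+ branch and the load_base override (for a relocated image) are assumptions that go beyond the 32-bit case shown here.

```python
import struct
from typing import Optional
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B      # 32-bit optional header
PE32PLUS_MAGIC = 0x20B  # 64-bit optional header (assumed case, not in the article)

def parse_oep(image: bytes, load_base: Optional[int] = None) -> int:
    """Return the OEP (virtual address) of a PE image read from process memory.
    image: bytes read starting at the image base (the region beginning with "MZ").
    load_base: address the bytes were read from; when None the ImageBase field of
    the optional header is used, which is correct only if the image was not relocated.
    All multi-byte fields are little endian, hence the "<" in every struct format.
    """
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature at offset 0")
    # e_lfanew (DOS header offset 0x3C) gives the offset of the PE header.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    # The optional header follows the 4-byte signature and the 20-byte file header.
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)  # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)  # no BaseOfData in PE32+
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    base = image_base if load_base is None else load_base
    return base + entry_rva

def build_sample_pe32_header() -> bytes:
    """Constructed minimal PE32 header (not a real file) mirroring the article's
    values: AddressOfEntryPoint 0x14B0, ImageBase 0x00400000, e_lfanew 0x80."""
    dos = bytearray(0x80)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)
    # IMAGE_FILE_HEADER: Machine=i386, 3 sections, SizeOfOptionalHeader=0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x14B0)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)  # ImageBase
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)

if __name__ == "__main__":
    print(f"OEP = 0x{parse_oep(build_sample_pe32_header()):08X}")  # 0x004014B0
```

In the debugger case, the buffer would be the bytes read from 0x00400000 and load_base that same address.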
Step 2: Resume "ResumeThread" in the mother process and break at the OEP in the "Process Hollowing" process
Resume the process that was stopped before executing "ResumeThread" in the debugger. Confirm that the attached "Process Hollowing" process stops at the breakpoint. If the debugger attached to the "Process Hollowing" process is stuck inside a DLL, press Run once.
Step 3: Launch the "Scylla" plug-in
Launch "Scylla" from the "Plug-in" menu. The overall Scylla plug-in dialog is displayed.
Step 4: Check target process and OEP
Confirm that the target process is selected in "Attach to an active process" at the top. After selecting the process, check the address in the OEP field. If it differs from the OEP obtained in advance, overwrite it with the correct OEP. The address in the OEP field may change when "Attach to an active process" is operated (be careful!).
Step 5: Search IAT and get Import table with Scylla
After selecting the process, perform IAT analysis. Press the "IAT Autosearch" button near the center of the screen. The IAT is searched automatically and its start address and size are obtained; they are entered automatically in the VA and Size fields.
Next, get the import table information. Press the "Get Import" button under IAT Autosearch. The import table information is displayed in the "Imports" window.
Step 6: Get PE Dump from process of "Process Hollowing"
Dump the PE image of the process being analyzed. Click the "File" menu → "Dump Memory" in the Scylla dialog to display the Dump Memory dialog.
When the Dump Memory dialog opens, memory mapping information is displayed. Click the "Dump PE" button to open the "Save As" dialog box. Specify the folder and file name and save the dump data. After that you will be asked whether to save the mem as well, but this is not necessary.
Step 7: Fix the import table of PE dump
Resolve the import table of the dumped PE file. Press "Fix Dump" in the center of the screen. In the "Open" dialog box, select the PE dump file saved in Step 6. The image below is an example where the PE dump was saved with the name "sample2.exe" in Step 6.
As a result, a file with "_SCY" added after the selected file name and before the extension is output.
The output file has the import table set correctly. Furthermore, when I set a breakpoint at the OEP and executed it in IDA, it worked fine. For this reason, I think it is possible to analyze it while running in the debugger. However, I am not sure that this file works perfectly until the end.
Conclusion
I discovered the "Process Hollowing" technique in the "MegaCortex" specimen and tried to extract the executable. I recorded the steps because they seemed successful. I would be happy if they are useful for your malware analysis.
Let's hunt and kill malware!