

Over the past few weeks, Portcullis has shared two parts of a three-part series on “Static Analysis vs Dynamic Imports”. Part 1 discussed in detail why malware developers use dynamic imports, and part 2 discussed the dynamic imports methodology used by a malicious driver.

In this final article, part 3, we demonstrate how to modify the code of the ChecksumExportLocator function so that it retrieves the exported function names instead of their addresses. The investigation also shows how to build a simple tool that automates this process for all of the dynamically imported APIs.

This investigation required Portcullis analysts to write a custom tool that automates the resolution of checksums to API names, which considerably speeds up the analysis. A tool was necessary because matching the hard-coded checksum constants against the kernel's exported function names by hand does not scale, and the same tool can be reused in subsequent malware investigations that use similar dynamic importing methods. Although the tool currently targets the custom checksum algorithm of this particular driver, it can be maintained by adding further checksum functions corresponding to different malware families. Furthermore, it is quite likely that a future version of the same malware will use the same dynamic importing method with the same algorithm.

Portcullis has compiled a three-part series on “Static Analysis vs Dynamic Imports”. Part 1 discussed in detail the reasons why malware developers use dynamic imports. If you missed the first article, please refer back to part 1.

Part 2 discusses the dynamic imports methodology used by a malicious driver.

This article takes the reader through a partial analysis of an actual piece of malware found in the wild. The aim is to show how the malware author attempts to find the base address of the Windows kernel module, and how the malware tries to hide its intended purpose. This is interesting because it uses the addresses of ‘legitimate’ functions in order to calculate the address of the intended target, making the malware appear benign at first glance. Finally, a description is given of how the malware computes custom checksums over exported function names and compares them against hard-coded constants in order to retrieve the kernel functions it needs.
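Both sides of the lookup described above, the driver hashing each export name until one matches a hard-coded constant, and the analyst's reverse mapping from constants back to names that the part 3 tool automates, as an added example that is not Portcullis' tool or the driver's code. The driver's custom checksum algorithm is not reproduced on this page, so a 32-bit ROR-13 hash stands in for it as a placeholder (an assumption); the export-name list and the hard-coded constants are constructed for the demonstration.

```python
from typing import Dict, List, Optional


def checksum(name: bytes) -> int:
    """Placeholder 32-bit ROR-13 hash. ASSUMPTION: this stands in for the
    driver's custom algorithm, which is not given on this page; swap in the
    recovered algorithm to use the tool on a real sample."""
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed export-name table, in the order a parser of the kernel's
# export directory (AddressOfNames) would yield them.
EXPORTS: List[bytes] = [
    b"ExAllocatePoolWithTag",
    b"ExFreePoolWithTag",
    b"IoCreateDevice",
    b"IoDeleteDevice",
    b"MmGetSystemRoutineAddress",
    b"ObReferenceObjectByHandle",
    b"PsLookupProcessByProcessId",
    b"ZwQuerySystemInformation",
]


def locate_export(target: int, exports: List[bytes]) -> Optional[int]:
    """Malware-side lookup: walk every export name, hash it, and return the
    index of the first match. In a driver that index would be used to pull
    the address out of AddressOfFunctions; here the index is returned so the
    caller can map it back to the name, which is exactly the change the
    part 3 article makes to the locator function."""
    for idx, name in enumerate(exports):
        if checksum(name) == target:
            return idx
    return None


def build_table(exports: List[bytes]) -> Dict[int, List[bytes]]:
    """Analyst-side: hash every export once and index by checksum, so that
    many constants can be resolved without re-hashing the whole list.
    Collisions are kept as a list rather than silently overwritten."""
    table: Dict[int, List[bytes]] = {}
    for name in exports:
        table.setdefault(checksum(name), []).append(name)
    return table


def resolve_constants(constants: List[int], exports: List[bytes]) -> Dict[int, List[bytes]]:
    """Map each hard-coded constant to the export name(s) it hashes to. An
    unresolved constant maps to an empty list, which is the signal to try
    another module's export table or a different checksum algorithm."""
    table = build_table(exports)
    return {c: table.get(c, []) for c in constants}


# Constructed constants, as they would be lifted from the driver's compare
# instructions. The first two are computed here so the demo is
# self-consistent; the third deliberately matches nothing.
CONSTANTS: List[int] = [
    checksum(b"PsLookupProcessByProcessId"),
    checksum(b"ZwQuerySystemInformation"),
    0xDEADBEEF,
]

if __name__ == "__main__":
    for const, names in resolve_constants(CONSTANTS, EXPORTS).items():
        shown = ", ".join(n.decode() for n in names) or "<unresolved>"
        print(f"0x{const:08X} -> {shown}")
```

On a real sample the export list would come from parsing the kernel image's export directory rather than a literal, and the `checksum` function would be replaced by the algorithm lifted from the disassembly; the lookup and resolution logic stays the same, which is why a per-family checksum function is the only part of such a tool that needs maintaining.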

The following is part 1 of a series of three blog posts, which describes in detail the reasons why malware developers use dynamic imports, how drivers operate in kernel mode, why they often require static analysis, and the challenges these elements present.

In a recent investigation, Portcullis had to undertake static analysis of a piece of malware which, acting as a driver, performed dynamic imports of Windows APIs.

Dynamic imports are always an issue from the malware analyst’s perspective, especially when performing static analysis on the various malicious components. We are going to focus on the Windows OS, where there are mainly two different methods of achieving dynamic importing of Windows APIs.