┌───────────────────────┐
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ │
│ █ █ █ █ █ █ │
│ █ █ █ █ █▀▀▀▀ │
│ █ █ █ █ ▄ │
│ ▄▄▄▄▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄ ▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄▄▄▄▄ │
│ █ │
PT_NOTE Disinfector │ █ │
~ manizzle └───────────────────█ ──┘
Hi all. Just to start, I am not an AVer. AVs suck, they are buggy and are usually prone to
exploitation. Feel free to fuzz the hell out of lief and capstone. I am sure they have bugs.
Now on to how to disinfect...
The PT_NOTE injection technique is quite clean and allows for a ready made memory slot to be filled
with goodies. But with all infection techniques, there is usually always a disinfection technique.
This is the nature of life.
I like to think of the easy by which to disinfect as a way to measure just how good an infection
technique is. The more constants in a disinfection technique, the more likely it will be broken
quicker. The game of cat and mouse goes on and on, and is the only way to develop more and more
insiduous virii. Keep playing the game with yourself and your virus will be the thing of madness
and wonder.
In this disinfection we use the fact that most virii will try to load the PT_NOTE segment as far
away as possible in case the binary is large and they are trying to make sure the goodies dont get
mapped over and cause some loading issues with the binary cause you gotta be surreptitious right?
We use Kmeans as a way to start and cluster the PT_LOAD segments together and we use the the inertia
of the clusters relative to their centroids as a way to measure how well Kmeans even did. Usually
for infections there is 1 PT_NOTE being infected but maybe sblip will tell you later, sometimes
there are 2 :)
if (math.log(cluster_1.inertia_)/math.log(cluster_2.inertia_)) < INERTIA_RATIO:
Once we have found out which segments seems to be mapped a bit farther than usual (though if you
wanted to map the PT_NOTE inbetween valid PT_LOADS and re-base the whole image, I mean who would do
such a thing?), we can begin to delve into its code.
Usually these virii will do some more worming around, infecting more files, but at some point they
need to let the program continue execution, you know, to avoid suspicion. We can assume that the jmp
to the original entry point occurs at the end of the infected PT_NOTE segment so we look for that.
Sometimes the jmp is direct, sometimes it is derived. We just follow the jmp target to a point where
it adds the OEP to the base it calculated before (if you want to get really fancy, you can always
use a use-def chain, but of course the virii can get even fancier and force you to resolve your
chain cross function boundaries OH MY!)
add {target}, CONST
Pop that back into your PHDR and you're back to the action
Better luck next time friend!
##################################################################
#!/usr/bin/env python3
from capstone import *
from collections import Counter
import lief
import math
import numpy as np
from sklearn.cluster import KMeans
import sys
# dont be an anti-re sucker dude
SUCKER_PUNCH = 3
# tested on a few large and small binaries
# most normal binaries fall within the range of 1.0SOMETHING
# even large multi-megabytes ones. I am sure we can find something
# that breaks it though
INERTIA_RATIO = 1.1
def find_anomalous_load_segment(segment_ranges):
segment_array = np.array(segment_ranges)
cluster_2 = KMeans(n_clusters=2, random_state=0).fit(segment_array)
cluster_1 = KMeans(n_clusters=1, random_state=0).fit(segment_array)
if (math.log(cluster_1.inertia_)/math.log(cluster_2.inertia_)) < INERTIA_RATIO:
print("No anomaly detected")
return None
cluster_counts = {v:k for k,v in Counter(cluster_2.labels_.tolist()).items()}
if 1 not in cluster_counts:
print("No singular cluster found")
return None
return segment_array[np.where(cluster_2.labels_ == cluster_counts[1])[0]][0]
def find_oep(segment_bytes, segment_start):
# we support x64-64 for now but this can be easily ported to
# other architectures as needed. Would be cool to use an IR
# here so that it is cross-platform
md = Cs(CS_ARCH_X86, CS_MODE_64)
md.skipdata = True
oep = None
last_jump = None
early_bail = 0
for r in [instr for instr in md.disasm(segment_bytes, segment_start)][::-1]:
if last_jump:
# if we see an instruction of the form
# add {target}, CONST
# we are probably adding the OEP to the base address
# We can make this more generic by actually constructing a
# real use-def chain here and solving for the actual value of
# rax here. Would require for finding functions like get_rip
# which are used to make jmps to the relative code easier
if last_jump + ", " in r.op_str and "add" == r.mnemonic.strip():
try:
oep = int(r.op_str.split(",")[1].strip(), 16)
break
except Exception as e:
# keep going, but unlikely we find it now
# keep trying a few more, but not too much
# you dont want to be suckered by some anti-re
early_bail += 1
if early_bail == SUCKER_PUNCH:
break
continue
if not last_jump and r.mnemonic.strip() == "jmp":
target = r.op_str.strip()
# Try to see if the jmp happens directly
# then take that value as the OEP
try:
oep = int(target, 16)
break
except Exception as e:
# If not, it is probably a register jump
oep = None
last_jump = target
return oep
def main():
l = lief.parse(sys.argv[1])
load_segs = [ [ll.virtual_address, ll.virtual_address + ll.virtual_size]
for ll in l.segments
if ll.type == lief.ELF.SEGMENT_TYPES.LOAD
]
anomalous_segment_start, anomalous_segment_end = find_anomalous_load_segment(load_segs)
segment_bytes = l.get_content_from_virtual_address(anomalous_segment_start, anomalous_segment_end)
real_oep = find_oep(bytes(segment_bytes), anomalous_segment_start)
print("found OEP: ", hex(real_oep))
l.header.entrypoint = real_oep
l.write(sys.argv[1] + ".cleaned")
if __name__ == "__main__":
main()