Documenting my research of Black Energy Driver, which is the loaded driver in the memory sample from "Malware Analyst Cookbook".
I was focusing integrating disassembling and Windows internals skill with memory forensics skills.
Black Energy is a malware used to perform variety of attacks. It contains multiple plugins used to perform different attacks capabilities.
I used Volatility to preform all the analysis of the memory sample and I have find out that there is loaded driver used by the malware.
I was interesting about the key features of the Black Energy Driver and wanted to understand how can I perform static reverse engineering of the driver when I have only the memory dump.
I couldn't find any report or documentation about loaded driver so I decided to try by myself 😄
I will skip this part because this is the well documented part. You can find lot of information and examples of investigating the Black Energy Driver using Volatility plugins.
I will go back to specific Volatility-plugins to fill the gap when I will dump the Black Energy Driver and start disassembling it.
- After running
callbacks
plugin on the memory sample we can see strange module-name appear:00004A2A
.
- The callbacks used by this module are:
PsCreateThreadNotifyRoutine
which can be used track and to notify the Driver whenever new Thread is created or terminated in the system.
- After finding indicator of suspicious module we can dump it and try finding it's logic using IDA.
- Let's find the base address of the module by it's name using
modscan
plugins andgrep
:
- We can use
moddump
to dump the module and perform further analysis using IDA:
- After dumping the module we should rebasing the driver address layout as it was when it was running when the memory dump was taken.
- Now we can load the module into IDA and perform rebasing to whole the module:
- Now we can start disassembling the module and search for more insights 💪✌️
- After fixing the address layout we can start reversing the module.
- The reversing process will be very difficult because IDA won't recognized any import functions used by the module, because the
IAT
is "broken" - We can use a another Volatility plugin to to recover the IAT using volatility
impscan
plugin:
- The output is very useful for our mission:
- IAT - represent address from the IAT directory of the module when is was running
- Function - The name of the import-function used in this address.
- I was writing simple script using Python to convert the output of
impscan
to usefulIDC
script which we can use in IDA:
- The script can be used as follow:
impscam_to_idc.py <iat_dump> <recovery_output>
- Let's look at the output (
IDC
script):
- Let's load the output script and fix the IAT of the module:
- Now we can see the recovered IAT and we can continue examining the module:
- Now IDA can provide us all the useful features, such as XRefs, etc.
- TODO
- TODO
- TODO
- TODO