
Investigate injecting strings into agent binaries #3224

Closed
mssalvatore opened this issue Apr 12, 2023 · 2 comments
Labels: Complexity: High, Impact: High, Spike (A small chunk of work with the objective of gathering information.)

Comments

@mssalvatore
Collaborator

mssalvatore commented Apr 12, 2023

Spike

Objective

A common way of detecting malware is to search for strings in the binary. It could improve the fidelity of malware emulation if strings (or other data) could be injected into the agent binary at runtime by the island. The objective of this spike is to prototype an approach for injecting data into pyinstaller binaries.

Approach and Considerations

Based on some simple testing, it appears that arbitrary data can be appended to the end of an executable (Linux or Windows) with no ill effects. More thorough testing is required.

Strings should be separated with null characters.

Testing the PoC

  1. Collect a set of YARA rules based on strings, such as those found in [1] and [2]
  2. Inject/append strings to the binary
  3. Run YARA against the modified agent binary and verify that YARA identifies the binary as the expected malware.

Output

A report detailing:

  1. The approach
  2. Tradeoffs, lessons learned, or alternate approaches that can be or were considered
  3. Confirmation that appending random data does not affect execution of the agent binary
@mssalvatore mssalvatore added Impact: High Complexity: High Spike A small chunk of work with the objective of gathering information. labels Apr 12, 2023
@mssalvatore mssalvatore changed the title Investigate injecting strings int agent binaries Investigate injecting strings into agent binaries Apr 12, 2023
@mssalvatore mssalvatore self-assigned this Apr 20, 2023
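The procedure sketched in the spike (append NUL-separated strings, then confirm the original image is untouched and a string-based scanner recovers them) can be prototyped in a few lines. The following is an added example written for this page, not Infection Monkey code: it operates on a constructed ELF-like byte string and constructed marker strings instead of a real PyInstaller executable, and it stands in for YARA with a minimal printable-string scan, which is the kind of match a string-only rule performs.

```python
"""Prototype: append NUL-separated strings to a copy of a binary and confirm
(a) the original bytes are an untouched prefix and (b) a simple printable-string
scan (the same idea a string-based YARA rule relies on) recovers them.
Added example for illustration; not the project's own code."""
import hashlib
import re
from typing import List

# Constructed stand-in for an agent binary: an ELF magic header followed by
# padding. A real test would read the actual PyInstaller executable from disk.
SAMPLE_BINARY = b"\x7fELF" + b"\x02\x01\x01\x00" + b"\x00" * 56 + b"\xcc" * 64

# Constructed marker strings (not real indicators); a spike would instead take
# the strings from the YARA rules being exercised.
SAMPLE_STRINGS = ["EXAMPLE_MARKER_ONE", "example_marker_two", "Marker-3"]


def build_payload(strings: List[str]) -> bytes:
    """Encode strings as a NUL-separated, NUL-terminated blob."""
    for s in strings:
        if "\x00" in s:
            raise ValueError("strings may not contain NUL")
    return b"".join(s.encode("utf-8") + b"\x00" for s in strings)


def append_strings(binary: bytes, strings: List[str]) -> bytes:
    """Return a new image with the string blob appended after the last byte.
    The original bytes are only extended, never rewritten."""
    return binary + build_payload(strings)


def extract_printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal equivalent of `strings`: runs of printable ASCII of >= min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def verify_injection(original: bytes, modified: bytes, strings: List[str]) -> dict:
    """Report whether the original is an untouched prefix, how many bytes were
    appended, whether every injected string is recoverable by a printable-string
    scan, and whether the plain file hash changed (it always will)."""
    found = set(extract_printable_strings(modified))
    return {
        "prefix_intact": modified[: len(original)] == original,
        "appended_bytes": len(modified) - len(original),
        "all_strings_found": all(s in found for s in strings if len(s) >= 4),
        "hash_changed": hashlib.sha256(original).hexdigest()
        != hashlib.sha256(modified).hexdigest(),
    }


if __name__ == "__main__":
    modified = append_strings(SAMPLE_BINARY, SAMPLE_STRINGS)
    print(verify_injection(SAMPLE_BINARY, modified, SAMPLE_STRINGS))
```

The check deliberately covers only what the spike's test plan asks for: the appended region is visible to a string scan and the leading bytes are unchanged. Whether the loader ignores the trailing data, and what happens to a code signature, still has to be established by running the real binary, as the issue notes.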
@mssalvatore
Collaborator Author

mssalvatore commented Apr 20, 2023

Signed agent binaries

Appending random data to the Windows agent binary may not invalidate the signature.

Authenticode hashes do not cover the entire PE file, as regular hashes do. Authenticode hashes only cover specific PE sections, in a specific order. They specifically allow PE sections to be reordered, and some regions in the file to be modified.

Many people find it surprising that signed PE files can be modified without invalidating the signature.

Source: https://velociraptor.velocidex.com/verifying-executables-on-windows-1b3518122d3c

Experimentally, it seems that Windows believes the modified binary to be unsigned. While it would be nice for modified binaries to remain signed, this approach is acceptable as long as binaries do not have invalid signatures.

@mssalvatore
Collaborator Author

This feature will be implemented by #3240, #3241, #3242, and #3243.
