Lab 2: Explicit Linking & Function Hashing
Overview
The goal of this lab is to give you a high-level overview of how programs can
load external library functionality at run time. Malware developers often do
this so that the Windows API functions they use don't show up in the import
table of the PE headers, which is one of the first places an analyst looks.
Goals:
- Understand dynamic loading
- Practice using a debugger on Windows
- Practice skills for malware analysis
Estimated Time: 1 hour, 15 Minutes
Part 1: Dynamic Loading
Get the example program:
dyn-load-example.exe
Run the program, then trace it with procmon.
You should see it repeatedly try and fail to open a .dll file. Look for many
CreateFile operations in a row whose Result column shows a failure (for example
NAME NOT FOUND) rather than SUCCESS.
Question
What is the name of the file that fails to open?
Examine the program in Binary Ninja
Use the Strings view to find the name of the file, then follow the cross-reference to the code that uses that string. Review the code that does the dynamic loading and explain which functions are used.
Question
What does the LoadLibrary Windows API function do?
What does the GetProcAddress function do?
These two functions are used for "explicit linking" (also called run-time dynamic linking). Because the library and function names are passed as ordinary strings at run time instead of being recorded in the import table, malware authors use them to hide or obfuscate the functionality of their code.
Question
What function does this program want to call from the .DLL?
Download the shared library:
temp_name.dll
Next, rename this file to the correct name that you found in your earlier
analysis and run the dyn-load-example.exe program again. You should notice
that the behavior changes.
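The same explicit-linking pattern can be reproduced in a few lines of Python with ctypes. This is an added example, not the code of dyn-load-example.exe: on Windows ctypes.CDLL calls LoadLibraryA and attribute lookup on the handle calls GetProcAddress; on Linux and macOS the equivalents are dlopen and dlsym. The C runtime library stands in for the lab's DLL and strlen stands in for the lab's exported function (both are assumptions so the example runs anywhere). Note that the library name and the function name are plain strings, so neither would appear in an import table, and a missing library is only discovered when the load is attempted, which is exactly the run of failed CreateFile calls you saw in procmon.

```python
"""Explicit (run-time) linking with ctypes.

Added example, not the lab's dyn-load-example.exe.  The library name and the
function name are ordinary strings; nothing about them is recorded in the
import table.  A missing library shows up as a failed open at run time.
"""
import ctypes
import ctypes.util
import sys


def load_library(name):
    """LoadLibrary / dlopen step: return a handle, or None if the library is missing."""
    try:
        return ctypes.CDLL(name)
    except OSError:
        # Same failure dyn-load-example.exe hits before the DLL is renamed.
        return None


def resolve(handle, func_name):
    """GetProcAddress / dlsym step: return the function's address, or None."""
    try:
        return ctypes.cast(getattr(handle, func_name), ctypes.c_void_p).value
    except AttributeError:
        return None


def c_runtime_candidates():
    """Library names to try as a stand-in for the lab's DLL (assumption: a C runtime exists)."""
    if sys.platform == "win32":
        return ["msvcrt.dll"]
    found = ctypes.util.find_library("c")
    # None asks dlopen for the main program, which already has libc's symbols visible.
    return [n for n in (found, "libc.so.6", "libc.dylib") if n] + [None]


def call_strlen(data):
    """Load the C runtime explicitly, resolve strlen by name, and call it.

    Returns None if neither the library nor the function can be found, so the
    caller can change behaviour the same way dyn-load-example.exe does.
    """
    for name in c_runtime_candidates():
        lib = load_library(name)
        if lib is None or resolve(lib, "strlen") is None:
            continue
        strlen = lib.strlen
        strlen.restype = ctypes.c_size_t
        strlen.argtypes = [ctypes.c_char_p]
        return strlen(data)
    return None


if __name__ == "__main__":
    # A library that does not exist: the "load" fails, just like the unrenamed DLL.
    print("missing library ->", load_library("temp_name_does_not_exist.dll"))
    print("strlen(b'hello') ->", call_strlen(b"hello"))
```

If you run this under procmon you will see the same pattern as the lab program: a CreateFile on each candidate library name, failing until one is found.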
Setup Binary Ninja Debugger

Note
If the link in the above screenshot doesn't work for you, you aren't using the personal edition of Binary Ninja. Install that and proceed, or follow the instructions on the Binary Ninja docs page.
Install WinDbg with Binja Free Edition
Please follow the documentation to install WinDbg manually.
Use this bundle rather than trying to parse the XML file like it says:
windbg.msixbundle
Create a new time-travel debugging (TTD) trace



Launch the debugger with your new trace

You’ll need to also update the debugger settings to point to the trace you took earlier.

View the loaded modules

Question
Are there any modules here that were not loaded during your initial results with procmon above?
Set a breakpoint on the call to LoadLibraryA
Breakpoints are set at the instruction level, so this is best done from the disassembly view: find the call instruction that references LoadLibraryA and set the breakpoint on that instruction.

Use the icons in the top of the debugger window to step through the code.
Tip
This is a time-travel debugging (TTD) trace which means that the program has
already run. This has some pros and cons. The con is that you won’t be able to
do some nice features of a debugger like changing the value of a register and
seeing what happens in the program. However, the pro is that you can go
backwards if you want!

Question
What is the base address of the newly loaded module?
Keep stepping forward until you get to the point after the call to
GetProcAddress.
Question
What is the address of the myputs function?
Part 2: Function Hashing
Download the hash-example files:
hash-example.exe
Run the program to see what it does
Note
This program was written by the instructors and is safe to run.
Question
Make a hypothesis about the secret function that was called. What do you think it does?
Analyze the program in Binary Ninja
This program uses a malware technique known as function hashing or API hashing in order to hide the names of the library functions that are called. This makes it harder for reverse engineers to figure out what a program is doing. Reverse the program in Binary Ninja to answer the following questions:
Question
Where are the function hashes being calculated?
Tip
Often, you will see several hashes checked one after another at the same point
in the program and the resolved addresses stored in an array, so they can be
looked up quickly later on. Also note that the hash values are usually small
4- or 8-byte integers (for example 0x12345678) produced by a simple custom
routine such as a rotate-and-add loop or CRC32, not the long digests produced by
SHA-256 or MD5.
Question
What libraries (.dll files) is the program using to look up functions? (Hint: There are three names)
Use the Binary Ninja debugger to find the secret function
Rather than trying to completely reverse engineer the hash algorithm, it is usually easier to use a debugger to set a breakpoint when the hashed function is actually called. Then you can see which function in the loaded library corresponds to the hash.
You may need to rebase the program in binary ninja if the addresses don’t
match where you set your breakpoint.



The debugger console lets you type commands and inspect memory in a text
interface. This is similar to the gdb prompt you used earlier in this class.
Binary Ninja uses a WinDbg backend for debugging Windows programs, so any
commands that you enter in the console should be WinDbg commands: for example,
lm lists loaded modules, bp sets a breakpoint, g continues, k shows the call
stack, and da displays the ASCII string at an address. In a TTD trace the
reverse forms g- and p- run or step backwards.
Question
Set a breakpoint at the call instruction and determine the name of the secret function and what library it comes from.
Using the HashDB plugin
One of the main reasons to use the paid version of Binary Ninja is the plugins! People from the security community write plugins to extend the functionality of Binary Ninja so that certain repetitive or niche problems can be solved more easily.
The HashDB plugin is a great example of this! Check out their website for more info.
To use the plugin with Binary Ninja, you need to install it:

To use it you need to go through a couple of steps:
First you need to Hunt for the hash algorithm. To do this, right-click on a hash value and use the Hunt feature to find an algorithm that matches that hash value.

Next you'll need to do a Hash Lookup, which looks up the function names using the algorithm you selected in the previous step and creates an enum entry with hash values mapping to function names for a specific library. Make sure you select the correct one in the drop-down menu!

Finally, you can replace the hash value in the Binary Ninja code view using the
Display As > Enum Member option or by using the M shortcut key.

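The following added example (not the code of hash-example.exe and not the HashDB plugin) ties the two halves of Part 2 together: it shows what a hashed-import loader does when it walks an export table comparing hashes against a baked-in constant, and it shows the analyst's Hunt and Hash Lookup steps against a list of candidate algorithms. The two algorithms are a ROR13 rotate-and-add hash of the kind used by many shellcode loaders and plain CRC32; which algorithm hash-example.exe really uses is not assumed here, and the export list is a constructed stand-in for kernel32.dll's export table.

```python
"""API hashing: the loader's check, and the analyst's Hunt / Hash Lookup.

Added example.  Algorithms and the export list are illustrative; nothing here
is taken from hash-example.exe or from the HashDB plugin.
"""
import zlib

MASK32 = 0xFFFFFFFF


def ror13_add(name):
    """Rotate-right-13-then-add over the ASCII bytes of an export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32   # 32-bit rotate right by 13
        h = (h + b) & MASK32
    return h


def crc32(name):
    """Standard CRC32 (IEEE), the other common choice for API hashing."""
    return zlib.crc32(name.encode("ascii")) & MASK32


# Candidate algorithms an analyst would try, keyed by name.
ALGORITHMS = {"ror13_add": ror13_add, "crc32": crc32}

# Constructed stand-in for kernel32.dll's export table.
KERNEL32_EXPORTS = [
    "CreateFileA", "GetProcAddress", "LoadLibraryA", "VirtualAlloc",
    "WriteProcessMemory", "WinExec", "ExitProcess",
]


def malware_resolve(target_hash, exports, algo=ror13_add):
    """What the hashed-import loader does at run time: hash every export
    name and return the one matching the constant baked into the binary."""
    for name in exports:
        if algo(name) == target_hash:
            return name
    return None


def resolve_table(constants, exports, algo=ror13_add):
    """Several hashes resolved in a row and kept in an array (see the Tip above)."""
    return [malware_resolve(c, exports, algo) for c in constants]


def hunt(target_hash, exports):
    """HashDB's Hunt step: which algorithms map some known name to this value?"""
    return [alg for alg, fn in ALGORITHMS.items()
            if any(fn(n) == target_hash for n in exports)]


def hash_lookup(algo_name, exports):
    """HashDB's Hash Lookup step: an enum-style hash -> name table for one library."""
    fn = ALGORITHMS[algo_name]
    return {fn(n): n for n in exports}


if __name__ == "__main__":
    # Constants a loader might carry instead of import names.
    constants = [ror13_add("LoadLibraryA"), ror13_add("WinExec")]
    print("loader resolves:", resolve_table(constants, KERNEL32_EXPORTS))
    print("hunt:", hunt(constants[1], KERNEL32_EXPORTS))
    for h, name in hash_lookup("ror13_add", KERNEL32_EXPORTS).items():
        print(f"  0x{h:08x} = {name}")
```

Hunt returns every algorithm that reproduces the value, which is why HashDB asks you to confirm the choice: a short constant can occasionally collide across algorithms, so check a second hash from the same binary before trusting the match.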
Note
Shout out to Anuj Soni for putting together a great video walkthrough explaining how to use the HashDB plugin.
Question
What other functions does this program lookup from common windows libraries?
Tip
- Don't worry if the Windows API functions don't make a lot of sense yet. We don't expect you to become Windows experts overnight.