What is "Dynamic API loading"?

Legal usage :

Dynamic loading is a mechanism by which a computer program can, at run time, load a library (or other binary) into memory.
```
 more here > https://en.wikipedia.org/wiki/Dynamic_loading#cite_note-autobook-1
```

Illegal usage :

It is an antivirus bypassing technique used by malware to bypass static scanning and analysis by hiding the names of libraries and APIs they are using to hide their functionality.

Implementation stages :

1- Encrypting the names of libraries and APIs.

2- storing encrypted names in the executable.

3- Calling an API called "LoadLibraryA" to load the library he wants to APIs from.

4- Decrypting those names to be valid arguments.

5- Calling an API called "GetProcAddress" to load the API he wants to use.

Step by step explanation:

1- Encrypting the names of libraries and APIs:

In this stage, the malware author writes a program to implement an encryption algorithm taking a name as an input and return an encrypted string.

"This is a basic C++ program to implement a simple encryption algorithm just to explain the concept"

2- storing encrypted names in the executable:

In this stage, the malware author takes the encrypted names and store them in the malware as strings like this :

This is how it looks in the source code, let's see how it looks in real malware after being disassembled using IDA :

this is the main function of our samples calling the function that does "Dynamic API loading" which we are going to analyze:

let's open this function:

we will see this:

we will just focus on our encrypted name:

if we clicked on it, IDA will take you to its address the executable data section

like this:

3- Calling an API called "LoadLibraryA" to load the library he wants to APIs from:

LoadLibraryA: This API loads a dynamic link library into the virtual memory of

the calling program and returns its address.

so as you see it takes one argument and returns an address for the loaded library, lets see how it looks in our sample:

as we see he pushed the name of the library into the stack as an argument for the "LoadLibraryA" function, and it returns the address into the eax register and then he moves it into the esi register which got tested to make sure that the library loaded successfully.

4- Decrypting those names to be valid arguments:

the malware author now needs to decrypt API names to pass them as arguments for the API that will do Dynamic API loading, so the malware must have a decryption function that takes the encrypted names and returns them decrypted, lets see how does it look inside our sample:

so as we see in the above assembly instructions,

1-he created an instance variable and loaded its address into the eax register and pushed eax into the stack and also pushed the encrypted name address into the stack to be arguments for the function called "IstrcpyA" that copies the encrypted name into the instance variable.

2- then he loads the address of the variable containing the encrypted name into the eax register and pushes eax into the stack to be an argument for the decryption function (I named it to be "SHO_decrypyFunc"), we will not talk about the analysis of the decryption function we will analyze it in another post.

but we need to know which APIs does the malware load without analyzing the decrypt function so we will use OllyDbg to find out what the return of the decrypt function:

after executing the decryption function :

the output is "GetSystemDirectoryA".

5- Calling an API called "GetProcAddress" to load the API he wants to use.

GetProcAddress: This API gets the address of an API given its name and the

address of the library that contains this API.

this is how it looks in our sample :

he puts the decrypted API ("GetSystemDirectoryA") address into the edx register and then pushes it into the stack, also it pushes the esi register which contains the address of the library ("KERNEL32.dll") containing the API("GetSystemDirectoryA") he wants to load.

the GetProcAddress API will return the address of the API passed to it ("GetSystemDirectoryA") inside the eax register, the malware now can use this API as it wants.

now the malware managed to use Dynamic API loading to load and use APIs that will not appear in the executable imports when doing static analysis and antivirus will not be able to know that this is a malicious file when it checks it on the hard disk.

thanks for reading and please contact me if you would like to discuss anything with me

feel free to contact me here:

Twitter:@0xsho_O

Gmail: abdelrahman.essaam@gmail.com

resources :

mastering malware analysis book

https://docs.microsoft.com

en.wikipedia.org

Search This Blog

Abdelrahman Essam

How Malwares use Dynamic API loading to bypass signature based Static Scanning

What is "Dynamic API loading"?

Legal usage :

Illegal usage :

Implementation stages :

Step by step explanation:

1- Encrypting the names of libraries and APIs:

2- storing encrypted names in the executable:

3- Calling an API called "LoadLibraryA" to load the library he wants to APIs from:

4- Decrypting those names to be valid arguments:

5- Calling an API called "GetProcAddress" to load the API he wants to use.

Comments

Post a Comment