Some sandboxes, for example, Cuckoo Sandbox, implement a technique known as hooking. The hooking of functions allows the programmer, user or analyst to intercept calls, messages or events passed between a program and its libraries. This is very useful when analyzing malware because it allows the reverse engineer to view the behavior of the sample (call-wise) and start analyzing it without having to start with the reverse engineering. This also allows the automation of the analysis of malware samples.
As my colleague Raashid Bhat explained in “Revisiting the latest version of Andromeda/Gamarue Malware”, the most recent version of Andromeda uses an anti-hooking technique meant to disrupt automated analysis by sandboxes.
Generally speaking, a simple unpack has three different phases. First, the unpacker resolves all the imports (functions from libraries) that the sample will need. Secondly, it extracts and writes the instructions of the sample, be it into his own memory, or the memory of another process (RunPE technique), and at last, executes or jumps into that code.
In this case, the anti-hooking mechanism can be found during the resolution of the imports. For each imported function, the unpacker checks which is the first instruction that is going to be executed by the function, based on the following decision tree, and stores and returns the size of the instruction:
Afterward, the unpacker begins to reconstruct the functions for the Andromeda sample. In order to do this, it creates a fragment of code for each import, with the first instruction of the function, and creates a jump that will land at the second instruction of the function. The jump address is calculated with the offset value obtained previously.
In the following fragment, it can be observed that the calls are made to addresses that do not belong to any library, but to a section of the sample itself. The fragment corresponds to the decision made after checking if the sample is being executed in a vm/sandbox. If it thinks that it’s being executed in a sandbox/vm, the process enters in a never-ending sleep loop):
Most of the calls present in this layer have the anti-hooking mechanism. For example, the call inside the loop (sleep):
The Andromeda anti-hooking technique can bypass simple hookings performed by some sandboxes, mostly because one of the most simple and effective hooking techniques in user space modifies the beginning of the call to redirect it to wherever the programmer wants, such as a code that registers the arguments received by the function, or the returned value.
For example, this technique can be used to avoid certain hooking configurations found in cuckoo. As long as the hooking occurs in user space, the malware sample will have the necessary mechanisms to bypass it, one way or another.
That’s all for today! We hope that this post will help you to find out more about antihooking techniques used by Andromeda.