D-TIME: Distributed Threadless Independent Malware Execution for Runtime Obfuscation
An important aspect of malware design is to be able to evade detection. This is increasingly difficult to achieve with powerful runtime detection techniques based on behavioural and heuristic analysis. In this paper, we propose D-TIME, a new distributed threadless independent malware execution framework to evade runtime detection.
D-TIME splits a malware executable into small chunks of instructions and executes one chunk at a time in the context of an infected thread. It uses a Microsoft Windows feature called Asynchronous Procedure Call (APC) to facilitate chunk invocation; shared memory to coordinate between chunk executions; and a novel Semaphore based Covert Broadcasting Channel (SCBC) for communication between various chunk executions. The small size of the chunks along with the asynchronous nature of the execution makes runtime detection difficult, while the coordinated execution of the chunks leads to the intended malign action. D-TIME is designed to be self-regenerating ensuring high resilience of the system.
We evaluate D-TIME on a Microsoft Windows system with six different malware samples and demonstrate that it is not detected by 10 different anti-virus products. We also study its CPU usage and its influence on performance counters.
| Directory | Content |
|---|---|
| PoCs | Independent PoCs for the major concepts used (SCBC and re-generating APC-based emulators) |
| emulator | Sample code for the emulator and an example injection technique |
| samples | Six malware samples to test D-TIME in your environment |
| splitter | The IDA Pro plugin that splits the malware into chunks |
Description of each module is given in the README of the respective directory.
DISCLAIMER: All the content provided on this site is for educational purposes only. The site is in no way responsible for any misuse of the information.
It is assumed that the reader has already gone through the research paper - "D-TIME: Distributed Threadless Independent Malware Execution for Runtime Obfuscation" (to be) published in WOOT'19. Understanding of this paper is crucial to understand the following steps.
Detailed instructions for each of the following steps are given in README of relevant directories or respective files.
IMPORTANT: We have tested D-TIME on Windows 10 Pro (1803) using Visual Studio 2010. For the splitter, please use IDA Pro 6.5 (32-bit). You are recommended to use a similar setup for your first attempt to avoid confusion. (You can safely use the latest version of Windows 10.)
Note 1: We recommend building the system in debug mode for the first time. Once you have understood the framework you can build the same in release mode.
Note 2: We recommend attempting the Offline Keylogger sample for the first time. It is the simplest sample that we have provided.
In the Offline Phase, we create the chunks that will be distributed across threads in the Online Phase. For this:
- Build one of the sample malware programs.
- Use the malware binary (the output of the build above) to create the malware chunks with `splitter`. `splitter` creates the chunks and writes them to separate files.
- Follow the instructions provided under `splitter` to generate these files.
In the Online Phase, we inject the emulator into threads of the victim processes and execute the malware chunks in a distributed fashion. `emulator` contains instructions for building the emulator along with a sample injector that will inject the emulators for you.
- Go to `d_time.h` and set the following variables:
  - Uncomment `#define __LOG__`. This preprocessor variable logs the progress in `blkLog.txt` under the temporary folder. Note that logging drastically slows down D-TIME; for example, the keylogger may not be able to capture all keystrokes when logging is ON.
  - Under the `#ifndef __SELF_INJECTION__` section, uncomment the applications you would like to inject D-TIME into. Instructions regarding victim applications are given in the next section.
  - Uncomment
- Go to `main.cpp` and make the following changes:
  - `#define _NBLOCKS` and `#define _NSEGMS` should be set to the number of chunks and segments generated by the IDA Pro plugin. The plugin logs these numbers in the IDA Pro console at the end of its execution.
  - `#define _NPROC` is the number of victims. This must match the number of applications uncommented under `#ifndef __SELF_INJECTION__`.
- Build the `emulator`.
- Copy the chunk files generated in the Offline Phase to the working directory of the emulator.
- Make sure that your victim processes are running.
- Run `emulator.exe`.
The emulator build contains the actual emulator code and a sample injector. It will:
- Read your chunks from the working directory and store them in shared memory.
- Inject the emulator into the victim processes.
- Exit.
The injected emulator will now execute the chunks and re-generate itself to execute more chunks.
- Tip: Adjust the `skip_count` and `whitelist_count` arrays in `main.cpp` to control which threads are targeted. Avoid targeting the main/most important threads: if these threads get busy with APC executions, the process can easily hang.
IMPORTANT: D-TIME is a 32-bit application and requires 32-bit victim processes.
We have tested the following applications as victims:
- Chrome (version 74.0.3729.131)
- Skype (version 8.45.0.41)
- Opera (version 58.0.3135.132)
- Acrobat Reader (version 19.10.20099.322322)
- VLC (version 3.0.6)
- Calculator (version 1803) (the Calculator that ships with Windows 10 is 64-bit; please use the calculator that comes with 32-bit Windows 7)
Though we have provided the versions we tested on, you can safely use the latest version of these software.
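Because the injector only works against 32-bit victims and `_NPROC` has to agree with the number of victim applications you enabled, it is worth checking the victim set before running `emulator.exe`. The following PowerShell readiness check is an added example, not part of the D-TIME repository: it looks for each victim by image name, asks the kernel whether each matching process runs under WOW64 (i.e. is 32-bit on 64-bit Windows), and reports what `_NPROC` should be. The image names in `$victims` are assumptions for the applications listed above; adjust them to your installation.

```powershell
# Added readiness check for the victim list (not part of D-TIME).
# Run it in the same user session as the victim applications.

Add-Type -Namespace DTime -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
'@

function Get-ProcessBitness {
    param([System.Diagnostics.Process]$Process)
    # On 32-bit Windows every process is 32-bit. On 64-bit Windows a 32-bit
    # process runs under WOW64, which IsWow64Process reports as true.
    if (-not [Environment]::Is64BitOperatingSystem) { return '32-bit' }
    $wow64 = $false
    try {
        if ([DTime.Native]::IsWow64Process($Process.Handle, [ref]$wow64)) {
            if ($wow64) { return '32-bit' } else { return '64-bit' }
        }
    } catch {
        # Usually access denied: an elevated or protected process we cannot open.
    }
    return 'unknown'
}

# Image names (without .exe) assumed for the victims listed above; adjust as needed.
$victims = @('chrome', 'Skype', 'opera', 'AcroRd32', 'vlc', 'calc')

$report = foreach ($name in $victims) {
    $procs   = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    $bitness = @($procs | ForEach-Object { Get-ProcessBitness -Process $_ })
    [pscustomobject]@{
        Victim  = $name
        Running = $procs.Count
        Is32Bit = @($bitness | Where-Object { $_ -eq '32-bit' }).Count
        Unknown = @($bitness | Where-Object { $_ -eq 'unknown' }).Count
    }
}
$report | Format-Table -AutoSize

# Assumption: one entry under #ifndef __SELF_INJECTION__ per victim image that
# is actually running as a 32-bit process, so _NPROC equals that count.
$ready   = @($report | Where-Object { $_.Is32Bit -gt 0 })
$missing = @($report | Where-Object { $_.Is32Bit -eq 0 })
"Set _NPROC to {0} (victims with a running 32-bit process)" -f $ready.Count
if ($missing.Count -gt 0) {
    "Not ready (no 32-bit process found): " + (($missing | ForEach-Object { $_.Victim }) -join ', ')
}
```

On Windows 10 the built-in Calculator will show up with `Is32Bit` of 0 (it is a 64-bit app), which is exactly the case the note above warns about; start the 32-bit Windows 7 `calc.exe` instead and re-run the check. A non-zero `Unknown` column means some matching processes could not be opened (for example elevated ones), which the sample injector will not be able to inject into either.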