Test Driving GHIDRA: NSA Reverse Engineering Tool

Screenshot from 2019-03-27 01-45-06

Its elegance caught me by surprise

I was rightly impressed when I first started it. Running it was as easy as installing an up-to-date version of Java and running a script.

But what surprised me the most was how many features it had for FREE, open-source software.

Re-exploring Meterpreter as the test subject

In a previous article, I created a simple Meterpreter RAT and compiled it as an ELF binary, while explaining how to perform the initial stages of static binary analysis with objdump and how to manually generate shellcode.

And today, we are going to delve deep into the workings of Rapid7’s proprietary Remote Access Trojan, Meterpreter, as well as its beating heart, Mettle.

Screenshot from 2019-03-27 02-06-51

When the shell “lands”, a reverse connection is formed back to the attacker

Ghidra’s decompilation features work exactly the same way as RETDEC, or Retargetable Decompiler, another free alternative to IDA Pro.

In this section of code, the Meterpreter RAT opens a TCP client socket to call back to the listening C2 (Command and Control) server.

Screenshot from 2019-03-27 02-05-31

Binary encryption and “packing” to evade detection of its payload

Meterpreter also uses encoding and encryption, apparently. The green text is the decryption key used to decode additional malware instructions that it is hiding in an array somewhere.

Screenshot from 2019-03-27 02-04-04

The beating heart of Meterpreter

In Mettle’s main function, notice that Meterpreter has…

1. A process monitor to check on the shell’s status (is it still alive?)

2. A job monitor, to ensure that the RAT is always kept busy performing a process asynchronously until it gets more orders from C2

3. A channel manager to help coordinate sessions and connections/transports with the attacker’s server

4. And a module manager that controls all of Meterpreter’s features such as dumping the Windows NT Hive of credentials and opening a local port-forwarding tunnel to pivot by attacking neighboring hosts

Screenshot from 2019-03-27 02-03-11

One of the first things it does upon execution of the payload is to immediately enumerate the victim’s operating system. It stores the result in a variable and eventually reports it to the attacker.

Screenshot from 2019-03-27 01-59-39

Still not immune to memory forensics!

If you are using Volatility, this section here is gold. Using the malware-finder (malfind) module, you can easily locate these mutexes in a memory dump; they are usually generated as the malware migrates, injects, or spawns new processes.


Screenshot from 2019-03-27 01-58-48

How Metasploit moves from one process to another to gain privileges and avoid detection and destruction by antivirus and anti-malware solutions

In this section, Meterpreter is about to perform a process migration. If it sees a suitable process to migrate to, such as svchost.exe running with SYSTEM-level privileges, the original RAT creates a new thread inside that running process by injecting into it using one of a multitude of techniques such as “process hollowing”, then detaches/forks from it, and the parent process self-destructs to clean up after itself.

Once the injected process runs the new code, a new connection is made back to the attacker, and they can continue to rampage unhindered.

Screenshot from 2019-03-27 01-57-10

For some strange reason, the Linux version of Meterpreter relies heavily on the curl command to make web requests.

Screenshot from 2019-03-27 01-56-09

Ghidra can identify logical decision-trees very well from just Assembly compare-and-jump-to instructions

Just as I suspected yesterday, the frequent CMP and JMP instructions in the assembly opcodes imply that there is a decision-making tree here. In other words, if/then statements covering this entire function.

Screenshot from 2019-03-27 01-54-52
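To make the point concrete, here is an added example (not code from the original post, and not Ghidra’s own implementation) of how a decompiler recovers that tree from nothing but compare-and-jump instructions: it splits a flat listing into basic blocks at jump targets and fall-throughs, then records which block follows which. The listing it parses is constructed by hand to look like objdump output, with made-up addresses; the mnemonic set is a small assumed subset of x86 conditional jumps.

```python
"""Recover basic blocks and branch edges from a flat assembly listing.

Added example; the listing below is constructed for the demo and is
not taken from the Meterpreter binary. Blocks that end in a
conditional jump are exactly the nodes a decompiler turns into
if/else statements.
"""
import re
from collections import OrderedDict

# Constructed sample listing (hypothetical addresses): compare a value
# against two constants and branch three ways before a common return.
LISTING = """\
401000: mov eax, [rdi]
401003: cmp eax, 0x1
401006: je 401014
401008: cmp eax, 0x2
40100b: jne 401020
40100d: mov eax, 0x2
401012: jmp 401024
401014: mov eax, 0x1
401019: jmp 401024
401020: xor eax, eax
401024: ret
"""

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+):\s+(\w+)\s*(.*)$")
# Assumed subset of x86 conditional jumps used by the sample.
COND_JUMPS = {"je", "jne", "jz", "jnz", "jl", "jle", "jg", "jge",
              "ja", "jb", "jae", "jbe"}


def parse_listing(text):
    """Return a list of (address, mnemonic, operand string) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return insns


def build_cfg(insns):
    """Split instructions into basic blocks.

    Returns {leader_addr: {"insns": [...], "succ": [addr, ...]}}.
    Leaders are the first instruction, every jump target, and every
    instruction following a jump or ret. A conditional jump yields two
    successors (taken target first, then fall-through), which is the
    if/else split the decompiler shows.
    """
    addrs = [a for a, _, _ in insns]
    leaders = {addrs[0]}
    for i, (addr, mn, ops) in enumerate(insns):
        if mn in COND_JUMPS or mn == "jmp":
            leaders.add(int(ops, 16))
        if (mn in COND_JUMPS or mn in ("jmp", "ret")) and i + 1 < len(insns):
            leaders.add(addrs[i + 1])

    blocks = OrderedDict()
    current = None
    for addr, mn, ops in insns:
        if addr in leaders:
            current = addr
            blocks[current] = {"insns": [], "succ": []}
        blocks[current]["insns"].append((addr, mn, ops))

    for blk in blocks.values():
        addr, mn, ops = blk["insns"][-1]
        idx = addrs.index(addr)
        nxt = addrs[idx + 1] if idx + 1 < len(addrs) else None
        if mn == "jmp":
            blk["succ"] = [int(ops, 16)]
        elif mn in COND_JUMPS:
            blk["succ"] = [int(ops, 16)] + ([nxt] if nxt is not None else [])
        elif mn == "ret":
            blk["succ"] = []
        elif nxt is not None:
            blk["succ"] = [nxt]
    return blocks


def decision_blocks(blocks):
    """Addresses of blocks ending in a conditional jump: the if-nodes."""
    return [leader for leader, blk in blocks.items()
            if blk["insns"][-1][1] in COND_JUMPS]


if __name__ == "__main__":
    cfg = build_cfg(parse_listing(LISTING))
    for leader, blk in cfg.items():
        print(f"block {leader:#x}: {len(blk['insns'])} insns -> "
              f"{[hex(s) for s in blk['succ']]}")
    print("decision blocks:", [hex(a) for a in decision_blocks(cfg)])
```

Run on the constructed listing this yields six blocks, two of which end in a conditional jump; those two are the nested if/else that Ghidra would render for this function. Real listings add indirect jumps and computed targets, which this simple splitter ignores.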

Rapid7 REALLY loves the curl command

Moving right along, notice Meterpreter’s reliance on the curl command. Once Meterpreter determines that curl pipelining is supported, it constructs an HTTP/1.1 request and then returns the value to the pointer.

Screenshot from 2019-03-27 01-53-41

When I was scanning test.ELF on hybrid-analysis.com, the process of “thunking” set off a red flag in their criteria, alleging that it was an attack technique or something. As it turns out, it’s meant for backwards compatibility of the malware instructions with x86, or 32-bit, instruction sets and data structures, apparently.

https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/why-thunking-is-necessary

Screenshot from 2019-03-27 01-50-49

You can even see the commands that Meterpreter accepts!

And oooh man, bad call! The Remote Access Trojan’s commands are in plaintext strings that are easily detectable using the strings command, or with basic binary analysis tools like objdump.

What I highlighted there is a command that the attacker can send to Meterpreter to secretly start or stop the victim’s webcam from recording them.

Anti-malware vendors should take note of this fact for immediate profiling of its signature.
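The profiling the post calls for is essentially a strings pass plus a watch-list, so here is an added example of that pipeline (my code, not Rapid7’s and not from the original post). The byte blob standing in for an unpacked binary section and the watch-list terms are constructed for the demo; the two command-like strings are hypothetical names chosen to resemble the webcam start/stop commands highlighted above, not the real Meterpreter identifiers.

```python
"""Extract printable strings from a binary blob and match them against
a watch-list, the way a triage pipeline flags a payload whose command
names are stored in the clear.

Added example; SAMPLE_BLOB and WATCHLIST are constructed for the demo.
"""
import re

# Constructed stand-in for an unpacked ELF section: header bytes and
# filler around a few embedded strings (hypothetical command names).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    + b"\x90\x90\xcc\x00"
    + b"webcam_start\x00"
    + b"\x13\x37\x00"
    + b"webcam_stop\x00"
    + b"\xde\xad\xbe\xef"
    + b"/usr/bin/curl\x00"
    + b"hello\x00"
)

# Constructed watch-list of substrings with a human-readable reason;
# not a vendor signature set.
WATCHLIST = {
    "webcam": "remote webcam control command present",
    "/usr/bin/curl": "hard-coded curl path (HTTP transport)",
}


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, decoded,
    in file order (the same idea as `strings -n min_len`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def match_watchlist(strings, watchlist=WATCHLIST):
    """Return [(string, reason)] for every string containing a watched term."""
    hits = []
    for s in strings:
        for term, reason in watchlist.items():
            if term in s:
                hits.append((s, reason))
    return hits


def triage(data, min_len=4):
    """Summarise a blob: all strings, the watch-list hits, and a verdict."""
    strings = extract_strings(data, min_len)
    hits = match_watchlist(strings)
    return {"strings": strings, "hits": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    for s, reason in report["hits"]:
        print(f"{s!r}: {reason}")
    print("suspicious:", report["suspicious"])
```

This only works on the unpacked image: the encryption and packing noted earlier hide these strings on disk, so in practice the same pass is run over a process dump or a memory image (which is where the Volatility step above fits in). Substring matching is deliberately loose and is a triage heuristic, not a verdict on its own.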

Screenshot from 2019-03-27 01-48-39
