Technical Analysis : NotPetya\Petya MBR


This post will cover technical details of custom boot loader of NotPetya\Petya.

It starts with copying disk sectors (overwritten by malware) 1 to 32 at address 0x8000. Below is the set of instruction performing above operation.


To read sectors from disk it use INT13 BIOS interrupt call.Below is an example of INT 13 interrupt.
DAP













AH 42h = function number for extended read
DL 80h  = drive index (e.g. 1st HDD = 80h)
DS:SI 7BDCh = segment:offset pointer to the DAP, see below

DAP : Disk Address Packet
offset range size value description
00h 1 byte      10h size of DAP (set this to 10h)
01h 1 byte      00h unused, should be zero
02h..03h 2 bytes    01h number of sectors to be read
04h..07h 4 bytes    0x8000h segment:offset pointer to the memory buffer to which sectors will be transferred
08h..0Fh 8 bytes 01h     absolute number of the start of the sectors to be read (1st sector of drive has number 0)

memory buffer 0x8000 where 1st sector is read and next stage execution begins.











Next step is to get information of drives having status code set between 0x80-0x8F. Below information about a drive is collected and stored in array where each entry is of 8-byte.
1.Status Code - 1byte
2.Drive Sector 0 contain overwritten MBR - 1byte
3.Drive Present - 1byte
4.Total Number of Sectors - 4bytes

Read Drive Parameters, if Drive exist this call will be successful and Drive Present Flag will be set to 1 else set to 0.












Get total number of sectors in a drive by reading partition table entries and update value Total Number of Sectors.













Check sector 0 of drive contain bytes overwritten by NotPetya\Petya and set Drive Sector 0 contain overwritten MBR flag to 1 else set to 0.




















Once information about all drives are read.It is stored into drive info array where each drive entry is eight bytes.Below drive info array containing two entries.
Drive info array





1.Status Code - 0x80
2.Drive Sector 0 contain overwritten MBR - 0x1
3.Drive Present - 0x1
4.Total Number of Sectors - 0x77FE098

Next it check whether drive is already encrypted by reading sector 32 (contains salsa20 key) of drive for which Drive Sector 0 contain overwritten MBR value is set to 1.If first byte of sector 32 is set to 1 it means already encrypted else not encrypted.




If disk is not encrypted.It proceeds with disk encryption and display below message on screen.








Read sector 32(contains sals20 key) and move 1 to first byte of sector 32 and destroy next 0x20 bytes (which is salsa20 key) by overwriting with 0's and write back to sector 32 of Hard Disk Drive.

Read sector 32.









move 1 to first byte of sector 32.



Destroy next 0x20 bytes (which is salsa20 key).











Buffer containing sector 32 overwritten bytes.






Write above buffer byte to sector 32 of Hard Drive Disk.
Read sector 33 and encrypt using salsa20 key.






















Next step is to iterate over drive info array entries mentioned above and if Drive Present value of an entry is set perform below task.
1.Read Sector 34 (holds encrypted System MBR).
2.Decrypt System MBR.
3.Read Partition Table entries from decrypted System MBR.
4.Read first absolute sector and Number of sectors for each partition table entry.
5.For each partition table entry calculate address of NTFS_BOOT_SECTOR structure.
6.From NTFS_BOOT_SECTOR structure read field n64MFTLogicalClustNum and calculate address of NTFS_MFT_FILE_ENTRY_HEADER.
7.From NTFS_MFT_FILE_ENTRY_HEADER read field wAttribOffset and jump to Master File Table Attributes represented by NTFS_ATTRIBUTE structure.
8.Continue to next Master File Table Attribute until Master File Table Attribute of type Data is not found.
9.Read Data run lists entry of Master File Table Data Attribute.
10.For each Data run list calculate number of clusters in it and offset of first cluster.
11.Start encrypting bytes of Data run list clusters using salsa20 algorithm.

Read sector 34(holds encrypted system MBR).









Decrypt System MBR.







Read Partition Table entries from decrypted System MBR






























Read first absolute sector and Number of sectors for each partition table entry.



First Partition Entry
1.First Absolute Sector - 0x3F
2.Number of Sectors - 0x04FF9725
Second Partition Entry
1.First Absolute Sector - 0x04FF9764
2.Number of Sectors - 0x02804934

For each partition table entry calculate address of NTFS_BOOT_SECTOR structure.
NTFS_BOOT_SECTOR is located at first physical address of partition entry which can be calculated as -Address of NTFS_BOOT_SECTOR = First Absolute Sector  of partition entry* Size of Sector = 0x3F * 0x200 = 0x7E00.
















NTFS_BOOT_SECTOR
















From NTFS_BOOT_SECTOR structure read field n64MFTLogicalClustNum and calculate address of NTFS_MFT_FILE_ENTRY_HEADER.

 n64MFTLogicalClustNum - 0x0C0000
wBytesPerSector - 0x200
uchSectorPerClust - 0x08

Address of NTFS_MFT_FILE_ENTRY_HEADER = ((n64MFTLogicalClustNum*uchSectorPerClust) * wBytesPerSector + (First Absolute Sector * wBytesPerSector)) = (0xC0000*8)*0x200 + (0x3F*0x200) = 0xC0007E00









NTFS_MFT_FILE_ENTRY_HEADER



From NTFS_MFT_FILE_ENTRY_HEADER read field wAttribOffset and jump to Master File Table Attributes represented by NTFS_ATTRIBUTE structure.
wAttribOffset = 0x38

Continue to next Master File Table Attribute until Master File Table Attribute of type Data is not found.






















Read Data run lists entry of Master File Table Data Attribute.
MFT Data Attributes





NTFS_ATTRIBUTE .dwType = 0x80
NTFS_ATTRIBUTE.dwFullLength = 0x48
NTFS_ATTRIBUTE.uchNonResFlag = 0x01

 NTFS_ATTRIBUTE.NONRESIDENT.wDatarunOffset = 0x40

Portion highlighted in orange is Data run list entry.
First byte is 0x32.
Lower nibble of first byte (0x32) which is 2 means read next two bytes (highlighted in blue) adjacent to first byte 0x32. This value denotes number of cluster 0x1848.
Higher nibble of first byte (0x32) which is 3 means read three bytes (highlighted in green) after the number of clusters value .This value denotes Absolute value of start of clusters for Data run list (0xC0000).
Adding higher and lower nibble of first bytes i.e. 3 + 2 = 5, which denotes size(in bytes) of a Data run list entry after first byte and after that second Data run list entry begin. In above image it is 0x00 which mean no more Data run list entry.

For each Data run list calculate number of sectors in it and offset of first cluster.










Physical Address of Cluster =  (Absolute Value of Start of Cluster Data run list entry* No of Sectors Per Cluster * BytesPerSector) + (First Absolute Sector * Size of Sector) = (0xC0000*8*0x200) + (0x3F*0x200) = C0007E00

In above code we can see it skips first 0x20 sectors i.e. 0x20 * 0x200 =  0x4000 bytes.
Therefore physical address of first cluster on disk from where encryption starts C0007E00 + 0x4000 = 0xC000BE00.

Number of sectors to encrypt = (Number of Cluster in Data run list entry * No of Sectors Per Cluster) = 0x1848 * 8  = 0xC240

It skips first 0x20 sectors therefore Number of  sectors to encrypt = 0xC240 - 20 = 0xC220 (49696).

Before start with encryption of 0xC220(49696) sectors from physical address 0xC000BE00 it display fake CHKDSK message.


















Read two sectors (0x400 bytes) from physical address 0xC000BE00 and encrypt using salsa20 algorithm.










Disk Address packet for reading disk.



Number of Sectors to read - 0x02
absolute number of the start of the sectors to be read - 0x60005F = 0x60005F * 0x200 = 0xC000BE00










Comments

  1. TreverHarsey5 July 2021 at 05:28

    Wonderful website. A lot of useful information here. I’m sending it to some friends ans also sharing in delicious. And obviously, thanks for your effort! mac service berlin

    ReplyDelete

Post a Comment

Popular posts from this blog

VIrtual Machine Detection Techniques

This post will cover techniques that can be used to detect virtualized environment. Sample Analyzed - hxxps://virustotal.com/en/file/46686679e58fe4767e6796ddb27f31f3a46e4310abb6cf51b031a0181ba08ddf/analysis/ 1.VMWare Backdoor This techniques uses special I/O port to send command and get output. VMware Command Execution code In above image VMWare I/O port is 'VX' (5658h) . Command number 0x0A (get vmware version). VMware version is return in register EAX as shown below. More About VM Backdoor Port  https://sites.google.com/site/chitchatvmback/backdoor 2.VPCEXT VPCEXT instruction is used to detect presence of Virtual PC. If opcode 0F 3F b1 b2 is run outside Virtual PC, illegal instruction exception is thrown otherwise return value in ebx register is checked.If value in ebx register is 0 which means Virtual PC detected. 3.DMIDECODE Utility dmidecode is a tool for dumping a computer's DMI (some say SMBIOS ) table contents in a
Read more

Analyzing ATM Malwares

This post will explain how to analyze ATM malwares developed using middle ware CEN/XFS (extension for financial services). ATM (Automated Teller machine). The three leading ATM vendors are - 1.NCR 2.Diebold 3.Wincor The main services (peripherals) of an ATM are - 1.Card Reader 2.PinPad 3.Cash Dispenser Applications developed to interact with ATM services (peripherals) uses CEN/XFS (extension for financial services). XFS provides the API to access and manipulate the ATM peripherals from different vendors as shown in below image. CEN/XFS Application Programming interface and SDK can be downloaded from below website under Published CWA's. https://www.cen.eu/work/areas/ICT/eBusiness/Pages/WS-XFS.aspx Apart from CEN/XFS Application Programming interface and SDK other important guides as mentioned below and can be download from above mentioned website. 1.Service Class Definition - Programmer's Reference 2.Identification Card Device Class Interface - Programmer&
Read more

Memory Forensics : Tracking Process Injection

This post describe about process memory internals which allow us to track process injections. Example used below is recent Brazil Malspam (hxxp://malware-traffic-analysis.net/2017/07/07/index.html) which inject DLL  fltLib.dll into process notepad.exe. Attach kernel debugger to infected machine and get information about notepad.exe  Process   object. Process object is represented by EPROCESS structure. VAD (Virtual Address Descriptors) is member of EPROCESS  structure and describes the layout of process memory segments. VADs contain the names of memory-mapped files, the total number of pages in the region, the initial protection (read, write, execute), and several other flags that can tell you a lot about what type of data the regions contain. VAD is a self balancing tree and each node in tree represent one range in process virtual memory.Each node has child in the form of left and right node.A node is represented using MMADDRESS_NODE structure. Listing all V
Read more

Samsung CTF : Chicken or Egg Reversing Challenge

 The CTF is over but i really enjoyed solving the challenge (https://sctf.codeground.org/ctf/prob).The challenge is to decrypt flag.enc. This is another APK + JNI (Java Native Interface) kind of challenge similar to the one in Google CTF 2017 (http://shasaurabh.blogspot.com/2017/07/google-ctf-2017-android-re-challenge.html). Challenge can be divided into three parts. 1.Android application (application) loading Native Library 2.Native Library decrypts DEX file in memory. 3.Using Reflection to call methods of decrypted DEX file in step 2. 1. Android application loading Native Library OnClick() method of MainActivity class calls constructor of Crypt class. Calling constructor of Crypt class results in loading of Native library ( libegg.so ) which is ELF for ARM. Constructor of Crypt class calls crackEgg method implemented in native library. 2.Native Library decrypts DEX file in memory. The native library reads the encrypted DEX file stored in asset fo
Read more

FireEye FLARE CTF 2017 : APK Challenge 8

The challenge required decrypting passwords in order to form AES key to decrypt the flag bytes. On decompiling flair.apk file we can see four classes for which we need to decrypt passwords. 1.Michael Class  It was pretty simple password comparison.The password is  MYPRSHE__FTW . 2. Brian Class Password is formed as shown below. String.format("%s_%s%x_%s!", new Object[]{t, y, Integer.valueOf(p), c}); t = (ImageView) findViewById(R.id.pfdu).getTag().toString() y = getApplicationContext().getPackageManager().getApplicationInfo(getApplicationContext().getPackageName(), 128).metaData.getString("vdf") p = (TextView) findViewById(R.id.vcxv).getCurrentTextColor() & SupportMenu.USER_MASK; c = (TextView) findViewById(R.id.vcxv).getText().toString().split(" ")[4]; The Password is  hashtag_covfefe_Fajitas! . 3.Milton Class The password is formed by decrypting a string and taking SHA1 of the decrypted string. Decryption algorithm
Read more

FireEye FLARE CTF 2017 : PEWPEWBOAT Challenge 5

The challenge is about selecting correct coordinates on to the map and advancing to the next stage to get flag. As we advance to next stage, the game print some metadata. After debugging the binary, the logic to calculate co-ordinate can be rewritten. Below is the python implementation of calculating co-ordinate and decrypting metadata for each stage. import binascii key = 0x3B1EE5F6B3D99FF7                #initial key to decrypt metadata. offset = 0x50E0                         #offset of metadata in binary f = open('pewpewboat.exe','rb') for i in range(0,11):     stage = i     v = ((i << 3) + i) << 6     f.seek(offset + v)     mask = '0x'     temp = '0x'     res = []     metadata = []     for i in range(0,0x240):         key = ((key * 0x41c64e6d) + 0x3039) & 0xFFFFFFFFFFFFFFFF         c = binascii.hexlify(f.read(1))         c = int(c,16)         c = c ^ (key & 0xFF)         metadata.append(chr(c))      
Read more

Debugging MBR : IDA Pro and Bochs Emulator

This post will explain how to setup Bochs Emulator to debug MBR. I will be taking NotPetya\Petya ransomware MBR as an example. Take dump of Physical Drive whose MBR is overwritten by NotPetya\Petya ransomware by its malicious MBR. dd utility for windows can be used for this purpose.Command to dump the disk is as shown below. dd.exe if=\\?\Device\Harddisk0\DR0 of=<output file path> bs=512k --size --progress if = input file of = output file bs = read and write bytes at a time Configuring Bochs Emulator. Go to installation directory of Bochs Emulator and open file bochsrc and provide below information. 1.Disk Geometry 2.Boot Drive Disk Geometry setting contain Cylinder,Head and Sector (CHS) value of disk. # ATA controller for hard disks and cdroms ata0-master: type=disk, path="winxp0.img", mode=flat, cylinders=124830, heads=16, spt=63 where path is dump of disk taken using dd utility. Boot Drive setting contain bootable drive type. # BOOT: # This de
Read more

Windows Registry Forensics

This blog post will cover how registry keys are stored in memory. There are many good tools available to extract windows registry information from memory or dump but it's always good to learn how the information is stored in memory and how these tools are extracting it. Windows Registry (Configuration Manager) in memory is represented using CMHIVE  structure.You can view CMHIVE structure here  https://www.nirsoft.net/kernel_struct/vista/CMHIVE.html . More about Registry structure can be found here  https://binaryforay.blogspot.in/2015/01/registry-hive-basics.html . We can locate CMHIVE structure in memory by scanning pool tag value  CM10 . The pool tag is part of POOL_HEADER ( https://www.nirsoft.net/kernel_struct/vista/POOL_HEADER.html ).The size of POOL_HEADER structure is 8 bytes in 32-bit OS and lies above CMHIVE structure in memory.Below is the result of command ! poolfind <tag> <pooltype>  in windbg where tag is CM10 and pooltype =1 (paged pool). B
Read more

DoublePulsar Backdoor

This post explains DoublePulsar Backdoor and how WannaCry Ransomware uses it to spread Itself. EternalBlue Installing DoublePulasr Backdoor EternalBlue exploits vulnerability in SMB protocol and execute shell code.Offset of shell code in EternalBlue binary that is present in shadow broker dump. Shellcode finds address of srv.sys (SMB Driver) and replace address of srv!SrvTransactionNotImplemented function in srv!SrvTransaction2DispatchTable with its own function address as shown below. Offset of function code in EternalBlue binary which replaces srv!SrvTransactionNotImplemented function address in srv!SrvTransaction2DispatchTable . Before overwriting srv!SrvTransactionNotImplemented function in srv!SrvTransaction2DispatchTable with  its own function address shell code allocates memory using ExAllocatePool API and write function bytes. Function code is stored at 0x48 offset from memory address re
Read more

Google CTF 2017 : Android RE Challenge

The challenge was consist of three parts. 1.Android application loading native library (ARM or x86) depending on platform. 2.Native library drops a dex file and dynamically loads it. 3.Native library modify bytes (in memory) of loaded dex file in step2. 1.Android application loading native library Decompiling food.apk file using JADX (Dex to Java decompiler) and looking at AndroidManifiest.xml we see activity is implemented in FoodActivity class. Looking at FoodActivity class it only loads the native library cook .The argument to System.loadLibrary is a library name chosen arbitrarily by the programmer. The system follows a standard, but platform-specific, approach to convert the library name to a native library name. For example, a Solaris system converts the name cook to libcook.so , while a Win32 system converts the same cook name to cook.dll . 2.Attaching to libcook.so . We will be using IDA Pro.Refer to http://www.hexblog.com/?p=809 for how to attach to nati
Read more