PMA 420: Bootkit Analysis with Bochs (15 pts)

What You Need

A Windows 2016 Server. I used a Google Cloud machine.

Purpose

To examine a bootkit using the Bochs emulator and IDA Pro.

WARNING: Real Malware

This project uses real malware. You need to use an isolated machine with no important data on it, and you'll need to disable security software.

Preparing a Windows Machine

Set up the Windows machine as specified in the previous project "PMA 30".

Install the Immunity Debugger from here:

https://www.immunityinc.com/products/debugger/

We don't need Immunity, but we need Python, which it installs.

Turning Off Windows Defender

Windows Defender will delete this sample, so it must be disabled.

Click Start and type DEFENDER.

In the search results, click "Windows Defender settings".

Turn off the first three options, as shown below.

Source

This project follows chapter 9 of this book:

Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

Installing Bochs

On your Windows machine, in Firefox, go to

https://sourceforge.net/projects/bochs/

Click Download, as shown below.

The download froze on my machine, with a "5" just sitting there in a green circle. If that happens, click the "Problems Downloading" button.

Then click "direct link". Click the "Save File button.

In your Downoads folder, double-click the Bochs-2.6.9.exe file.

Install the software with the default options.

Downloading Component Files

On your Windows machine, in Firefox, right-click the link below and save the file.

bootkits-master.7z

If you don't have it, install 7-Zip from 7-Zip.org

Unzip the archive with 7-Zip. Use the password malware.

Double-click the bootkits-master folder and double-click the MBR folder to find the two files you need, as shown below.

Creating a Working Folder

Open a new File Explorer window. Navigate to the root of C:. Create a folder named C:\bootkit. Copy the two files you obtained in the previous section to this folder, as shown below.

Creating a Bochs Disk Image

Right-click the Start button and click "Command Prompt (Admin)".

In the User Account Control box, click Yes.

In the Administrator Command Prompt window, execute this command:

setx path "%path%;C:\Program Files (x86)\Bochs-2.6.9"

Close the Administrator Command Prompt window.

Open a new Administrator Command Prompt window.

In the Administrator Command Prompt window, execute these commands:

cd C:\Program Files\Bochs-2.6.11 bximage.exe

The "bximage" tool launches, as shown below.

Enter these items:

1 to create a new image
Enter for "hd"
Enter for "flat"
Enter for 512 byte hard disk sectors
Enter for size "10"
Enter to accept the default name of "c.img"
Enter to continue and exit bximage

Creating the Configuration File

In the Administrator Command Prompt window, execute these commands:

notepad bochsrc.bxrc

A Notepad box pops up, asking if you want to create a new file.

Click Yes.

Enter this text into Notepad, as shown below.

megs: 512 romimage: file="BIOS-bochs-latest" vgaromimage: file="VGABIOS-lgpl-latest" boot: cdrom, disk ata0-master: type=disk, path="c.img", mode=flat mouse: enabled=0 cpu: ips=90000000

In Notepad, click File, Save.

Close Notepad.

Infecting the Disk Image

We need to copy the infected Master Boot Record (MBR) to the disk image. We'll use Python to do that.

Right-click the Start button and click "Command Prompt (Admin)".

In the User Account Control box, click Yes.

In the Administrator Command Prompt window, execute this command:

setx path "%path%;C:\Python27"

Close the Administrator Command Prompt window.

Open a new Administrator Command Prompt window.

In the Administrator Command Prompt window, execute these commands:

cd C:\Program Files\Bochs-2.6.11 copy C:\bootkit\infected_mbr.bin . copy C:\bootkit\partition0.data . notepad infect.py

A Notepad box pops up, asking if you want to create a new file.

Click Yes.

Enter this text into Notepad, as shown below.

mbr_file = open("infected_mbr.bin", "rb") mbr = mbr_file.read() mbr_file.close() disk_image_file = open("c.img", "r+b") disk_image_file.seek(0) disk_image_file.write(mbr) disk_image_file.close()

In Notepad, click File, Save.

Close Notepad.

In the Administrator Command Prompt window, execute this command:

python infect.py

Examining the Infected Disk with HxD)

If you don't have HxD, get it here: https://mh-nexus.de/en/hxd/

Launch HxD and open this file: C:\Program Files\Bochs-2.6.11\c.img The file contains some binary data, and some readable text, as shown below.

Writing the VBR and IPL to the Disk Image

Now we need to copy the Volume Boot Record (VBR) and the Initial Program Loader (IPL) to the disk image.

In the Administrator Command Prompt window, execute these commands:

cd C:\Program Files\Bochs-2.6.11 notepad vbr.py

A Notepad box pops up, asking if you want to create a new file.

Click Yes.

Enter this text into Notepad, as shown below.

vbr_file = open("partition0.data", "rb") vbr = vbr_file.read() vbr_file.close() disk_image_file = open("c.img", "r+b") disk_image_file.seek(0x10 * 0x200) disk_image_file.write(vbr) disk_image_file.close()

In Notepad, click File, Save.

Close Notepad.

In the Administrator Command Prompt window, execute this command:

python vbr.py

Examining the Infected Disk with HxD

Launch HxD and open this file: C:\Program Files\Bochs-2.6.11\c.img Scroll down to Offset 2000 to see the newly written data, as shown below.

Using the Bochs Internal Debugger

In the Administrator Command Prompt window, execute these commands:

cd C:\Program Files\Bochs-2.6.11 bochsdbg.exe -q -f bochsrc.bxrc

The virtual machine launches, showing a dark screen. Click in the "Bochs for Windows - Console" window to bring it to the front, as shown below.

At the *lt;bochs:1> prompt, execute these commands to set a breakpoint at the start of the MBR code and commence execution:

lb 0x7c00 c

The bootup sequence begins, as shown below.

At the *lt;bochs:1> prompt, execute this command to unassemble the first 20 commands:

u /20

The assembly instructions appear, starting with xor ax, ax, as shown below.

This is a decryptor that unscrambles the data starting at 0x7c19.

notice the invalid data at address 0x7c1c.

Flag PMA 420.1: Viewing the Decrypted Code (15 pts)

In the "Select Bochs for Windows - Console" window, execute these commands to set a breakpoint after the decryption process, commence execution, and unassemble ten commands:

lb 0x7c19 c u /10

The code at 0x7c19 is decrypted, as shown below. Find the flag, which is covered by a green rectangle in the image below.

Exiting Bochs

Click in the "Bochs for Windows - Console" window. Press Ctrl+C twice.

After a few seconds, the virtual machine closes. Press Enter to return to the normal Windows prompt, as shown below.

Posted 11-12-19
"Flag" wording removed for HxD image 11-25-19
Encrypted file used to avoid Firefox malware blocking; ported to new 64-bit version of Bochs 11-7-20
Background color changed 4-24-24