Malware and RE Tips #1

I am by no means a malware expert, but I do deal with it on a fairly regular basis out of necessity.

One tool which I often fall back on for quick and dirty dynamic analysis is the Preservation Filesystem Driver.  I stumbled across this piece of software while I was reading The Malware Analyst's Cookbook and if you don't already have a copy but the subject interests you, I highly recommend picking up a copy; it's well worth the investment.  Preservation is a filesystem driver that is designed to hook a variety of functions in order to monitor the filesystem for changes, prevent process deletion, file deletion, disable the loading of drivers, and better yet, log all of this information for analysis. Since it is very common for malware to drop files and remove them after execution, Preservation helps us...well, preserve, these files so that we can analyze them in IDA or Ollydbg or whatever else you prefer.  It's also worth noting that you can use this tool for a variety of other RE tasks and not only those dealing with malware.

Before I go on, if you're looking to do more robust dynamic analysis, I would recommend something like Cuckoo Sandbox or Buster Sandbox Analyzer, but for the times when you just need to take a quick look or get a copy of files dropped by a piece of malware, Preservation is very simple to work with.  It's also worth noting that preservation offers no protection for the operating system and as such, you'll want to run the malware on a virtual machine that you can tear down once you're done.

A quick look at the command line arguments give tell us everything we need to know to use the tool.

* Preservation Driver Loader

Usage: preservation.exe [OPTIONS]
  l     load driver and log actions
  f     prevent file deletions
  d     prevent driver loading
  p     prevent process termination
  n     install notify routines
  u     unload the driver
  preservation.exe lfdpn (prevent and log all)
  preservation.exe l (allow and log all)

If you're planning on running this on a 32 bit XP system, you will need to rename the .sys file to "preservation.sys."  Once you load the driver with whatever flags you want (hopefully you're logging!), the resultant log file will be placed in c:\preservationLogs\Log.txt.  You should expect to see something like the following:

00000000 0.00000000 *
00000001 0.00000000 * Preservation Driver Loaded
00000002 0.00000503 *
00000003 0.00019500 Hooking ZwTerminateProcess.
00000004 0.00019583 Hooking ZwSetInformationFile.
00000005 0.00019583 Hooking ZwDeleteFile.
00000006 0.00020086 Hooking ZwLoadDriver.
00000007 0.00020086 Hooking ZwSetSystemInformation.
00000008 0.00020394 Registering PsSetLoadImageNotifyRoutine.
00000009 0.00020505 Registering PsSetCreateProcessNotifyRoutine.
00000010 0.00020589 Registering PsSetCreateThreadNotifyRoutine.
00000011 1.99862134 [PROCESS TERMINATE] preservation.ex (PID:1340) terminating preservation.ex (PID 1340)
00000012 4.28231096 [FILE DELETE] wuauclt.exe (PID:1952) deleting file \WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log
00000013 4.28273106 [FILE DELETE] wuauclt.exe (PID:1952) deleting file \WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log
00000014 4.28281593 [FILE DELETE] wuauclt.exe (PID:1952) deleting file \WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log
00000015 4.28330183 [FILE DELETE] wuauclt.exe (PID:1952) deleting file \WINDOWS\SoftwareDistribution\DataStore\Logs\edb0011D.log
00000016 4.28406811 [FILE DELETE] wuauclt.exe (PID:1952) deleting file \WINDOWS\SoftwareDistribution\DataStore\Logs\edb0011E.log
00000017 4.78011131 [FILE DELETE] wuauclt.exe (PID:1952) deleting file \WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
00000018 4.78121567 [FILE DELETE] wuauclt.exe (PID:1952) deleting file \WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log
00000019 5.86221313 [PROCESS TERMINATE] wuauclt.exe (PID:1952) terminating wuauclt.exe (PID 1952)
00000020 11.57933235 [PROCESS START] explorer.exe (PID:1672) started fetch_10d8c4282 (PID 2776)
00000021 11.57944489 [THREAD START] explorer.exe (PID:1672) started thread (TID 2780)

In the event that you're preventing file deletion or process deletion, you will see events like [FILE DELETE] in the logs, but if you follow the path called out in the log file, the files will still be there; Preservation is simply letting you know that a deletion attempt was made on the file.

That wraps up our first quick tip for malware and reverse engineering and hopefully we'll have many more to come!