Search code examples
securityassemblyx86reverse-engineeringmalware

Running a brief asm script inline for dynamic analysis

Is there any good reason not to run a brief unknown (30 line) assembly script inline in a usermode c program for dynamic analysis directly on my laptop?

There's only one system call to time, and at this point I can tell that it's a function that takes a c string and it's length, and performs some sort of encryption on it in a loop, which only iterates through the string as long as the length argument tells it.

I know that the script is (supposed to be) from a piece of malicious code, but for the life of me I can't think of any way it could possibly pwn my computer barring some sort of hardware bug (which seems unlikely given that the loop is ~ 7 instructions long and the strangest instruction in the whole script is a shr).

I know it sounds bad running an unknown piece of assembly code directly on the metal, but given my analysis up to this point I can't think of any way it could bite me or escape.

Solution

  • Yes, you can but I won't recommend it.
    The problem is not how dangerous is the code this time (assuming you really understand all of the code and you can predict the outcome of any system call), the problem is that it's a slippery slope and it's not worth it considering what's at stake.

    I've done quite a few malware analysis and rarely happened that a piece of code caught me off guard but it happened.
    Luckily I was working on a virtual machine within an isolated network: I just restored the last snapshot and stepped through the code more carefully.
    If you do this analysis on your real machine you may take the habit and one day this will bite you back.
    Working with VMs, albeit not as comfortable as using your OS native GUI, is the way to go.

    What could go wrong with running a 7 lines assembly snippet?
    I don't know, it really depends on the code but a few things to be careful about:

    1. Exceptions. An instruction may intentionally fault to pass the control to an exception handler. This is why it very important that you totally understand the code: both the instruction and the data.
    2. System calls exploits. A specially crafted input to a system call may trigger a 0-day or an unpatched vulnerability in your system. This is why is important that you can predict the outcome of every system call.
    3. Anti debugger techniques. There are a lot of way a piece of code could escape a debugger (I'm thinking Windows debugging here), it's hard to remember them all, be suspicious of everything.

    I've just named a few, it's catastrophically possible that an hardware bug could lead to privileged code execution but if that's really a possibility then nothing but a spare sacrificable machine will do.

    Finally, if you are going to run the malware (because I assume the work of extracting the code and its context is too much of a burden) up to a breakpoint on your machine, think of what's at stake. If you place the break point on the wrong spot, if the malware takes another path or if the debugger has a glitchy GUI, you may loose your data or the confidentiality of your machine.
    I'n my opinion is not worth it.

    I had to make this premise for generality sake but we all sin something, don't we?
    I've never run a piece of malware on my machine but I've stepped through some with a virtual machine directly connected on the company network.
    It was a controlled move, nothing happened, the competent personnel was advised and it was an happy ending.
    This may very well be your case: it can just be a decryption algorithm and nothing more.
    However, only you have the final responsibility to judge if it is acceptable to run the piece of code or not.
    As I remarked above, in general it is not a good idea and it presupposes that you really understand the code (something that is hard to do and be honest about).
    If you think these prerequisites are all satisfied then go ahead and do it.

    Before that I would:

    1. Create an unprivileged user and deny it access to my data and common folders (ideally deny it everything but what's is necessary to make the program work).
    2. Backup the the critical data, if any.

    Optionally

    1. Make a restore point.
    2. Take an hash of the system folders, a list of installed services and the value of the usual startup registry keys (Sysinternals have a tool to enum them all).

    After the analysis, you can check that nothing important system-wide has changed.
    It may be helpful to subst a folder and put the malware there so that a dummy path traversal stops in that folder.

    Isn't there better solution?
    I like using VMs for their snapshotting capabilities, though you may stumble into an anti-VM check (but they are really dumb checks, so it's easy to skip them).

    For a 7-line assembly I'd simply rewrite it as a JS function and run it directly in a browser console.
    You can simply transform each register in a variable and transcript the code, you don't need to understand it globally but only locally (i.e. each instruction).
    JS is handy if you don't have to work with 64-bit quantities because you have an interpreter in front of you right now :)
    Alternatively I use any programming language I have at hand (One time even assembly it self, it seems paradoxical but due to a nasty trick I had to convert a 64-bit piece of code to a 32-bit one and patch the malware with it).