Use Cases

Side effects of Packing

Packed and obfuscated code will often import at least LoadLibrary and GetProcAddress, which are used to load and gain access to additional functions at runtime. The section sizes can be useful in detecting packed executables. For example, if the virtual size (vsize) is much larger than the size of raw data, you know that the section takes up more space in memory than it does on disk. This is often indicative of packed code, particularly if the .text section is larger in memory than on disk and is marked as code/executable (reference: "Practical Malware Analysis. BlackHat. Kris Kendall and Chad McMillan. Page 52").

To model the behaviour of packed/obfuscated code, for example, we can build a rule like this (it is only one approach):

import "r2"
import "math"

rule difference_size_and_vsize {
  meta:
    description = "Rule to detect binaries with a big difference between section size and section vsize (after unpack). Also, it includes a big entropy and executable flags"
    author = "@plutec_net, @mmorenog"
    reference = "Practical Malware Analysis. BlackHat. Kris Kendall and Chad McMillan. Page 52"

  condition:
    // YARA ranges are inclusive, so the last valid index is number_of_sections - 1
    for any i in ( 0..r2.number_of_sections - 1 ) :
      ((r2.section[i].vsize > r2.section[i].size * 2) and
      r2.section[i].flags contains "x" and
      math.entropy(r2.section[i].paddr, r2.section[i].size) > 7)

}
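The same heuristic the rule encodes (executable section, vsize more than twice the raw size, on-disk entropy above 7), written here as an added Python example that is not part of the r2 module or of the original page: it parses the PE section table directly and runs the check on a constructed, minimal PE image. It assumes that the `IMAGE_SCN_MEM_EXECUTE` characteristics bit is what the module's `"x"` flag corresponds to.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE section Characteristics bit; assumed to be what r2's "x" flag reports

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(pe: bytes):
    """Walk the PE section table, yielding (name, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    off = coff + 20 + struct.unpack_from("<H", pe, coff + 16)[0]  # skip COFF header + optional header
    for _ in range(nsections):
        name, vsize, _va, rawsize, rawptr, *_, flags = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, rawptr, flags
        off += 40

def suspicious_sections(pe: bytes, ratio: int = 2, min_entropy: float = 7.0) -> list:
    """difference_size_and_vsize heuristic: executable, VirtualSize > ratio * SizeOfRawData, high on-disk entropy."""
    hits = []
    for name, vsize, rawsize, rawptr, flags in pe_sections(pe):
        if flags & IMAGE_SCN_MEM_EXECUTE and vsize > rawsize * ratio:
            if shannon_entropy(pe[rawptr:rawptr + rawsize]) > min_entropy:
                hits.append(name)
    return hits

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (MZ stub, PE signature, COFF header, no optional header); test input only."""
    raw_off = 0x40 + 4 + 20 + 40 * len(sections)  # raw section data follows the section table
    table, body = b"", b""
    for name, vsize, data, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(data), raw_off + len(body), 0, 0, 0, 0, flags)
        body += data
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C points at "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    return dos + b"PE\0\0" + coff + table + body

# Constructed sample: a 1 KB executable section expanding to 64 KB in memory with uniform bytes (entropy 8.0), beside a zero-filled data section.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x10000, bytes(range(256)) * 4, 0x60000020),  # CODE | EXECUTE | READ
    (b".data", 0x200, b"\0" * 0x200, 0xC0000040),  # INITIALIZED_DATA | READ | WRITE
])
```

`suspicious_sections(SAMPLE_PE)` returns `['.text']`; the data section fails both the executable and the size-ratio test.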

Potential keylogger

Detection of hypothetical keylogger behaviour, looking for exported symbols such as LowLevelKeyboardProc and LowLevelMouseProc, imported functions such as SetWindowsHookEx and RegisterHotKey, and the string “Software\Microsoft\Windows\CurrentVersion\Run” (the autorun registry key) that is commonly found in malware.

import "r2" 

rule potential_keylogger {

  meta: 
    description = "Rule to detect a potential keylogger" 
    author = "@plutec_net, @mmorenog" 
    reference = "Practical Malware Analysis (book), page 18"

  strings:
    $autorun = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii 

  condition: 
    r2.import(-1,"", "SetWindowsHookEx") and
    r2.import(-1,"", "RegisterHotKey") and
    r2.symbol("LowLevelKeyboardProc","") and 
    r2.symbol("LowLevelMouseProc","") and 
    $autorun 

}

UPX Packer Example

UPX-packed binaries carry two characteristic sections (UPX0 and UPX1), and it is easy to detect them with this module:

import "r2"

rule UPX {

  strings:
    $upx = "UPX"

  condition:
    r2.section("UPX0","") and
    r2.section("UPX1","") and
    $upx

}

Resources & Languages

At this point we can look for certain resources. For instance, a resource of type “STRING” with “LANG_RUSSIAN” or “LANG_CHINESE” as its language:

import "r2"

rule res_string_jap { 
  condition: 
    r2.resource("STRING", "LANG_RUSSIAN") or 
    r2.resource("STRING", "LANG_CHINESE") 
}

Or add a size constraint (resources larger than 2 KB):

import "r2"

rule resource {
  condition:
    // YARA ranges are inclusive, so the last valid index is number_of_resources - 1;
    // the language test is parenthesised so that "and" does not bind tighter than the "or"
    for any i in ( 0..r2.number_of_resources - 1 ) :
      (r2.resources[i].size > 2KB and
      r2.resources[i].type == "STRING" and
      (r2.resources[i].lang contains "RUSSIAN" or
      r2.resources[i].lang contains "CHINESE"))

}