The Latest in IT Security

Floating-point math functions abused

09 Nov 2011

It is common for malware to use several tricks to change the execution flow of a program and disrupt analysis, such as using unfamiliar callback functions, raising exceptions, and so on.

During malware analysis we rarely see math functions imported and invoked, but recently we found a bunch of samples using floating-point math operations to hamper analysis. Here is an example of how this happens.

This loop seems never to end; the question is how the program jumps out of it. The most unusual part of the loop is the call to the math function “log”. Obviously the author of the malware does not want to calculate the logarithm of a particular number, and we notice that the number being passed in is continuously increased by 112, so when the number gets big enough, something may happen. After a few attempts I set the number to 0x80000070, and the log function took me here:


No exception was triggered and no stack overflow occurred, but EIP finally ended up outside the loop. It is really strange that calling the log function causes a direct jump from the address of the log function to an address inside the malware. How did this happen? The following screenshot shows the truth.

Calling __setusermatherr sets up a handler to deal with certain kinds of math errors, and this call is made before the main function. When debugging, we may ignore the part that runs before the main function. By default, when we compile a program with VC, a conventional handler of the following type is set:

This function only returns 0 so that the error message is displayed, so we have reason to be suspicious of a program with a long math error handler function. All of the floating-point functions open a convenient door for malware writers: sin, cos, exp, sqrt, log, pow, mod, and so on.
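To make the mechanism concrete, here is a small model of the user math-error hook, added as an example and not taken from the post or from the sample it describes. On Windows the CRT keeps a handler pointer installed through __setusermatherr() and calls it from functions such as log() when they detect a domain error; the handler runs ordinary code and decides what value the caller receives. The names matherr_record, register_user_matherr, crt_log, counter_as_double and steps_until_matherr are assumed stand-ins for that dispatch, written in portable C++ so the behaviour can be compiled and run on any platform. The loop at the end re-creates the post's counter: a 32-bit value stepped by 112 becomes negative as a signed integer, log() then raises a domain error, and control lands in the registered handler, which is how the "endless" loop exits.

```cpp
// Added example, not code from the post or from the malware sample: a minimal,
// portable model of the MSVCRT user math-error hook. All names below are assumed
// stand-ins for the CRT's internal dispatch, not the real CRT implementation.
#include <cerrno>
#include <cmath>
#include <cstdint>
#include <cstdio>

// Mirrors the CRT's _exception record: which function failed, with what
// argument, and the return value the handler may substitute.
struct matherr_record {
    int type;          // 1 stands for a domain error (_DOMAIN on MSVC)
    const char *name;  // failing function, e.g. "log"
    double arg1;       // the argument that caused the error
    double retval;     // value the caller gets if the handler returns nonzero
};

typedef int (*user_matherr_fn)(matherr_record *);

static user_matherr_fn g_user_matherr = nullptr;  // handler slot, nullptr = none
static int g_handler_calls = 0;                   // how often a handler ran

// Stand-in for __setusermatherr(): in a real binary this runs before main().
void register_user_matherr(user_matherr_fn fn) { g_user_matherr = fn; }
int handler_calls() { return g_handler_calls; }

// Stand-in for the CRT's log(): compute, detect the domain error, dispatch.
double crt_log(double x) {
    errno = 0;
    double r = std::log(x);
    if (errno == EDOM || std::isnan(r)) {  // negative or NaN input
        matherr_record rec = {1, "log", x, r};
        if (g_user_matherr != nullptr && g_user_matherr(&rec) != 0) {
            return rec.retval;  // handler claimed the error: its value is returned
        }
    }
    return r;  // no handler, or handler returned 0: the CRT would print its message
}

// The default VC handler the post describes: returns 0 so the CRT reports the error.
int default_matherr(matherr_record *) { return 0; }

// A handler that actually executes code when log() fails, as the sample's long
// handler does. Here it only counts and reports the call, then overrides the
// result; a breakpoint on this function is how an analyst sees the hook fire.
int recording_matherr(matherr_record *rec) {
    ++g_handler_calls;
    std::printf("matherr: %s(%g) type=%d\n", rec->name, rec->arg1, rec->type);
    rec->retval = 0.0;
    return 1;  // nonzero: error handled, use retval, print nothing
}

// 0x80000070 from the post, read as the signed 32-bit loop counter, is negative,
// which is exactly what makes log() raise a domain error.
double counter_as_double(uint32_t raw) {
    return static_cast<double>(static_cast<int32_t>(raw));
}

// Models the "never-ending" loop: add `step` (112 in the sample) to the counter
// until it goes negative as a signed int and crt_log() hands control to the
// handler. Returns the number of log() calls made; max_steps bounds the loop
// (the real sample has no such bound) and 0 means no handler is installed.
unsigned long steps_until_matherr(uint32_t start, uint32_t step, unsigned long max_steps) {
    if (g_user_matherr == nullptr) return 0;  // would otherwise spin forever
    int before = g_handler_calls;
    unsigned long steps = 0;
    // unsigned arithmetic: the counter wraps instead of being undefined behaviour
    for (uint32_t c = start; g_handler_calls == before && steps < max_steps; c += step) {
        crt_log(counter_as_double(c));
        ++steps;
    }
    return steps;
}

int main() {
    register_user_matherr(recording_matherr);
    double ok = crt_log(2.0);
    std::printf("crt_log(2.0) = %g, handler calls = %d\n", ok, handler_calls());
    double neg = counter_as_double(0x80000070u);
    double overridden = crt_log(neg);
    std::printf("crt_log(%g) = %g, handler calls = %d\n", neg, overridden, handler_calls());
    std::printf("loop exits after %lu log() calls\n",
                steps_until_matherr(0x7FFFFF00u, 112u, 1000));
    return 0;
}
```

The two handlers show what the post's heuristic rests on: default_matherr is the trivial return-0 handler a normal VC build installs, while recording_matherr is any handler with a body. A debugger that only breaks on exceptions or on the loop body never sees the transfer, because it happens inside the CRT's own error path; breaking on the handler registered before main() does.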

These samples also use an up-to-date injection method to inject code into a system process. Instead of mapping a view of the system file into memory to find the entry point of the target process, the sample uses LoadLibraryExA with the DONT_RESOLVE_DLL_REFERENCES flag to get the entry point of the target file.

It then overwrites the entry point and takes control of the new process's workflow. We must pay attention to samples that import this kind of floating-point function when they have no business doing math arithmetic.


Frank Zheng
