Generic script emulation - Kurt Natvig (Acronis)
Author: Virus Bulletin
Uploaded: 2023-11-09
Description:
Presented at the VB2023 conference in London, 4 - 6 October 2023.
↓ Slides: https://www.virusbulletin.com/uploads...
↓ Paper: https://www.virusbulletin.com/uploads...
→ Details: https://www.virusbulletin.com/confere...
✪ PRESENTED BY ✪
• Kurt Natvig (Acronis)
✪ ABSTRACT ✪
Malware authors have been using various script languages for decades to install and launch their binary builds. These scripts are often highly obfuscated and can contain a lot of garbage intended to make detection more complicated.
There can be many languages involved: Visual Basic Script (VBS), Visual Basic for Applications (VBA) plus Excel macros (XLM), PowerShell, JavaScript, PHP, etc. Each of these has its own special attributes and strengths.
Creating and maintaining separate tools and support (e.g. an emulator) to cope with all these languages individually can be time consuming, so I wanted to see if one generic script emulator could do the job.
My presentation will show some of the research needed while creating this generic script emulator and developing it into a production component (speed/memory/data structures). It will demonstrate the power of abstract syntax trees (ASTs) and how we can create a version of one from various languages that the emulator understands and can handle correctly. We’ll then have a common framework and mechanics for a generic script emulator.
In computer science, an abstract syntax tree (AST) is a tree representation of the abstract syntactic structure (structural or content-related details) of text (often source code) written in a formal language.
For instance, the simple line “i = 500 + 4 * counter” can be represented as an AST like this:

      ASSIGN
      /    \
     i      +
          /   \
        500    *
              / \
             4   counter
What, then, would a line like “IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();” look like?
I will focus on these items in the talk:
• Goals
• Language tokenization
• Mapping logical flow
• Token rewrite
• AST generation
• Emulation of AST
• Optimization
• Results
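The AST example above and the tokenization, AST generation and emulation items in the list are the pieces of one pipeline. The following Python is an added illustration of that pipeline written for this page; it is not the Acronis emulator and not code from the talk. It handles a tiny constructed language (assignment, + - * /, string concatenation and calls); the grammar, the `run` call and the sample script are all assumptions made for the example. The emulator never executes a call: it records the callee and the fully resolved arguments, which is the kind of intelligence the abstract says an emulator can extract from a script.

```python
"""Toy tokenize -> AST -> emulate pipeline; an added illustration, not the Acronis emulator
or talk code. The grammar, the 'run' call and the sample script are assumptions for this example."""
import operator
import re

# Language tokenization: numbers, double-quoted strings, names, one-char operators,
# whitespace (dropped) and a catch-all so that unknown characters are rejected.
TOKEN_RE = re.compile(r'(?P<NUMBER>\d+)|(?P<STRING>"(?:[^"\\]|\\.)*")|(?P<NAME>[A-Za-z_]\w*)'
                      r'|(?P<OP>[-+*/=();,])|(?P<WS>\s+)|(?P<BAD>.)')

def tokenize(src):
    toks = []
    for m in TOKEN_RE.finditer(src):
        if m.lastgroup == "BAD":
            raise SyntaxError("bad character %r at %d" % (m.group(), m.start()))
        if m.lastgroup != "WS":
            toks.append((m.lastgroup, m.group()))
    return toks

class Parser:
    """AST generation by recursive descent; nodes are plain tuples."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self, ahead=0):
        return self.toks[self.i + ahead] if self.i + ahead < len(self.toks) else ("EOF", "")
    def take(self, text=None):
        kind, val = self.peek()
        if text is not None and val != text:
            raise SyntaxError("expected %r, got %r" % (text, val))
        self.i += 1
        return kind, val
    def program(self):  # program := (statement ';'?)*
        stmts = []
        while self.peek()[0] != "EOF":
            stmts.append(self.statement())
            if self.peek()[1] == ";":
                self.take(";")
        return stmts
    def statement(self):  # NAME '=' expr is an assignment, anything else an expression
        if self.peek()[0] == "NAME" and self.peek(1)[1] == "=":
            name = self.take()[1]
            self.take("=")
            return ("assign", name, self.expr())
        return ("expr", self.expr())
    def expr(self):  # expr := term (('+' | '-') term)*   (lowest precedence)
        node = self.term()
        while self.peek()[1] in ("+", "-"):
            node = ("binop", self.take()[1], node, self.term())
        return node
    def term(self):  # term := factor (('*' | '/') factor)*
        node = self.factor()
        while self.peek()[1] in ("*", "/"):
            node = ("binop", self.take()[1], node, self.factor())
        return node
    def factor(self):  # factor := NUMBER | STRING | NAME '(' args ')' | NAME | '(' expr ')'
        kind, val = self.take()
        if kind == "NUMBER":
            return ("num", int(val))
        if kind == "STRING":
            return ("str", val[1:-1].replace('\\"', '"'))
        if kind == "NAME" and self.peek()[1] == "(":
            self.take("(")
            args = []
            while self.peek()[1] != ")":
                args.append(self.expr())
                if self.peek()[1] == ",":
                    self.take(",")
            self.take(")")
            return ("call", val, args)
        if kind == "NAME":
            return ("name", val)
        if val == "(":
            node = self.expr()
            self.take(")")
            return node
        raise SyntaxError("unexpected token %r" % val)

def parse(src):
    return Parser(tokenize(src)).program()

BINOPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.floordiv}

def emulate(src):
    """Emulation of the AST: return (variable environment, observed calls). Calls are never
    executed; callee and resolved arguments are logged for detection logic to inspect."""
    env, calls = {}, []
    def ev(node):
        kind = node[0]
        if kind in ("num", "str"):
            return node[1]
        if kind == "name":
            return env[node[1]]  # KeyError here means a variable was read before assignment
        if kind == "binop":
            return BINOPS[node[1]](ev(node[2]), ev(node[3]))
        calls.append((node[1], [ev(a) for a in node[2]]))  # remaining kind is "call"
        return None
    for stmt in parse(src):
        if stmt[0] == "assign":
            env[stmt[1]] = ev(stmt[2])
        else:
            ev(stmt[1])
    return env, calls

# Constructed sample: a command line assembled by concatenation, then handed to a launcher.
SAMPLE = 'counter = 3; i = 500 + 4 * counter; cmd = "pow" + "ersh" + "ell -e " + "AAAA"; run(cmd);'
```

`parse("i = 500 + 4 * counter")` yields exactly the tree drawn above (an `assign` node whose right child is `+` over `500` and `*`), and `emulate(SAMPLE)` reports `run` being called with `powershell -e AAAA`, a string that never appears literally in the script. The toy grammar does not cover PowerShell syntax such as `$s`, `[Type]::Member` or `.ReadToEnd()`, so the one-liner quoted above would need its own front end; the point of keeping the node kinds this small is that such a front end only has to emit the same `assign`, `binop`, `name` and `call` nodes for the emulator to stay language-independent.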
Various malicious samples will be analysed live, and we’ll go through what intelligence we can extract from the emulator when dealing with scripts.
The presentation will highlight the challenges and how some of them were solved.