Malware Analysis Patterns (Part 22)
Saturday, February 9th, 2013Raw Pointer pattern is about pointers without matching symbol files. They may be in the expected module range or in some other known module range in the form of module+offset or can be completely out of range of any module from the loaded module list and therefore just a number. For example, usually we have certain structures or arrays (tables) where we expect pointers with matching symbols such as IAT, IDT and 32-bit SSDT where an occurrence of a raw pointer immediately triggers a suspicion such as in this Import Address Table from ProcessA:
[...]
00000001`3f8a9048 00000000`76e282d0 ntdll!RtlSizeHeap
00000001`3f8a9050 00000000`76bf9070 kernel32!GetStringTypeWStub
00000001`3f8a9058 00000000`76c03580 kernel32!WideCharToMultiByteStub
00000001`3f8a9060 00000000`76e33f20 ntdll!RtlReAllocateHeap
00000001`3f8a9068 00000000`76e533a0 ntdll!RtlAllocateHeap
00000001`3f8a9070 00000000`76bfc420 kernel32!GetCommandLineWStub
00000001`3f8a9078 00000001`3f8a1638 ProcessA+0×10ac
00000001`3f8a9080 00000000`76c2cc50 kernel32!IsProcessorFeaturePresent
00000001`3f8a9088 00000000`76c02d60 kernel32!GetLastErrorStub
00000001`3f8a9090 00000000`76c02d80 kernel32!SetLastError
00000001`3f8a9098 00000000`76bf3ee0 kernel32!GetCurrentThreadIdStub
[…]
Note that structures are not limited to the above and can me any OS or even application specific structure where we have symbol files. Raw pointers that are outside of expected module range are covered in the next pattern.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -