C++ Malware: Standard Library Detection

TL;DR

Malware authors often use the C++ standard library to avoid detection. This guide explains how to identify common standard library functions used in malicious code, helping you analyse and reverse engineer threats.

Identifying Standard Library Use

1. Understand Common Functions: Malware frequently uses these standard library components:
   • Strings: std::string for text manipulation.
   • Vectors: std::vector for dynamic arrays.
   • Files: std::fstream, std::ifstream, std::ofstream for file operations.
   • Input/Output: std::cin, std::cout, std::cerr for console interaction.
   • Algorithms: Functions like std::find, std::copy, std::sort for data processing.
   • Threads: std::thread for multi-threading.
2. Disassembly Analysis: Use a disassembler (like IDA Pro, Ghidra, or Binary Ninja) to examine the code.
   • Look for calls to functions that are part of the C++ runtime library (e.g., those starting with _ZSt in GCC/Clang compiled binaries).
   • Pay attention to function arguments and return values; these can indicate how standard library components are being used.
3. String References: Search for string literals that might be related to standard library functions or their usage.
   • For example, strings like “std::string” or file paths commonly used with fstream.
4. Debugging: Use a debugger (like GDB or x64dbg) to step through the code and observe how standard library functions are called.
   • Set breakpoints on calls to suspected standard library functions.
   • Inspect the stack trace to understand the function’s context.
5. Static Analysis Tools: Employ static analysis tools (like Binary Ninja, or commercial solutions) that can automatically identify standard library usage.
   • These tools often provide a more comprehensive view of standard library calls than manual disassembly.

Example: Detecting std::string Usage

In GCC/Clang compiled C++ code, the constructor for std::string is often called as _ZSt4stringIcSt11char_traitsIcESaIcENSt7allocatorIcSt8allocator_traitsIcESaIcEEE. Searching for this string in a disassembler can reveal where strings are being created.

Example: Detecting File Operations

Look for calls to std::fstream‘s constructor and methods like open(), read(), write(), and close(). The function names will be mangled (e.g., _ZSt16ofstreamIcSt11char_traitsIcESaIcENSt7allocatorIcSt8allocator_traitsIcESaIcEEE5openERKSs for opening a file).

Example: Detecting Vector Usage

Look for calls to std::vector‘s constructor, push_back(), size() and other methods. The function names will be mangled (e.g., _ZSt6vectorIcSaIcENSt7allocatorIcSt8allocator_traitsIcESaIcEEE10push_backERKSs for adding an element to a vector).

Advanced Techniques

1. Virtual Table Analysis: If the malware uses virtual inheritance or polymorphism, analyse the virtual tables of C++ classes. This can reveal hidden dependencies on standard library components.
2. Code Deobfuscation: Malware authors may obfuscate their code to hide standard library usage. Use deobfuscation techniques (e.g., symbolic execution, control flow flattening) to simplify the code and make it easier to analyse.

cyber security Considerations

Identifying standard library use is just one step in malware analysis. You also need to understand how these components are being used to determine the malware’s functionality and potential impact.