Statistical analysis of artifacts offers a means to correlate threat data. Attribution and identification are attained by associating an artifact with others, or by differentiating it from a control group.
Hashing artifacts establishes uniqueness. Static data such as PE headers, metadata, imported functions, and even unique strings provide a useful dataset.
There are two parts:
- FP.exe - The Executable.
- Fingerprint - A set of .CS classes that get compiled at runtime.
These classes comprise your set of fingerprints.
Prerequisites:
COMMAND:
fp.exe <file or directory>
//Print the fingerprint and store in scanhistory.xml
OUTPUT:
Fingerprint v1.0, Copyright c 2010 HBGary, Inc. All Rights Reserved.
antidebug.cs compiled successfully
compiler.cs compiled successfully
compression.cs compiled successfully
integerparsing.cs compiled successfully
libs.cs compiled successfully
microsoft.cs compiled successfully
msapi.cs compiled successfully
pe.cs compiled successfully
regex.cs compiled successfully
sockets.cs compiled successfully
strings.cs compiled successfully
Scanning 1 file(s)...
Name: notepad.exe
Hash: F2C7BB8ACC97F92E987A2D4087D021B1
PE Timestamp ............... 7/13/2009 4:56:35 PM
Linker version ............. v9.0
DllCharacteristics .......... 00008140
PE Sections ................. .text | .rdata | .data | .pdata
PE Subsystem ................ 02
Windows GDI/Common Controls.. yes
Compiler .................... Microsoft Visual C++ 4.2
Services .................... open
Memory ...................... Win32
LoadLibrary ................. Generic
DataConversion .............. 64bit | double | wide | long
Wow64 ....................... aware
Thread Creation ............. Generic
File Mapping ................ Generic
File IO ..................... delete | Win32
Win32 File Searching ........ Generic
Debugger Timing ............. Ticks | PerformanceCounter
Command line parsing ........ Win32
Debugger Exception .......... UnhandledFilter
Window ...................... enum | aware
Clipboard aware ............. yes
Vararg Formatting ........... wide | length check
Command shell ............... Generic
SEH ......................... v4
ShellExecute ................ Ex
COM aware ................... yes
Windows Licensing ........... aware
OTHER COMMANDS:
fp.exe -c <file or directory>
//Compare file(s) to XML database
fp.exe -c <file1> <file2>
//Compare two files
How to create a fingerprint class:
namespace FP
{
    //insert class name
    class {{class_name}} : BaseFingerPrint
    {
        override public bool OnEvaluateString(string theString,
                                              ScanResultCollection results)
        {
            //evaluate theString,
            //append to results,
            //
            //YOUR CODE HERE
            //
            return true;
        }
    }
}
Example #1 - Identifying imported functions (integerparsing.cs)
Wide data conversion functions (_wtoi, _wtol, and so on) contain the substring "wto". To identify these types of data conversions, simple string matching is used.
BaseFingerPrint.OnEvaluateString() accepts two arguments: a string (theString) and a ScanResultCollection object (results). Use substring matching, regular expressions or other methods to evaluate theString. Next, call the AppendResult function of the results object and pass the name of the fingerprint as argument 0 and the fingerprint value as argument 1.
//Wide to * data conversions (note the closing parenthesis of the condition)
if (theString.Contains("wto"))
{
    results.AppendResult("DataConversion", "wide", 1, 0);
}
Run fp.exe. If you see a message regarding compile errors, this usually means that there is a syntax error in the fingerprint class.
OUTPUT:
...
LoadLibrary ................. Generic
DataConversion .............. 64bit | double | wide | long
Wow64 ....................... aware
...
Example2 - How to add a regex:
In this example, for each regex match, the trimmed string is appended to results. Fingerprint values can be either a constant such as "yes" or "http" or the actual string.
//regex for protocols (requires: using System.Text.RegularExpressions;)
Regex protMatches = new Regex("(http:|https:|ftp:|rdp:)");
//append any matches to Results
foreach (Match match in protMatches.Matches(theString))
{
    results.AppendResult("Protocol", match.ToString(), 1, 0);
}
OUTPUT:
...
LoadLibrary ................... Generic
Protocol ...................... http://windows.microsoft.com
Wow64 ........................ aware
...
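The two examples above can be tested without running fp.exe. The program below is an added example, not code from the Fingerprint download: it combines the "wto" substring rule and the protocol regex in one fingerprint class and runs it over a few constructed strings. The BaseFingerPrint and ScanResultCollection classes in it are stand-ins that only mirror the signatures shown on this page (the last two integer arguments of AppendResult are kept but their meaning is assumed, since the page does not document them); the real ones are supplied by fp.exe, so only the DataConversionAndProtocol class belongs in your .cs file.

```csharp
// Added example: offline harness for a fingerprint class. BaseFingerPrint and
// ScanResultCollection are stand-ins (assumption) mirroring the signatures
// shown on the page; the real classes ship with fp.exe.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

namespace FP
{
    // Stand-in: collects fingerprint name -> distinct values.
    class ScanResultCollection
    {
        public readonly Dictionary<string, List<string>> Results =
            new Dictionary<string, List<string>>();

        // Same call shape as on the page; the two trailing ints are passed
        // through but not interpreted here (their meaning is undocumented).
        public void AppendResult(string name, string value, int arg2, int arg3)
        {
            List<string> values;
            if (!Results.TryGetValue(name, out values))
                Results[name] = values = new List<string>();
            if (!values.Contains(value))
                values.Add(value);
        }
    }

    // Stand-in base class; the real one is supplied by fp.exe.
    abstract class BaseFingerPrint
    {
        public abstract bool OnEvaluateString(string theString,
                                              ScanResultCollection results);
    }

    // Combines Example #1 (substring match) and Example #2 (regex).
    class DataConversionAndProtocol : BaseFingerPrint
    {
        // Protocol prefixes from Example #2, anchored with \b and extended
        // with \S* so the whole URL is reported (tightening assumed here).
        static readonly Regex protMatches =
            new Regex(@"\b(https?:|ftp:|rdp:)\S*", RegexOptions.Compiled);

        public override bool OnEvaluateString(string theString,
                                              ScanResultCollection results)
        {
            // Wide-to-* conversions (_wtoi, _wtol, _wtof ...) contain "wto".
            if (theString.Contains("wto"))
                results.AppendResult("DataConversion", "wide", 1, 0);

            foreach (Match match in protMatches.Matches(theString))
                results.AppendResult("Protocol", match.Value.Trim(), 1, 0);

            return true;
        }
    }

    static class Harness
    {
        // Constructed sample strings, standing in for what the scanner pulls
        // out of a binary's import table and string data.
        static readonly string[] SampleStrings =
        {
            "_wtoi", "_wtol", "GetTickCount",
            "http://windows.microsoft.com", "ftp://example.invalid/update.bin",
            "newton"   // contains "wto" but is not a data-conversion import
        };

        static void Main()
        {
            var results = new ScanResultCollection();
            var fp = new DataConversionAndProtocol();
            foreach (string s in SampleStrings)
                fp.OnEvaluateString(s, results);

            // Print in the same dotted layout fp.exe uses.
            foreach (var kv in results.Results)
                Console.WriteLine((kv.Key + " ").PadRight(28, '.') + " " +
                                  string.Join(" | ", kv.Value));
        }
    }
}
```

Running the harness shows one property of substring rules worth keeping in mind when you write fingerprints: the constructed string "newton" also contains "wto", so Contains("wto") counts it as a wide data conversion. A rule anchored on the import-name pattern (for example a regex such as `^_wto[a-z0-9_]*$`) avoids that kind of false positive at the cost of a little more care in the expression.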
PE HEADERS - pe.cs - Windows Subsystem type fingerprint
PE header structures are available in pe.cs. A few PE header fields are identified by default, such as the timestamp and the PE sections.
pe.cs is made up of a few sections:
- PE STRUCTURES
- PEparser class
- get functions
- PE fingerprint class
To add your own, create a 'get' function that differentiates between 32-bit and 64-bit PE headers, then returns the value. Here is a function to access the Windows Subsystem type field of the PE optional header.
In pe.cs, around line 272, you will find the list of get functions.
Create a function like:
public uint Subsystem
{
    get
    {
        if (is32bit)
        {
            //pe structure 32
            return optionalHeader32.Subsystem;
        }
        else
        {
            //pe structure 64
            return optionalHeader64.Subsystem;
        }
    }
}
Towards the end of pe.cs, in the fingerprint class, you can append matches to the results object, the same as in the other examples.
Append the fingerprint "PE Subsystem":
results.SetResult("PE Subsystem", reader.Subsystem.ToString("X2"), 1, 0);
//reader = PEparser.PEparser
//reader.Subsystem = the newly added get function
//X2 = 2-digit hex formatting
Save cs file and run:
fp.exe c:\windows\notepad.exe
OUTPUT:
...
PE Sections ................... .text | .rdata | .data | .pdata
PE Subsystem .................. 02
Windows GDI/Common Controls ... yes
...
Consulting the PE/COFF specs - Windows Subsystem:
| Constant | Value | Description |
| --- | --- | --- |
| IMAGE_SUBSYSTEM_NATIVE | 1 | Device drivers and native Windows processes |
| IMAGE_SUBSYSTEM_WINDOWS_GUI | 2 | The Windows graphical user interface (GUI) subsystem |
| IMAGE_SUBSYSTEM_WINDOWS_CUI | 3 | The Windows character subsystem |
The value for notepad.exe is 2, which is Subsystem Windows GUI.
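To see what the 32/64-bit dispatch in the Subsystem getter is really about, the program below is an added example (not code from pe.cs or the Fingerprint download) that walks the DOS header, PE signature and COFF header by hand, switches on the optional header Magic (0x10b for PE32, 0x20b for PE32+), and reads Subsystem the same way the getter above does, printing it with the same "X2" formatting. It also reads ImageBase, a field whose offset and width genuinely differ between the two layouts, which is why pe.cs keeps separate optionalHeader32 and optionalHeader64 structures. The PeHeaderInfo class, the function names and the synthetic header bytes are all assumptions made for this example; the offsets and the three subsystem names come from the PE/COFF spec and the table above.

```csharp
// Added example: minimal, bounds-checked reader for the PE Subsystem field.
// PeHeaderInfo, Parse and SyntheticImage are names invented for this example.
using System;
using System.Collections.Generic;
using System.IO;

namespace FP
{
    // Fields a Subsystem fingerprint needs, plus ImageBase to show a field
    // whose offset really does differ between PE32 and PE32+.
    class PeHeaderInfo
    {
        public bool Is32Bit;
        public ulong ImageBase;
        public ushort Subsystem;
        public ushort DllCharacteristics;
    }

    static class PeSubsystemReader
    {
        const ushort PE32_MAGIC = 0x10b, PE32PLUS_MAGIC = 0x20b;

        // Names from the PE/COFF spec for the values in the table above.
        public static readonly Dictionary<ushort, string> SubsystemNames =
            new Dictionary<ushort, string>
            {
                { 1, "IMAGE_SUBSYSTEM_NATIVE" },
                { 2, "IMAGE_SUBSYSTEM_WINDOWS_GUI" },
                { 3, "IMAGE_SUBSYSTEM_WINDOWS_CUI" },
            };

        // Parses just enough of the headers to reach the optional header.
        // Every offset is bounds-checked: samples with a bogus e_lfanew or a
        // truncated optional header turn up regularly and must not crash a scan.
        public static PeHeaderInfo Parse(byte[] image)
        {
            if (image.Length < 0x40 || image[0] != 'M' || image[1] != 'Z')
                throw new InvalidDataException("no MZ header");
            int pe = BitConverter.ToInt32(image, 0x3C);                 // e_lfanew
            if (pe < 0 || pe > image.Length - 24)
                throw new InvalidDataException("e_lfanew out of range");
            if (BitConverter.ToUInt32(image, pe) != 0x00004550)         // "PE\0\0"
                throw new InvalidDataException("no PE signature");

            ushort optSize = BitConverter.ToUInt16(image, pe + 4 + 16); // SizeOfOptionalHeader
            int opt = pe + 4 + 20;                                      // optional header start
            if (optSize < 72 || opt + optSize > image.Length)
                throw new InvalidDataException("optional header truncated");

            var info = new PeHeaderInfo();
            ushort magic = BitConverter.ToUInt16(image, opt);
            if (magic == PE32_MAGIC)
            {
                info.Is32Bit = true;
                info.ImageBase = BitConverter.ToUInt32(image, opt + 28); // IMAGE_OPTIONAL_HEADER32: 4 bytes
            }
            else if (magic == PE32PLUS_MAGIC)
            {
                info.Is32Bit = false;
                info.ImageBase = BitConverter.ToUInt64(image, opt + 24); // IMAGE_OPTIONAL_HEADER64: 8 bytes
            }
            else
                throw new InvalidDataException("unknown optional header magic");

            // Subsystem and DllCharacteristics sit at the same offset in both layouts.
            info.Subsystem = BitConverter.ToUInt16(image, opt + 68);
            info.DllCharacteristics = BitConverter.ToUInt16(image, opt + 70);
            return info;
        }

        // Constructed PE32+ header with Subsystem = 2, standing in for a real file.
        public static byte[] SyntheticImage()
        {
            var img = new byte[0x40 + 4 + 20 + 240];           // DOS header, signature, COFF, optional (PE32+)
            img[0] = (byte)'M'; img[1] = (byte)'Z';
            BitConverter.GetBytes(0x40).CopyTo(img, 0x3C);     // e_lfanew -> 0x40
            BitConverter.GetBytes(0x00004550u).CopyTo(img, 0x40);
            BitConverter.GetBytes((ushort)0x8664).CopyTo(img, 0x44);       // Machine = AMD64
            BitConverter.GetBytes((ushort)240).CopyTo(img, 0x44 + 16);     // SizeOfOptionalHeader
            int opt = 0x58;
            BitConverter.GetBytes(PE32PLUS_MAGIC).CopyTo(img, opt);
            BitConverter.GetBytes(0x140000000UL).CopyTo(img, opt + 24);    // ImageBase
            BitConverter.GetBytes((ushort)2).CopyTo(img, opt + 68);        // Subsystem = WINDOWS_GUI
            BitConverter.GetBytes((ushort)0x8140).CopyTo(img, opt + 70);   // DllCharacteristics
            return img;
        }

        static void Main(string[] args)
        {
            // Pass a path to read a real file; with no argument the synthetic header is used.
            byte[] image = args.Length > 0 ? File.ReadAllBytes(args[0]) : SyntheticImage();
            PeHeaderInfo info = Parse(image);
            string name;
            if (!SubsystemNames.TryGetValue(info.Subsystem, out name)) name = "unknown";
            Console.WriteLine("PE Subsystem ................ " + info.Subsystem.ToString("X2") + " (" + name + ")");
            Console.WriteLine("DllCharacteristics .......... " + info.DllCharacteristics.ToString("X4"));
            Console.WriteLine("ImageBase ................... 0x" + info.ImageBase.ToString("X") +
                              (info.Is32Bit ? " (PE32)" : " (PE32+)"));
        }
    }
}
```

The reason to reject an unknown Magic rather than default to one layout is the same reason the getter in pe.cs branches on is32bit: a PE32+ file read through the 32-bit structure gives a wrong ImageBase and, further into the header, wrong stack and heap sizes, and a fingerprint built on misread fields silently stops correlating with anything.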
Download Fingerprint
-- Chris Harrison