Created: Tuesday, May 6 2008 16:06.06 CDT  
Basic tutorial about how to dump a process and update the IAT using Immunity Debug, LordPE, and ImpRec
Author: apridgen

AKA: Dumping RBot.clj to a usable binary for analysis

This tutorial is quick and mostly here so I can remember how to use PE Dumper,
LordPE, and then ImpRec.  This work is not any type of new hotness.  There is
actually a similar tutorial out there [1], but it lacked the details I needed
to dump and convert the file into a usable executable, so I am writing this one.

What you will need:
1) Immunity Debug:  http://debugger.immunityinc.com/register.html
2) PE Dumper:  http://www.woodmann.com/collaborative/tools/index.php/PE_Dumper
3) LordPE:  http://www.woodmann.com/collaborative/tools/index.php/LordPE
4) ImpRec:  http://www.woodmann.com/collaborative/tools/index.php/ImpREC
5) An account on Offensive Computing to get the sample:  http://offensivecomputing.net


Once you get your account to Offensive Computing, perform a search for the following
malware md5sum:  

59c661ba0c7c485f4480f7b142a9c084.  

Save the file to disk and unzip the archive, supplying the archive password.

Make sure PE Dumper is installed in the Immunity Debug directory: start Immunity
Debug and check the Plugins menu for "OllyDbg PE Dumper".  If it is not there, make sure
the plugin is in the right directory, for example:

C:\Program Files\Immunity Inc\Immunity Debugger


Step 0: Unpack the Malware

Moving forward, do File->Open and select the malware .exe.  First we need to unpack
the binary; the Evilcodecave blog was helpful here [2].  We will perform a
search for a sequence of commands: right click in the CPU window,
"Search for.."->"Sequence of Commands" (or Ctrl+S), and type in

POPAD<enter>
POPFD<enter>

These two instructions reverse the PUSHFD, PUSHAD you should have seen when Immunity Dbg
first started and attached to the program.  Now, hit the down arrow until you get to the 'jmp'
instruction and set a breakpoint on it (otherwise the malware will run out of your control).
Press <F9>, and the program should stop execution on this instruction.

Now, hit <enter> to go to the next instruction; this will not execute the instruction,
but it will jump the view down to the next instruction.  Now hit <Ctrl-A>, which will
analyze the data and treat it as code.  It was not treated as code previously, because before
the unpacker ran this region was all data: when the unpacker executed, the code was written to these memory locations.

We still need to let the program execute a little more before we can dump it (did you notice
the PUSHAD we landed on?).  Scroll down a little bit (Page Down 5 times) and place a breakpoint
on the 'jmp' instruction (address = 0x004DCA84).  If you look up a little bit, you'll notice the
POPAD ;).  Press <F9> again, and execution should stop at the instruction.  Hit <F7>, and now
we are at the OEP of our binary, so now it's time to dump it.



Step 2: Dump the Process
In Immunity Debug go to PE Dumper: Plugins->"OllyDbg PE Dumper"->"Make Dump of Process"

1) Make sure your target process is selected.
2) Click "Get EIP as OEP"
3) Check the "Fix Raw sizes" box
4) Check the "Make header size 0x1000" box
5) Click the Dump button and save the file.
6) Leave the process paused.



Step 3: Rebuild the PE Image with LordPE
1) Start LordPE
2) Click the Options button and put a check mark next to "Full Dump: rebuild image"
3) Click the "Rebuild PE" button and select the file that was just saved in the previous step.



Step 4: Rebuild the IAT with ImpRec
Note:  Identifying the IAT can be tricky, but in this case I simply looked at the address of a
function call for a known Windows API and jumped to that address.  Immunity Debug should resolve
the names of the function calls, so they should be pretty easy to spot in the CPU window.  Look for

CALL DWORD PTR DS:[42319C]               ;  kernel32.GetVersion

In the dump window, go to the expression (Ctrl+G) 0x42319C.  Make sure the data is being viewed as
long addresses (right click in the dump window, Long->Addresses).  Scroll up until the first import
can be seen.  Now open ImpRec.

1)  Select the target process that is open in the first step.
2)  Click on Options and check the "Import All By Ordinal," "Rebuild Original FT,"
"Fix EP to OEP," and "Create New IAT" checkboxes.
3)  Under the "IAT Infos Needed" section, enter the RVA of the program's OEP and IAT:
    Enter this in the RVA box:
         Address of the IAT - Image Base, in this case 0x00423000 - 0x00400000 = 0x00023000
    Enter this in the OEP box:
         Address of the EIP - Image Base, in this case 0x0041A4E3 - 0x00400000 = 0x0001A4E3
4)  Hit the Get Imports button.
5)  Click "Show Invalid," and remove anything that is invalid by
    right clicking in the window -> Cut Thunks.
6)  Check "Add New Section".
7)  Click on Fix Dump and select the previously saved file.


Final: Test in VMware.
If it runs without an exception, then you are likely now infected, cheers :)

Conclusion
Like I said, I know this has been done by several folks, but I can never find it when I need it, so
I figured I'd document it once more for good measure.  I hope someone else finds this useful in the
future.  I know I will ;).  Cheers.

1.  MUP With OllyDbg for Really Beginner,
http://www.geocities.com/r_etarded/ollydump/ollydump.html

2.  [Malware] Backdoor.Win32.Rbot.clj Reversing,
http://evilcodecave.wordpress.com/2007/12/01/malware-backdoorwin32rbotclj-reversing/





Blog Comments
apridgen Posted: Thursday, May 15 2008 11:47.08 CDT
Correcting some typos (doh!):

In Step 0,  before hitting <F9>, be sure to put breakpoints on the 'jmp' commands.  Otherwise, the malware will run out of your control.  


Errg, more typos

This time in step 4 under:

3)  Under the "RVAS Infos Needed" Section, enter the RVA of the program's IAT and OEP:
    Address of the IAT - Image Base, in this case 0x00423000 - 0x00400000 = 0x00023000
    Address of the EIP - Image Base, in this case 0x0041A4E3 - 0x00400000 = 0x0001A4E3

should be:

3)  Under the "IAT Infos Needed" Section, enter the RVA of the program's OEP and IAT:
    Enter this in the RVA Box:
         Address of the IAT - Image Base, in this case 0x00423000 - 0x00400000 = 0x00023000
    Enter this in the OEP Box:
         Address of the EIP - Image Base, in this case 0x0041A4E3 - 0x00400000 = 0x0001A4E3

Thanks jpierce :)

apridgen Posted: Thursday, May 15 2008 13:23.57 CDT
Forgot to mention how I found the IAT Offset for ImpRec:

One precondition is the CPU window is in the Malware’s code segment (e.g. user space) and it will be an address like 0042****.  

Now, in the CPU window, I perform a search for all intermodular calls.  In the result you should see something like the following in the disassembly:

CALL DWORD PTR DS:[04230BC]

Now go to this address in the dump section of the CPU Window, and change the view to Long->Address with ASCII Dump.  Now scroll up until you see 00000000, and no more addresses with <DLL>.<Import>.  The address you come up with should be the address you use for the IAT.

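The OEP/IAT arithmetic from step 4 and the "scroll up until you see 00000000" search from the comment above, as an added Python example (not part of the original post or of any of the tools it names): it reads ImageBase from the dump's own PE header, converts the addresses into the RVAs ImpRec asks for, and walks out from one known thunk slot to the table's start and size. It assumes the dump is a flat memory image in which file offset equals RVA, and the bytes it runs on are a constructed stand-in, not the RBot sample.

```python
import struct

def read_image_base(image):
    """ImageBase from the PE32 optional header of a dump that starts with its MZ header."""
    if image[:2] != b'MZ':
        raise ValueError('not a PE image')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('bad PE signature')
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte file header
    if struct.unpack_from('<H', image, opt)[0] != 0x10B:
        raise ValueError('PE32 expected')
    return struct.unpack_from('<I', image, opt + 0x1C)[0]   # ImageBase field (PE32 layout)

def va_to_rva(va, image_base):
    """What ImpRec wants in its OEP and RVA boxes: the address minus the image base."""
    return va - image_base

def find_iat_bounds(image, thunk_va, image_base):
    """Given one IAT slot (the [addr] of a CALL DWORD PTR DS:[addr]), walk back to the start of
    the table and forward to its end.  Heuristic, like the manual scroll: a single zero dword only
    separates one DLL's block from the next; two zeros in a row mark the table boundary."""
    off = va_to_rva(thunk_va, image_base)        # assumed flat dump: file offset == RVA
    start = off
    while start >= 8:
        if struct.unpack_from('<II', image, start - 8) == (0, 0):
            break
        start -= 4
    end = off
    while end + 8 <= len(image):
        if struct.unpack_from('<II', image, end) == (0, 0):
            break
        end += 4
    return start, end - start                    # (value for the RVA box, value for the Size box)

def build_sample_dump():
    """Constructed stand-in for the dumped process (not the real sample): a 0x24000-byte flat
    image, base 0x00400000, with an IAT at RVA 0x23000 whose 104th slot is the post's 0x42319C."""
    img = bytearray(0x24000)
    img[:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b'PE\0\0'
    struct.pack_into('<H', img, 0x40 + 24, 0x10B)    # optional header Magic: PE32
    struct.pack_into('<I', img, 0x40 + 24 + 0x1C, 0x00400000)
    for i in range(104):                             # first DLL block: 0x23000 .. 0x2319C
        struct.pack_into('<I', img, 0x23000 + 4 * i, 0x7C800000 + 0x10 * i)
    for i in range(5):                               # one zero separator, then a second DLL block
        struct.pack_into('<I', img, 0x231A4 + 4 * i, 0x77D00000 + 0x10 * i)
    return bytes(img)
```

Verify the result in the dump window before trusting it: a zero dword that is ordinary data sitting right before the table will stop the backward walk early, exactly as it would fool the manual scroll.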

jayanthd Posted: Friday, July 13 2012 12:16.11 CDT
Please send me a copy of LordPE to internetuser2k11@gmail.com The files at the above links are infected.
