.Hi,
I've been trying to reverse a piece of malware. Everything is fine until I came to a point where I can see traffic going out on to the Internet in Wireshark..but the code I am looking at in Olly cannot possibly be doing that [But it is].. I've set breakpoints and traffic appears only between those breakpoints.
So I'm thinking it is some other thread which is doing it somewhere else. I can use the Debug option to break when a Thread starts...or even switch to that thread after its created but this doesn't tell me where the traffic is getting generated from..it just goes into System DLL space.
For e.g.. I can see an SSL connection getting established but I don't know from where..
Here is a snapshot of the relevant assembly code from Olly:
-----------
0040D118 |> /68 E8030000 |/PUSH 3E8 ; /Timeout = 1000. ms
0040D11D |. |FF15 58004200 ||CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Some weird stuff here - 3 way handshake after sleep??? and only 1ce..
0040D123 |. |8B03 ||MOV EAX,DWORD PTR DS:[EBX]
0040D125 |. |8D4D 08 ||LEA ECX,DWORD PTR SS:[EBP+8]
0040D128 |. |51 ||PUSH ECX
0040D129 |. |53 ||PUSH EBX
0040D12A |FF50 7C ||CALL DWORD PTR DS:[EAX+7C] ; Funny stuff....system function accessing lifestream.aol.com
0040D12D |. |66:837D 08 00 ||CMP WORD PTR SS:[EBP+8],0
0040D132 |. |75 1A ||JNZ SHORT aolsbm_1.0040D14E
0040D134 |. |8B03 ||MOV EAX,DWORD PTR DS:[EBX]
0040D136 |. |8D4D E4 ||LEA ECX,DWORD PTR SS:[EBP-1C]
0040D139 |. |51 ||PUSH ECX
0040D13A |. |53 ||PUSH EBX
0040D13B |. |FF90 E0000000 ||CALL DWORD PTR DS:[EAX+E0]
0040D141 |. |837D E4 04 ||CMP DWORD PTR SS:[EBP-1C],4
0040D145 |. |74 07 ||JE SHORT aolsbm_1.0040D14E
0040D147 |. |C745 08 01000>||MOV DWORD PTR SS:[EBP+8],1
0040D14E |> |FF45 EC ||INC DWORD PTR SS:[EBP-14]
0040D151 |. |837D EC 28 ||CMP DWORD PTR SS:[EBP-14],28
0040D155 |. |7F 07 ||JG SHORT aolsbm_1.0040D15E
0040D157 |. |66:837D 08 00 ||CMP WORD PTR SS:[EBP+8],0
0040D15C |.^\75 BA |\JNZ SHORT aolsbm_1.0040D118
-----------
There are breakpoints(F2) at 0040D118 and 0040D15C. Its a loop from which the process exits only when a lot of data is sent.
Any ideas??
Thnx
Arvind
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}