Flag: Tornado! Hurricane!

 Forums >>  Target Specific - General  >>  Tracking and breaking inside specific thread

Topic created on: July 28, 2011 11:49 CDT by livedontexist .

Hi,
I've been trying to reverse a piece of malware. Everything is fine until I came to a point where I can see traffic going out on to the Internet in Wireshark..but the code I am looking at in Olly cannot possibly be doing that [But it is].. I've set breakpoints and traffic appears only between those breakpoints.

So I'm thinking it is some other thread which is doing it somewhere else. I can use the Debug option to  break when a Thread starts...or even switch to that thread after its created but this doesn't tell me where the traffic is getting generated from..it just goes into System DLL space.

For e.g.. I can see an SSL connection getting established but I don't know from where..

Here is a snapshot of the relevant assembly code from Olly:
-----------
0040D118  |> /68 E8030000   |/PUSH 3E8                                                      ; /Timeout = 1000. ms
0040D11D  |. |FF15 58004200 ||CALL DWORD PTR DS:[<&KERNEL32.Sleep>]                         ; \Some weird stuff here - 3 way handshake after sleep??? and only 1ce..
0040D123  |. |8B03          ||MOV EAX,DWORD PTR DS:[EBX]
0040D125  |. |8D4D 08       ||LEA ECX,DWORD PTR SS:[EBP+8]
0040D128  |. |51            ||PUSH ECX
0040D129  |. |53            ||PUSH EBX
0040D12A     |FF50 7C       ||CALL DWORD PTR DS:[EAX+7C]                                    ;  Funny stuff....system function accessing lifestream.aol.com
0040D12D  |. |66:837D 08 00 ||CMP WORD PTR SS:[EBP+8],0
0040D132  |. |75 1A         ||JNZ SHORT aolsbm_1.0040D14E
0040D134  |. |8B03          ||MOV EAX,DWORD PTR DS:[EBX]
0040D136  |. |8D4D E4       ||LEA ECX,DWORD PTR SS:[EBP-1C]
0040D139  |. |51            ||PUSH ECX
0040D13A  |. |53            ||PUSH EBX
0040D13B  |. |FF90 E0000000 ||CALL DWORD PTR DS:[EAX+E0]
0040D141  |. |837D E4 04    ||CMP DWORD PTR SS:[EBP-1C],4
0040D145  |. |74 07         ||JE SHORT aolsbm_1.0040D14E
0040D147  |. |C745 08 01000>||MOV DWORD PTR SS:[EBP+8],1
0040D14E  |> |FF45 EC       ||INC DWORD PTR SS:[EBP-14]
0040D151  |. |837D EC 28    ||CMP DWORD PTR SS:[EBP-14],28
0040D155  |. |7F 07         ||JG SHORT aolsbm_1.0040D15E
0040D157  |. |66:837D 08 00 ||CMP WORD PTR SS:[EBP+8],0
0040D15C  |.^\75 BA         |\JNZ SHORT aolsbm_1.0040D118
-----------

There are breakpoints(F2) at 0040D118 and 0040D15C. Its a loop from which the process exits only when a lot of data is sent.

Any ideas??

Thnx
Arvind

No posts found under this topic.
Note: Registration is required to post to the forums.

There are 31,099 total registered users.


Recently Created Topics
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07
Looking for an advan...
Mar/21
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15


Recent Forum Posts
Looking for an advan...
tthtlc
Looking for an advan...
tthtlc
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit