
Topic created on: July 28, 2011 11:49 CDT by livedontexist .

Hi,
I've been trying to reverse a piece of malware. Everything was fine until I came to a point where I can see traffic going out onto the Internet in Wireshark, but the code I am looking at in Olly cannot possibly be doing that [but it is]. I've set breakpoints and traffic appears only between those breakpoints.

So I'm thinking it is some other thread which is doing it somewhere else. I can use the Debug option to break when a thread starts, or even switch to that thread after it's created, but this doesn't tell me where the traffic is getting generated from; it just goes into system DLL space.

For example, I can see an SSL connection getting established but I don't know from where.

Here is a snapshot of the relevant assembly code from Olly:
-----------
0040D118  |> /68 E8030000   |/PUSH 3E8                                                      ; /Timeout = 1000. ms
0040D11D  |. |FF15 58004200 ||CALL DWORD PTR DS:[<&KERNEL32.Sleep>]                         ; \Some weird stuff here - 3 way handshake after sleep??? and only 1ce..
0040D123  |. |8B03          ||MOV EAX,DWORD PTR DS:[EBX]
0040D125  |. |8D4D 08       ||LEA ECX,DWORD PTR SS:[EBP+8]
0040D128  |. |51            ||PUSH ECX
0040D129  |. |53            ||PUSH EBX
0040D12A     |FF50 7C       ||CALL DWORD PTR DS:[EAX+7C]                                    ;  Funny stuff....system function accessing lifestream.aol.com
0040D12D  |. |66:837D 08 00 ||CMP WORD PTR SS:[EBP+8],0
0040D132  |. |75 1A         ||JNZ SHORT aolsbm_1.0040D14E
0040D134  |. |8B03          ||MOV EAX,DWORD PTR DS:[EBX]
0040D136  |. |8D4D E4       ||LEA ECX,DWORD PTR SS:[EBP-1C]
0040D139  |. |51            ||PUSH ECX
0040D13A  |. |53            ||PUSH EBX
0040D13B  |. |FF90 E0000000 ||CALL DWORD PTR DS:[EAX+E0]
0040D141  |. |837D E4 04    ||CMP DWORD PTR SS:[EBP-1C],4
0040D145  |. |74 07         ||JE SHORT aolsbm_1.0040D14E
0040D147  |. |C745 08 01000>||MOV DWORD PTR SS:[EBP+8],1
0040D14E  |> |FF45 EC       ||INC DWORD PTR SS:[EBP-14]
0040D151  |. |837D EC 28    ||CMP DWORD PTR SS:[EBP-14],28
0040D155  |. |7F 07         ||JG SHORT aolsbm_1.0040D15E
0040D157  |. |66:837D 08 00 ||CMP WORD PTR SS:[EBP+8],0
0040D15C  |.^\75 BA         |\JNZ SHORT aolsbm_1.0040D118
-----------

There are breakpoints (F2) at 0040D118 and 0040D15C. It's a loop from which the process exits only when a lot of data is sent.

Any ideas??

Thnx
Arvind
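
The two calls through DWORD PTR DS:[EAX+7C] and DS:[EAX+E0] in the listing above are indirect calls through a method table: the callee is only known at run time, which is why stepping over them (F8) looks like "nothing here does networking" while traffic appears between the breakpoints. The script below is an added example (not code from the post or from OpenRCE): it parses the OllyDbg listing quoted in the post, pulls out the import calls, the indirect call sites with their table offsets, and the loop back-edges, and lists the addresses where a breakpoint lets you read the real target from EAX+offset before stepping into it (F7). The listing text is embedded as sample input; the parser assumes Olly's usual column layout (address, bytes, then the instruction after a `|`, `/` or `\` flow marker).

```python
import re

# Sample input: the OllyDbg listing quoted in the post above (raw string so the
# backslashes in Olly's flow markers survive unchanged).
LISTING = r"""
0040D118  |> /68 E8030000   |/PUSH 3E8                                                      ; /Timeout = 1000. ms
0040D11D  |. |FF15 58004200 ||CALL DWORD PTR DS:[<&KERNEL32.Sleep>]                         ; \Some weird stuff here - 3 way handshake after sleep??? and only 1ce..
0040D123  |. |8B03          ||MOV EAX,DWORD PTR DS:[EBX]
0040D125  |. |8D4D 08       ||LEA ECX,DWORD PTR SS:[EBP+8]
0040D128  |. |51            ||PUSH ECX
0040D129  |. |53            ||PUSH EBX
0040D12A     |FF50 7C       ||CALL DWORD PTR DS:[EAX+7C]                                    ;  Funny stuff....system function accessing lifestream.aol.com
0040D12D  |. |66:837D 08 00 ||CMP WORD PTR SS:[EBP+8],0
0040D132  |. |75 1A         ||JNZ SHORT aolsbm_1.0040D14E
0040D134  |. |8B03          ||MOV EAX,DWORD PTR DS:[EBX]
0040D136  |. |8D4D E4       ||LEA ECX,DWORD PTR SS:[EBP-1C]
0040D139  |. |51            ||PUSH ECX
0040D13A  |. |53            ||PUSH EBX
0040D13B  |. |FF90 E0000000 ||CALL DWORD PTR DS:[EAX+E0]
0040D141  |. |837D E4 04    ||CMP DWORD PTR SS:[EBP-1C],4
0040D145  |. |74 07         ||JE SHORT aolsbm_1.0040D14E
0040D147  |. |C745 08 01000>||MOV DWORD PTR SS:[EBP+8],1
0040D14E  |> |FF45 EC       ||INC DWORD PTR SS:[EBP-14]
0040D151  |. |837D EC 28    ||CMP DWORD PTR SS:[EBP-14],28
0040D155  |. |7F 07         ||JG SHORT aolsbm_1.0040D15E
0040D157  |. |66:837D 08 00 ||CMP WORD PTR SS:[EBP+8],0
0040D15C  |.^\75 BA         |\JNZ SHORT aolsbm_1.0040D118
"""

# The instruction is the last "marker + MNEMONIC operands" run before the comment;
# opcode byte groups never match because a '|' marker follows them.
INSTR_RE = re.compile(r'[|/\\]([A-Z][A-Z0-9]*(?:\s+[^;|/\\]*)?)$')
IMPORT_RE = re.compile(r'\[<&([A-Za-z0-9_.]+)>\]')        # DS:[<&KERNEL32.Sleep>]
INDIRECT_RE = re.compile(r'\[(E[A-Z]{2})\+([0-9A-F]+)\]')  # DS:[EAX+7C]
TARGET_RE = re.compile(r'([0-9A-F]{8})$')                  # aolsbm_1.0040D14E
BRANCHES = ('JMP', 'JE', 'JNE', 'JZ', 'JNZ', 'JG', 'JGE', 'JL', 'JLE',
            'JA', 'JAE', 'JB', 'JBE')


def parse_line(line):
    """Return (address, mnemonic, operands, comment) for one Olly line, or None."""
    code, _, comment = line.partition(';')
    code = code.rstrip()
    m = re.match(r'([0-9A-F]{8})\s', code)
    if not m:
        return None
    im = INSTR_RE.search(code[8:])
    if not im:
        return None
    parts = im.group(1).split(None, 1)
    operands = parts[1].strip() if len(parts) > 1 else ''
    return int(m.group(1), 16), parts[0], operands, comment.strip()


def analyse(listing):
    """Summarise where control leaves the visible code and where it loops."""
    report = {'imports': [], 'indirect_calls': [], 'back_edges': [],
              'forward_branches': [], 'loops': []}
    for raw in listing.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        address, mnemonic, operands, _ = parsed
        if mnemonic == 'CALL':
            imp = IMPORT_RE.search(operands)
            ind = INDIRECT_RE.search(operands)
            if imp:
                report['imports'].append((address, imp.group(1)))
            elif ind:  # callee lives in a table; only resolvable at run time
                report['indirect_calls'].append((address, ind.group(1), int(ind.group(2), 16)))
        elif mnemonic in BRANCHES:
            tm = TARGET_RE.search(operands)
            if tm:
                target = int(tm.group(1), 16)
                if target <= address:  # backwards jump: loop back-edge
                    report['back_edges'].append((address, target))
                    report['loops'].append((target, address))
                else:
                    report['forward_branches'].append((address, target))
    return report


def breakpoint_plan(report):
    """Indirect call sites: break here, read [reg+offset], then step into (F7)."""
    return sorted(addr for addr, _, _ in report['indirect_calls'])


if __name__ == '__main__':
    rep = analyse(LISTING)
    for addr, name in rep['imports']:
        print(f'{addr:08X}  import call    {name}')
    for addr, reg, off in rep['indirect_calls']:
        print(f'{addr:08X}  indirect call  [{reg}+{off:X}]  (callee known only at run time)')
    for start, end in rep['loops']:
        print(f'loop {start:08X}..{end:08X}')
    print('breakpoints:', ', '.join(f'{a:08X}' for a in breakpoint_plan(rep)))
```

For this listing the plan is 0040D12A and 0040D13B: at each break, the DWORD at [EAX+7C] or [EAX+E0] is the real callee, and F7 follows it into the object's code instead of skipping it. If that code ends up in a system DLL, a breakpoint on the exported network function it reaches fires in whichever thread actually sends, and Olly's thread window then shows the thread id for that break; that is the direct way to settle the "which thread" question.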

  livedontexist   July 28, 2011 11:51.35 CDT
Please use this post to reply. I apologize for the double post.

Arvind
