Debuggers forum: debug injected process

Topic created on: November 29, 2011 10:56 CST by charlie .

I was debugging a virus which injects into svchost.exe.
I found the PID of the process and attached to it, but OllyDbg is breaking at ntdll.breakpoint.
Does anyone know how to stop at the right point?
Or any other clever way to do this?

The main objective is to see the code of the thread injected into the process.
Thanks in advance
charlie

  djnemo     December 4, 2011 02:34.39 CST
Runtime analysis is not a good idea for this; try IDA Pro or any other disassembler and find the injected function.

  waleedassar     December 10, 2011 14:28.21 CST
I can't say I understand your question quite well. But if the malicious thread is still alive, you should view all threads (View --> Threads) and check each thread's entry point.

Could you elaborate more?

  gebos   December 15, 2011 04:34.18 CST
You can check the address to which the virus will inject its code and change the beginning (entry point) of that injected code to EB FE (save the old bytes), attach yourself to the svchost, go to the address of the injected code, change EB FE back to the old values, place a breakpoint and enjoy.

  waleedassar     December 25, 2011 12:12.25 CST
Is there any physical change to svchost.exe (the file on disk)?
If so, diffing against the original svchost.exe is enough.

Or is the code just injected at runtime, e.g. by calling CreateRemoteThread?
If so, attach to the suspected svchost instance and view all threads. Then you can search each stack for the entry point.

You can also close the suspected svchost.exe instance and restart it in OllyDbg, waiting for any new threads.
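As an added example (not from any poster in this thread), the two analyst checks above modelled in Python: waleedassar's "look at each thread's entry point" becomes a lookup of thread start addresses against the loaded-module ranges, and gebos's EB FE trick becomes a patch/restore of the first two bytes of the injected code. The module map, thread list and code bytes are constructed, not taken from a real svchost.exe.

```python
"""Check thread start addresses against loaded modules, and model the
EB FE spin-loop patch used to freeze injected code until a debugger attaches.
Added example; all data below is constructed, not taken from a real process."""
from bisect import bisect_right

# Constructed module map for a hypothetical 32-bit svchost.exe instance:
# (name, base, size). In practice these come from the debugger's module list.
MODULES = [
    ("svchost.exe",  0x01000000, 0x00008000),
    ("ntdll.dll",    0x7C900000, 0x000B2000),
    ("kernel32.dll", 0x7C800000, 0x000F6000),
]

def module_for(address, modules=MODULES):
    """Return the module whose [base, base+size) range contains address, else None."""
    mods = sorted(modules, key=lambda m: m[1])
    bases = [m[1] for m in mods]
    i = bisect_right(bases, address) - 1
    if i >= 0 and address < mods[i][1] + mods[i][2]:
        return mods[i][0]
    return None

def suspicious_threads(threads, modules=MODULES):
    """Threads (tid, start) whose start address lies outside every loaded module.
    A thread created by CreateRemoteThread on a freshly allocated buffer looks
    exactly like this; its start address is the place to put the breakpoint."""
    return [(tid, start) for tid, start in threads
            if module_for(start, modules) is None]

# 'jmp $': EB FE jumps to itself, so the thread spins harmlessly at its entry.
SPIN = b"\xEB\xFE"

def patch_entry(image, entry_off):
    """Overwrite the two bytes at entry_off with EB FE; return (patched, saved)."""
    saved = image[entry_off:entry_off + 2]
    if len(saved) != 2:
        raise ValueError("entry offset out of range")
    return image[:entry_off] + SPIN + image[entry_off + 2:], saved

def restore_entry(image, entry_off, saved):
    """Put the original bytes back (after attaching) before setting a real breakpoint."""
    return image[:entry_off] + saved + image[entry_off + 2:]
```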
