
Topic created on: October 3, 2012 11:56 CDT by Imprive .

Hello,

I am a student going for my BS in Network Engineering, and recently at my job I have been getting into malware analysis. Last week I managed to obtain a sample of the recent FBI MoneyPak virus that has been going around. It was in an .exe format, so I figured it would be simple to run it through PEview to see what's up and then a debugger like OllyDbg to look under the hood.

Unfortunately the .exe is a 16-bit DOS executable. I think. When I first opened it with PEview, it only displayed the message "This program cannot be run in DOS mode". So I thought that it must be a packed 32-bit app somehow. But then I tried to run it through OllyDbg, and after about 20 minutes I realized I was looking at NTVDM.exe and something called kernalba (I think it's actually kernalbase, but for some reason OllyDbg only showed kernalba), not the actual program.

Then I tried a short dynamic analysis to see what ran, and sure enough NTVDM.exe ran. I didn't see anything else so I wiped the computer and started over.

So now I know I have a 16-bit DOS exe that I need to debug, and I am looking for a debugger program. I heard that the IDA trial won't let me debug 16-bit, and I have no clue what command I use to load this file into GRDB or even debug.exe.

Do any of you guys know of a place that has GRDB or debug.exe tutorials? Or of a GUI 16-bit debugger?

Thanks,
Imprive
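Added example, not code from the thread: a small Python check that tells a plain 16-bit DOS executable apart from a PE file that merely carries a DOS stub (the stub is what holds the "This program cannot be run in DOS mode" string), by reading the MZ header and looking for the "PE\0\0" signature at e_lfanew. The sample files are constructed inline, so it runs offline.

```python
"""Added check: is an MZ-headed file a plain 16-bit DOS executable, or a PE with a DOS stub?"""
import struct
import sys

def classify_mz(data: bytes) -> dict:
    """Parse the MZ header and report whether a PE header follows it."""
    if len(data) < 0x40 or data[:2] not in (b"MZ", b"ZM"):
        return {"format": "not-mz"}  # .COM files and non-DOS formats have no MZ header
    # e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    f = struct.unpack_from("<13H", data, 2)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info = {
        "format": "dos-mz",
        "header_bytes": f[3] * 16,              # e_cparhdr is counted in 16-byte paragraphs
        "entry": "%04X:%04X" % (f[10], f[9]),   # initial CS:IP, relative to the load segment
        "e_lfanew": e_lfanew,
    }
    # In a PE file the MZ header is only a stub; e_lfanew points at the "PE\0\0" signature.
    if 0x40 <= e_lfanew <= len(data) - 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        info["format"] = "pe"
        info["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return info

def build_dos_exe() -> bytes:
    """Constructed sample: 64-byte MZ header followed by 'mov ah,4Ch; int 21h' (DOS exit)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, 8, 4)          # e_cparhdr = 4 paragraphs = 64 bytes
    return bytes(hdr) + b"\xB4\x4C\xCD\x21"

def build_pe_stub() -> bytes:
    """Constructed sample: DOS stub carrying the familiar message, then a minimal PE signature."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<H", stub, 8, 4)
    struct.pack_into("<I", stub, 0x3C, 0x80)   # e_lfanew -> PE header right after the stub
    msg = b"This program cannot be run in DOS mode."
    stub[0x40:0x40 + len(msg)] = msg
    return bytes(stub) + b"PE\0\0" + struct.pack("<H", 0x14C)  # IMAGE_FILE_MACHINE_I386

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(classify_mz(fh.read()))
    else:
        print(classify_mz(build_dos_exe()))
        print(classify_mz(build_pe_stub()))
```

Run it with a file path to classify that file; a "dos-mz" result means NTVDM (or a DOS debugger such as debug.exe or GRDB) is the right host, while "pe" means a Win32 debugger applies.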

  anonymouse     October 4, 2012 04:21.42 CDT
> I have no clue what command I use to load this file into GRDB or even debug.exe

Ugh.
So what did you try? Didn't you even try doing grdb yourapp.ext? The most common way for anyone who has tapped a computer keyboard a few times.

Didn't that produce any results whatsoever?

I find that very hard to believe for someone going into a BS in engineering.

Or the way you state your problem is .............

To load an exe / com into grdb you need to do

grdb foo.com

C:\>cd %userprofile%\my*\gr*

C:\Documents and Settings\Admin\My Documents\grdbdl96>GRDB.EXE lr.com

Get Real Debugger Version 9.6  Copyright (c) 1997-2009 David Lindauer (LADSoft)
GRDB comes with ABSOLUTELY NO WARRANTY, for details type `?g'
This is free software, and you are welcome to redistribute it
under certain conditions; type `?gr' for details

DPMI Start code hooked
History enabled
eax:00000000 ebx:00000000 ecx:0000A900 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:00000100 flag:00000202 NV UP EI PL NZ NA PO NC
ds:1EE8 es:1EE8 fs:1EE8 gs:1EE8 ss:1EE8 cs:1EE8
1EE8:0100 E9 D9 71       jmp          72DC
Size: 0000A900
->t

eax:00000000 ebx:00000000 ecx:0000A900 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:000072DC flag:000B3202 NV UP EI PL NZ NA PO NC
ds:1EE8 es:1EE8 fs:1EE8 gs:1EE8 ss:1EE8 cs:1EE8
1EE8:72DC E8 61 36       call         A940
->
C:\DOCUME~1\Admin\MYDOCU~1\grdbdl96>debug lr.com
-u
149A:0100 E9D971        JMP     72DC
149A:0103 B80000        MOV     AX,0000
149A:0106 E8BF71        CALL    72C8
149A:0109 C60672AA0F    MOV     BYTE PTR [AA72],0F
149A:010E C70670AA0000  MOV     WORD PTR [AA70],0000
149A:0114 E8EA69        CALL    6B01
149A:0117 85C0          TEST    AX,AX
149A:0119 7509          JNZ     0124
149A:011B C70670AA0100  MOV     WORD PTR [AA70],0001

Something that is nearest to a GUI is TD, Turbo Debugger, from the old Borland (a DOS console-based GUI).

OllyDbg's UI is based on TD.

An output of the same com file executed in Borland TD:

Turbo Debugger Log
CPU Pentium Pro
  cs:0100 E9D971         jmp    72DC           
  cs:0103 B80000         mov    ax,0000        
  cs:0106 E8BF71         call   72C8            
  cs:0109 C60672AA0F     mov    byte ptr [AA72],
  cs:010E C70670AA0000   mov    word ptr [AA70],
  cs:0114 E8EA69         call   6B01            
  cs:0117 85C0           test   ax,ax          
  cs:0119 7509           jne    0124            
  cs:011B C70670AA0100   mov    word ptr [AA70],
  cs:0121 E95C01         jmp    0280            
  cs:0124 E8D45E         call   5FFB            
  cs:0127 E8C85C         call   5DF2            
  cs:012A A36EAA         mov    [AA6E],ax      
An output of TD, the Borland DOS GUI debugger, debugging a com file:
CPU Pentium Pro
  cs:A940 BF8000         mov    di,0080        
  cs:A943 BE80A9         mov    si,A980        
  cs:A946 89F9           mov    cx,di          
  cs:A948 FC             cld                    
  cs:A949 F3A4           rep movsb              
  cs:A94B E80400         call   A952            
  cs:A94E BD0000         mov    bp,0000        
  cs:A951 C3             ret                    
  cs:A952 B84000         mov    ax,0040        
  cs:A955 8EC0           mov    es,ax          
  cs:A957 BF6C00         mov    di,006C        
  cs:A95A 268A1D         mov    bl,es:[di]      
  cs:A95D 263A1D         cmp    bl,es:[di]      
Execution history
1AA3:A94E: mov    bp,0000                  
1AA3:A951: ret                              
1AA3:72DF: test   bp,bp                    
1AA3:72E1: jne    72E5                      
1AA3:72E3: mov    bp,ds                    
1AA3:72E5: mov    cs:[72DA],ds              

  Imprive   October 4, 2012 11:13.17 CDT
Wow, my first post on these forums and I can already feel the love and sense of community...

Of course I tried that, it was the first thing I tried! It's not like I've never seen a CLI before.

I cd'ed into the directory that held my file, and typed
"debug [filename]" and it simply said "file not found". Same thing with GRDB! I've tried to move the file to the C:\, no luck either.

Also, I think Borland got rid of their old software on their site. I couldn't find the museum.

I did find a program with a GUI called Open Watcom, but I don't think it works: everything is just zeros except for the first line, and when I try to step through it, that goes to all zeros as well.

It COULD be that I am wrong once again, or this thing is obfuscated beyond belief, I really have no clue at this point in time.

  NickyBlue     October 4, 2012 12:41.56 CDT
Why try a 16-bit DOS file? Why not try something from the current time? Anyway, if you really have to, then try Sourcer from VCOMM.

It's a commenting disassembler and can dissect it with comments, but I've seen that in DOS times it tended to generate garbage on complicated files. But there is a newer version for 32-bit which you can use; it might be better! Hope it is backward compatible. Usually people like them do.

And if you wanna try debug.exe, then type the extension as well as the filename on the command line.

ex: debug filename.exe

Then type ? to get help once it is loaded, at its "-" prompt. It will list the commands it supports. They are not that hard to understand. But it'll just give you disassembly. No comments. So better have Ralf Brown's Interrupt List handy by your side. Have fun disassembling .... :)

DarkAvenger

  Imprive   October 4, 2012 13:26.53 CDT
Hi Nicky,
Thanks for the tip I will try Sourcer.

Like I stated up above, this is a sample of the FBI MoneyPak malware that has been going around. It IS current time, but it appears that these crafty malware authors decided to put their program into a 16-bit app; I'm not sure if the app unpacks the actual program or what, and that's what I am trying to figure out.

That command for debug does not work, please see my post above.

Thanks for replying,
Imprive

  NickyBlue     October 4, 2012 13:55.54 CDT
For debug to work, type the complete "file name + its extension" on the command line after typing "debug". And make sure you are in the directory where the file resides, or else type it with the complete path.

Such as:

debug filename.exe

or

debug filename.com

Got it! Otherwise it won't load it and will give you a "File not found" error.

Yours, Nicky

  anonymouse     October 5, 2012 00:21.08 CDT
> Imprive: Wow, my first post on these forums and I can already feel the love and sense of community...

Oh, first impressions do matter :) The way you posed your query drew the response that it deserved :)

> It COULD be that I am wrong once again, or this thing is obfuscated beyond belief, I really have no clue at this point in time.

Well then, the crudest method is the most elegant method: load the crap in a simple binary file editor and start parsing it manually as if it is a black-box dumped bin file with neither a header nor trailers.
Have a scratchpad and start making notes.
Have the internet ready to search for anything that might look like a hint.

The more you stare at it, the more patterns will start to emerge. Haven't you heard the story where ten blind souls describe an elephant?


'T was six men of Indostan
To learning much inclined,
Who went to see the Elephant
(Though all of them were blind),
That each by observation
Might satisfy his mind.

ii.

The First approached the Elephant,
And happening to fall
Against his broad and sturdy side,
At once began to bawl:
"God bless me!—but the Elephant
Is very like a wall!"

iii.

The Second, feeling of the tusk,
Cried: "Ho!—what have we here
So very round and smooth and sharp?
To me 't is mighty clear
This wonder of an Elephant
Is very like a spear!"

iv.

The Third approached the animal,
And happening to take
The squirming trunk within his hands,
Thus boldly up and spake:

"I see," quoth he, "the Elephant
Is very like a snake!"

v.

The Fourth reached out his eager hand,
And felt about the knee.
"What most this wondrous beast is like
Is mighty plain," quoth he;
"'T is clear enough the Elephant
Is very like a tree!"

vi.

The Fifth, who chanced to touch the ear,
Said: "E'en the blindest man
Can tell what this resembles most;
Deny the fact who can,
This marvel of an Elephant
Is very like a fan!"

vii.

The Sixth no sooner had begun
About the beast to grope,
Than, seizing on the swinging tail
That fell within his scope,
"I see," quoth he, "the Elephant
Is very like a rope!"

viii.

And so these men of Indostan
Disputed loud and long,
Each in his own opinion
Exceeding stiff and strong,
Though each was partly in the right,
And all were in the wrong!

moral.

So, oft in theologic wars
The disputants, I ween,
Rail on in utter ignorance
Of what each other mean,
And prate about an Elephant
Not one of them has seen!



“We have to remember that what we observe is not nature in itself, but nature exposed to our method of questioning.” -Werner Heisenberg


So if you can share the binary, zip it, password it and upload it to some forum like woodmann.com or a malware-analysing forum,

so some other blind man can feel the trunk and proclaim it to be a tree.

Else post the MD5, SHA1 and SHA256 digests of the app,
so that some deaf person can try comparing it with some collector's
jar like openmalware.com, and google for pre-existing analysis, if any.
