Flag: Tornado! Hurricane!

 Forums >>  Target Specific - General  >>  Unpacked [RESOLVED]

Topic created on: October 24, 2012 11:42 CDT by legola .

Hi guy,
i have a question for experienced malware reverser.
I'm newbie of reversing and i'm in trouble with an executable written in VB6 and obfuscated.

  waleedassar     October 24, 2012 13:13.18 CDT
I have seen some RunPE malware samples that don't use the "CreateProcessA/W" functions for spawning the suspended child process, they call the "CreateProcessInternalA/W" functions instead. Similarly for the "WriteProcessMemory", they use the ntdll "ZwWriteVirtualMemory" function.

This is why if you place your breakpoint on CreateProcessW, it will never get hit.

One very common thing between RunPE malware is that they all call the "ZwResumeThread" function at the final step. Try to place the BP there.

I wrote something about that a while ago. You can find it here:
http://waleedassar.blogspot.com/2012/03/visual-basic-malware-part-1.html

  legola     October 25, 2012 05:55.13 CDT
Hi, thank thank you for your reply.

  waleedassar     October 25, 2012 13:48.17 CDT
I quickly analyzed it and found that it is a typical RunPE piece of malware.

Using my OllyVB OllyDbg plugin to find the DllFunctionCall calls, i found that it has only 5 calls (RegCreateKeyExA, RegSetValueExA, GetProcAddress, LoadLibraryA, and RtlMoveMemory). Amony them, only GetProcAddress and LoadLibraryA are of interest.

I placed BPs on LoadLibraryA and GetProcAddress to know which functions are being used.
Among the functions i found are:
1) GetModuleFileNameW and CreateProcessW.
The two functions are used by the process to spawn a copy of itself in a suspended state. Similar to this in C.
wchar_t path[MAX_PATH]={0};
GetModuleFileNameW(0,path,MAX_PATH*2);
PROCESS_INFORMATION PI;
STARTUPINFO SI={sizeof(SI)};
CreateProcessW(0,path,0,0,FALSE,CREATE_SUSPENDED,0,0,&SI,&PI);
At this point, we have another process in suspended state.

2) NtUnmapViewOfSection, VirtualAllocEx, and WriteProcessMemory.

NtUnmapViewOfSection(PI.hProcess,0x400000); //0x400000 is the ImageBase of the new spawned process.
pNew=VirtualAllocEx(PI.hProcess,0x400000,0x10000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); //Remember this.
WriteProcessMemory(PI.hProcess,0x400000,pNewImageHeader,0x400,0);
WriteProcessMemory(PI.hProcess,0x401000,pFirstSection,0x1800,0);
WriteProcessMemory(PI.hProcess,0x403000,pSecondSection,0x800,0);
WriteProcessMemory(PI.hProcess,0x404000,pThirdSection,0x200,0);
WriteProcessMemory(PI.hProcess,0x40F000,pFourthSection,0xC00,0);
This unmaps the original image off the new process address space. VirtualAllocEx is then called to allocate memory into the new process in place of the unmapped image. WriteProcessMemory is then used to copy the decrypted code to the new process.

3) GetThreadContext, SetThreadContext, and ResumeThread
CONTEXT CTX={CONTEXT_FULL};
GetThreadContext(&CTX);
CTX.EAX=NewEntryPointInRemoteProcess; //At offset 0xB0 from the start of the CONTEXT structure
SetThreadContext(&CTX); //sets the new entry point
ResumeThread(PI.hThread);

This retrieves the CONTEXT of the new suspended thread, sets a new entry point via changing value of EAX in the CONTEXT structure, flushes the CONTEXT structure back to the new process.
Once we are at the breakpoint on ResumeThread, we have a fully functioning process that is ready to harm.

Now, all you have to do is dump it using any memory dumping tool. Personally, i prefer VSD (Virtual Section Dumper)

Given the parameters passed to VirtualAllocEx, we can use VSD to dump the new image starting from 0x400000 with size 0x10000.

Now, we have the dumped file on disk say dump.exe, what is left is to fix that dump file as follows:
1) Fix the section table. Merge all sections into one big section.
2) Fix the EntryPoint.--> (Value of Eax of the  CONTEXT structure passed to SetThreadContext) minus 0x400000
Done.

OllyVB can be found at:
http://code.google.com/p/myollyplugins/downloads/detail?name=OllyVB.dll
VSD can be found at:
http://code.google.com/p/virtualsectiondumper/

  legola     October 26, 2012 13:45.07 CDT
Very very useful.  Thank you .

ps: i already use OllyVB :)

Note: Registration is required to post to the forums.

There are 31,054 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit