Author: apridgen
Created: Tuesday, May 6 2008 16:06.06 CDT

Basic tutorial about how to dump a process and update the IAT using Immunity Debug, LordPE, and ImpRec
AKA: Dumping RBot.clj to a usable binary for analysis

This tutorial is quick, and mostly exists so I can remember how to use PE Dumper,
LordPE, and then ImpRec.  This work is not any type of new hotness.  There is
actually a tutorial similar to this one [1], but it lacked the details I needed
to dump and convert the file into a usable executable, so I am writing this one.

What you will need:
1) Immunity Debug:  http://debugger.immunityinc.com/register.html
2) PE Dumper:  http://www.woodmann.com/collaborative/tools/index.php/PE_Dumper
3) LordPE:  http://www.woodmann.com/collaborative/tools/index.php/LordPE
4) ImpRec:  http://www.woodmann.com/collaborative/tools/index.php/ImpREC
5) An account on Offensive Computing to get the sample:  http://offensivecomputing.net


Once you have your Offensive Computing account, perform a search for the following
malware md5sum:

59c661ba0c7c485f4480f7b142a9c084

Save the file to disk and unzip the archive, supplying the archive password.

Make sure PE Dumper is installed in the Immunity Debugger directory: start Immunity
Debugger and check the Plugins menu for "OllyDbg PE Dumper".  If it is not there, make sure
the plugin is in the right directory, for example:

C:\Program Files\Immunity Inc\Immunity Debugger


Step 0: Unpack the Malware

Moving forward, do File->Open and select the malware.exe.  First we need to unpack
the binary; Evilcodecave's blog was helpful here [2].  We will start by searching for a
sequence of commands: right-click in the CPU window,
"Search for.."->"Sequence of Commands" (or Ctrl+S), and type in

POPAD<enter>
POPFD<enter>

These two instructions reverse the PUSHFD and PUSHAD you should have seen when Immunity Debugger
first started and attached to the program.  Now press the down arrow until you get to the 'jmp'
instruction.  Press <F9>, and the program should stop execution on this instruction.

Now hit <enter> to go to the next instruction; this does not execute the instruction,
but it moves the view down to the next instruction.  Now hit <Ctrl-A>, which will
analyze the data and treat it as code.  It was not treated as code previously because, before
the unpacker ran, this region was all data; when the unpacker executed, the code was written to these memory locations.

We still need to let the program execute a little more before we can dump it (did you notice
the PUSHAD we landed on?).  Scroll down a little bit (Page Down 5 times) and place a breakpoint
on the 'jmp' instruction (address 0x004DCA84).  If you look up a little bit, you'll notice the
matching POPAD ;).  Press <F9> again, and execution should stop at this instruction.  Hit <F7>, and now
we are at the OEP of our binary, so it is time to dump it.



Step 2: Dump the Process
In Immunity Debug go to PE Dumper: Plugins->"OllyDbg PE Dumper"->"Make Dump of Process"

1) Make sure your target process is selected.
2) Click "Get EIP as OEP"
3) Put a check mark in "Fix Raw sizes"
4) Put a check mark in "Make header size 0x1000"
5) Click the Dump button and save the file.
6) Leave the process paused.



Step 3: Rebuild the PE Image with LordPE
1) Start LordPE
2) Click the Options button and put a check mark next to "Full Dump: rebuild image"
3) Click the "Rebuild PE" button and select the file that was just saved in the previous step.
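To make concrete what the "Fix Raw sizes" and "Make header size 0x1000" options in Step 2 (and LordPE's "rebuild image" in Step 3) do to the dumped file, here is an added example; it is not code from the original post, nor from PE Dumper or LordPE. A process dump is laid out at virtual offsets, so each section's raw (file) offset and size are rewritten to equal its virtual address and virtual size, SizeOfHeaders is set to 0x1000, and the entry point is pointed at the OEP from Step 0. The sample image it operates on is constructed inline (two sections named UPX0/UPX1 with zeroed raw fields, as a packer leaves them); the image base 0x00400000 and OEP RVA 0x0001A4E3 are the tutorial's values.

```python
"""
Added example, not code from the original post or from PE Dumper/LordPE:
rewrites the PE headers of a process dump so the file loads from its
virtual layout (what "Fix Raw sizes" / "Make header size 0x1000" and
"rebuild image" amount to).  Standard library only.
"""
import struct

IMAGE_BASE = 0x00400000   # image base given in the tutorial
OEP_RVA = 0x0001A4E3      # 0x0041A4E3 - image base (Step 4)
HEADER_SIZE = 0x1000      # "Make header size 0x1000"


def _align(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def build_dump_image(sections, image_base=IMAGE_BASE):
    """Construct a minimal PE32 image at its virtual layout (constructed test
    input, not a real sample).  `sections` is a list of (name, VA, VirtualSize).
    Raw size/offset are left at 0, as a packer commonly leaves them for the
    section it unpacks into; the entry point still points at the packer stub."""
    last_va, last_size = sections[-1][1], sections[-1][2]
    buf = bytearray(_align(last_va + last_size, 0x1000))
    buf[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    file_hdr = e_lfanew + 4
    # IMAGE_FILE_HEADER: i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, file_hdr, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = file_hdr + 20
    struct.pack_into("<H", buf, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", buf, opt + 16, sections[-1][1])        # AddressOfEntryPoint = packer stub
    struct.pack_into("<I", buf, opt + 28, image_base)             # ImageBase
    struct.pack_into("<II", buf, opt + 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", buf, opt + 56, len(buf), 0x400)       # SizeOfImage, SizeOfHeaders (stale)
    sec_tbl = opt + 0xE0
    for i, (name, va, vsize) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", buf, sec_tbl + i * 40,
                         name.encode().ljust(8, b"\0"), vsize, va, 0, 0, 0, 0, 0, 0, 0x60000020)
        buf[va:va + vsize] = b"\xCC" * vsize                      # stand-in for the unpacked bytes
    return bytes(buf)


def _locate(image):
    """Offsets of the optional header and section table, plus section count."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    file_hdr = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt = file_hdr + 20
    return opt, opt + opt_size, nsec


def read_headers(image):
    """The fields the dump tools touch: entry point, SizeOfHeaders and, per
    section, (name, VA, VirtualSize, PointerToRawData, SizeOfRawData)."""
    opt, sec_tbl, nsec = _locate(image)
    sections = []
    for i in range(nsec):
        off = sec_tbl + i * 40
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((image[off:off + 8].rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return {"entry_point": struct.unpack_from("<I", image, opt + 16)[0],
            "size_of_headers": struct.unpack_from("<I", image, opt + 60)[0],
            "sections": sections}


def fix_dump_headers(image, oep_rva, header_size=HEADER_SIZE):
    """Rewrite the dump's headers so the file loads from its virtual layout."""
    buf = bytearray(image)
    opt, sec_tbl, nsec = _locate(buf)
    struct.pack_into("<I", buf, opt + 16, oep_rva)        # "Fix EP to OEP"
    struct.pack_into("<I", buf, opt + 36, header_size)    # FileAlignment, consistent with raw == virtual
    struct.pack_into("<I", buf, opt + 60, header_size)    # SizeOfHeaders ("Make header size 0x1000")
    for i in range(nsec):
        off = sec_tbl + i * 40
        vsize, va = struct.unpack_from("<II", buf, off + 8)
        # "Fix Raw sizes": SizeOfRawData = VirtualSize rounded up, PointerToRawData = VA
        struct.pack_into("<II", buf, off + 16, _align(vsize, header_size), va)
    return bytes(buf)


if __name__ == "__main__":
    dump = build_dump_image([("UPX0", 0x1000, 0x22000), ("UPX1", 0x23000, 0x2000)])
    for label, img in (("before", dump), ("after", fix_dump_headers(dump, OEP_RVA))):
        hdr = read_headers(img)
        print("%s: EP=0x%08X SizeOfHeaders=0x%X" % (label, hdr["entry_point"], hdr["size_of_headers"]))
        for name, va, vsize, rptr, rsize in hdr["sections"]:
            print("  %-6s VA=0x%06X VSize=0x%06X RawPtr=0x%06X RawSize=0x%06X" % (name, va, vsize, rptr, rsize))
```

Running it prints the section table before and after the fix: before, both sections have a raw pointer and raw size of 0 and the entry point is the packer stub in UPX1; after, every section's raw fields mirror its virtual fields and the entry point is the OEP. The imports still point at the live process's resolved addresses, which is why Step 4 is needed.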



Step 4: Rebuild the IAT with ImpRec
Note:  Identifying the IAT can be tricky, but in this case I simply looked at the address of a
function call to a known Windows API and jumped to that address.  Immunity Debug should resolve
the names of such calls, so they should be pretty easy to spot in the CPU window.  Look for

CALL DWORD PTR DS:[42319C]               ;  kernel32.GetVersion

In the dump window, go to the expression (Ctrl+G) 0x42319C.  Make sure the data is being viewed as
Long Addresses (right-click in the Dump window -> Long -> Addresses).  Scroll up until the first import
can be seen.  Now open ImpRec.

1)  Select the target process that was opened in the first step.
2)  Click on Options and check the "Import All By Ordinal," "Rebuild Original FT,"
"Fix EP to OEP," and "Create New IAT" checkboxes.
3)  Under the "RVAS Infos Needed" Section, enter the RVA of the program's IAT and OEP:
    Address of the IAT - Image Base, in this case 0x00423000 - 0x00400000 = 0x00023000
    Address of the EIP - Image Base, in this case 0x0041A4E3 - 0x00400000 = 0x0001A4E3
4)  Hit the Get Imports button.
5)  Click "Show Invalid," and remove anything that is invalid by
right-clicking in the window -> Cut Thunks.
6)  Check "Add New Section".
7)  Click on Fix Dump and select the previously saved file.
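The "scroll up until you see 00000000" search in the note above, and the VA-minus-image-base arithmetic in item 3, can be done over the dumped file instead of by eye. The following is an added example, not code from the original post or from ImpRec: given a dump laid out at virtual offsets (what Steps 2-3 produce), the image base, and the slot address seen in a resolved CALL DWORD PTR DS:[...], it walks the table of 4-byte pointers outwards to the point where the entries stop being resolved DLL addresses and returns the start RVA and size ImpRec asks for. The image and the DLL address ranges are constructed inline (in a real case the ranges come from the debugger's memory map); the image base, OEP and the 0x42319C slot are the tutorial's values.

```python
"""
Added example, not code from the original post or from ImpRec: locate the
IAT of a dumped image from one known import slot and compute the RVAs that
ImpRec's OEP and RVA boxes want.  Standard library only.
"""
import struct

IMAGE_BASE = 0x00400000          # image base given in the tutorial
OEP_VA = 0x0041A4E3              # EIP after the F7 at the end of Step 0
KNOWN_SLOT_VA = 0x0042319C       # CALL DWORD PTR DS:[42319C] ; kernel32.GetVersion

# Constructed module ranges standing in for the debugger's memory map;
# with a real dump these come from the analysed process.
MODULE_RANGES = [
    ("kernel32.dll", 0x7C800000, 0x7C8F6000),
    ("user32.dll",   0x7E410000, 0x7E4A1000),
]


def va_to_rva(va, image_base=IMAGE_BASE):
    """What the OEP/RVA boxes in ImpRec take: virtual address minus image base."""
    if va < image_base:
        raise ValueError("address 0x%08X is below the image base" % va)
    return va - image_base


def _is_thunk(value, modules):
    return any(lo <= value < hi for _, lo, hi in modules)


def find_iat(image, slot_va, image_base=IMAGE_BASE, modules=MODULE_RANGES):
    """Walk the DWORD table containing `slot_va` out to both edges.

    A slot belongs to the IAT if it holds a resolved pointer into a loaded
    module, or is the zero that terminates one DLL's block (a zero directly
    after a pointer).  The first zero that is *not* preceded by a pointer is
    the "00000000 with no more <DLL>.<Import> above it" the tutorial stops at.
    """
    nwords = len(image) // 4
    words = struct.unpack("<%dI" % nwords, image[:nwords * 4])
    idx = va_to_rva(slot_va, image_base) // 4
    if not _is_thunk(words[idx], modules):
        raise ValueError("slot 0x%08X does not hold a resolved import" % slot_va)

    def in_table(i):
        if _is_thunk(words[i], modules):
            return True
        return words[i] == 0 and i > 0 and _is_thunk(words[i - 1], modules)

    start = idx
    while start > 0 and in_table(start - 1):
        start -= 1
    end = idx
    while end + 1 < nwords and in_table(end + 1):
        end += 1
    rva = start * 4
    return {"iat_va": image_base + rva, "iat_rva": rva, "size": (end - start + 1) * 4}


def build_sample_image():
    """Constructed 0x25000-byte image at its virtual layout: an IAT at RVA
    0x23000 holding a kernel32 block of 120 slots, a terminator, a user32
    block of 30 slots and a terminator, surrounded by unrelated bytes."""
    img = bytearray(b"\x41" * 0x25000)          # filler that is not a module pointer
    table = [0x7C800000 + 0x10 * i for i in range(120)] + [0]
    table += [0x7E410000 + 0x10 * i for i in range(30)] + [0]
    struct.pack_into("<I", img, 0x22FFC, 0)     # the lone zero seen just above the table
    struct.pack_into("<%dI" % len(table), img, 0x23000, *table)
    return bytes(img)


if __name__ == "__main__":
    iat = find_iat(build_sample_image(), KNOWN_SLOT_VA)
    print("OEP RVA : 0x%08X" % va_to_rva(OEP_VA))
    print("IAT VA  : 0x%08X  RVA: 0x%08X  size: 0x%X" % (iat["iat_va"], iat["iat_rva"], iat["size"]))
```

On the constructed image this reports the same numbers as item 3 above (OEP RVA 0x0001A4E3, IAT at 0x00423000, RVA 0x00023000) plus a size of 0x260 covering both DLL blocks and their terminators. The stop rule is deliberately conservative: a run of zero padding before the table, or data that is not a pointer into a loaded module, ends the scan, which is exactly the visual cue the tutorial relies on.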


Final: Test in VMWare.
If it runs without an exception, then you are likely now infected, cheers :)

Conclusion
Like I said, I know this has been done by several folks, but I can never find it when I need it, so
I figured I'd document it once more for good measure.  I hope someone else finds this useful in the
future.  I know I will ;).  Cheers.

1.  MUP With OllyDbg for Really Beginner,
http://www.geocities.com/r_etarded/ollydump/ollydump.html

2.  [Malware] Backdoor.Win32.Rbot.clj Reversing,
http://evilcodecave.wordpress.com/2007/12/01/malware-backdoorwin32rbotclj-reversing/

Blog Comments
apridgen Posted: Thursday, May 15 2008 11:47.08 CDT
Correcting some typos (doh!):

In Step 0,  before hitting <F9>, be sure to put breakpoints on the 'jmp' commands.  Otherwise, the malware will run out of your control.  


Errg, more typos

This time in step 4 under:

3)  Under the "RVAS Infos Needed" Section, enter the RVA of the program's IAT and OEP:
    Address of the IAT - Image Base, in this case 0x00423000 - 0x00400000 = 0x00023000
    Address of the EIP - Image Base, in this case 0x0041A4E3 - 0x00400000 = 0x0001A4E3

should be:

3)  Under the "IAT Infos Needed" Section, enter the RVA of the program's OEP and IAT:
    Enter this in the RVA Box:
         Address of the IAT - Image Base, in this case 0x00423000 - 0x00400000 = 0x00023000
    Enter this in the OEP Box:
         Address of the EIP - Image Base, in this case 0x0041A4E3 - 0x00400000 = 0x0001A4E3

Thanks jpierce :)

apridgen Posted: Thursday, May 15 2008 13:23.57 CDT
Forgot to mention how I found the IAT Offset for ImpRec:

One precondition is the CPU window is in the Malware's code segment (e.g. user space) and it will be an address like 0042****.  

Now, in the CPU window, I perform a search for all intermodular calls.  In the result you should see something like the following in the disassembly:

CALL DWORD PTR DS:[04230BC]

Now go to this address in the dump section of the CPU Window, and change the view to Long->Address with ASCII Dump.  Now Scroll up until you see 00000000, and no more Addresses with <DLL>.<Import>.  The address you come up with should be the address you use for the IAT.


jayanthd Posted: Friday, July 13 2012 12:16.11 CDT
Please send me a copy of LordPE to [email protected] The files at the above links are infected.


