Process Explorer Bug

Topic created on: November 1, 2006 13:31 CST by nezumi.

all hail, how-d'ye-do, guys!
maybe you even know me, I'm the author of
"Hacker Disassembling Uncovered", "Hacker Debugging Uncovered",
"Shellcoder's Programming Uncovered", "Code Optimization" and some other books.

I found a bug in the Process Explorer tool. well, not a bug, a feature :)
Process Explorer tries to determine the start addresses of threads,
but it doesn't always work.

get the file va_thread.c (attached), compile it, run it and see the bug yourself.
Process Explorer correctly determines the start addresses of the first two threads,
but stumbles over the third, created in the malware manner
(it allocates memory on the heap, copies malicious code and calls Create[Remote]Thread).

Process Explorer says the start address of the third thread is
KERNEL32.DLL+B700h, but that's definitely wrong!
the actual start address has to look like 00520000h or somewhere around it.

I don't know how Process Explorer determines the start addresses of threads,
but I found a very simple and quite reliable way to do that.
I noticed that the start address of the thread lies at the bottom
of the user stack, in the second or third dword, followed by lpParameter.
this works under Windows 2000 and Windows Server 2003;
I haven't checked Windows XP yet, but I hope it will be the same.

I wrote a quick and dirty utility, proclist.c, which correctly determines
start addresses in most cases and discovers malware
which allocates memory with VirtualAllocEx to "inject" into a process,
or loads a malicious DLL by creating a remote thread, passing the address
of LoadLibraryA/W and placing the name of the malicious library in lpParameter.

in the first case, the start address of the malicious thread belongs to
a MEM_PRIVATE area (instead of MEM_IMAGE like a normal exe/dll does),
and in the second case the start address matches LoadLibraryA/W.
I checked this method on my malware collection and got good results.

I hope you will find this information useful :-)

with best regards,
kris kaspersky
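The heuristic Kris describes (pull the start address and lpParameter out of the dwords at the base of the thread's user stack, then classify the start address by the type of memory region it falls in, or by comparing it with LoadLibraryA/W), as an added example that is not part of the original post and is not his proclist.c. The Windows-only steps are left out: locating the stack base through the TEB, reading it with ReadProcessMemory, and querying region types with VirtualQueryEx. Instead the stack dwords, the region map and the LoadLibraryA/W addresses are constructed inputs (the slot-0 "return address" of the initial frame is part of that constructed layout, as is the assumption that only the 2nd and 3rd dwords are candidates), so the classification logic runs anywhere:

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MEMORY_BASIC_INFORMATION.Type values as VirtualQueryEx() reports them on
 * Windows (real constants); everything else in this file is constructed. */
#define MEM_PRIVATE 0x00020000u
#define MEM_IMAGE   0x01000000u

typedef struct {
    uint32_t base;      /* 32-bit addresses, as on Windows 2000/2003 x86 */
    uint32_t size;
    uint32_t type;      /* MEM_IMAGE (exe/dll) or MEM_PRIVATE (heap, VirtualAllocEx) */
    const char *name;
} region_t;

typedef enum {
    VERDICT_UNKNOWN = 0,    /* no candidate dword maps to a known region */
    VERDICT_NORMAL,         /* start address inside a MEM_IMAGE region */
    VERDICT_INJECTED_CODE,  /* start address inside a MEM_PRIVATE region */
    VERDICT_REMOTE_LOADLIB  /* start address == LoadLibraryA/W */
} verdict_t;

typedef struct {
    uint32_t start;   /* recovered thread start address */
    uint32_t param;   /* recovered lpParameter */
    int slot;         /* which dword from the stack base held it, -1 if none */
    verdict_t verdict;
} thread_info_t;

static const region_t *find_region(const region_t *r, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= r[i].base && addr - r[i].base < r[i].size)
            return &r[i];
    return NULL;
}

/* stack_bottom[0] is the dword nearest the stack base (highest address),
 * stack_bottom[1] the next one down, and so on. Following the post, the
 * start address is looked for in the 2nd or 3rd dword and the dword right
 * after it is taken as lpParameter. */
static thread_info_t recover_thread(const uint32_t *stack_bottom, size_t ndw,
                                    const region_t *regions, size_t nreg,
                                    uint32_t loadlibrary_a, uint32_t loadlibrary_w)
{
    thread_info_t ti = { 0, 0, -1, VERDICT_UNKNOWN };
    for (size_t i = 1; i <= 2 && i + 1 < ndw; i++) {
        const region_t *r = find_region(regions, nreg, stack_bottom[i]);
        if (r == NULL)
            continue;                 /* not a committed region: keep looking */
        ti.start = stack_bottom[i];
        ti.param = stack_bottom[i + 1];
        ti.slot = (int)i;
        if (ti.start == loadlibrary_a || ti.start == loadlibrary_w)
            ti.verdict = VERDICT_REMOTE_LOADLIB;   /* lpParameter is then the DLL name */
        else if (r->type == MEM_IMAGE)
            ti.verdict = VERDICT_NORMAL;
        else
            ti.verdict = VERDICT_INJECTED_CODE;    /* code living outside any module */
        break;
    }
    return ti;
}

/* Constructed address-space map and export addresses (invented values). */
static const region_t demo_regions[] = {
    { 0x00400000u, 0x00010000u, MEM_IMAGE,   "va_thread.exe" },
    { 0x00520000u, 0x00010000u, MEM_PRIVATE, "heap / VirtualAllocEx" },
    { 0x7C800000u, 0x000F6000u, MEM_IMAGE,   "KERNEL32.DLL" },
};
#define NDEMO (sizeof demo_regions / sizeof demo_regions[0])
#define DEMO_LOADLIBRARYA 0x7C801D7Bu
#define DEMO_LOADLIBRARYW 0x7C80AEEBu

/* Constructed stack bottoms: a normal thread, one started on heap memory,
 * a LoadLibraryA remote thread, and one where nothing matches. Slot 0 is
 * the dummy return address of the initial frame. */
static const uint32_t demo_normal[]   = { 0x00000000u, 0x00401000u, 0x00000000u, 0xCCCCCCCCu };
static const uint32_t demo_injected[] = { 0x00000000u, 0x00520010u, 0x00520100u, 0xCCCCCCCCu };
static const uint32_t demo_loadlib[]  = { 0x00000000u, DEMO_LOADLIBRARYA, 0x00520200u, 0xCCCCCCCCu };
static const uint32_t demo_bogus[]    = { 0xDEADBEEFu, 0x12345678u, 0x00000000u, 0xCCCCCCCCu };

static thread_info_t demo_recover(const uint32_t *stack_bottom)
{
    return recover_thread(stack_bottom, 4, demo_regions, NDEMO,
                          DEMO_LOADLIBRARYA, DEMO_LOADLIBRARYW);
}

static const char *verdict_name(verdict_t v)
{
    static const char *names[] = { "unknown", "normal",
                                   "injected code (MEM_PRIVATE)", "remote LoadLibrary" };
    return names[v];
}

int main(void)
{
    const uint32_t *stacks[] = { demo_normal, demo_injected, demo_loadlib, demo_bogus };
    for (size_t i = 0; i < 4; i++) {
        thread_info_t t = demo_recover(stacks[i]);
        printf("thread %u: start=%08" PRIX32 " param=%08" PRIX32 " slot=%d -> %s\n",
               (unsigned)i, t.start, t.param, t.slot, verdict_name(t.verdict));
    }
    return 0;
}
```

On a live system the region type comes from VirtualQueryEx on the target process and the LoadLibraryA/W addresses from GetProcAddress on kernel32 in the scanning process (same address in every process on these pre-ASLR systems). A MEM_PRIVATE start address is a strong signal but not proof: any legitimately generated code (a JIT, a packer's unpacked stub) starts threads the same way, so the verdict is a lead for a closer look rather than a conviction.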

  sa7ori     November 1, 2006 14:38.38 CST
Kris,
  I posted here about this a while back. Threads seem to actually be aligned about 0x1000 from an offset in the PEB. If you walk through the process space at this interval you can verify that you are at a thread by checking the TIB for a pointer to the PEB base. If it's there, then you are in a thread! Obviously this method goes out the window with ASLR, but what doesn't?

  sa7ori     November 1, 2006 14:42.18 CST
I suppose this information is only really useful to people doing forensic analysis on "dumped" or "snapshotted" processes. I guess it would help reconstruct what the execution environment was like...

  sa7ori     November 1, 2006 14:44.45 CST
> sa7ori: Kris,
>   I posted here about this a while back. Threads seem to actually be aligned

s/Threads/Thread stacks/
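The page walk sa7ori sketches (step through the address space in 0x1000 increments and treat a page as a thread's TIB/TEB if it holds a pointer to the PEB), as an added example that is not from anyone in this thread. It runs over a constructed byte buffer standing in for a dumped 32-bit process, since that is where sa7ori says the trick earns its keep. The field offsets are the x86 TEB ones (NT_TIB.Self at 0x18, ProcessEnvironmentBlock at 0x30); the extra requirement that the Self field point back at the page is my addition to reject pages that merely happen to contain the PEB address, not something the post states:

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE    0x1000u
#define TIB_SELF_OFF 0x18u    /* NT_TIB.Self: a TEB points at itself (x86) */
#define TEB_PEB_OFF  0x30u    /* TEB.ProcessEnvironmentBlock (x86) */

/* A dumped slice of a 32-bit process: contiguous bytes starting at `base`. */
typedef struct {
    uint32_t base;
    const uint8_t *data;
    size_t size;
} snapshot_t;

/* Little-endian 32-bit read; sets *ok = 0 (and returns 0) when out of range. */
static uint32_t rd32(const snapshot_t *s, uint32_t va, int *ok)
{
    if (va < s->base || va - s->base + 4 > s->size) { *ok = 0; return 0; }
    const uint8_t *p = s->data + (va - s->base);
    *ok = 1;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* sa7ori's test (PEB pointer at the TEB offset) plus the Self check. */
static int looks_like_teb(const snapshot_t *s, uint32_t page, uint32_t peb)
{
    int ok_self, ok_peb;
    uint32_t self = rd32(s, page + TIB_SELF_OFF, &ok_self);
    uint32_t pebp = rd32(s, page + TEB_PEB_OFF, &ok_peb);
    return ok_self && ok_peb && pebp == peb && self == page;
}

/* Walk the snapshot one page at a time and collect pages that pass the TEB
 * test. Returns the total found; at most `max` addresses are stored. */
static size_t find_tebs(const snapshot_t *s, uint32_t peb, uint32_t *out, size_t max)
{
    size_t n = 0;
    uint32_t first = (s->base + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    for (uint32_t page = first; page - s->base + PAGE_SIZE <= s->size; page += PAGE_SIZE) {
        if (looks_like_teb(s, page, peb)) {
            if (n < max) out[n] = page;
            n++;
        }
    }
    return n;
}

/* ---- constructed dump (invented addresses) ---- */
#define DEMO_BASE  0x7FFD0000u
#define DEMO_PEB   0x7FFDF000u
#define DEMO_PAGES 4

static void put32(uint8_t *buf, size_t off, uint32_t v)
{
    buf[off] = (uint8_t)v;            buf[off + 1] = (uint8_t)(v >> 8);
    buf[off + 2] = (uint8_t)(v >> 16); buf[off + 3] = (uint8_t)(v >> 24);
}

/* Page 0 and page 2 are TEBs; page 1 is a decoy carrying the PEB pointer
 * but a wrong Self (e.g. a heap block holding a copied pointer); page 3 is
 * zero-filled. */
static void build_demo(uint8_t *buf)
{
    memset(buf, 0, DEMO_PAGES * PAGE_SIZE);
    put32(buf, 0 * PAGE_SIZE + TIB_SELF_OFF, DEMO_BASE + 0 * PAGE_SIZE);
    put32(buf, 0 * PAGE_SIZE + TEB_PEB_OFF,  DEMO_PEB);
    put32(buf, 1 * PAGE_SIZE + TIB_SELF_OFF, 0x41414141u);
    put32(buf, 1 * PAGE_SIZE + TEB_PEB_OFF,  DEMO_PEB);
    put32(buf, 2 * PAGE_SIZE + TIB_SELF_OFF, DEMO_BASE + 2 * PAGE_SIZE);
    put32(buf, 2 * PAGE_SIZE + TEB_PEB_OFF,  DEMO_PEB);
}

/* Scan the constructed dump; returns the number of TEB pages found. */
static size_t demo_scan(uint32_t *out, size_t max)
{
    static uint8_t buf[DEMO_PAGES * PAGE_SIZE];
    build_demo(buf);
    snapshot_t s = { DEMO_BASE, buf, sizeof buf };
    return find_tebs(&s, DEMO_PEB, out, max);
}

static size_t demo_teb_count(void) { uint32_t t[8]; return demo_scan(t, 8); }
static uint32_t demo_teb_at(size_t i)
{
    uint32_t t[8];
    size_t n = demo_scan(t, 8);
    return i < n && i < 8 ? t[i] : 0;
}

int main(void)
{
    uint32_t tebs[8];
    size_t n = demo_scan(tebs, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("TEB candidate at %08" PRIX32 "\n", tebs[i]);
    return 0;
}
```

The PEB address itself has to come from somewhere (on a live process, NtQueryInformationProcess; in a dump, whatever the dump format records). Each TEB found gives the thread's StackBase and StackLimit in the NT_TIB at the start of the page, which is exactly where Kris's stack-base trick above needs to look, so the two heuristics chain naturally when all you have is memory.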

  nezumi     November 1, 2006 14:58.58 CST
sorry, I didn't read your post, I just joined this site.
the method I described is not about the _base_ thread address,
it's about the _real_ _start_ thread address, and this address is quite
different between "normal" and "malicious" threads.
I've never seen a tool able to do that particular thing,
so I decided to post this. sorry if it's an accordion
(in Russian, an "accordion" is a well-known fact that gets posted over and over).

  Piotr     November 3, 2006 12:50.50 CST

I think this is what you have found (in a general way):
http://piotrbania.com/all/anti-dattach2.asm (it was released on 03/09/2005)

have phun.

  McN     December 17, 2009 13:14.46 CST
I'm here, Kris
