 #14995  by Tigzy
 Fri Aug 03, 2012 6:22 am
Thanks EP_X0FF.
My question was more "which tool do you use to disassemble an x64 binary?" :?

Unfortunately, my tool doesn't detect ASLR wiped off on this, I'll try to get further.

EDIT: By copying and analysing the x64 patched file on an x86 box, my tool is able to find the ASLR wiped off.
I then suspect a problem of directory reflection when accessing the file :mrgreen:
 #15000  by nullptr
 Fri Aug 03, 2012 10:38 am
Tigzy wrote: I suspect then a problem of directory reflection when accessing the file :mrgreen:
Replace system32 with sysnative in the file path for a 32-bit app running on x64.
 #15003  by Tigzy
 Fri Aug 03, 2012 3:43 pm
nullptr wrote: Replace system32 with sysnative in the file path for a 32-bit app running on x64.
No, I got a better thing :)
...And I don't think replacing the path is enough.
Accessing some folders with an x86 app triggers automatic reflection.

I do this: http://msdn.microsoft.com/en-us/library ... 85%29.aspx
#include <windows.h>
typedef BOOL (WINAPI *_disableRedir)(PVOID *OldValue);  // signature of Wow64DisableWow64FsRedirection
typedef BOOL (WINAPI *_restorRedir)(PVOID OldValue);    // signature of Wow64RevertWow64FsRedirection
PVOID redi = NULL;                                      // receives the old redirection state, passed back to the revert call
HMODULE hLib = LoadLibrary(L"kernel32.dll");            // both exports are resolved at run time via GetProcAddress
_disableRedir disableRedir = (_disableRedir) GetProcAddress(hLib, "Wow64DisableWow64FsRedirection");
_restorRedir restoreRedir = (_restorRedir) GetProcAddress(hLib, "Wow64RevertWow64FsRedirection");

...
@EP_X0FF

IDA Pro is .... for pros, and kinda expensive.
Hiew is not freeware either... But Hiew is not a disassembler, is it?
 #15005  by Tigzy
 Fri Aug 03, 2012 4:57 pm
Good :)

I had 2 problems:
- File redirection
- Different structure definitions between PE32 and PE32+: http://msdn.microsoft.com/en-us/library ... 85%29.aspx

IMAGE_OPTIONAL_HEADER32 / IMAGE_OPTIONAL_HEADER64
[05:20:0631] Get sections OK ; Section table : 0x1e0 -- 0x800
[05:22:0364] **** Check file c:\windows\system32\services_patchedx64.vir
[05:48:0582] **** Check ASLR : [0x0] c:\windows\system32\services_patchedx64.vir
[05:52:0297] Nb sections : 6
[05:52:0297] Parsing section : [6] .text
[05:52:0297] Parsing section at 0x800
[05:52:0467] Parsing section : [7] .rdata
[05:52:0467] Parsing section at 0x3d400
[05:52:0497] Parsing section : [6] .data
[05:52:0497] Parsing section at 0x47000
[05:52:0507] Parsing section : [7] .pdata
[05:52:0507] Parsing section at 0x48800
[05:52:0517] Parsing section : [6] .rsrc
[05:52:0517] Parsing section at 0x4b400
[05:52:0527] Parsing section : [7] .reloc
[05:52:0527] Parsing section at 0x50000
[05:52:0527] Found signature at 0x89 : 0x5a 0x77 0x51 0x75 0x65 0x72 0x79 0x45 0x61 0x46 0x69 0x6c 0x65
[05:57:0444] **** Found Sign ZeroAccess
Off-topic ending, sorry for this :|
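The second problem in the post above, choosing the right optional-header layout before reading the ASLR flag, as an added example that is not Tigzy's tool or code from the thread: a small portable C parser that selects IMAGE_OPTIONAL_HEADER32 or IMAGE_OPTIONAL_HEADER64 from the Magic field, reads the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (the "ASLR wiped off" check) plus the ImageBase and section-table offset, and runs on a constructed header rather than a real file. The Wow64DisableWow64FsRedirection part is left out because it needs Windows; the field offsets and the 0x10B/0x20B magic values are from the PE format itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040   /* ASLR opt-in bit in DllCharacteristics */

typedef struct { int is64, aslr, nsections; uint32_t section_table; uint64_t image_base; } pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Parse just enough of a PE header to answer the ASLR question for PE32 and PE32+.
 * Returns 0 on success, -1 if the buffer is not a well-formed PE header. */
int pe_check_aslr(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                 /* "MZ" */
    uint32_t pe = rd32(buf + 0x3C);                                   /* e_lfanew */
    if (pe > len - 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *fh = buf + pe + 4, *oh = fh + 20;                  /* IMAGE_FILE_HEADER, then IMAGE_OPTIONAL_HEADER */
    uint16_t opt_size = rd16(fh + 16);                                /* SizeOfOptionalHeader */
    if (opt_size < 96 || pe + 24 + (size_t)opt_size > len) return -1;
    switch (rd16(oh)) {                                               /* Magic decides which struct applies */
    case 0x10B: out->is64 = 0; out->image_base = rd32(oh + 28); break;   /* PE32: 4-byte ImageBase after BaseOfData */
    case 0x20B: out->is64 = 1; out->image_base = rd64(oh + 24); break;   /* PE32+: 8-byte ImageBase, no BaseOfData */
    default: return -1;
    }
    out->aslr = (rd16(oh + 70) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;  /* DllCharacteristics is at +70 in both */
    out->nsections = rd16(fh + 2);                                    /* NumberOfSections */
    out->section_table = pe + 24 + opt_size;                          /* section table follows the optional header */
    return 0;
}

/* Constructed sample (not a real binary): a bare PE32 or PE32+ header, with or without DYNAMIC_BASE. */
size_t build_sample(uint8_t *buf, int is64, int aslr)
{
    const uint32_t pe = 0x80;
    const uint16_t opt_size = is64 ? 0xF0 : 0xE0;                     /* sizeof IMAGE_OPTIONAL_HEADER64 / 32 */
    uint8_t *oh = buf + pe + 24;
    memset(buf, 0, 0x300);
    memcpy(buf, "MZ", 2); buf[0x3C] = (uint8_t)pe; memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 4] = is64 ? 0x64 : 0x4C; buf[pe + 5] = is64 ? 0x86 : 0x01;   /* Machine: AMD64 / I386 */
    buf[pe + 6] = 6;                                                      /* NumberOfSections */
    buf[pe + 20] = (uint8_t)opt_size;                                     /* SizeOfOptionalHeader */
    oh[0] = 0x0B; oh[1] = is64 ? 0x02 : 0x01;                             /* Magic 0x20B / 0x10B */
    if (is64) { oh[27] = 0x40; oh[28] = 0x01; }                           /* ImageBase 0x140000000 (8 bytes at +24) */
    else oh[31] = 0x40;                                                   /* ImageBase 0x40000000 (4 bytes at +28) */
    oh[70] = aslr ? 0x40 : 0x00;                                          /* DllCharacteristics: DYNAMIC_BASE or wiped */
    return pe + 24 + opt_size + 6 * 40;                                   /* header through the section table */
}
```

A patched image like the one in the log above would show up as a parse success with `aslr == 0`, while a bad Magic or a file that is not a PE image returns -1 rather than a misleading answer.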