A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #33218  by null_wave
 Wed Oct 23, 2019 2:24 pm
Are there any good ways of dealing with analyzing malware that's jumps between different threads. I've been looking at a ransomware sample that has some network traffic that I'm interested in. I've made it to the breakpoints on the network calls but as I'm stepping though it seems to be jumping from thread to thread or if I hit a breakpoint some of the data will change. I assume this is from another thread making some changes. Oh and I'm using x32dbg.

 #33238  by R136a1
 Mon Oct 28, 2019 9:04 am
To get full control over the process you can set breakpoints on all thread entry points. Another idea would be to search for the creation of all threads (CreateThread, beginthread, ...) and modify it to CREATE_SUSPENDED for those not wanted to be run during analysis. But that may break execution of the whole program, it depends. It might be difficult overall, depends if the ransomware is properly coded with correct thread synchronisation. Don't forget that the program's main function is also a thread and if you have just one more thread being created it might jump between those two.