[jumbofreak]

I was wondering if any one has any links or sources where they have got some material about debugging at runtime.
I'm using ollydbg for my analysis

To be specific -
I was analyzing a malware which kills all process except few common ones like explorer, cmd.exe etc, I wanted to find the code or thread where it is monitoring what new process user runs, i want to know the tips to add breakpoint to correct location so that i find the right code.


Thanks

[EP_X0FF]

To be specific -
I was analyzing a malware

Which one? Attach it here please.

[jumbofreak]

there you go, attahced

[jumbofreak]

malware takes couple of mins to run, you will see a pop up after couple of mins.

[EP_X0FF]

Set break on NtFreeVirtualMemory. Once it called first time, dump memory address it tried to free. Inside will be fakeAV compressed with PECompact. Remove PECompact using any tutorial and inspect fakeAV body. Most of strings inside additionally encrypted. On a unpacked exe set breaks on Process32Next and lstrcmpiA. This (in theory) will reveal fakeAV blacklist. Patch TerminateProcess with return true, so fakeAV will always think operation was successful.

[jumbofreak]

Thanks EP_X0FF ,
I couldn't set BP on NtfreeVirtualMemory using my olly ( used Ctrl+G) instead i used ZwFreeVirtualMemory (how did you know to set break at this api, never seen any tutorials mentioning this api to break when unpacking or analysis), it worked fine and i was able to get PEcompact EP.(40afe8)

After this I dumped the file (attached) , then followed this tutorial http://comcrazy.net76.net/REA/Manual%20 ... 0Final.htm to get OEP , F9 ( run to exception for seh, then set mem breakpt on access on code section and then you break on rep instruction f3:a5 ( 340f13) and then Ctrl->f12 takes you to OEP(34026f) , After this set break on Process32Next and lstrcmpiA but the process didn't hit the break point instead process terminated. ( probably because of new threads? ) .
where do you think i went wrong ?

[EP_X0FF]

Thanks EP_X0FF ,
I couldn't set BP on NtfreeVirtualMemory using my olly ( used Ctrl+G) instead i used ZwFreeVirtualMemory

They are names of the same routine.

(how did you know to set break at this api, never seen any tutorials mentioning this api to break when unpacking or analysis)

Malware need to decrypt container somewhere so it firstly allocates memory then decrypts containter to it, overwrite original imagebase with new data, free temp buffer used for container (here we catch it) and then transfer control to decrypted code.

After this I dumped the file (attached)

You dumped wrong. I told you dump what NtFreeVirtualMemory trying to free, not exe itself as it not yet ready and this dump is full of fcuk. See attach for Pecompact.

After this set break on Process32Next and lstrcmpiA but the process didn't hit the break point instead process terminated. ( probably because of new threads? ) .

If you debug it under VM then Rogue/Winwebsec is it known to be able detect virtual machines (VMWare, VBox, VPC) and quit if they are found.

[jumbofreak]

Sorry for late reply, When you say
"I told you dump what NtFreeVirtualMemory trying to free, not exe itself as it not yet ready and this dump is full of fcuk. See attach for Pecompact."
When we stop Zwfreevirtualmemory , check the address , you mean "follow in dump" -> "rightclick on address" -> "save data to backupfile" ?

[EP_X0FF]

img1.png (60.83 KiB) Viewed 762 times

img2.png (17.23 KiB) Viewed 762 times

img3.png (43.7 KiB) Viewed 762 times

[jumbofreak]

gotcha, EP_X0FF thanks for your help.