A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #20487  by jumbofreak
 Wed Aug 14, 2013 4:07 pm
I was wondering if any one has any links or sources where they have got some material about debugging at runtime.
I'm using ollydbg for my analysis

To be specific -
I was analyzing a malware which kills all process except few common ones like explorer, cmd.exe etc, I wanted to find the code or thread where it is monitoring what new process user runs, i want to know the tips to add breakpoint to correct location so that i find the right code.


Thanks
 #20492  by EP_X0FF
 Thu Aug 15, 2013 1:31 am
jumbofreak wrote:To be specific -
I was analyzing a malware
Which one? Attach it here please.
 #20523  by jumbofreak
 Sun Aug 18, 2013 4:28 pm
there you go, attahced
Attachments
pass: infected
(391.78 KiB) Downloaded 33 times
Last edited by EP_X0FF on Mon Aug 19, 2013 6:26 am, edited 1 time in total. Reason: Malware samples must be placed in password protected archive
 #20528  by EP_X0FF
 Mon Aug 19, 2013 7:02 am
Set break on NtFreeVirtualMemory. Once it called first time, dump memory address it tried to free. Inside will be fakeAV compressed with PECompact. Remove PECompact using any tutorial and inspect fakeAV body. Most of strings inside additionally encrypted. On a unpacked exe set breaks on Process32Next and lstrcmpiA. This (in theory) will reveal fakeAV blacklist. Patch TerminateProcess with return true, so fakeAV will always think operation was successful.
 #20534  by jumbofreak
 Mon Aug 19, 2013 11:35 am
Thanks EP_X0FF ,
I couldn't set BP on NtfreeVirtualMemory using my olly ( used Ctrl+G) instead i used ZwFreeVirtualMemory (how did you know to set break at this api, never seen any tutorials mentioning this api to break when unpacking or analysis), it worked fine and i was able to get PEcompact EP.(40afe8)

After this I dumped the file (attached) , then followed this tutorial http://comcrazy.net76.net/REA/Manual%20 ... 0Final.htm to get OEP , F9 ( run to exception for seh, then set mem breakpt on access on code section and then you break on rep instruction f3:a5 ( 340f13) and then Ctrl->f12 takes you to OEP(34026f) , After this set break on Process32Next and lstrcmpiA but the process didn't hit the break point instead process terminated. ( probably because of new threads? ) .
where do you think i went wrong ?
Attachments
pw-infected
(380.21 KiB) Downloaded 33 times
 #20539  by EP_X0FF
 Tue Aug 20, 2013 3:20 am
jumbofreak wrote:Thanks EP_X0FF ,
I couldn't set BP on NtfreeVirtualMemory using my olly ( used Ctrl+G) instead i used ZwFreeVirtualMemory
They are names of the same routine.
(how did you know to set break at this api, never seen any tutorials mentioning this api to break when unpacking or analysis)
Malware need to decrypt container somewhere so it firstly allocates memory then decrypts containter to it, overwrite original imagebase with new data, free temp buffer used for container (here we catch it) and then transfer control to decrypted code.
After this I dumped the file (attached)
You dumped wrong. I told you dump what NtFreeVirtualMemory trying to free, not exe itself as it not yet ready and this dump is full of fcuk. See attach for Pecompact.
After this set break on Process32Next and lstrcmpiA but the process didn't hit the break point instead process terminated. ( probably because of new threads? ) .
If you debug it under VM then Rogue/Winwebsec is it known to be able detect virtual machines (VMWare, VBox, VPC) and quit if they are found.
Attachments
pass: infected
(379.25 KiB) Downloaded 34 times
 #20574  by jumbofreak
 Fri Aug 23, 2013 10:53 am
Sorry for late reply, When you say
"I told you dump what NtFreeVirtualMemory trying to free, not exe itself as it not yet ready and this dump is full of fcuk. See attach for Pecompact."
When we stop Zwfreevirtualmemory , check the address , you mean "follow in dump" -> "rightclick on address" -> "save data to backupfile" ?
 #20587  by EP_X0FF
 Sat Aug 24, 2013 3:19 am
img1.png
img1.png (60.83 KiB) Viewed 763 times
img2.png
img2.png (17.23 KiB) Viewed 763 times
img3.png
img3.png (43.7 KiB) Viewed 763 times