A forum for reverse engineering, OS internals and malware analysis 

 #16157  by hanan
 Fri Oct 19, 2012 1:23 pm
Hi,

I am currently analyzing a worm called YUNSIP. I am currently stuck at a function that I am trying to understand, so I need your help.
As you can see in the following picture, the worm is accessing the PEB and then the LDR_DATA structure, but inside there I am currently stuck, since I can't understand what is pointed at by 0x1C inside the LDR_DATA.

My other side question is how do I add the PEB structure to IDA? AFAICS (as far as I can see) there isn't such a structure defined in the standard structures. Does that mean that I should build it manually?

Image


Thanks.
 #16159  by EP_X0FF
 Fri Oct 19, 2012 1:36 pm
Code:
lkd> dt nt!_PEB_LDR_DATA
   +0x000 Length           : Uint4B
   +0x004 Initialized      : UChar
   +0x008 SsHandle         : Ptr32 Void
   +0x00c InLoadOrderModuleList : _LIST_ENTRY
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY
   +0x024 EntryInProgress  : Ptr32 Void
 #16188  by acoustics
 Sun Oct 21, 2012 10:39 am
hanan wrote: blah, blah....

My other side question is how do I add the PEB structure to IDA? AFAICS (as far as I can see) there isn't such a structure defined in the standard structures. Does that mean that I should build it manually?

Thanks.
Yes, you can build your structure and add it to IDA.
1. Create your own .h file, such as:
Code:
// pebStruct.h
// 32-bit (x86) layout; field offsets match the dt output above.
typedef struct _PEB_LDR_DATA {
   ULONG        Length;                           // +0x000
   BOOLEAN      Initialized;                      // +0x004
   HANDLE       SsHandle;                         // +0x008
   LIST_ENTRY   InLoadOrderModuleList;            // +0x00c
   LIST_ENTRY   InMemoryOrderModuleList;          // +0x014
   LIST_ENTRY   InInitializationOrderModuleList;  // +0x01c
   PVOID        EntryInProgress;                  // +0x024
} PEB_LDR_DATA, *PPEB_LDR_DATA;
2. Go to file menu >> Load file >> Parse C header file... (Ctrl + F9) and open your .h file
3. Open subview: Structures (Shift+F9) or Enumerations (Shift+F10)
4. Edit >> Add struct type... (or press Insert)
5. Type _PEB_LDR_DATA and OK
 #16288  by SomeUnusedName
 Fri Oct 26, 2012 9:10 am
hanan wrote: I figured out that the above function (in the picture) actually returns (in eax) the base address of Kernel32.dll (in WinXP at least). Please correct me if I am wrong.
Most probably right, very common for shellcode and malware. Afterwards they usually search for GetModuleHandle/LoadLibrary/GetProcAddress to resolve the remaining imports from other modules. Or they manually walk the export directories, hash the names and compare them against a list of wanted imports.
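Putting the two answers together, here is an added example (not code from this thread, the worm, or any tool it mentions) that walks the InInitializationOrderModuleList found at _PEB_LDR_DATA+0x1C over a constructed 32-bit memory snapshot and recovers each module's DllBase, which is what the routine hanan describes computes. The _LDR_DATA_TABLE_ENTRY offsets (0x10, 0x18, 0x2C), the FlatMemory helper and the sample addresses are assumptions based on the public 32-bit XP/Win7 layout; the point to notice is that each Flink points into the middle of an entry, so CONTAINING_RECORD (subtracting 0x10) is needed before reading DllBase.

```python
import struct

# x86 (32-bit) offsets. The _PEB_LDR_DATA one is from the dt output in this thread;
# the _LDR_DATA_TABLE_ENTRY ones are the public XP/Win7 32-bit layout (assumed here).
LDR_INIT_ORDER_LIST = 0x1C    # _PEB_LDR_DATA.InInitializationOrderModuleList
LDTE_INIT_ORDER_LINKS = 0x10  # _LDR_DATA_TABLE_ENTRY.InInitializationOrderLinks
LDTE_DLL_BASE = 0x18          # _LDR_DATA_TABLE_ENTRY.DllBase
LDTE_BASE_DLL_NAME = 0x2C     # _LDR_DATA_TABLE_ENTRY.BaseDllName (UNICODE_STRING)

class FlatMemory:
    """One contiguous region of a memory snapshot, addressed by virtual address."""
    def __init__(self, base_va, size):
        self.base, self.data = base_va, bytearray(size)
    def read(self, va, n):
        return bytes(self.data[va - self.base:va - self.base + n])
    def write(self, va, b):
        self.data[va - self.base:va - self.base + len(b)] = b
    def u16(self, va): return struct.unpack("<H", self.read(va, 2))[0]
    def u32(self, va): return struct.unpack("<I", self.read(va, 4))[0]

def unicode_string(mem, va):
    """UNICODE_STRING: USHORT Length (bytes), USHORT MaximumLength, PWSTR Buffer."""
    return mem.read(mem.u32(va + 4), mem.u16(va)).decode("utf-16-le")

def walk_init_order(mem, ldr_va, max_entries=64):
    """Follow +0x1C; each Flink points at the LIST_ENTRY *inside* an entry (CONTAINING_RECORD)."""
    head = ldr_va + LDR_INIT_ORDER_LIST
    modules, link = [], mem.u32(head)
    while link != head and len(modules) < max_entries:   # the ring ends back at the head
        entry = link - LDTE_INIT_ORDER_LINKS
        modules.append((unicode_string(mem, entry + LDTE_BASE_DLL_NAME),
                        mem.u32(entry + LDTE_DLL_BASE)))
        link = mem.u32(link)
    return modules

def build_sample_snapshot():
    """Constructed XP-like snapshot (not a real dump): ntdll first, then kernel32."""
    base = 0x00190000
    mem = FlatMemory(base, 0x400)
    ldr, e1, e2, n1, n2 = base, base + 0x100, base + 0x200, base + 0x300, base + 0x340
    head = ldr + LDR_INIT_ORDER_LIST
    mem.write(head, struct.pack("<II", e1 + LDTE_INIT_ORDER_LINKS, e2 + LDTE_INIT_ORDER_LINKS))
    for entry, flink, blink, dll_base, name_va, name in (
            (e1, e2 + LDTE_INIT_ORDER_LINKS, head, 0x7C900000, n1, "ntdll.dll"),
            (e2, head, e1 + LDTE_INIT_ORDER_LINKS, 0x7C800000, n2, "kernel32.dll")):
        raw = name.encode("utf-16-le")
        mem.write(entry + LDTE_INIT_ORDER_LINKS, struct.pack("<II", flink, blink))
        mem.write(entry + LDTE_DLL_BASE, struct.pack("<I", dll_base))
        mem.write(entry + LDTE_BASE_DLL_NAME, struct.pack("<HHI", len(raw), len(raw) + 2, name_va))
        mem.write(name_va, raw)
    return mem, ldr
```

On XP the second entry of this list is kernel32.dll, which is why the routine works there; on Windows 7 and later KernelBase.dll sits between ntdll and kernel32, so code that blindly takes the second entry gets the wrong module, and an analyst should compare names rather than positions.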