A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #25275  by fisher
 Wed Feb 18, 2015 10:49 am

I'm doing some study on Zeus 2.x, trying to wrap my head around how it works. By using the code at https://github.com/Visgean/Zeus I've built my own builder to work on my test environment (Virtualbox Windows 7 SP1 x64).

Right now I want to do a very specific thing, which is extracting from memory the webinjects configuration. The first experiments I did were to attach to iexplore and monitor calls to functions I know Zeus hooks, like HttpSendRequest*. I was expecting that at some point while stepping through those executions I'd see the injections configuration loaded into memory. I've tried to automate the process by setting a breakpoint upon call of this function and using OllyDbg's Memory Watch plugin, which dumps every string it encounters.

So now I want to pinpoint and understand exactly where I should look to see this decrypted configuration in memory.

My assumptions so far:
- I'm unable to see anything strange because the HttpSendRequestX function I'm setting a breakpoint on is actually the original, unchanged from Wininet;
- Dumping memory of the machine and analysing it offline is not enough, since the structure which holds the webinjects (BinStorage) is loaded in memory when it's needed and then discarded (freed)

At this point I was thinking to monitor calls to VirtualAlloc and place a breakpoint on memory write on those newly allocated areas (at some point Zeus is bound to place there the encrypted configuration and then decrypt it).

But this is still a long shot. Any ideas? Also, I'm doing most of this work by attaching to iexplore.exe; should I do it on explorer.exe instead?

Any tips are appreciated :)

P.S. I'm aware of how great Volatility's plugin ZeusScan.py is and it's extremely useful for retrieving the RC4 keys. However, I'm doing a different exercise.
 #25284  by SomeUnusedName
 Thu Feb 19, 2015 11:47 am
Webinjects for Zeus are not in a simple plaintext file. Rather they have a complicated structure stored in a BinStorage format.

The easiest way to get the configuration BinStorage is intercepting and decrypting the traffic when it is receiving the injects from the server, or when they are read from the registry.

Regarding the hooked/not hooked Http* functions: if I remember correctly, Zeus hooks those APIs using simple "jmp" instructions patched in to hijack the code flow. So if you attach to a process using Http* functions and they don't have a jmp as the first instruction, they are not hooked at all.
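As an added example (not code from either post, nor from any Zeus source): a small Python helper that applies the check SomeUnusedName describes, decoding the first instruction of each Http* export and flagging a relative jmp that leaves the owning module. The module range, export addresses and prologue bytes below are constructed for the demo; in practice you would read them from the debugger or a process dump.

```python
import struct

# Constructed demo layout (not real addresses): a 32-bit wininet.dll image range.
MODULE_BASE = 0x75E00000
MODULE_SIZE = 0x00200000

def classify_prologue(func_va, prologue, module_base, module_size):
    """Decode the first instruction of an export and say whether it is a jmp.

    Returns (verdict, kind, target):
      'clean'      - not a jmp at all
      'hooked'     - relative jmp whose target lies outside the module
      'suspicious' - jmp that stays inside the module, or an indirect jmp
                     (the pointer slot can't be read here; inspect by hand)
    32-bit encodings only, which is what a 32-bit iexplore.exe runs.
    """
    if len(prologue) < 6:
        raise ValueError("need at least 6 prologue bytes")
    op = prologue[0]
    if op == 0xE9:                                   # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        kind, target = "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    elif op == 0xEB:                                 # jmp rel8
        rel = struct.unpack_from("<b", prologue, 1)[0]
        kind, target = "jmp_rel8", (func_va + 2 + rel) & 0xFFFFFFFF
    elif op == 0xFF and prologue[1] == 0x25:         # jmp dword ptr [abs32]
        return "suspicious", "jmp_ind", struct.unpack_from("<I", prologue, 2)[0]
    else:
        return "clean", "none", None
    inside = module_base <= target < module_base + module_size
    return ("suspicious" if inside else "hooked"), kind, target

def encode_rel32_jmp(func_va, target):
    """Build the 5-byte 'jmp rel32' an inline hook would plant at func_va."""
    rel = (target - (func_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)

def scan_exports(exports, module_base, module_size):
    """exports: {name: (va, first bytes)} -> {name: (verdict, kind, target)}."""
    return {n: classify_prologue(va, pro, module_base, module_size)
            for n, (va, pro) in exports.items()}

# Constructed sample: two untouched exports and one whose prologue was
# overwritten with a jmp into a private region (0x00350000) owned by no module.
NORMAL = bytes.fromhex("8BFF558BEC83EC")   # mov edi,edi; push ebp; mov ebp,esp; sub esp,..
SAMPLE = {
    "HttpOpenRequestA": (0x75E10100, NORMAL),
    "HttpSendRequestA": (0x75E12340, encode_rel32_jmp(0x75E12340, 0x00350000) + b"\x90\x90"),
    "HttpSendRequestW": (0x75E12500, NORMAL),
}

if __name__ == "__main__":
    for name, (verdict, kind, target) in scan_exports(SAMPLE, MODULE_BASE, MODULE_SIZE).items():
        tgt = "" if target is None else " -> 0x%08X" % target
        print("%-18s %-10s %s%s" % (name, verdict, kind, tgt))
```

A jmp whose destination resolves to a region no loaded module owns is the pattern worth breaking on; a rel8 or in-module jmp can still be a legitimate hot-patch stub, so it is only marked suspicious.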