Learning Goals:
- Practice WinDbg for Inspecting Kernel Data Structure
- Use Packet Sniffer to Monitor Malware Network Activities
- Understand Frequently Used Network Activities by Malware
- Expose Hidden/Unreachable Control Flow of Malware
- Operating Systems
- Assembly Language
- Operating System Security
This tutorial explores the botnet client part of Max++. We assume that you have completed tutorial 31 where our lab setting directly results from its analysis. You should have the following before the analysis, as shown in Figure 1.
 |
| Figure 1. Process Network Message |
As shown in Figure 1, there is a big loop of calling zwReplyWaitReceivePortEx, which tries to wait for a message from the port. EAX represents the return code of the function, e.g., 0x0 represents OK and 0x102 represents time-out. If time-out, it calls function 0x35671D03. Otherwise, it proceeds to process the message.
Max++ first reads the 2nd word in the message, this is supposed to be an integer between 1 and 3. For case 3, it calls function 0x3567162D. for case 1, it calls function 0x3567204F. Note that all the four parameters of 0x3567204F are from the msg (5th, 7th, 8th and 10th words from the message respectively).
2. Execute Remote Command (#1).
Now let's delve into function 0x3567204F. Again, notice that this function gets executed ONLY WHEN the second word of the remote network message is 0x1. Figure 2 shows its function body.
 |
| Figure 2. Mysterious Function 0x3567204F |
As shown in Figure 2, one of the input parameters of the function is ESI register (pointing to 0x00181580). This is a mysterious data structure. We suspect that it is the COM interface of the fake JScript COM object (the remote max++.x86.dll). The COM interface wraps a C++ object so that the program (Max++) can call the functions available in the DLL.
Next, the function clears memory region 0x009FFEE8, and copies the first four parameters passed in the stack to this region. Notice that these four parameters are the 5th, 7th, 8th, and 10th words in the remote message. Then it saves 0x009FFFE8 to EBP-10.
Max++ then proceeds to call some function of the remote DLL (see the second highlighted area in Figure 2). It seems to be taking out the virtual function table of the object and it invokes the function located at offset 0x18. This function takes at least 7 parameters, and they are [ESI+18], [ESI+20], 0x356782A4, 0, 1, [EBP-20], and [EBP-10]. Here [ESI+18] and [ESI+20] must be some data attributes of the COM interface object, and [EBP-20] is a pointer to collect result. From the VariantClear call (see the last highlighted area of figure 2), we can infer that [EBP-20] is a pointer to VARIANTARG. Lastly notice that [EBP-10] stores 0x009FFEE8, which contains the four words from the remote message.
Although we have no access of the remote DLL, we can infer that this part of the malware is taking some command/parameters of the remote message, and execute some functions correspondingly. It looks like a bot-net client.
3. Initilization (command #3)
We now look at case #3 (where the 2nd word of the remote message is 3). In this case, function 0x3567162D is invoked.. To enforce the control flow into this case, we simply change the register values correspondingly. Figure 3 displays the body of function 0x3567162D.
 |
| Figure 3. Function Body of 0x3567162D |
As shown in Figure 3, function 0x3567162D extracts a file from the hidden drive into a newly allocated heap area. The contents of the file seem to be some special javascript tags and HTTP request headers. The file name is read from an absolute location 0x3567806C. Unless the address is being re-written, it's always reading the same file.
Then Max++ jumps to function 0x356719E4, as shown in Figure 4. Again, it's invoking the COM interface of the remote object which is not available. As shown in Figure 4, it loads the virtual function table of the COM object multiple times and calls several functions of that COM interface.
 |
| Figure 4. Calling COM Object |
4. Conclusion
Since the remote object is not available, we are not able to drill deeper into Max++. The bottomline via the analysis in this tutorial is that the maxware is able to listen to a port and receive commands from a remote server. The remote command has a fairly simple structure, the second word of the remote message decides the action to take at the max++ client side. #3 seems to be initializing service; and #1 seems to be executing some actions, where four words from the remote message serve as the parameters.
In the next tutorial, we will submit Max++ to various malware analysis engines and match their discovery with our manual analysis.
Great post.I like this one.Thanks for sharing.
ReplyDeleteI enjoyed the tips you are providing on your website. Remote IT Support can make one’s help technical service. Thanks for the information……..
ReplyDeletevery Informative and comprehensive data !
ReplyDeleteit’s takes advantages ..
enjoyed reading it !
Thanks for sharing...
Nice article, thanks for the information. You give me some idea's. I will bookmark for next reference.
ReplyDeleteก็อตซิลล่า 2015
BlueHost is definitely the best website hosting provider with plans for all of your hosting needs.
ReplyDeleteHow to improve chances of success in playing free slots no deposit and online games with no registration - 3 important tricks. Win money at 777spinslot.
ReplyDeleteI have used AVG anti virus for a couple of years now, and I'd recommend this solution to all you.
ReplyDeleteThere are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don?t know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment?s pleasure, for the rest of their lives.
ReplyDeletespyhunter license key
Thanks for providing such a great Information, you can see
ReplyDeleteCustom Peptide Synthesis
Peptide Synthesis
I’ve been browsing online more than 2 hours today, yet I never found any interesting article like yours. It’s pretty worth enough for me. In my opinion, if all web owners and bloggers made good content as you did, the internet will be a lot more useful than ever before.
ReplyDeleteReverse Engineering in India
Reverse engineering design
Bisa pula pasangan berurutan kartu K-Q-J dari jenis yang berbeda. Jika kartu anda memenuhi syarat ini, maka anda memiliki masa depan yang cerah untuk melanjutkan ke tahap selanjutnya. Selain itu, jika mendapatkan kartu yang berurutan 2 sampai 10 juga merupakan awal yang baik.
ReplyDeleteasikqq
http://dewaqqq.club/
http://sumoqq.today/
interqq
pionpoker
bandar ceme terbaik
betgratis
paito warna terlengkap
forum prediksi
Thanks for sharing, very informative blog.
ReplyDeleteReverseEngineering
We focus on meeting all the needs of our clients by offering them with a reliable custom essay writing service USA and legitimate paper writing services delivering it on time.
ReplyDeleteCompanies offering affordable custom research papers should help students perform well by delivering papers prior to deadline. Early delivery of essay writing service nursing is very important because it results in good performance of learners.
ReplyDeleteNice blog!!!!!!!.
ReplyDeleteReverseEngineering
jigsy blogs
ReplyDeleteYour search for Custom Research Paper Writing Services ends here. Welcome to the home of best essay writers who are qualified in diverse fields. Our
ReplyDeleteResearch Paper Writing Service is proof that we are right near you. It is easy, place your order and get original plagiarism free assignments. What’s more, we keep everything confidential.
data sgp
ReplyDeletedata sydney
datahk
syair sydney
syairsgp
datasgp
paito warna
http://warungsgp.com/
live hk 6d
live sydney
We give the services of our expert assignment writers who are always there to resolve any type of issue regarding your final semester grade calculator
ReplyDeleteGreat information you have shared here, through this post. Thanks and keep sharing such valuable updates through your side. Are you looking for Essay Writing Help? Our writers can help you round the clock. Contact our website for best grades.
ReplyDeleteIt can be awful for any student who attains low grades due to low-quality Custom Research Papers. Luckily, you have a Research Papers for Sale Help online that will help you handle even the most challenging Affordable Term Papers.
ReplyDeleteAre you struggling with identifying an online Annotated Bibliography Services provider which is credible to undertake your task? Do not let tedious Custom Research Paper Services tasks sap you of energy unnecessarily, online Custom Research Paper Writing Service delivery comes with its own set of challenges.
ReplyDeleteGunakan kesempatan emas bermain di wedeqq dan juga fifaqq. Jangan lupa untuk bergabung juga di taipanqq beserta kebanggan situs lipoqq yang dapat memberikan kemenangan yang mutlak.
ReplyDeleteLihat juga halaman terkait lainnya dibawah ini :
jurusqq
priaqq
hokiqq
dewaqq
Do you ardently require Essay Writing Help Writing Services from a writing firm with a distinguished track record? Are you unsure of which Custom Essay Writing Service Provider to contract for your essays? Do not let a burdensome Custom Essay Writing Services task drag you down.
ReplyDeleteLegitimate Custom Coursework Services you acquire from the firm are of an unmatched standard for we produce the best Custom Coursework Writing Services and Professional Coursework Writing Services.
ReplyDelete