Tuesday, June 12, 2012

Malware Analysis Tutorial 30: Self-Overwriting COM Loading for Remote Loading DLL

Learning Goals:
  1. Practice WinDbg for Inspecting Kernel Data Structure
  2. Trace and Modify Control Flow Using IMM
  3. Understand the techniques employed at Max++ for hiding library loading
  4. Understand image loading notifier, asynchronous procedure call, kernel and normal routines.
Applicable to:
  1. Operating Systems
  2. Assembly Language
  3. Operating System Security
1. Introduction

This tutorial analyzes the malicious DLL file \\.\C2CAD....\max++.00.x86. We will see a lot of interesting techniques for hiding its malicious behaviors.

2. Lab Configuration

The first step is to take out max++.00.x86 from the hidden drive. You can follow the similar techniques presented in Tutorial 28, The basic idea is to invoke zwCopyFileA after the file is available in the hidden drive.

Then, we have to get into the entry of max++.00.x86, which is located at offset +2DFF. This information is available in IMM, when you load max++.00.x86 as a DLL file in IMM. Then View -> Executable Modules, you can find out the +2DFF DLL entry and its base is 35670000.

Notice that, you do can execute max++.00.x86 step by step in IMM, however, it will not exhibit the "correct" malicious behaviors, because it's not running in the environment where Max++ has pre-hooked certain driver entries and exception handlers as needed. We have to, instead, use WinDbg to get to the DLL entry, following the "proper" execution flow of Max++.

In the following, we show how to step into the entry of max++.00.x86.

The configuration is similar to the setting of the WinDbg instance of Tutorial 20. In the win_debug instance, you need to set a breakpoint at 0x3C230F. This is the place right before the call of CALL WS2_32.WSASocketW, as shown in Figure 1 below.

Figure 1. Something that we do not know that we do not know



This is where Max++ is trying to access http://74.117.114.86\max++.x86.dll. Now press F8 in the IMM, you will stop in WinDbg twice on loading images. Now type the following to stop at the entry of max++.00.x86:

> bp 35672dff

Somehow WinDbg is not able to capture the breakpoint, but instead, the INT 3 is captured by the IMM instance as shown in Figure 2:

Figure 2. Entry of max++.00.x86

If you look at the instruction at 35672DFF (in Figure 2), you will notice that there is an 'INT 3' (single-step breakpoint) placed by WinDbg. We have to recover it to the original instruction PUSH EBP (we can learn about this information in the previous session that loads max++.00.x86 as a DLL in user mode IMM). The resetting of "PUSH EBP" has to be done, otherwise, the instruction at 0x35672E05 (MOV EAX, [EBP+C]) would not function correctly, because EBP is not set right. Please follow the instructions below in IMM:

(1) in the code pane, right click on the INT 3 instruction and select assemble, and then type "PUSH EBP".
(2) click the 2nd button (Python) on the tool bar to bring up the Python window and and run the following commands in the python window: imm.setReg("EIP", 0x35672DFF); This is to reset the EIP register. From no on, you can execute max++.00.x86 step by step.

3. Hiding DLL Loading
We now can explain why the remote DLL loading is not captured by IMM earlier in Tutorial 29. Look at figure 3 below.
Figure 3. Hide DLL Loading

The first call (shown in Figure 3), zwTestAlert clears the APC queue, and the second call DisableThreadLibraryCalls detaches DLL_LOAD signal so that the later DLL loading event will not be captured. Then the program plays a trick, it reads out the function addresses stored from 356761E0 to 35676200 one by one, and call each of them (see the high lighted area in the memory dump in Figure 3) one by one. These calls are 3567595c, 35675979, and etc..

Challenge 1. Find out all the functions (and their semantics) being called described in the above.

The logic is roughly described below:
(1) max++ first creates an AVL tree.
(2) then it copied the entry address of several ntdll functions such as ntWriteFile into global memory.
It's basically to prepare the data section (hard code it) in global memory. Then it calls 356752D7 (at 0x35672E5E).
(3) then it saves several dll names such as "kernel32.dll", "kernel32base.dll" into its stack.

4. Manipulation of System Kernel DLLs
Now we start the analysis from 0x356762D7. Figure 4 shows its function body.
Figure 4. Processing Kernel Modules


Function 0x356752D7 processes the related kernel DLLs one by one using a loop. The collection of DLL names is preset by Max++ (see the comments after challenge 1). The function tries to get the handle of each DLL, it proceeds to call 0x3567525C to process the header information of each DLL (only when the handle is successfully retrieved, i.e., the DLL is currently already alive in the system space).

We now look at the details of funciton 0x3657525C, as shown in Figure 5.
Figure 5. Function 0x3567525c

The major part, as shown in Figure 5, is a call of RtlImageDirectoryEntryToData. The undocumented system call (if you search it on ReactOS, you can find the source code) takes four parameters: (1) the image base of the DLL file, (2) whether it is regarded as an image file, (3) the ID of the entry to retrieve, and (4) the entry size. In this case, our ID is "1", reading the MSDN documentation of IMAGE_DIRECTORY of PE header, we can find that ID "1" stands for import table address and size. Now it's your job to find out what is the use of this information, i.e., what does Max++ plan to do with them?

Challenge 2. Find out the use of NT header information retrieved by code at 0x35675277 (hint: use data breakpoints to find out when and where the information is used).

Following function 0x356752D7 there are many technical details related to NT header information retrieval and resetting, whereas the analysis is similar. In the following, we directly jump to the other interesting parts of max++.00.x86.

5. Resetting Exception Handler (SEH)
We now look at an interesting behavior of max++.00.x86 that resets the SEH handler. Before max++.00.x86 does the trick, the current SEH chain is shown in Figure 6 (click View -> SEH chain in IMM).
Figure 6. SEH Chain before max++.00.x86 does the trick

As shown in Figure 6, when an exception occurs, it is first passed to ntdll.7C90E900 (3 times) and then kernel32.7C839AC0 (if 7C90E900 cannot handle it right). In fact, SEH chain is a very simple singly-listed data structure. Each SEH record has two elements as shown below:

  struct SEH_RECORD{
      SEH_RECORD *next;
      void*   handler_entry
 };

 For example, the first SEH record is locatd at 0x0012BF1C (this is usually at the bottom of the current stack frame of the current thread), as shown in Figure 7.

Figure 7. Memory dump of the first SEH record
As shown in Figure 7 (highlighted part), the next pointer points to 0x0012C1C8 (compare it with Figure 6), and the handler part has value 0x7C90E900.

Now, in Figure 8, we present the malicious code in max++.00.x86 which resets SEH. The basic idea is to construct a new SEH record and push it into the stack, and reset the value at FS:[0] (which is part of the kernel data that points to SEH chain). The important instructions are already highlighted.

Figure 8. Manipulates SEH Chain

Challenge 3. Explain in details (based on the instructions given in Figure 8, starting from 0x356754BC): why is 35675510 the new exception handler?

Challenge 4. Explain the logic of handler at 35675510 and investigate when it is called.

5. Loading Remote DLL
The next interesting part is located at 0x35672E6D. Figure 9 shows a call of zwCreateThread and its parameters. The thread's start routine (i.e., the function to execute when the thread is born) is 0x356718D2.
Figure 9. Create a new thread which invokes 0x356718D2

 Let's set a software breakpoint at 0x356718D2 and trace into it, as shown in Figure 10. There are two major functions: 0x35671797 and ole32.CoInitialize.

Figure 10. Thread Start Routine
Figure 11 displays the first part of the function body of 0x35671797.

Figure 11. First Part of 0x0035671797


As shown in Figure 11, The first important call in 0x35671797 is LdrFindEntryForAddress(0x0035670000, 0x009FFFA8). Search the documentation of LdrFindEntryForAddress, we could soon learn that the function finds the module entry (LDR_DATA_TABLE_ENTRY) for address 0x0035670000, and the pointer to LDR_DATA_TABLE_ENTRY is stored in 0x009FFFA8 (which contains value 0x00252A50 after the call. Dump the data structure using WinDbg (start the WinDbg inside the WIN_DEBUG VBox instance and attach the process max++ noninvasively, we have the following. Note that the FullDllName's type is _UNICODE string, while the real char array is stored at 0x002529c0.

:000> dt _LDR_DATA_TABLE_ENTRY 0x00252a50 -r1
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x252b10 - 0x252cd0 ]
      +0x000 Flink            : 0x00252b10 _LIST_ENTRY [ 0x252bd8 - 0x252a50 ]
      +0x004 Blink            : 0x00252cd0 _LIST_ENTRY [ 0x252a50 - 0x252900 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x252b18 - 0x252cd8 ]
      +0x000 Flink            : 0x00252b18 _LIST_ENTRY [ 0x252be0 - 0x252a58 ]
      +0x004 Blink            : 0x00252cd8 _LIST_ENTRY [ 0x252a58 - 0x252908 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x252d48 - 0x252be8 ]
      +0x000 Flink            : 0x00252d48 _LIST_ENTRY [ 0x252e08 - 0x252a60 ]
      +0x004 Blink            : 0x00252be8 _LIST_ENTRY [ 0x252a60 - 0x252b20 ]
   +0x018 DllBase          : 0x35670000 Void
   +0x01c EntryPoint       : 0x35672dff Void
   +0x020 SizeOfImage      : 0xc000
   +0x024 FullDllName      : _UNICODE_STRING "\\.\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86"
      +0x000 Length           : 0x6e
      +0x002 MaximumLength    : 0x72
      +0x004 Buffer           : 0x002529c0  "\\.\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86"

   ...

The next call is OLE32.LoadTypeLibrary("\\.\C2CAD...max++.00.x86", REGKIND_NONE, 0x009FFFAC), where a pointer to ITypeLib is stored at 0x009FFFAC. By dumping the RAM, we can find that the ITypeLib pointer is 0x00180F10.

Next comes the interesting part. It reads ECX = [EAX], as shown in Figure 11, then it calls [ECX+18], passing three parameters: 0x00180F10 (the "this" pointer for the ITypeLib interface itself), 0x003567696C, and 0x00356782A0 (and there might be other parameters, i.e., not necessarily 3). None of the 0x003567696c and 0x00356792a0 looks like inside code region. But which function is it calling?

We need to read the documentation of MSDN about ITypeLib carefully. According to MSDN, ITypeLib supports a number of functions such as FindName, GetDocumentation, etc.If we examine the memory contents of 0x00356782A0, before and after the call of [ECX+18], we might notice that its contents is changed. Thus, checking the list of functions available in ITypeLib, the only function that has the second parameter as output is ITypeLib::getTypeInfoOfGUID(int GUID, ITypeLib **).

Challenge 5. Verify if the above conjecture about getTypeInfoOfGUID is correct.


Now let us study the last interesting part of function 0x35671797, as shown in Figure 12.
Figure 12. Overwrite Module Information
As shown in Figure 12, it's a simple memcpy function that copies string "\\74.117.114.86\max++.x86.dll" into address 0x002529C0. Read the discussion after Figure 11 again, address 0x002529C0 stores  the name of the current module in the in-order-load module list!

Now, when the control flow returns from 0x35671797 (look at Figure 10, it calls Ole32.CoInitialize. Because the current module is registered as a type library, and Ole32 modules will try to reload it again somehow, which enforces the system to load the remote DLL \\74.117.114.86\max++.x86.dll.

The file \\74.117.114.86\max++.x86.dll is not available on the Internet anymore. The call of CoInitialize fails. We have to figure out a way to explore the rest of the logic. We will continue our exploration in our next tutorial.



77 comments:

  1. thank you so much for your sharing this nice article,
    I really like to reading your blog !

    ก็อตซิลล่า 2015

    ReplyDelete
  2. Thanks for sharing, very informative blog.
    ReverseEngineering

    ReplyDelete
  3. During my early days of binarytrades i fell into a lot of online scams, trying to trade bitcoin and invest in binarytilt. Which nearly wrecked me out, making me loose up to $295k

     very confused on what to do not until my boss introduced me to an online recovery agent Mrs maryshea. A recovery expert who helped me recover all my money back from the scammers. She's also able to recover funds of any form of scam.
    You can WhatsApp her with this number +15623847738
    Or email address Mrs maryshea03@gmail. Com
    Good luck

    ReplyDelete
  4. If you're looking to burn fat then you certainly need to start following this totally brand new custom keto meal plan diet.

    To produce this keto diet service, licensed nutritionists, personal trainers, and professional chefs have joined together to develop keto meal plans that are effective, suitable, cost-efficient, and satisfying.

    Since their first launch in 2019, 1000's of clients have already transformed their figure and health with the benefits a proper keto meal plan diet can offer.

    Speaking of benefits; in this link, you'll discover eight scientifically-confirmed ones provided by the keto meal plan diet.

    ReplyDelete
  5. Discover headings while in transit to setup the remote connection on your Canon Wireless Printer and moreover the best approach to reset the printer to plant settings.

    ReplyDelete
  6. HP Print And Scan Doctor Tool is outstanding amongst other free cost offered by HP to their user to oversee HP device. You can investigate basic issues with HP device with the help of print and sweep specialist instrument. On the off chance that you are confronting any specialized issue identified with this apparatus, at that point straightforwardly contact a specialist.

    ReplyDelete
  7. Nero Platinum 2020 Crack Suite: It can be downloaded from the download link below.
    With the full version of Nero 2020, you can sort, create, turn, walk and create movies, music, and photos for the best home entertainment and fun on the go.
    It provides 360-degree experience, easy-to-use video editing, advanced video file conversion technology for watching movies on any device, and authoring and backup support for an all-digital lifestyle.

    ReplyDelete
  8. Quickbooks Repair Tool is the combination of all necessary tools in one application. It is also known as Quickbooks Tool Hub.It can fix all major or minor issues which occurs while using Quickbooks Software.

    ReplyDelete
  9. Great Article
    Cyber Security Projects


    Networking Security Projects

    JavaScript Training in Chennai

    JavaScript Training in Chennai

    The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

    ReplyDelete
  10. Angular Training covers a wide range of topics including components, angular directives, angular services, piping, security fundamentals, routing, and angular programmability.

    ReplyDelete
  11. Download Dr.Fone Crack + Registration Code Full Version
    Dr.Fone Keygen Complete Download is more effective for all types of data recovery. So, this is a fairly easy way to overcome more than 65000 versions of smartphones including Mac and Windows devices. Due to its wide applicability and work completeness, it is the most famous app among the people. Download link Dr. Fone 2021 Keygen file

    ReplyDelete
  12. That is a very good tip particularly to those new to
    the blogosphere. Brief but very accurate information… Thanks for sharing
    this one. A must read post! 경마사이트

    ReplyDelete
  13. Hi Good day
    It was really useful for me
    Thanks for putting it on your site
    I come to your site every week – thank you 카지노

    ReplyDelete
  14. Thanks for creating awareness to protect ourselves from malicious attacks . Best Front Load Washing Machines

    ReplyDelete
  15. driverMax pro crack
    DriverMax Pro Crack latest version is a compelling driver updating and downloading solution. It is mainly designed to fix all your driver-related issues. It’s an effective tool that serves the best function and keeps your PC drivers up-to-date always.
    https://procrackerz.com/

    ReplyDelete
  16. Sometimes users have to face some difficulties trying to work on Quickbooks. Quickbooks refuse to open because of some reason and then a dialogue pop-up box flashes on the screen with an error message: Quickbooks won't open.

    ReplyDelete
  17. Thank for sharing this information.
    Quickbooks and Sage both are accounting software but the features are different from both softwares. the quickbooks are estimates of invoices, track inventory while sage are E-filling, inventory management quickbooks vs sage

    ReplyDelete
  18. Indeed this is very useful for all and thanx for sharing this information with us as i am searching for this type of app for so long and now i get to know about this with your help and also i am a technician so if you want to get some knowledge about quickbook unexpected error 5 quickbooks unexpected error 5A QBs Repairing Guide
    then must go through the above mentioned link

    ReplyDelete
  19. Oh, the data you've shared in this incredible article is just magnificent. I am definitely going to make more use of this data in my future projects. You must continue sharing more data like this with us. 먹튀검증업체


    ReplyDelete
  20. Your website deserves all of the positive feedback it’s been getting. Nice blog! 룰렛

    ReplyDelete
  21. Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one.
    Keep posting. Thanks for sharing. 블랙잭사이트

    ReplyDelete
  22. Hey there! I simply would like to offer you a big thumbs up for your great information you’ve got
    here on this post. I will be returning to your site for more soon. 릴게임

    ReplyDelete
  23. I was impressed by your writing. Your writing is impressive. I want to write like you.파워볼사이트 I hope you can read my post and let me know what to modify. My writing is in I would like you to visit my blog.


    ReplyDelete
  24. Hey very cool site!! Man .. Beautiful .. Amazing .. I will bookmark your blog and take the feeds also…I’m happy to find numerous useful information here in the post, we need work out more techniques in this regard, thanks for sharing. 한국야동

    Please visit once. I leave my blog address below
    야설
    일본야동

    ReplyDelete
  25. Thanks for the marvelous posting! I certainly enjoyed reading it, you’re a great author. I will ensure that I bookmark your blog and may come back from now on. I want to encourage you to continue your great writing, have a nice day! 한국야동

    Please visit once. I leave my blog address below
    야동
    일본야동

    ReplyDelete
  26. Hi there, the whole thing is going well here and ofcourse every one is sharing information, that’s really fine, keep up 바둑이사이트
    writing.

    ReplyDelete
  27. It is in reality a nice and useful piece of info. I am glad that you simply shared this useful info with us. Please keep us informed like this. Thanks 카지노사이트

    ReplyDelete
  28. This is a really very interesting post. Quickbooks is the advanced accounting software to manage business data conveniently. if you by any chance face QuickBooks error code 193 in your Quickbooks accounting software, any types of network issues or company file issues make sure to visit ebetterbooks.

    ReplyDelete
  29. The simplest video downloader, ever with 4K Video downloader crack at windowscrack.net Download video and audio from YouTube and similar services on macOS, PC and Linux absolutely for free!

    3DCoat Crack at hdlicensed.com is the application that has all the tools you need to take your 3D idea from a block of digital clay all the way to a production-ready,
    3DCoat Crack at cracks4soft.com is the application that has all the tools you need to take your 3Dcoat crack at maccracked.com idea from a block of digital clay all the way to a production-ready.

    ReplyDelete
  30. Dr. Fu'S Security Blog: Malware Analysis Tutorial 30: Self-Overwriting Com Loading For Remote Loading Dll >>>>> Download Now

    >>>>> Download Full

    Dr. Fu'S Security Blog: Malware Analysis Tutorial 30: Self-Overwriting Com Loading For Remote Loading Dll >>>>> Download LINK

    >>>>> Download Now

    Dr. Fu'S Security Blog: Malware Analysis Tutorial 30: Self-Overwriting Com Loading For Remote Loading Dll >>>>> Download Full

    >>>>> Download LINK 0u

    ReplyDelete
  31. Dr. Fu'S Security Blog: Malware Analysis Tutorial 30: Self-Overwriting Com Loading For Remote Loading Dll >>>>> Download Now

    >>>>> Download Full

    Dr. Fu'S Security Blog: Malware Analysis Tutorial 30: Self-Overwriting Com Loading For Remote Loading Dll >>>>> Download LINK

    >>>>> Download Now

    Dr. Fu'S Security Blog: Malware Analysis Tutorial 30: Self-Overwriting Com Loading For Remote Loading Dll >>>>> Download Full

    >>>>> Download LINK SB

    ReplyDelete
  32. 온라인카지노
    카지노

    I’m not that much of a online reader to be honest but your sites really nice, keep it up!
    I’ll go ahead and bookmark your site to come back down the road.
    Cheers

    ReplyDelete
  33. Thanks for this helpful article. Looking forward to having my portfolio. 토토사이트
    먹튀검증
    You can also read some of my great reviews about Best

    ReplyDelete
  34. This is very helpful, especially for those who are planning to start their new career […]

    스포츠중계
    토토

    ReplyDelete
  35. If you are going for best contents like I do, simply go to see this website all the time as it provides feature contents, thanks

    토토사이트
    배트맨토토프로

    ReplyDelete
  36. 먹튀검증 Great writing to see, glad that google brought me here, Keep Up cool job

    ReplyDelete
  37. ore on this subject? I’d be very thankful if you could elaborate a little bit further. Bless you! 배팅토토용어

    ReplyDelete
  38. Quickbooks is a small business software that handles accounting, Quickbook software is easy to use for new users who want to maintain their books without errors. Quickbook has many variants like Starter, Enterprise, and Pro. Read more about Enterprise version of QuickBooks 2021

    ReplyDelete
  39. Thanks for the great article, but it would be great if more
    detailed information was added.
    메이저사이트

    ReplyDelete
  40. good information very good read. But I have a lot of questions.
    Could you please leave a comment on my website?
    먹튀폴리스

    ReplyDelete
  41. Great Post! I look forward to seeing more from you in the future.

    ReplyDelete
  42. This is really helpful post and very informative there is no doubt about it.

    ReplyDelete
  43. Nice post. I learn something totally new and challenging on blogs.

    ReplyDelete
  44. I'm really happy to determine this kind of wonderful thank you!!

    ReplyDelete
  45. Nice Blog. Thanks for sharing with us. Such amazing information.

    ReplyDelete
  46. For certain I will review out more posts. Keep on sharing dude.

    ReplyDelete
  47. Really appreciate you sharing this article. Much thanks again.

    ReplyDelete
  48. It was definitely informative. Your site is useful.

    ReplyDelete
  49. Everything is very open with a really clear explanation of the challenges.

    ReplyDelete
  50. You put truly extremely accommodating data. Keep it up.

    ReplyDelete
  51. thank you for sharing such a great bog it is very helpful.

    ReplyDelete
  52. Really satisfied with all the information I have found in this article.

    ReplyDelete
  53. Excellent post. I was checking constantly this blog and I am impressed.

    ReplyDelete
  54. This is really interesting, You’re a very skilled blogger.

    ReplyDelete

  55. I really happy found this website eventually. Really informative

    ReplyDelete
  56. Really good visual appeal on this internet site, I’d rate it 10 over 10.

    ReplyDelete
  57. Thank you for sharing with us, I believe this website really stands out

    ReplyDelete
  58. This is an extremely well written article. I will be sure to bookmark it

    ReplyDelete
  59. I have read several good stuff here. Such a excellent informative website.

    ReplyDelete
  60. I like this web blog its a master piece ! Glad I observed this on google

    ReplyDelete
  61. This post is good enough to make somebody understand this amazing article, Keep it up!

    ReplyDelete
  62. Glad to chat this blog, I seem to be forward to more reliable articles,

    ReplyDelete
  63. This is an excellent post I seen, thanks that you share it with us very good

    ReplyDelete