Saturday, August 4, 2012

Malware Analysis Tutorial 31: Exposing Hidden Control Flow

Learning Goals:
  1. Practice WinDbg for Inspecting Kernel Data Structure
  2. Use Packet Sniffer to Monitor Malware Network Activities
  3. Understand Frequently Used Network Activities by Malware
  4. Expose Hidden/Unreachable Control Flow of Malware
Applicable to:
  1. Operating Systems
  2. Assembly Language
  3. Operating System Security
1. Introduction

This tutorial analyzes the network activity performed by max++.00.x86 when its effort to load 147.47.xx.xx\max++.x86.dll fails. We show how a network sniffer assists the analysis, and how a debugger can expose and analyze the hidden/unreachable control flow of a malware sample.

2. Lab Configuration

We assume that you have finished Tutorial 30 and that max++.00.x86 is already resident on the system. Now set a breakpoint at 0x35671797 (this is where the malware tries to modify the kernel data structure holding the library path of max++; later it will call Ole32.CoInitialize to load the remote). Now on the Ubuntu server, start the Wireshark packet sniffer and listen on the local area network (use ifconfig to find out which adapter to listen on).

Now press F9 until you hit 0x35671797. At this moment, no packets should have been captured in the Wireshark window yet. Execute the program step by step until you reach 0x35671D8B. This is right before the call of ole32.CoInitialize.

Figure 1. The Code Which Tries to Load the Remote DLL

3. Wireshark Assisted Analysis
Now the interesting part: one more step in the WinDbg instance and Ole32.CoInitialize is called. You can then notice a lot of communication between (our WinDbg instance) and From Figure 2, you can tell that it is using a special HTTP method, PROPFIND, to retrieve max.x86.dll (PROPFIND is a method provided by the WebDAV protocol, which is an extension of HTTP).

Figure 2. Network Trace of Ole32.CoInitialize
However, interestingly, if we press F9 directly from 0x35671797, we get the trace shown in Figure 3. Notice the difference!

Figure 3. A slightly different network trace
Clearly, the malware is trying to invoke /install/setup.ppc.php at! Now the question is: who is sending this request, and why didn't we capture it when we stepped through the execution?
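The two network fingerprints seen above, the WebDAV PROPFIND fetch of the DLL and the request for /install/setup.ppc.php, can be turned into a simple detection over captured HTTP requests. The Python below is an added example, not code from the tutorial; the sample requests are constructed, and the host name in them is a placeholder, since the page does not name the server.

```python
"""Flag the WebDAV DLL fetch and the setup.ppc.php request in HTTP requests.
Added example, not the tutorial's code; sample requests are constructed."""
import re
from collections import namedtuple

Request = namedtuple("Request", "method path host")

# RFC 4918 (WebDAV) methods; PROPFIND is the one the page's trace shows
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Request path seen in Figure 3
KNOWN_BEACON_PATHS = {"/install/setup.ppc.php"}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")


def parse_request(raw):
    """Parse the request line and Host header of one raw HTTP request."""
    lines = raw.strip().splitlines()
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    host = ""
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return Request(m.group("method"), m.group("path"), host)


def classify(req):
    """Rule findings for one request, in a fixed order."""
    findings = []
    if req.method in WEBDAV_METHODS:
        findings.append("webdav-method")
        if req.path.lower().endswith(".dll"):
            findings.append("webdav-dll-fetch")   # a DLL being pulled over WebDAV
    if req.path in KNOWN_BEACON_PATHS:
        findings.append("known-beacon-path")
    return findings


def scan(raw_requests):
    """(request, findings) for every request that triggers at least one rule."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        findings = classify(req)
        if findings:
            hits.append((req, findings))
    return hits


# Constructed requests; REMOTE_HOST_PLACEHOLDER stands in for the server the
# page does not name, and the two .invalid hosts are benign traffic.
SAMPLE_REQUESTS = [
    "OPTIONS / HTTP/1.1\r\nHost: REMOTE_HOST_PLACEHOLDER\r\n",
    "PROPFIND /max++.x86.dll HTTP/1.1\r\nHost: REMOTE_HOST_PLACEHOLDER\r\nDepth: 0\r\n",
    "GET /install/setup.ppc.php HTTP/1.1\r\nHost: REMOTE_HOST_PLACEHOLDER\r\n",
    "GET /index.html HTTP/1.1\r\nHost: intranet.example.invalid\r\n",
    "PROPFIND /shared/docs/ HTTP/1.1\r\nHost: files.example.invalid\r\nDepth: 1\r\n",
]

if __name__ == "__main__":
    for req, findings in scan(SAMPLE_REQUESTS):
        print("%-8s %-28s host=%s -> %s" % (req.method, req.path, req.host, ", ".join(findings)))
```

A plain PROPFIND on a directory is ordinary WebDAV use, so only the .dll fetch and the known path are the strong signals here. In Wireshark itself, the display filter http.request.method == "PROPFIND" isolates the same traffic.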

Challenge 1. Find a way to trace back to the sender of the packet to

4. Run Malware without Remote DLL
We are interested in the rest of the malware logic and would like a rough idea of Max++.00.x86's behavior if is loaded. This requires tweaking the control flow a little to observe that behavior. We need to perform the following lab configuration:

(1) Set a breakpoint at 0x35671D8D and run to it. See Figure 4. This is right before the ole32.CoInitialize() call, which tries to load the remote However, the file is no longer available, so the call will fail and terminate the entire process. We need to skip this call so that we can examine the rest of the malware logic.
Figure 4. Breakpoint to Divert Control Flow When Remote DLL Loading Fails

(2) Click the 2nd button on the toolbar (the Python window) and then type
  imm.setReg("EIP", 0x35671D93)
 This skips the call of ole32.CoInitialize and jumps to the next instruction.

(3) Now, in the register window, change the value of EAX to 0 (to indicate that the call succeeded).

After the control flow is diverted successfully, max++.00.x86 jumps to function 0x35674737, whose function body is shown in Figure 5.
Figure 5. Function 0x35674737 - Allocate Memory in Heap
Then the malware calls function 0x35671E37 (note that at this moment 0x00182130 is the start address of the allocated heap memory). As shown in Figure 6, it is constructing some data structure at 0x00182130 (size: 0x24 bytes).

Challenge 2. Use data breakpoints to find out the type of the data structure constructed by 0x35671E37.

Figure 6. Function 0x35671E37 constructs some data structure
The control soon flows to 0x35671C4A. This function has several interesting calls, as shown in Figure 7. It seems to be creating a port and listening on it. To figure out the logic, we have to carefully handle the execution of function 0x35671E61 (because it invokes functions in the remote max++.x86.dll, which is not loaded due to the network failure).

Figure 7. Function body of 0x35671C4A
Now let's delve into function 0x35671E61 first; Figure 8 shows its first part. It is a call to ole32.CLSIDFromProgID("JavaScript"). The function locates the registry entry based on the program ID. But this call triggers the remote DLL, so we need to look at the details.
Figure 8. A Call That Triggers remote max++.x86.dll

By tracing into the ole32.CLSIDFromProgID("JavaScript") call, we notice that at the ole32.CoGetComCatalog call, it is stuck on loading the As shown in Figure 9, it seems that CoGetComCatalog visits the loaded module again, reads the manipulated information of the current module and thus tries to load the remote module (this is similar to the CoInitialize call discussed in Tutorial 30).
Figure 9. CLSIDFromProgID Stuck on CoGetComCatalog
Since the remote module name causes the problem, we can try to reset it. From Tutorial 30, we know that the module name/path information is located at 0x002529c0. We can change it back to the original name "\\.\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\max++.00.x86" (right-click on address 002529c0 in the memory dump, select Binary Edit, then enter the path string in the UNICODE box).
Figure 10. Modify the Module Name - Convert it Back

Now let's observe the second parameter of CLSIDFromProgID in Figure 8. Via a simple analysis we can identify that the second parameter is located at 0x009FFF48, as shown in Figure 11.

Figure 11. Successful Completion of CLSIDFromProgID

As shown in Figure 11, address 0x009FFF48 stores the class ID. Pay attention to the byte order (you should read the first 4 bytes in reverse order). For example, the first 4 bytes (60 C2 14 F4) should be read as 0xf414c260. Searching for f414c260 in regedit, we find CLSID {f414c260-6ac0-11cf...}, as shown in Figure 11. You can verify that it matches the highlighted area in the IMM memory dump pane. Reading more details about CLSID {f414c260-6ac0-11cf...}, we find that the CLSID is mapped to jscript.dll in the system directory, which is as expected (i.e., CLSIDFromProgID works correctly, given that the broken remote library link did not crash the CoGetComCatalog call in figure 10).
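The byte-order rule above generalizes to the whole 16-byte GUID: Data1 (4 bytes), Data2 (2) and Data3 (2) are stored little-endian, and the trailing 8 bytes are stored as-is. The Python below is an added example, not the tutorial's code; it converts a memory dump into the registry text form, cross-checks the result against the standard library, and does the inverse lookup (registry text to the byte pattern to search for in memory). The first eight bytes of the sample dump reproduce the values the page shows; the remaining eight are constructed placeholders, since the page elides the rest of the CLSID.

```python
"""Turn the in-memory bytes of a GUID/CLSID into the {xxxxxxxx-xxxx-...} text
that regedit searches for, and back. Added example, not the tutorial's code."""
import uuid


def parse_hex_dump(dump):
    """Bytes from a space-separated hex dump such as the IMM memory pane shows."""
    return bytes.fromhex(dump)


def guid_from_memory(raw):
    """Data1 (4 bytes), Data2 (2) and Data3 (2) are little-endian in memory,
    which is why 60 C2 14 F4 reads as f414c260; Data4 (8 bytes) keeps memory order."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes, got %d" % len(raw))
    data1 = int.from_bytes(raw[0:4], "little")
    data2 = int.from_bytes(raw[4:6], "little")
    data3 = int.from_bytes(raw[6:8], "little")
    data4 = raw[8:16]
    return "{%08x-%04x-%04x-%s-%s}" % (data1, data2, data3,
                                       data4[:2].hex(), data4[2:].hex())


def guid_from_memory_stdlib(raw):
    """Same conversion via the standard library; bytes_le applies the mixed-endian rule."""
    return "{%s}" % uuid.UUID(bytes_le=bytes(raw))


def guid_to_memory(text):
    """Inverse: the byte pattern to look for in a memory dump for a registry CLSID."""
    return uuid.UUID(text.strip("{}")).bytes_le


# Constructed dump: the first 8 bytes reproduce what the page shows
# (f414c260-6ac0-11cf); the last 8 are placeholders, since the page elides
# the rest of the CLSID.
SAMPLE_DUMP = "60 C2 14 F4 C0 6A CF 11 00 11 22 33 44 55 66 77"

if __name__ == "__main__":
    raw = parse_hex_dump(SAMPLE_DUMP)
    print(guid_from_memory(raw))
    print(guid_from_memory_stdlib(raw))
    print(guid_to_memory(guid_from_memory(raw)).hex(" "))
```

The inverse direction is the one to use when a registry entry is already suspect: convert the CLSID text to its byte pattern and search the dump for it, rather than reversing nibbles by hand.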

However, notice that there is a possibility that the remote library, when loaded, rewrites the registry entry so that when the JScript object is used later, it actually refers to the functions of the remote library. As we do not have the binary, we have no way to tell.

4.1 Rest of Logic of Function 0x35671E61
We now continue from the call of CLSIDFromProgID. Again, notice that the CLSID is stored at 0x009FFF48.

Figure 12 shows the rest of the logic of function 0x35671E61. The major part is a call of CoCreateInstance, which constructs a unique instance of the JScript COM object. Note that its second-to-last parameter, riid, is the ID of the interface used to communicate with JScript. However, as the CoInitialize call failed, CoCreateInstance() returns the error code 0x800410F0 (meaning that COM was not initialized correctly). In this case, we have to modify the EAX register at 0x35671E90 to force the logic through.
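The control-flow diversion in steps (1) to (3) of section 4 and the EAX override at 0x35671E90 above are the same manoeuvre: resume past a failing call (or right after it returns) with EAX carrying the success code the caller expects. The following is an added example of how that could be scripted as an Immunity Debugger PyCommand; it is not code from the tutorial. It assumes the Immunity Python API calls imm.getRegs(), imm.readMemory() and imm.setReg() and the PyCommand main(args) entry point; the call bytes used in the stand-alone check are constructed, chosen to match the 6-byte gap between 0x35671D8D and 0x35671D93 on the page. It is written to run under both Python 2 (Immunity's interpreter) and Python 3.

```python
"""Resume past a failing CALL, or patch its return value, from an Immunity
Debugger PyCommand. Added example; Immunity API names are assumed."""
try:
    import immlib  # present only inside Immunity Debugger
except ImportError:
    immlib = None

S_OK = 0x00000000            # HRESULT success, what step (3) writes into EAX


def modrm_operand_length(code, at):
    """Bytes consumed by the ModRM operand starting at code[at] (32-bit, no prefixes)."""
    modrm = code[at]
    mod, rm = modrm >> 6, modrm & 7
    length = 1
    if mod == 3:
        return length                       # register operand, no displacement
    if rm == 4:                             # SIB byte follows
        length += 1
        if mod == 0 and (code[at + 1] & 7) == 5:
            length += 4                     # [index*scale + disp32] form
    if mod == 0 and rm == 5:
        length += 4                         # [disp32]
    elif mod == 1:
        length += 1                         # [reg + disp8]
    elif mod == 2:
        length += 4                         # [reg + disp32]
    return length


def call_instruction_length(code):
    """Length of the x86 CALL whose first byte is code[0]: E8 rel32 is 5 bytes;
    FF /2 is 1 + ModRM operand (FF 15 disp32 = 6 bytes, the import-slot call
    that the 0x35671D8D -> 0x35671D93 gap on the page implies)."""
    code = bytearray(code)
    if not code:
        raise ValueError("no code bytes")
    if code[0] == 0xE8:
        return 5
    if code[0] == 0xFF and len(code) > 1 and ((code[1] >> 3) & 7) == 2:
        return 1 + modrm_operand_length(code, 1)
    raise ValueError("byte 0x%02X is not a CALL encoding handled here" % code[0])


def plan_skip_call(call_addr, code, return_value, stdcall_args=0):
    """Register changes that make the caller see `return_value` without the
    callee running. A __stdcall callee (CoInitialize is one) pops its own
    arguments, so skipping it leaves them on the stack; raise ESP by 4 per
    argument to keep the caller's stack balanced."""
    return {
        "EIP": call_addr + call_instruction_length(code),
        "EAX": return_value,
        "ESP_ADJUST": 4 * stdcall_args,
    }


def apply_plan(imm, plan):
    """Write the plan into the debuggee (imm is an immlib.Debugger)."""
    esp = imm.getRegs()["ESP"]              # assumed: dict of register -> value
    imm.setReg("EIP", plan["EIP"])
    imm.setReg("EAX", plan["EAX"])
    if plan["ESP_ADJUST"]:
        imm.setReg("ESP", esp + plan["ESP_ADJUST"])


def fake_return_value(imm, value):
    """The 0x35671E90 case: the call has already returned, only EAX is replaced."""
    imm.setReg("EAX", value)


def main(args):
    """PyCommand entry point: run it while EIP sits on the failing CALL."""
    if immlib is None:
        return "run this from the Immunity Debugger PyCommand window"
    imm = immlib.Debugger()
    eip = imm.getRegs()["EIP"]
    code = bytearray(imm.readMemory(eip, 8))   # assumed: returns raw bytes
    plan = plan_skip_call(eip, code, S_OK, stdcall_args=1)  # CoInitialize(NULL)
    apply_plan(imm, plan)
    return "resumed at 0x%08X with EAX=0x%08X" % (plan["EIP"], plan["EAX"])


# Constructed bytes: FF 15 plus a placeholder import-slot address, i.e. the
# 6-byte "call dword ptr [slot]" form the page's addresses imply.
SAMPLE_CALL_BYTES = bytearray([0xFF, 0x15, 0x00, 0x00, 0x00, 0x00])
SAMPLE_PLAN = plan_skip_call(0x35671D8D, SAMPLE_CALL_BYTES, S_OK, stdcall_args=1)
```

Check the disassembly before choosing stdcall_args: if the caller cleans up after the call itself (an add esp, N following it), pass 0, otherwise the skipped callee's arguments stay on the stack and a later ret in the caller may pick up the wrong return address even though the skip itself looked successful.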

It can be seen in Figure 12 that three calls on the JScript COM object are made. However, due to the failed CoInitialize, we have no way to know the details of these three functions. Lastly, function 0x35671E61 returns.

Figure 12. Interacting with COM Object

4.2 Function 0x3567162D
Using the same technique, we can force the logic into function 0x3567162D. Figure 13 shows its function body. As shown in Figure 13, Max++ reads from \??\C2CAD...6cc2, allocates 0x15b bytes at 0x003E0000 and extracts the contents of the file into 0x003E0000.

Figure 13. Loading New Malicious Logic

The rest of function 0x3567162D is shown in Figure 14. It applies two layers of decryption to extract the contents at 0x003E0000. As shown in Figure 14, the data at 0x003E0000 looks like an XML spec. At this moment, we do not know the meaning of the "<jst>" tag. But if you look at the contents, it looks like a URL to download from, and the rest looks like an HTTP request header.

Figure 14. Extraction of Encrypted Contents
Challenge 2. Analyze the logic of function 0x35671ECF. Notice that you have to carefully rewire the logic when it tries to invoke functions in the remote DLL.

4.3 Function 0x356713AC
At the end of function 0x3567162D, it calls function 0x356713AC, which is shown below. Its logic is quite similar to 0x3567162D. It reads from another hidden file, resolves the IP of and constructs the request payload.
Figure 15. Function 0x356713AC
At the end of function 0x356713AC, it calls 0x356712D8, whose function body is shown below. It prepares the necessary resources (UUIDs) for socket communication in 0x35674237, which calls function 0x3567417c.
Figure 16. Function 0x356712D8 First Half

The function body of 0x3567417C is shown in Figure 17. Note that the first call of ws32_socket will fail. The most interesting part (see the highlighted area) is the call of BindIoCompletionCallback. It sets 0x356740D4 as the handler for any I/O completion on the handle of the network communication. Let's set a breakpoint and see if it gets called. Under the current setting this breakpoint will never be hit, because the WSASocket call fails. However, analysis of its binary code is still possible. We leave it as homework for readers.

Figure 17. Function Body of 0x3567417C
Challenge 3. Analyze the function of 0x356740D4.

The rest of 0x356712D8 deals with sending out packets (mainly to and there are many errors, as the network initialization by WSASocketW fails. Let's go back to 0x35671C6F and see what the logic is here.

Figure 18. Port Service Open
As shown in Figure 18, Max++ is clearly opening a port (using ZwCreatePort), followed by a big loop; during each iteration it calls ZwReplyWaitReceivePortEx to try to listen on the port.

Challenge 4. Find out the port number that Max++ is using. Notice that since the TCP/IP stack service is hijacked by Max++, the netstat command won't get you any interesting information!

In the next tutorial, we will tweak the control flow of Max++ to get into each switch case of the ZwReplyWaitReceivePortEx call and check whether Max++ is serving as a bot client of a botnet.

