aljaz/securedorg.github.io
1
0
Fork 0
mirror of https://github.com/aljazceru/securedorg.github.io.git synced 2025-12-29 20:04:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

adding more static images

Browse Source
This commit is contained in:
Amanda Rousseau
2017-03-24 11:50:12 -07:00
parent f43ad5228a
commit 55de337944
5 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
static.md
View File

@@ -11,12 +11,15 @@ title: Static Analysis
### Possible Packer?
Notice in CFF explorer that there is UPX in the header.
![alt text](https://securedorg.github.io/images/triage2.png "UPX")
When you open the executable in IDA, you will notice large section of non-disassembled code.
![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX")
Because UPX is a common packer, the unpacker is already built in to CFF Explorer. Unpack and save the file with a name that identifies it as unpacked.
![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX")
### Reopen the executable in IDA.
@@ -32,9 +35,11 @@ So far we can assume:
Navigate to the **String** window.
Here is an interesting string that we should start with:
![alt text](https://securedorg.github.io/images/static1.png "Strings window")
Using the **X** key we can jump to the reference of that string in the assembly code.
![alt text](https://securedorg.github.io/images/static2.gif "Strings window")
This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).
@@ -43,6 +48,22 @@ We should rename this function **SetRegkey**.
---
Jump up to the calling function using **X** on **SetRegkey**. Scroll up until you see some interesting API.
Notice it's calling [InternetOpen](https://msdn.microsoft.com/en-us/library/windows/desktop/aa385096.aspx) which opens a HTTP session.
This function call has the following arguments:
```c++
HINTERNET InternetOpen(
_In_ LPCTSTR lpszAgent, //URL
_In_ DWORD dwAccessType,
_In_ LPCTSTR lpszProxyName,
_In_ LPCTSTR lpszProxyBypass,
_In_ DWORD dwFlags
);
```
![alt text](https://securedorg.github.io/images/static3.png "Strings window")
[Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)