securedorg.github.io/static.md
Amanda Rousseau 515d5e8c29 fixing code
2017-03-24 11:52:25 -07:00
| layout | permalink | title |
| --- | --- | --- |
| default | /RE101/section5/ | Static Analysis |

Go Back to Reverse Engineering Malware 101

Section 5: Static Analysis

LAB 2

Possible Packer?

Notice in CFF Explorer that UPX shows up in the PE section headers (UPX-packed binaries normally name their sections UPX0 and UPX1).

alt text

When you open the executable in IDA, you will notice a large region that is not disassembled: the real program is stored as compressed data, and only the small unpacking stub is visible as code.

alt text

Because UPX is a common packer, an unpacker for it is already built into CFF Explorer. Unpack and save the file under a name that identifies it as unpacked, so you never confuse the two copies.

alt text

Reopen the executable in IDA.
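The same check CFF Explorer did by hand can be scripted for triage. The following is an added example, not code from the RE101 course: it parses just enough of the PE headers to list the section names and sizes and flags the two classic UPX tells, the UPX0/UPX1 section names and a section with no raw data but a large virtual size (the destination the stub unpacks into). The PE bytes it inspects are constructed inline (headers only, no real code) to imitate a UPX layout; `build_sample_pe` and `packer_hints` are names chosen here.

```python
"""Spot packer hints from a PE section table without a GUI tool.

Added example, not part of the RE101 course. The sample PE below is
constructed in build_sample_pe(): valid DOS/NT headers and a section
table, but no code or data behind them.
"""
import struct

# Section names that identify a packer outright. Extend as needed.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX",
    "UPX1": "UPX",
    "UPX2": "UPX",
    ".aspack": "ASPack",
}


def parse_sections(pe: bytes):
    """Return (name, virtual_size, raw_size) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 4 + 20 + opt_size  # section table starts after the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _va, rawsize = struct.unpack_from("<8sIII", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize))
    return sections


def packer_hints(pe: bytes):
    """Human-readable reasons to suspect a packer, one per finding."""
    hints = []
    for name, vsize, rawsize in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            hints.append(f"section {name}: {PACKER_SECTION_NAMES[name]} section name")
        if rawsize == 0 and vsize > 0:
            hints.append(f"section {name}: no raw data but {vsize:#x} bytes virtual (unpack destination)")
    return hints


def build_sample_pe() -> bytes:
    """Construct a header-only PE32 that looks like a UPX-packed file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)  # i386, 3 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic, rest left zero

    def sec(name, vsize, va, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)

    sections = (
        sec(b"UPX0", 0x1F000, 0x1000, 0, 0x400)        # empty on disk, filled at runtime
        + sec(b"UPX1", 0xB000, 0x20000, 0xAA00, 0x400)  # compressed payload plus stub
        + sec(b".rsrc", 0x1000, 0x2B000, 0x800, 0xAE00)
    )
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections


if __name__ == "__main__":
    for hint in packer_hints(build_sample_pe()):
        print(hint)
```

Point `packer_hints` at `open(path, "rb").read()` for a real sample; the raw-size-zero check catches UPX even when the section names have been renamed to hide the packer.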

The next step is getting a sense as to what the program is doing. So far we can assume:

  • This exe is connecting to the internet somehow
  • This exe is using a string encryption function
  • This exe might be spawning a shell

Navigate to the Strings window.

Here is an interesting string that we should start with:

alt text

With the string selected, press X to list its cross-references and jump to the place in the assembly where it is used.

alt text

This function is at offset 00401340. Notice that it works on a registry key: it opens one with the Windows API RegOpenKeyEx, the step a program must take before it can read or write a value under that key.

We should rename this function SetRegkey.


Jump up to the calling function by pressing X on SetRegkey. Scroll up until you see some interesting API calls.

Notice it is calling InternetOpen, which initializes the WinINet library for the process. This is the first call a program makes before it can issue any HTTP request.

This function call has the following arguments:

```cpp
HINTERNET InternetOpen(
  _In_ LPCTSTR lpszAgent,      // Arg 1 = user-agent string sent with requests
  _In_ DWORD   dwAccessType,   // Arg 2 = proxy mode (1 = INTERNET_OPEN_TYPE_DIRECT)
  _In_ LPCTSTR lpszProxyName,  // Arg 3
  _In_ LPCTSTR lpszProxyBypass,// Arg 4
  _In_ DWORD   dwFlags         // Arg 5
);
```

We need to figure out what register esi holds, because it is the string passed as lpszAgent. That is the user-agent the sample will present to the server, not the URL (in WinINet the URL or host name goes to a later call such as InternetOpenUrl or InternetConnect), but it does not appear in the Strings window, so it is being produced at runtime, and that is the behaviour we want to understand.

```asm
push 0              ; Arg 5 dwFlags
push 0              ; Arg 4 lpszProxyBypass
push 0              ; Arg 3 lpszProxyName
push 1              ; Arg 2 dwAccessType = INTERNET_OPEN_TYPE_DIRECT
push esi            ; Arg 1 lpszAgent (the string we want)
call ds:InternetOpenA
```

Arguments are pushed right to left, so the last push before the call is the first argument. Right before the first push 0 there is a mov esi, eax, which means esi = eax.

When a function returns, its return value is in eax, so esi holds whatever the function called just before these pushes returned. Let's look into that function. It takes a string as its first argument, and that string looks like gibberish.

alt text

Scroll down until you find xor al, 5Ah. With practice you will recognize a string-processing loop by sight: a pointer or counter walks a buffer one byte at a time and the same operation is applied to each byte. Here each byte is XORed with 5Ah, which is Z in ASCII. Because XOR is its own inverse, the same loop with the same key turns the gibberish back into readable text, so this function is a single-byte XOR string decryptor, and the decrypted user-agent is what ends up in esi.
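Once the key is known you do not need to run the sample to read its strings. The following Python is an added example, not code from the RE101 course or the lab binary: it reimplements the single-byte XOR loop above, applies it to a ciphertext constructed here (a made-up user-agent string XORed with 0x5A, not bytes taken from the sample), and, going one step beyond the lab, shows how to recover the key by scoring all 256 candidates when the xor immediate has not been located yet. The names `xor_cstring` and `guess_key`, and the assumption that the encrypted buffer ends with an encrypted NUL, are choices made here.

```python
"""Recover strings hidden by a single-byte XOR loop like the one in the lab.

Added example, not code from the RE101 course or the lab sample. The
ciphertext is constructed below from a made-up plaintext.
"""
import string

KEY = 0x5A  # the immediate from `xor al, 5Ah` ('Z')

# Constructed plaintext; any NUL-terminated ASCII string would do.
PLAINTEXT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key. XOR is its own inverse, so one
    routine both hides a string and recovers it."""
    return bytes(b ^ (key & 0xFF) for b in data)


def xor_cstring(data: bytes, key: int) -> str:
    """Mimic the loop in the binary: transform bytes one at a time and stop
    at the first byte that decrypts to NUL (assumption: the stored buffer
    carries an encrypted terminator, i.e. the key byte itself)."""
    out = bytearray()
    for b in data:
        p = b ^ key
        if p == 0:
            break
        out.append(p)
    return out.decode("ascii", errors="replace")


def guess_key(data: bytes) -> int:
    """Try all 256 keys and keep the one whose output looks most like text:
    letters and spaces score highest, other printable ASCII a little,
    control bytes count heavily against a candidate."""
    letters = set(string.ascii_letters.encode()) | {0x20}
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

    def score(key: int) -> int:
        total = 0
        for b in xor_bytes(data, key):
            if b in letters:
                total += 3
            elif b in printable:
                total += 1
            else:
                total -= 10
        return total

    return max(range(256), key=score)


# Constructed blob laid out the way the decryptor expects it: ciphertext
# followed by the encrypted NUL terminator.
CIPHERTEXT = xor_bytes(PLAINTEXT.encode("ascii") + b"\x00", KEY)

if __name__ == "__main__":
    print("decrypted:", xor_cstring(CIPHERTEXT, KEY))
    print("recovered key:", hex(guess_key(CIPHERTEXT)))
```

To use this on the real sample, copy the bytes of the gibberish argument out of IDA (or dump them from the data section) and pass them to `xor_cstring`; running `guess_key` first is a useful sanity check that 5Ah really is the only key in play.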

alt text

Section 4 <- Back | Next -> Section 6