aljaz/securedorg.github.io
1
0
Fork 0
mirror of https://github.com/aljazceru/securedorg.github.io.git synced 2026-01-07 00:04:22 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
515d5e8c297091fe469e9fb81e7241093af8e59e
securedorg.github.io/static.md
Amanda Rousseau 515d5e8c29 fixing code
2017-03-24 11:52:25 -07:00

93 lines
3.1 KiB
Markdown
Raw Blame History

---
layout: default
permalink: /RE101/section5/
title: Static Analysis
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 5: Static Analysis #
## LAB 2
### Possible Packer?
Notice in CFF explorer that there is UPX in the header.
![alt text](https://securedorg.github.io/images/triage2.png "UPX")
When you open the executable in IDA, you will notice large section of non-disassembled code.
![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX")
Because UPX is a common packer, the unpacker is already built in to CFF Explorer. Unpack and save the file with a name that identifies it as unpacked.
![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX")
### Reopen the executable in IDA.
The next step is getting a sense as to what the program is doing.
So far we can assume:
* This exe is connecting to the internet somehow
* This exe is using a string encryption function
* This exe might be spawning a shell
---
Navigate to the **String** window.
Here is an interesting string that we should start with:
![alt text](https://securedorg.github.io/images/static1.png "Strings window")
Using the **X** key we can jump to the reference of that string in the assembly code.
![alt text](https://securedorg.github.io/images/static2.gif "Strings window")
This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).
We should rename this function **SetRegkey**.
---
Jump up to the calling function using **X** on **SetRegkey**. Scroll up until you see some interesting API.
Notice it's calling [InternetOpen](https://msdn.microsoft.com/en-us/library/windows/desktop/aa385096.aspx) which opens a HTTP session.
This function call has the following arguments:
**C++**
```c++
HINTERNET InternetOpen(
_In_ LPCTSTR lpszAgent, // Arg 1 = URL
_In_ DWORD dwAccessType, // Arg 2
_In_ LPCTSTR lpszProxyName, // Arg 3
_In_ LPCTSTR lpszProxyBypass,// Arg 4
_In_ DWORD dwFlags // Arg 5
);
```
We need to figure out what register **esi** is because it contains the URL we are looking for.
**Assembly x86**
```assembly
push 0 ; Arg 5
push 0 ; Arg 4
push 0 ; Arg 3
push 1 ; Arg 2
push esi ; Arg 1 URL
call ds: InternetOpenA
```
Right before the first **push 0** there is a **mov esi,eax** which means esi = eax.
When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), and.
![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")
Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed. In this case it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/).
![alt text](https://securedorg.github.io/images/static4.png "Xor routine")
[Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)
Reference in New Issue View Git Blame Copy Permalink