| layout | permalink | title |
|---|---|---|
| default | /RE102/section4.3/ | Setup |
Go Back to Reverse Engineering Malware 102
Section 4.3: Convert the Shellcode Into an Exe
Now you have the decrypted shellcode. This section will go over converting the shellcode into an executable so that you can view the disassembly in IDA.
Keep in mind that this step is optional, but converting the shellcode into an executable will help you debug and understand the deployed VM evasion techniques, which are discussed at length in Section 5. If you open decrypted_shellcode.bin directly in IDA, you will notice that the disassembly does not parse the functions properly: the malware author has inserted extraneous assembly instructions to throw off malware analysis. The byte 0x78 is the opcode of the js instruction (jump short if sign, taken when SF=1), which is what the long runs of 0x78 in the dump below are.
```
00000000: 7878 7878 7878 7878 7878 7878 7878 7878  xxxxxxxxxxxxxxxx
00000010: 8b45 088b 4034 55e9 6761 0000 786a 6866  .E..@4U.ga..xjhf
00000020: 8995 34ff ffff 5a6a 7266 8995 36ff ffff  ..4...Zjrf..6...
00000030: 5ae9 2506 0000 7878 7878 7878 7878 7878  Z.%...xxxxxxxxxx
00000040: 7878 7878 7878 7858 6a74 6689 45c8 58e9  xxxxxxxXjtf.E.X.
00000050: 0229 0000 7878 7878 7878 7878 7878 7878  .)..xxxxxxxxxxxx
00000060: 7878 7878 7878 7889 5d88 e8af 3b00 0081  xxxxxxx.]...;...
...
```
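As an added example that is not part of the course material, the following Python script parses an xxd-style dump like the one above back into bytes and reports every run of the 0x78 (js rel8) opcode, so you can measure how much of the blob is padding before opening it in IDA. The seven dump lines shown above are embedded as a constructed sample; the function names and the run-length threshold are my own choices.

```python
# Added example (not from the RE102 course): locate runs of the 0x78 (js rel8)
# padding byte in an xxd-style dump of the decrypted shellcode.
import re
from typing import List, Tuple

JS_OPCODE = 0x78  # js rel8: jump short if SF=1

# Constructed sample: the first seven lines of the decrypted shellcode dump.
SAMPLE_DUMP = """\
00000000: 7878 7878 7878 7878 7878 7878 7878 7878  xxxxxxxxxxxxxxxx
00000010: 8b45 088b 4034 55e9 6761 0000 786a 6866  .E..@4U.ga..xjhf
00000020: 8995 34ff ffff 5a6a 7266 8995 36ff ffff  ..4...Zjrf..6...
00000030: 5ae9 2506 0000 7878 7878 7878 7878 7878  Z.%...xxxxxxxxxx
00000040: 7878 7878 7878 7858 6a74 6689 45c8 58e9  xxxxxxxXjtf.E.X.
00000050: 0229 0000 7878 7878 7878 7878 7878 7878  .)..xxxxxxxxxxxx
00000060: 7878 7878 7878 7889 5d88 e8af 3b00 0081  xxxxxxx.]...;...
...
"""

_OFFSET_RE = re.compile(r"[0-9a-fA-F]{1,8}:")
_HEXGROUP_RE = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")  # one or two bytes per token


def parse_xxd(dump: str, bytes_per_line: int = 16) -> bytes:
    """Recover raw bytes from xxd-style output, ignoring the ASCII column.

    After the "offset:" token, hex groups are consumed until bytes_per_line
    bytes have been read or a token is not a 2- or 4-digit hex group (the
    16-character ASCII column never is). Lines such as the trailing "..."
    are skipped.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not _OFFSET_RE.fullmatch(tokens[0]):
            continue
        got = 0
        for tok in tokens[1:]:
            if got >= bytes_per_line or not _HEXGROUP_RE.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            got += len(tok) // 2
    return bytes(out)


def find_opcode_runs(data: bytes, opcode: int = JS_OPCODE,
                     min_len: int = 4) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of `opcode` at least min_len long."""
    runs = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != opcode:
            i += 1
            continue
        start = i
        while i < n and data[i] == opcode:
            i += 1
        if i - start >= min_len:
            runs.append((start, i - start))
    return runs


def padding_ratio(data: bytes) -> float:
    """Fraction of the blob covered by js-padding runs."""
    padded = sum(length for _, length in find_opcode_runs(data))
    return padded / len(data) if data else 0.0


if __name__ == "__main__":
    blob = parse_xxd(SAMPLE_DUMP)
    for off, length in find_opcode_runs(blob):
        print("0x%04x: %d x js (0x78)" % (off, length))
    print("padding ratio: %.2f" % padding_ratio(blob))
```

Running the script on the sample reports the three padding runs at 0x00, 0x36 and 0x54; on the full decrypted_shellcode.bin (read the file with `open(path, "rb").read()` instead of parsing a dump) the same functions give you a quick picture of how much of the file is junk.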
There are many tools and scripts available that help you convert shellcode into an exe, such as shellcode2exe.py. However, I have found that Hexacon provides a nice, easy tutorial for converting shellcode into an executable. This section uses YASM and GoLink to create the executable and CFF Explorer to edit the binary header.
- Download Yasm yasm-1.3.0-win32.exe
- Extract yasm-1.3.0-win32.exe and rename it to yasm.exe
- Download GoLink linker Golink.zip
- Extract golink.exe
- Create a decrypted_shellcode.asm file with the following instructions:

  ```nasm
  Global Start                                ; export the entry symbol for the linker
  SECTION 'AyyLmao' write, execute, read      ; one RWX section to hold the blob
  Start:
      incbin "decrypted_shellcode.bin"        ; embed the raw decrypted shellcode bytes
  ```
- From a command line, run the following command to assemble the code:

  ```
  yasm.exe -f win32 -o decrypted_shellcode.obj decrypted_shellcode.asm
  ```
- Now run the linker:

  ```
  golink /ni /entry Start decrypted_shellcode.obj
  ```
- Open decrypted_shellcode.exe with CFF Explorer and navigate to NT Headers -> Optional Header -> AddressOfEntryPoint. Add 0x42B7 to the current value; 0x42B7 is the offset within the shellcode that the malware was going to return to in function sub_45B794. AddressOfEntryPoint should now be 0x000052B7. This ensures that IDA knows where to start the disassembly.
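As an added example (not code from the course, and not what CFF Explorer does internally), the following Python script performs the AddressOfEntryPoint edit described above programmatically and adds the check a practitioner wants before trusting the result: that the new RVA lands inside an executable section of the file. It builds a constructed minimal PE32 header in memory with one RWX section at RVA 0x1000, so adding 0x42B7 yields the page's 0x52B7; the function names and the build_constructed_pe helper are my own. Given a file path and a hex delta it patches a real GoLink output instead.

```python
# Added example (not from the RE102 course): adjust AddressOfEntryPoint in a PE
# file and verify the new entry RVA lies inside an executable section.
import struct
from typing import Optional, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _optional_header_offset(pe: bytes) -> int:
    """Validate MZ/PE signatures and return the file offset of the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20  # PE signature + IMAGE_FILE_HEADER


def read_entry_point(pe: bytes) -> int:
    """Return IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint (an RVA)."""
    opt = _optional_header_offset(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+


def section_for_rva(pe: bytes, rva: int) -> Optional[Tuple[str, int]]:
    """Return (name, Characteristics) of the section containing `rva`, or None."""
    opt = _optional_header_offset(pe)
    file_hdr = opt - 20
    nsec = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    for i in range(nsec):
        off = opt + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va = struct.unpack_from("<8sII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        if va <= rva < va + vsize:
            return name.rstrip(b"\0").decode("ascii", "replace"), chars
    return None


def can_patch(pe: bytes, delta: int) -> bool:
    """True if entry + delta falls inside a section marked executable."""
    hit = section_for_rva(pe, read_entry_point(pe) + delta)
    return hit is not None and bool(hit[1] & IMAGE_SCN_MEM_EXECUTE)


def add_to_entry_point(pe: bytes, delta: int) -> bytes:
    """Return a copy of `pe` with AddressOfEntryPoint increased by `delta`."""
    if not can_patch(pe, delta):
        raise ValueError("new entry RVA 0x%x is outside every executable section"
                         % (read_entry_point(pe) + delta))
    out = bytearray(pe)
    struct.pack_into("<I", out, _optional_header_offset(pe) + 16,
                     read_entry_point(pe) + delta)
    return bytes(out)


def build_constructed_pe(entry_rva: int = 0x1000, section_rva: int = 0x1000,
                         section_size: int = 0x6000) -> bytes:
    """Constructed minimal PE32 header (not a real binary): DOS header, PE
    signature, file header, PE32 optional header and one RWX section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b"AyyLmao\0", section_size, section_rva,
                      section_size, 0x200, 0, 0, 0, 0, 0xE0000000)  # RWX
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec


if __name__ == "__main__":
    import sys
    path, delta = sys.argv[1], int(sys.argv[2], 16)
    data = open(path, "rb").read()
    patched = add_to_entry_point(data, delta)
    open(path + ".patched", "wb").write(patched)
    print("AddressOfEntryPoint 0x%x -> 0x%x"
          % (read_entry_point(data), read_entry_point(patched)))
```

Usage on the file produced by GoLink: `python patch_entry.py decrypted_shellcode.exe 42B7` writes decrypted_shellcode.exe.patched with the entry point moved by 0x42B7 and refuses the edit if that RVA is not inside an executable section, which is the mistake that otherwise leaves IDA disassembling from an address it cannot follow.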
Finally, open decrypted_shellcode.exe in IDA for Section 5.