explorer.exe, Lab12-01.dll, and psapi.dll.

Next, we use basic dynamic techniques to see what the malware does when it runs. When we run the malware, it creates a message box every minute (quite annoying when you are trying to use analysis tools). Procmon doesn't have any useful information, Process Explorer shows no obvious process running, and no network functions appear to be imported, so we shift to IDA Pro to determine what is producing the message boxes.

A few lines from the start of the main function, we see the malware resolving functions for Windows process enumeration within psapi.dll. The listing contains one example of the three functions the malware manually resolves using LoadLibraryA and GetProcAddress.
dword_408714 is renamed to myEnumProcessModules at ❶.

After the dynamic resolution of the functions, the code calls dword_408710 (EnumProcesses), which retrieves a PID for each process object in the system. EnumProcesses returns an array of the PIDs, referenced by the local variable dwProcessId. dwProcessId is used in a loop to iterate through the process list and call sub_401000 for each PID.
When we examine sub_401000, we see that the dynamically resolved import EnumProcessModules is called after OpenProcess for the PID passed to the function. Next, we see a call to dword_40870C (GetModuleBaseNameA) at ❶, as shown in the listing.
hProcess will be used to manipulate the process.

We then see VirtualAllocEx at ❶, which dynamically allocates memory in the explorer.exe process: 0x104 bytes are allocated by pushing dwSize at ❷. If VirtualAllocEx is successful, a pointer to the allocated memory is moved into lpParameter at ❸, to be passed with the process handle to WriteProcessMemory at ❹, which writes data into explorer.exe. The data written to the process is referenced by the Buffer parameter.

In order to understand what is injected, we trace the code back to where Buffer is set. We find it set to the path of the current directory with Lab12-01.dll appended. We can now conclude that this malware writes the path of Lab12-01.dll into the explorer.exe process.
If the malware successfully writes the path of the DLL into explorer.exe, the code in the listing will execute.

GetModuleHandleA and GetProcAddress are used to get the address of LoadLibraryA. The address of LoadLibraryA is the same in explorer.exe as it is in the malware (Lab12-01.exe), so that address is placed into lpStartAddress at ❶. (This works because kernel32.dll is mapped at the same base address in every process on the system; even with ASLR, system DLLs are rebased only once per boot, not per process.) lpStartAddress is provided to CreateRemoteThread at ❷ in order to force explorer.exe to call LoadLibraryA.

In Process Explorer, we select explorer.exe in the process listing, and then choose View ▸ Show Lower Pane and View ▸ Lower Pane View ▸ DLLs. Scrolling through the resulting window, we see Lab12-01.dll listed as being loaded into explorer.exe's memory space. Using Process Explorer is an easy way to spot DLL injection and is useful in confirming our IDA Pro analysis. To stop the pop-ups, we can use Process Explorer to kill explorer.exe, and then restart it by selecting File ▸ Run and entering explorer.
Example C-67. Analyzing the thread created by Lab12-01.dll

10001046 mov     ecx, [ebp+var_18]
10001049 push    ecx
1000104A push    offset Format        ; "Practical Malware Analysis %d"
1000104F lea     edx, [ebp+Parameter]
10001052 push    edx                  ; Dest
10001053 call    _sprintf ❷
10001058 add     esp, 0Ch
1000105B push    0                    ; lpThreadId
1000105D push    0                    ; dwCreationFlags
1000105F lea     eax, [ebp+Parameter]
10001062 push    eax                  ; lpParameter
10001063 push    offset StartAddress ❶ ; lpStartAddress
10001068 push    0                    ; dwStackSize
1000106A push    0                    ; lpThreadAttributes
1000106C call    ds:CreateThread
10001072 push    0EA60h               ; dwMilliseconds
10001077 call    ds:Sleep
1000107D mov     ecx, [ebp+var_18]
10001080 add     ecx, 1 ❸
10001083 mov     [ebp+var_18], ecx
The new thread at ❶, labeled StartAddress by IDA Pro, creates the message box that says "Press OK to reboot," and takes a parameter for the title of the box that is set by the sprintf at ❷. This parameter is the format string "Practical Malware Analysis %d", where %d is replaced with a counter stored in var_18 that increments at ❸. The Sleep of 0EA60h (60,000) milliseconds between iterations is the one-minute interval we observed. We conclude that this DLL does nothing other than produce annoying message boxes whose counter increments by one every minute.