, we know that we are probably dealing with some form of process injection. Therefore, our first goal should be to determine the code that is being injected and into which process. Examining the strings in the malware, we see some notable ones, including explorer.exe, Lab12-01.dll, and psapi.dll.

Next, we use basic dynamic techniques to see what the malware does when it runs. When we run the malware, it creates a message box every minute (quite annoying when you are trying to use analysis tools). Procmon doesn’t have any useful information, Process Explorer shows no obvious process running, and no network functions appear to be imported, so we shift to IDA Pro to determine what is producing the message boxes.

A few lines from the start of the main function, we see the malware resolving functions for Windows process enumeration within psapi.dll. contains one example of the three functions the malware manually resolves using LoadLibraryA and GetProcAddress.

, we should rename dword_408714 to myEnumProcessModules at ❶.

After the dynamic resolution of the functions, the code calls dword_408710 (EnumProcesses), which retrieves a PID for each process object in the system. EnumProcesses returns an array of the PIDs referenced by the local variable dwProcessId. dwProcessId is used in a loop to iterate through the process list and call sub_401000 for each PID.

When we examine sub_401000, we see that the dynamically resolved import EnumProcessModules is called after OpenProcess for the PID passed to the function. Next, we see a call to dword_40870C (GetModuleBaseNameA) at ❶, as shown in .

will execute, and the handle hProcess will be used to manipulate the process.

, we see a call to VirtualAllocEx at ❶. This dynamically allocates memory in the explorer.exe process: 0x104 bytes are allocated by pushing dwSize at ❷. If VirtualAllocEx is successful, a pointer to the allocated memory will be moved into lpParameter at ❸, to be passed with the process handle to WriteProcessMemory at ❹, in order to write data to explorer.exe. The data written to the process is referenced by the Buffer parameter in bold.

In order to understand what is injected, we trace the code back to where Buffer is set. We find it set to the path of the current directory appended with Lab12-01.dll. We can now conclude that this malware writes the path of Lab12-01.dll into the explorer.exe process.

If the malware successfully writes the path of the DLL into explorer.exe, the code in will execute.

, the calls to GetModuleHandleA and GetProcAddress (in bold) will be used to get the address to LoadLibraryA. The address of LoadLibraryA will be the same in explorer.exe as it is in the malware (Lab12-01.exe) with the address of LoadLibraryA inserted into lpStartAddress shown at ❶. lpStartAddress is provided to CreateRemoteThread at ❷ in order to force explorer.exe to call LoadLibraryA. , we select explorer.exe in the process listing, and then choose View ▸ Show Lower Pane and View ▸ Lower Pane View ▸ DLLs. Scrolling through the resulting window, we see Lab12-01.dll listed as being loaded into explorer.exe’s memory space. Using Process Explorer is an easy way to spot DLL injection and useful in confirming our IDA Pro analysis. To stop the pop-ups, we can use Process Explorer to kill explorer.exe, and then restart it by selecting File ▸ Run and entering explorer.

is from the first thread, a loop that creates a thread every minute (0xEA60 milliseconds).

Example C-67. Analyzing the thread created by Lab12-01.dll

10001046         mov     ecx, [ebp+var_18] 10001049         push    ecx 1000104A         push    offset Format    ; "Practical Malware Analysis %d" 1000104F         lea     edx, [ebp+Parameter] 10001052         push    edx                     ; Dest 10001053         call    _sprintf ❷ 10001058         add     esp, 0Ch 1000105B         push    0                       ; lpThreadId 1000105D         push    0                       ; dwCreationFlags 1000105F         lea     eax, [ebp+Parameter] 10001062         push    eax                     ; lpParameter 10001063         push    offset StartAddress ❶  ; lpStartAddress 10001068         push    0                       ; dwStackSize 1000106A         push    0                       ; lpThreadAttributes 1000106C         call    ds:CreateThread 10001072         push    0EA60h                  ; dwMilliseconds 10001077         call    ds:Sleep 1000107D         mov     ecx, [ebp+var_18] 10001080         add     ecx, 1 ❸ 10001083         mov     [ebp+var_18], ecx

The new thread at ❶, labeled StartAddress by IDA Pro, creates the message box that says “Press OK to reboot,” and takes a parameter for the title of the box that is set by the sprintf at ❷. This parameter is the format string "Practical Malware Analysis %d", where %d is replaced with a counter stored in var_18 that increments at ❸. We conclude that this DLL does nothing other than produce annoying message boxes that increment by one every minute.

Назад: Lab 11-3 Solutions

Дальше: Lab 12-2 Solutions

Отправить

sss

sss

×

Войти в систему

Войти с помощью соц. сетей: