Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

, as shown in .

.

also shows one of the three functions the malware manually resolves using LoadLibraryA at and GetProcAddress at .

The malware saves the function pointer to dword_40312C (here at ), dword_403128, and dword_403124. We’ll change the names of these global variables to make it easier to identify calls to the function later in our analysis, renaming them to myEnumProcessModules, myGetModuleBaseNameA, and myEnumProcesses.

Once the malware checks the values of the function pointers, it arrives at 0x00401423 and the call myEnumProcesses, as shown in at . The goal of the code in this listing is to return an array of PIDs on the system. The start of the array is referenced by the local variable dwProcessId shown at .

. We see an index into the array referenced by dwProcessId, which is calculated before calling sub_401000.

. The variable Str1 will contain the string "<not real>", and Str2 will contain "winlogon.exe".

. The handle returned from OpenProcess is stored in EAX and passed to the myEnumProcessModules function at , which returns an array of handles for each module loaded into a process.

, the malware attempts to get the base name of the module’s PID by using GetModuleBaseNameA. If it succeeds, Str1 will contain the string of the base name of the module for the PID passed to this subroutine; if not, it will keep the initialized value "<not real>".

that the return value in EAX is tested to see if it is 0. If so, the code jumps to loc_4014CF, incrementing the loop counter and rerunning the PIDLookup function with a new PID. Otherwise, if the PID matched winlogon.exe, the PID is passed to sub_401174, as seen at in the listing.

.

Following the SeDebugPrivilege escalation function, we see sfc_os.dll passed to LoadLibraryA, as shown at in . Next, GetProcAddress is called on the handle to sfc_os.dll and ordinal 2 (an undocumented Windows function). Ordinal 2 is pushed onto the stack at . The function pointer of ordinal 2 is saved to lpStartAddress at (the label provided by IDA Pro). The malware then calls OpenProcess on the PID of winlogon.exe and dwDesiredAccess of 0x1F0FFF (symbolic constant for PROCESS_ALL_ACCESS). The handle to winlogon.exe is saved to hProcess at .

calls CreateRemoteThread. Examining the arguments for CreateRemoteThread, we see that the hProcess parameter at is EDX, our winlogon.exe handle. The lpStartAddress passed at is a pointer to the function at sfc_os.dll at ordinal 2 that injects a thread into winlogon.exe. (Because sfc_os.dll is already loaded inside winlogon.exe, there is no need to load the DLL within the newly created remote thread, so we don’t have a call to WriteProcessMemory.) That thread is ordinal 2 of sfc_os.dll.

executes, building a string. When the code executes, GetWindowsDirectoryA at returns a pointer to the current Windows directory (usually C:\Windows), and the malware passes this string and \system32\wupdmgr.exe to an _snprintf call, as shown at and . This code will typically build the string "C:\Windows\system32\wupdmgr.exe", which will be stored in ExistingFileName. Wupdmgr.exe is used for Windows updates under Windows XP.

, we see another string being built. A call to GetTempPathA at gives us a pointer to the current user’s temporary directory, usually C:\Documents and Settings\<username>\Local\Temp. The temporary directory path is then passed to another _snprintf call with the parameter \\winup.exe, as seen at and , creating the string "C:\Documents and Settings\username\Local\Temp\winup.exe", which is stored in NewFileName.

at . The MoveFileA function will move the Windows Update binary to the user’s temporary directory.

, we see the malware calling GetModuleHandleA at , which returns a module handle for the current process. We then see a series of resource-section APIs, specifically FindResourceA with the parameters #101 and BIN. As we guessed during our earlier basic analysis, the malware is extracting its resource section to disk.
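The chain walked through above (resolving sfc_os.dll ordinal 2, opening winlogon.exe with PROCESS_ALL_ACCESS, starting a remote thread at that address, and moving wupdmgr.exe out of system32) is exactly what a defender can look for in a sandbox API trace. The following is an added detection example, not code from the book or from the lab sample; the "API(arg=value, ...) -> ret" trace format, the handle values and PID 580 are constructed assumptions.

```python
import re
PROCESS_ALL_ACCESS = 0x1F0FFF  # dwDesiredAccess pushed for the OpenProcess call on winlogon.exe
# Constructed sample trace in an assumed "API(arg=value, ...) -> ret" sandbox format, not a real log.
SAMPLE_TRACE = """\
OpenProcess(dwDesiredAccess=0x410, dwProcessId=580) -> 0x7C
GetModuleBaseNameA(hProcess=0x7C, hModule=0x1000000, lpBaseName="winlogon.exe") -> 12
LoadLibraryA(lpLibFileName="sfc_os.dll") -> 0x76C60000
GetProcAddress(hModule=0x76C60000, lpProcName="#2") -> 0x76C61000
OpenProcess(dwDesiredAccess=0x1F0FFF, dwProcessId=580) -> 0x80
CreateRemoteThread(hProcess=0x80, lpStartAddress=0x76C61000) -> 0x84
MoveFileA(lpExistingFileName="C:\\Windows\\system32\\wupdmgr.exe", lpNewFileName="C:\\Temp\\winup.exe") -> 1
"""
CALL_RE = re.compile(r'^(\w+)\((.*)\) -> (\S+)$')
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|0x[0-9A-Fa-f]+|\d+)')

def parse_call(line):
    """Return (api, {arg: value}, ret) for one trace line, or None if it does not match."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {k: (v[1:-1] if v.startswith('"') else int(v, 0)) for k, v in ARG_RE.findall(m.group(2))}
    return m.group(1), args, int(m.group(3), 0)

def find_wfp_tamper(trace):
    """Flag the chain from this lab: sfc_os.dll ordinal resolved, winlogon.exe opened with PROCESS_ALL_ACCESS, a remote thread started at that ordinal, wupdmgr.exe moved away."""
    pid_name, handle_pid, module_dll, sfc_addrs, findings = {}, {}, {}, set(), []
    for line in trace.splitlines():
        parsed = parse_call(line)
        if not parsed:
            continue
        api, a, ret = parsed
        if api == 'OpenProcess':
            handle_pid[ret] = a['dwProcessId']  # later calls name the target only by this handle
            if a['dwDesiredAccess'] == PROCESS_ALL_ACCESS and pid_name.get(a['dwProcessId']) == 'winlogon.exe':
                findings.append('OpenProcess(PROCESS_ALL_ACCESS) on winlogon.exe')
        elif api == 'GetModuleBaseNameA':
            pid_name[handle_pid.get(a['hProcess'])] = a['lpBaseName']  # learn the PID's image name
        elif api == 'LoadLibraryA':
            module_dll[ret] = a['lpLibFileName'].lower()
        elif api == 'GetProcAddress':
            if module_dll.get(a['hModule']) == 'sfc_os.dll' and a['lpProcName'].startswith('#'):
                sfc_addrs.add(ret)  # ordinal import: no name to match on, so remember the address
                findings.append('resolved sfc_os.dll ordinal ' + a['lpProcName'])
        elif api == 'CreateRemoteThread':
            target = pid_name.get(handle_pid.get(a['hProcess']))
            if a['lpStartAddress'] in sfc_addrs and target == 'winlogon.exe':
                findings.append('CreateRemoteThread into winlogon.exe at sfc_os.dll ordinal')
        elif api == 'MoveFileA' and a['lpExistingFileName'].lower().endswith('\\system32\\wupdmgr.exe'):
            findings.append('wupdmgr.exe moved out of system32')
    return findings
```

Running `find_wfp_tamper(SAMPLE_TRACE)` yields one finding per step of the chain; a trace that opens winlogon.exe with a lesser access mask still flags the remote thread and the file move.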


© RuTLib.com 2015-2018