Example C-187. Imported functions that have not been recognized by IDA Pro
00404000 dword_404000 dd 77E371E9h
00404004 dword_404004 dd 77E37EB1h
00404008 dword_404008 dd 77DF697Eh
0040400C align 10h
00404010 dword_404010 dd 7C862AC1h
00404014 dword_404014 dd 7C810BACh
To make the unpacked code easier to analyze, we turn to OllyDbg to find out which function is stored at each of those locations. The easiest way to identify the imported function behind a given address in OllyDbg is to set any register to the address you want to look up: OllyDbg resolves the value against the modules loaded in the debugged process and shows the matching label in the Registers pane. For example, to identify the function stored at dword_404004, double-click eax and enter the value 0x77E37EB1. OllyDbg labels the address Advapi32.StartServiceCtrlDispatcherA. We can then rename the DWORD at that address in IDA Pro to StartServiceCtrlDispatcherA, so that whenever the malware calls through the renamed address, the call is labeled StartServiceCtrlDispatcherA instead of dword_404004. Note that these values are absolute addresses into the DLLs as they were loaded when the dump was taken, so the lookup must be done in a debugging session where the same DLL versions are loaded at the same base addresses; a different machine or a relocated DLL would resolve them to the wrong function or to nothing at all.
We can repeat this process for each imported function, after which we have a program that we can analyze in IDA Pro as if it had never been packed. We still have not created a working version of the unpacked file, but that doesn't really matter, because we can analyze the file without it. Looking at the file, we can tell that it is the same as Lab07-01.exe.
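Doing this by hand once per DWORD is fine for a handful of imports, but the same lookup can be automated. The following script is an added example and is not code from the book or the lab: it parses the flattened IDA listing in Example C-187, resolves each raw value against a table of loaded modules and their export RVAs, and emits IDAPython set_name lines for the resolved thunks. The module bases, sizes and export RVAs are constructed for the demonstration (in practice they come from the debugger's module list and each DLL's export table); only the pairing 0x77E37EB1 -> Advapi32.StartServiceCtrlDispatcherA is taken from the text, and every other pairing is hypothetical. It also handles the two failure modes an analyst hits when the environment differs from the one the dump was taken in: a value that lands inside a loaded module but not on an export start, and a value that no loaded module covers.

```python
"""Resolve raw import addresses from an unpacked dump to module!function names.

Added example, not part of the book. Module bases, sizes and RVAs below are
constructed; only 0x77E37EB1 -> advapi32!StartServiceCtrlDispatcherA comes
from the text, all other pairings are hypothetical.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the listing in Example C-187, one entry per line.
IDA_LISTING = """\
00404000 dword_404000 dd 77E371E9h
00404004 dword_404004 dd 77E37EB1h
00404008 dword_404008 dd 77DF697Eh
0040400C align 10h
00404010 dword_404010 dd 7C862AC1h
00404014 dword_404014 dd 7C810BACh
"""

# Constructed module map (base, size, export name -> RVA). In a real session
# this is read from OllyDbg's module list and the DLLs' export tables.
MODULES: Dict[str, Dict] = {
    "advapi32": {
        "base": 0x77DD0000, "size": 0x9B000,
        "exports": {
            "StartServiceCtrlDispatcherA": 0x67EB1,  # pairing from the text
            "RegOpenKeyExA": 0x671E9,                # hypothetical pairing
        },
    },
    "kernel32": {
        "base": 0x7C800000, "size": 0xF6000,
        "exports": {
            "CreateFileA": 0x10BAC,                  # hypothetical pairing
            "Sleep": 0x62AC1,                        # hypothetical pairing
        },
    },
}

# Matches "<addr> <label> dd <value>h"; align lines and anything else are skipped.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\w+)\s+dd\s+([0-9A-Fa-f]+)h\s*$")


def parse_listing(text: str) -> List[Tuple[int, str, int]]:
    """Return (address, ida_label, dword_value) for every 'dd' line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), m.group(2), int(m.group(3), 16)))
    return entries


def build_export_index(modules: Dict[str, Dict]) -> Dict[int, Tuple[str, str]]:
    """Invert the module map into absolute VA -> (module, export name)."""
    index = {}
    for mod, info in modules.items():
        for name, rva in info["exports"].items():
            index[info["base"] + rva] = (mod, name)
    return index


def resolve(value: int, modules: Dict[str, Dict] = MODULES,
            index: Optional[Dict[int, Tuple[str, str]]] = None) -> Optional[Tuple[str, Optional[str]]]:
    """Map a raw DWORD to (module, name).

    name is None when the value lies inside a loaded module but is not an
    export start (wrong DLL build, or a pointer into the middle of a function);
    the result is None when no loaded module covers the value at all.
    """
    index = build_export_index(modules) if index is None else index
    hit = index.get(value)
    if hit:
        return hit
    for mod, info in modules.items():
        if info["base"] <= value < info["base"] + info["size"]:
            return (mod, None)
    return None


def rename_script(listing: str, modules: Dict[str, Dict] = MODULES) -> List[str]:
    """Emit one IDAPython line per thunk: a rename for resolved entries, a
    comment telling the analyst to look the value up by hand otherwise."""
    index = build_export_index(modules)
    out = []
    for ea, label, value in parse_listing(listing):
        hit = resolve(value, modules, index)
        if hit and hit[1]:
            out.append(f'idc.set_name(0x{ea:X}, "{hit[1]}", idc.SN_CHECK)  # {hit[0]}!{hit[1]}')
        elif hit:
            off = value - modules[hit[0]]["base"]
            out.append(f"# {label}: 0x{value:08X} is {hit[0]}+0x{off:X}, not an export start; check in OllyDbg")
        else:
            out.append(f"# {label}: 0x{value:08X} is in no loaded module; check in OllyDbg")
    return out


if __name__ == "__main__":
    print("\n".join(rename_script(IDA_LISTING)))
```

The generated lines are meant to be pasted into IDA's Python console (idc.set_name is the IDA 7.x API). Exact matching against export starts is deliberate: an import thunk should point at the first byte of the target function, so a value that only falls somewhere inside a module is a sign that the DLL in the current session is not the one the dump was taken against, and is reported rather than guessed.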