Next, we move our analysis to IDA Pro to find out how the malware uses IsWow64Process. We see that Lab21-02.exe begins with the same code as Lab12-01.exe, which dynamically resolves the API functions for iterating through the process list. After those functions are resolved, the code deviates and attempts to dynamically resolve the IsWow64Process function, as shown in .
EnumProcesses and loops through the process list looking for a module base name of explorer.exe using the strnicmp function. Finally, the malware performs DLL injection of Lab21-02.dll into explorer.exe using VirtualAllocEx and CreateRemoteThread. This method of DLL injection is identical to . Comparing the MD5 hash of Lab21-02.dll with Lab12-01.dll, we see that they are identical. Therefore, we conclude that this malware operates the same as when it is run on a 32-bit machine. We must investigate the x64 code path to figure out if this malware operates differently on a 64-bit machine.
Example C-235. Code that uses QueryFullProcessImageNameA to look for the explorer.exe process
00000001400010FA call cs:QueryFullProcessImageNameA
0000000140001100 lea rdx, aExplorer_exe ❶ ; "explorer.exe"
0000000140001107 lea rcx, [rsp+138h+var_118]
000000014000110C call sub_140001368

This code is called within the process iteration loop, and the result of QueryFullProcessImageNameA is passed with explorer.exe to sub_140001368. By inference, we can conclude that this is some sort of string-comparison function that the IDA Pro FLIRT library didn’t recognize.
This malware operates in the same way as the x86 version by injecting into explorer.exe. However, this 64-bit version injects into the 64-bit version of Explorer. We open Lab21-02x.dll in the advanced version of IDA Pro and see that it is identical to Lab21-02.dll, but compiled for x64.