klaymen
April 6th, 2008, 07:35
Hi all,
This is probably a simple one, but I didn't find any solution for this yet. A malware I'm analysing is creating a new process in suspended mode, injects code into it, and the resumes the new process. I managed to patch the EP of the new process inside OllyDbug (using OllyAdvanced) in order to force an endless loop at the EP, then attaching to the new process, and changing the 2 bytes so I can observe what's going on in the new process, all very nice (thanks to this forum btw :-).
I'd very much like to dump the process to disk though so I can also check it out inside IdaPro. In former versions of this malware, that did not yet create a new process but worked "in itself", I usually just run the process until it created its IAT, then dumped it from inside OllyDbg (without IAT reconstruction), then attached ImportRec to the process, and finally used UIF (universal import fixer) to reconstruct the IAT.
The problem I'm having now is that after attaching to the new process, I lost all section information - it's just one big blob at 400000, type "Priv 00021004, RW". I can dump it without setting any section info, and even managed to apply ImportRec and UIF onto that - but for further analysis, the section information must somehow also be fixed. Is there any "easy" way to do this, or do I have to somehow try to guess and fix it manually?
I do have of course the info from the WriteProcessMemory calls used before creating the process, something like this:
Full data block VirtualAllocEx, 0x22000 bytes at 0x400000:
Followed by these WriteProcessMemory calls:
Note: I skipped a read and write call that are seemingly used to read/set the base of code (400000) at 7FFDE008
Finally followed by setting the right protections again (VirtualProtextEx's):
So I could of course use that info to set guessed section infos... I'm just wondering if there's a standard way to deal with that situation?
Thanks, klaymen
This is probably a simple one, but I didn't find any solution for this yet. A malware I'm analysing is creating a new process in suspended mode, injects code into it, and the resumes the new process. I managed to patch the EP of the new process inside OllyDbug (using OllyAdvanced) in order to force an endless loop at the EP, then attaching to the new process, and changing the 2 bytes so I can observe what's going on in the new process, all very nice (thanks to this forum btw :-).
I'd very much like to dump the process to disk though so I can also check it out inside IdaPro. In former versions of this malware, that did not yet create a new process but worked "in itself", I usually just run the process until it created its IAT, then dumped it from inside OllyDbg (without IAT reconstruction), then attached ImportRec to the process, and finally used UIF (universal import fixer) to reconstruct the IAT.
The problem I'm having now is that after attaching to the new process, I lost all section information - it's just one big blob at 400000, type "Priv 00021004, RW". I can dump it without setting any section info, and even managed to apply ImportRec and UIF onto that - but for further analysis, the section information must somehow also be fixed. Is there any "easy" way to do this, or do I have to somehow try to guess and fix it manually?
I do have of course the info from the WriteProcessMemory calls used before creating the process, something like this:
Full data block VirtualAllocEx, 0x22000 bytes at 0x400000:
Code:
0012FE08 00000044
0012FE0C 00400000
0012FE10 00022000
0012FE14 00003000
0012FE18 00000004
Followed by these WriteProcessMemory calls:
Code:
0012FE08 00000044 |hProcess = 00000044 (window)
0012FE0C 00400000 |Address = 400000
0012FE10 0086002C |Buffer = 0086002C
0012FE14 00000400 |BytesToWrite = 400 (1024.)
0012FE18 0012FF70 \pBytesWritten = 0012FF70
0012FE08 00000044 |hProcess = 00000044 (window)
0012FE0C 00401000 |Address = 401000
0012FE10 0086042C |Buffer = 0086042C
0012FE14 00008E00 |BytesToWrite = 8E00 (36352.)
0012FE18 0012FF70 \pBytesWritten = 0012FF70
0012FE08 00000044 |hProcess = 00000044 (window)
0012FE0C 0040F000 |Address = 40F000
0012FE10 0086922C |Buffer = 0086922C
0012FE14 00000A00 |BytesToWrite = A00 (2560.)
0012FE18 0012FF70 \pBytesWritten = 0012FF70
0012FE08 00000044 |hProcess = 00000044 (window)
0012FE0C 00411000 |Address = 411000
0012FE10 00869C2C |Buffer = 00869C2C
0012FE14 00001200 |BytesToWrite = 1200 (4608.)
0012FE18 0012FF70 \pBytesWritten = 0012FF70
Finally followed by setting the right protections again (VirtualProtextEx's):
Code:
0012FE08 00000044 |hProcess = 00000044 (window)
0012FE0C 00401000 |Address = 401000
0012FE10 0000DD02 |Size = DD02 (56578.)
0012FE14 00000002 |NewProtect = PAGE_READONLY
0012FE18 0012FF6C \pOldProtect = 0012FF6C
0012FE08 00000044 |hProcess = 00000044 (window)
0012FE0C 0040F000 |Address = 0040F000
0012FE10 0000133C |Size = 133C (4924.)
0012FE14 00000040 |NewProtect = PAGE_EXECUTE_READWRITE
0012FE18 0012FF6C \pOldProtect = 0012FF6C
0012FE08 00000044 |hProcess = 00000044 (window)
0012FE0C 00411000 |Address = 00411000
0012FE10 00011000 |Size = 11000 (69632.)
0012FE14 00000002 |NewProtect = PAGE_READONLY
0012FE18 0012FF6C \pOldProtect = 0012FF6C
So I could of course use that info to set guessed section infos... I'm just wondering if there's a standard way to deal with that situation?
Thanks, klaymen