
Packed Malware - Double Packed?


vect0r
July 23rd, 2008, 06:13
Malware

AVG - Dropper.Delf
Avast - Win32:Hupigon-LII
Packers detected: PE_PATCH, ASPACK

Hi guys,

Been visiting the site for a few months now and it's about time I get active. I have seen a few samples being uploaded to avail of assistance on unpacking. I have tried to manually unpack this sample and it seems there are 2 levels of obfuscation.

A scan at Jotti suggests it is packed with PE-Patch and ASPack. A run through RDG also suggests it's ASPack 2.12. So, I have carried out the usual ESP 'trick' which has led me to somewhere else. I can go no further than this, it seems. I have dumped it after this point and rescanned; this then tells me it seems to recognise Ponernah.PNH. I have stepped through to try and decode it, but as of yet nothing.

So, if any of you have any spare time maybe you could have a look? Or alternatively any advice would be welcome. Thanks for any input. Otherwise let me know and I can get rid of it!

Pass for file: infected

evaluator
July 23rd, 2008, 07:28
its last packer layer is ASPACK, then code at 418000 wants an NT/XP system.. maybe later I will look;
but actually you///YOU\\\YYYYUUUUOOOO
(oetry(:
You do not respect WOODMANN>RCE Messageboard's Regroupment>Malware Analysis and Unpacking Forum>FAQ>JMI

evaluator
July 24th, 2008, 10:17
wow, quite heavy work.
finally i reach EXE, which contains in RSRC another EXE packed with ???
name in RSRC
VHHL719R..

uffff.
BTW, i miss execution! & then see code of VHHL719R in SYSTEM process!

evaluator
July 24th, 2008, 10:22
i corrected some incompatibilities in your EXE, so it will run on your PC;

vect0r
July 24th, 2008, 12:50
Yes, it did seem like it was a lot of work. What were the issues with it? Thank you for spending time looking at it.

evaluator
July 24th, 2008, 16:31
INT 2C
was there, expected return of some Pointer - where stored some magic_byte for decryption;
but under XP was Error_code; so i bruteforced & found that byte..
also some 4byte code expected in Kernel32, here i kill "JNE"..

this "MALWARE" seems very tricky & advanced. i will look further.. maybe!

Kayaker
July 24th, 2008, 23:45
Quote:
[Originally Posted by evaluator;76134]INT 2C


Hi eval

INT 2C? That sounds familiar, also seen in Win32.Virtob, see

http://www.woodmann.com/forum/showthread.php?t=11078

http://www.woodmann.com/forum/showthread.php?t=11075

In XP, Int2C -> ntoskrnl!KiSetLowWaitHighThread
possible return value (in XP) = STATUS_NO_EVENT_PAIR , or possibly STATUS_ASSERTION_FAILURE

So did you actually find another use of Int 2C? What was it doing and what did it look like?

Generation of a magic_byte as you mention is a likely use for something like this. Why else use such a silly thing?

Any opcode/command that (is presumed to) always return a specific error code when it's not used in the proper context might be useful as a seed or decryption bytes. In production code you would never presume that a specific error code would be generated, but for hacky malware purposes and ignoring OS dependencies, there's no loss if you're right 90% of the time.

If you know (presume) for example that an interrupt always returns a particular non-(TRUE/FALSE) error code when called in user mode, then there's a possible 32 bits returned to play with.


Cheers,
Kayaker

blabberer
July 25th, 2008, 00:25
nah, it's not the error value that matters to these int2c, it's the return value in edx.
in some cases it will return a valid address; in virtob i believe it's 40102b or 0xffffffff.
in some cases edx will remain 0xffffffff, which will cause an access violation in the subsequent

mov al, byte ptr ds:[edx]

if edx remained 0xffffffff then r3 apps can't get what's in [0xffffffff] and since there is no seh handler it will terminate itself

Kayaker
July 25th, 2008, 01:06
That's a good point blabberer, there's also that edx effect with Int 2C. In the sample I looked at, edx was never referenced though. And if you refer to Zairon's post, he was the one who discovered the edx effect and wrote a clever example, but it wasn't from real virus code iirc. I like your seh twist though.

vect0r
July 25th, 2008, 04:42
The malware does terminate after that Int 2c was reached, when tracing. I had actually read that tutorial, when trying to understand what the int 2c was doing, Kayaker

evaluator
July 25th, 2008, 06:45
i uploaded in VIRUS TOTAL site unpacked file from RSRC, so its best name is

Trojan.Spy.Wsnpoem.BX
(BitDefender 7.2)

bcoz it creates "wsnpoem" in SYSDIR

is this old virus? or new? code looks as very good job. worth discovering. but can be discovered already, ye!?

evaluator
July 25th, 2008, 07:28
>>mov al, [edx]

value in AL i discovered with BRUTing, was 57h
and actually Zairon was right:

>>edx contains the address of the instruction that follows the int 2c instruction.

yep, next instruction is PUSH EDI;

while bruting, better search forum.. uh!

yet unclear for me is: on what system happens this? or Debugger changes EDX?
on clean_XP(sp0) nothing changes EDX.

more FUN happens in next mangle_Layer: NtSetLDTEntries!
and i jump on CS=227h, wow that was griEt!
can be more greIt!! maybe, i will make crackme!?!?!?

wait! i will search forum before!!

evaluator
July 25th, 2008, 07:35
nah, not in forum, but from google to:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

blabberer
July 25th, 2008, 13:47
Quote:
[Originally Posted by evaluator;76150]>>mov al, [edx]

more FUN happens in next mangle_Layer: NtSetLDTEntries!
and i jump on CS=227h, wow that was griEt!
can be more greIt!! maybe, i will make crackme!?!?!?

wait! i will search forum before!!

here is more fun as i too saw ZwSetLdtEntries() in another malware

Code:

#include <stdio.h>
#include <windows.h>

/* ZwSetLdtEntries(ULONG Selector1, LDT_ENTRY LdtEntry1, ULONG Selector2, LDT_ENTRY LdtEntry2);
   each 8-byte LDT_ENTRY is passed by value, so it takes two DWORD slots here */
typedef DWORD (NTAPI *NTSETLDTENTRIES)(
    DWORD BLAH,
    DWORD BLAH1,
    DWORD BLAH2,
    DWORD BLAH3,
    DWORD BLAH4,
    DWORD BLAH5
);

/* same parameter shape as MessageBoxA, for whatever pointer the stub fetches */
typedef DWORD (WINAPI *TRICK)(
    DWORD foo,
    char *foo1,
    char *foo2,
    DWORD foo3
);

int (*func)();

/* mov edx,8EFh / mov ds,dx / mov ecx,2C301Dh / mov eax,[ecx] / mov edx,23h / mov ds,dx / retn */
char changeds[] = "\xba\xef\x08\x00\x00\x8e\xda\xb9\x1d\x30\x2c\x00\x8b\x01\xba\x23\x00\x00\x00\x8e\xda\xc3";

int main (void)
{
    NTSETLDTENTRIES ntsetldt;
    TRICK wtf;

    ntsetldt = (NTSETLDTENTRIES) GetProcAddress(LoadLibrary("ntdll.dll"), "ZwSetLdtEntries");
    ntsetldt(0x8ef,0xb16bff86,0xc0fa14,0,0,0);
    func = (int (*)()) changeds;   /* data array executed as code: needs executable data / DEP off */
    wtf = (TRICK)(*func)();        /* stub returns the DWORD read through the new ds at 2C301Dh */
    wtf(NULL,"trick of ldt","howzzzzat",NULL);
    return 1;
}


so what are those magic constants, the pointer to struct ldtentry? anyone? kayaker?

for debugging fun i attach src and binary

Kayaker
July 25th, 2008, 15:35
ZwSetLdtEntries as VMWare detection?

http://eeyeresearch.typepad.com/blog/2006/09/another_vmware_.html

Kayaker
July 25th, 2008, 20:06

Quote:
[Originally Posted by blabberer;76157]so what are those magic constants, the pointer to struct ldtentry? anyone? kayaker?

Damn tease. Nice reverseme.

Code:

ZwSetLdtEntries(
    ULONG Selector1,
    LDT_ENTRY LdtEntry1,
    ULONG Selector2,
    LDT_ENTRY LdtEntry2
);

typedef struct _LDT_ENTRY {
  WORD LimitLow;    //The low-order part of the address of the last byte in the segment.
  WORD BaseLow;     //The low-order part of the base address of the segment.
  union {
    struct {
      BYTE BaseMid; //Middle bits (16–23) of the base address of the segment
      BYTE Flags1;  //Values of the Type, Dpl, and Pres members in the Bits structure.
      BYTE Flags2;  //Values of the LimitHi, Sys, Reserved_0, Default_Big, and Granularity members in the Bits structure.
      BYTE BaseHi;  //High bits (24–31) of the base address of the segment.
    } Bytes;
    struct {
      DWORD BaseMid  :8;
      DWORD Type  :5;
      DWORD Dpl  :2;
      DWORD Pres  :1;
      DWORD LimitHi  :4;
      DWORD Sys  :1;
      DWORD Reserved_0  :1;
      DWORD Default_Big  :1;
      DWORD Granularity  :1;
      DWORD BaseHi  :8;
    } Bits;
  } HighWord;    //The high-order portion of the descriptor.
                 //This member may be interpreted as bytes or collections of bits, depending on the level of detail required.
} LDT_ENTRY, *PLDT_ENTRY;

ntsetldt(0x8ef,0xb16bff86,0xc0fa14,0,0,0);

LDT_ENTRY.LimitLow = 0FF86
LDT_ENTRY.BaseLow  = 0B16B

LDT_ENTRY.HighWord = 0C0FA14

    14    BaseMid

    FA    Flags1
            1       Pres
            11      Dpl
            11010   Type

    C0    Flags2
            1       Granularity
            1       Default_Big
            0       Reserved_0
            0       Sys
            0000    LimitHi

    00    BaseHi

LDT_ENTRY(BaseHi + BaseMid + BaseLow) = 0014B16B

...

400000 - 14B16B == 8ef:2b4e95    "MZ" header current process

2c301d == offset to MsgBox



vect0r
July 26th, 2008, 06:40
Kayaker,

What is the purpose of that code and magic constants? Is the malware trying to stop the vmware emulation?

Thanks for the info, although a bit beyond me!

Kayaker
July 26th, 2008, 12:37
I don't know what the malware is using it for, I didn't look at it, others can probably tell you better. The VMWare detection angle is just something I found while searching for Nt/ZwSetLdtEntries. There are other possible uses:

http://uninformed.org/index.cgi?v=8&a=2&p=9
http://archives.neohapsis.com/archives/fulldisclosure/2004-04/0457.html
http://vx.netlux.org/lib/vzo13.html


In the crackme, ZwSetLdtEntries essentially creates a copy of the PE image beginning at 400000 and moves it to the new ds:address based on LDT_ENTRY(Base). ntoskrnl!_PsSetLdtEntries is the real function which does this.


The segment switch occurs here, realizing the significance of the "magic" number here requires examining the file.

Code:

:00409128 sub_409128 proc near
:00409128 BA EF 08 00 00 mov edx, 8EFh
:0040912D 8E DA mov ds, dx
:0040912F B9 1D 30 2C 00 mov ecx, 2C301Dh
:00409134 8B 01 mov eax, [ecx]
:00409136 BA 23 00 00 00 mov edx, 23h
:0040913B 8E DA mov ds, dx
:0040913D C3 retn
:0040913D sub_409128 endp



I'm still not sure if there's any significance to the choice of LDT_ENTRY.LimitLow, or if I'm missing any other understanding of what's going on. Maestro?
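To make the hand decode of the magic constants and the segment-switch stub in the two posts above mechanical, here is an added example of mine (not blabberer's reverseme and not the malware's code). It splits the two DWORDs that the ntsetldt(0x8ef, 0xb16bff86, 0xc0fa14, ...) call passes as the LDT_ENTRY into the Bits fields using the LDT_ENTRY layout quoted in the thread, rebuilds base and limit, and translates the 2C301Dh offset that `mov ds,dx; mov eax,[ecx]` reads into a linear address. The selector split (index / table indicator / RPL) is the standard x86 one; the Type decoding follows the Intel code/data descriptor bits. It never calls ZwSetLdtEntries, so it runs on any platform.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread: decode a raw LDT_ENTRY the way
 * Kayaker did by hand, using the field layout quoted in the thread. */

typedef struct {
    uint32_t index;        /* selector bits 15..3: descriptor table index */
    unsigned ti;           /* selector bit 2: 1 = LDT, 0 = GDT */
    unsigned rpl;          /* selector bits 1..0: requested privilege level */
    uint32_t base;         /* BaseHi:BaseMid:BaseLow, segment base (linear) */
    uint32_t limit;        /* raw 20-bit limit: LimitHi:LimitLow */
    uint32_t limit_bytes;  /* limit scaled by Granularity (4 KiB pages) */
    unsigned type, dpl, pres, sys, reserved0, default_big, granularity;
} ldt_desc;

/* low/high are the two DWORDs the 8-byte LDT_ENTRY occupies when passed by value */
ldt_desc decode_ldt_entry(uint16_t selector, uint32_t low, uint32_t high)
{
    ldt_desc d;
    uint16_t limit_low = (uint16_t)(low & 0xFFFF);
    uint16_t base_low  = (uint16_t)(low >> 16);
    uint8_t  base_mid  = (uint8_t)(high & 0xFF);          /* HighWord.Bytes.BaseMid */
    uint8_t  flags1    = (uint8_t)((high >> 8) & 0xFF);   /* Type:5 Dpl:2 Pres:1 */
    uint8_t  flags2    = (uint8_t)((high >> 16) & 0xFF);  /* LimitHi:4 Sys Res DB G */
    uint8_t  base_hi   = (uint8_t)((high >> 24) & 0xFF);  /* HighWord.Bytes.BaseHi */

    d.index = selector >> 3;
    d.ti    = (selector >> 2) & 1;
    d.rpl   = selector & 3;

    d.base  = ((uint32_t)base_hi << 24) | ((uint32_t)base_mid << 16) | base_low;

    d.type        = flags1 & 0x1F;
    d.dpl         = (flags1 >> 5) & 3;
    d.pres        = (flags1 >> 7) & 1;
    d.sys         = (flags2 >> 4) & 1;
    d.reserved0   = (flags2 >> 5) & 1;
    d.default_big = (flags2 >> 6) & 1;
    d.granularity = (flags2 >> 7) & 1;

    d.limit = ((uint32_t)(flags2 & 0x0F) << 16) | limit_low;
    /* with G=1 the CPU scales the limit by 4 KiB and fills the low 12 bits */
    d.limit_bytes = d.granularity ? ((d.limit << 12) | 0xFFF) : d.limit;
    return d;
}

/* Type field = S bit + 4 type bits: 1xxxx is code/data, bit 3 = executable, bit 1 = R or W */
const char *describe_type(unsigned type)
{
    if (!(type & 0x10)) return "system";
    if (type & 0x08) return (type & 0x02) ? "code, readable" : "code, execute-only";
    return (type & 0x02) ? "data, read/write" : "data, read-only";
}

/* what `mov ds,dx; mov eax,[ecx]` reads: linear = base + offset, if inside the limit */
int seg_to_linear(const ldt_desc *d, uint32_t offset, uint32_t *linear)
{
    if (offset > d->limit_bytes) return 0;   /* outside the limit: #GP instead of a read */
    *linear = d->base + offset;
    return 1;
}

/* inverse: the offset under which a known linear address is reachable through this segment */
uint32_t linear_to_offset(const ldt_desc *d, uint32_t linear) { return linear - d->base; }

/* the constants from the thread's call ntsetldt(0x8ef, 0xb16bff86, 0xc0fa14, 0,0,0) */
ldt_desc sample_entry(void) { return decode_ldt_entry(0x8ef, 0xb16bff86, 0xc0fa14); }

int main(void)
{
    ldt_desc d = sample_entry();
    uint32_t lin = 0;
    printf("selector %03x: index %x, %s, rpl %u\n", 0x8ef, (unsigned)d.index,
           d.ti ? "LDT" : "GDT", d.rpl);
    printf("base %08x limit %05x (%08x bytes) type %02x (%s) dpl %u pres %u db %u g %u\n",
           (unsigned)d.base, (unsigned)d.limit, (unsigned)d.limit_bytes, d.type,
           describe_type(d.type), d.dpl, d.pres, d.default_big, d.granularity);
    if (seg_to_linear(&d, 0x2C301D, &lin))
        printf("8ef:2c301d -> linear %08x\n", (unsigned)lin);
    printf("image base 400000 -> 8ef:%06x\n", (unsigned)linear_to_offset(&d, 0x400000));
    return 0;
}
```

For the thread's constants this yields base 0014B16B, a readable non-conforming code segment (Type 1Ah) with DPL 3 and a page-granular limit, 400000 at 8ef:2b4e95 as Kayaker found, and 8ef:2c301d landing at linear 40E188, inside the loaded image, which is what his "offset to MsgBox" note relies on.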

evaluator
July 26th, 2008, 15:08
that will be like crypt of real/linear address; BTW other DATA segs are losing in SYS_CALL..
fun is changing CS; you will HATE 01B soon

now i already formatted LDT_CRACKME idea, it will be hardDDDD, i feel.. ~:00

Kayaker
July 26th, 2008, 18:12
Quote:
[Originally Posted by evaluator;76128]i corrected some incompatibilies in your EXE, so it will run on your PC;


rar password?

evaluator
July 27th, 2008, 03:51
i removed pass bcoz in fact i enlarged malware run-system!

here is cleared Layer3.exe; for looking at trace code;

OllyDbg how loves other CS!? is it antiOlly?

evaluator
July 27th, 2008, 08:00
that's all "WNSPOEM" folks!

Conteiner_L1.ex! < main state as found
Conteiner_L2.exe < aspack removed (& all body)
Conteiner_L3.EXE < L2 removed (& all body)
Conteiner_UN.ex! < UNpacked conteiner
PACKED_VHHL719R.EX! < from conteiner's RSRC
UNPACKED_VHHL719R.exe < starter code added; works after INT_3
DE_VHHL719R.exe < for analysis; 99% unmangled strings, 99% IAT rebuilt;
some thunks probably dynamically change. or..

MALWARE!

vect0r
July 27th, 2008, 18:37
That is some good work! I would be interested to identify what the procedure is to extract the Container from the RSRC section? Did you just trace into it and dump?

Glad, I could provide a weekend's entertainment for you

evaluator
July 28th, 2008, 10:38
what you are asking is completely YOUR job to understand..

to be clear: Conteiner i called, which CONTEINS something..

vect0r
August 3rd, 2008, 18:23
I have still not been able to discover how to extract the file you say from rsrc. I have read a number of documents and tuts, but can't seem to get anywhere. Is there anything in particular I should be focusing on?

Thanks again

evaluator
August 6th, 2008, 23:52
why you must extract??
run "CONTEINER.EXE" in debugger & see how IT extracts from RSRC to MEMory that file!
ye!?

vect0r
August 7th, 2008, 06:13
Ok, I shall try that. I was trying to get there from layer 1. The errors in debugging are killing the debugger. Thanks for the update