Unable to open !?


Maze
May 1st, 2009, 11:17
I'm working on some malware that attaches to Explorer and other programs via DLLs.
I was able to work with them in the past via OllyDbg, but now I can't and I'm
not sure what changed... has anyone ever run into this?

YES, the files are there and permissions look good and the malware is running.


Log data
Address Message
OllyDbg v2.00 (intermediate version - under development!)

Attached to 'C:\WINDOWS\system32\notepad.exe'
New process (ID 00000EDC) created
Main thread (ID 00000EE0) created
7C94FFE3 New thread 2. (ID 00000FC8) created
01000000 Module C:\WINDOWS\system32\notepad.exe
3A220000 Module C:\WINDOWS\system32\ntobdis.dll << MALWARE
Unable to open executable file
5AD70000 Module C:\WINDOWS\system32\UxTheme.dll
5CB70000 Module C:\WINDOWS\system32\ShimEng.dll
6F880000 Module C:\WINDOWS\AppPatch\AcGenral.DLL
71AA0000 Module C:\WINDOWS\system32\WS2HELP.dll
....etc


Attached to 'C:\WINDOWS\Explorer.EXE'
New process (ID 00000638) created
Main thread (ID 0000063C) created
7C8106E9 New thread 2. (ID 00000648) created
7C8106E9 New thread 3. (ID 00000650) created
7C8106E9 New thread 4. (ID 00000658) created
7C8106E9 New thread 5. (ID 00000660) created
7C8106E9 New thread 6. (ID 00000730) created
7C8106E9 New thread 7. (ID 000007DC) created
7C8106E9 New thread 8. (ID 000007F8) created
7C8106E9 New thread 9. (ID 000000A8) created
7C8106E9 New thread 10. (ID 000000AC) created
7C8106E9 New thread 11. (ID 000000B0) created
7C8106E9 New thread 12. (ID 000000C4) created
7C8106E9 New thread 13. (ID 000000C8) created
7C8106E9 New thread 14. (ID 000000B8) created
7C8106E9 New thread 15. (ID 000000A4) created
7C8106E9 New thread 16. (ID 000000CC) created
7C8106E9 New thread 17. (ID 000000D0) created
7C8106E9 New thread 18. (ID 000000D8) created
7C8106E9 New thread 19. (ID 000000E0) created
7C8106E9 New thread 20. (ID 000000E4) created
7C8106E9 New thread 21. (ID 000000E8) created
7C8106E9 New thread 22. (ID 00000118) created
7C8106E9 New thread 23. (ID 00000128) created
7C8106E9 New thread 24. (ID 00000078) created
7C8106E9 New thread 25. (ID 00000440) created
7C8106E9 New thread 26. (ID 00000CEC) created
7C8106E9 New thread 27. (ID 00000ACC) created
7C94FFE3 New thread 28. (ID 00000B60) created
01000000 Module C:\WINDOWS\Explorer.EXE
00400000 Module C:\WINDOWS\system32\Normaliz.dll
01480000 Module C:\WINDOWS\system32\xpsp2res.dll
018A0000 Module C:\WINDOWS\system32\vmhgfs1.dll
02C20000 Module C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
10000000 Module C:\WINDOWS\system32\urlamnic\codihcat\rtfagdat.dll << MALWARE
Unable to open executable file
3A220000 Module C:\WINDOWS\system32\ntobdis.dll << MALWARE
Unable to open executable file
3E000000 Module C:\WINDOWS\system32\crtoxnet.dll << MALWARE
Unable to open executable file
42E40000 Module C:\WINDOWS\system32\webcheck.dll
42EF0000 Module C:\WINDOWS\system32\ieframe.dll
478C0000 Module C:\WINDOWS\system32\dot3api.dll
4D4F0000 Module C:\WINDOWS\system32\winhttp.dll
...etc

evlncrn8
May 1st, 2009, 14:36
If you're running on Vista, you might need to run Olly as admin, because those locations would have restricted access.

Maze
May 1st, 2009, 15:40
Quote (originally posted by evlncrn8):
If you're running on Vista, you might need to run Olly as admin, because those locations would have restricted access.


Nope, not Vista... XP SP3.

I'm going to do a fresh VM and try again.

dELTA
May 3rd, 2009, 12:45
I guess the malware could either have locked its own files with exclusive access, or even used "rootkit methods" to lock/hide them?

Maze
May 3rd, 2009, 19:27
Quote (originally posted by dELTA):
I guess the malware could either have locked its own files with exclusive access, or even used "rootkit methods" to lock/hide them?


I just tried with a fresh VM, with no luck.

At one point in the past I was able to start OllyDbg, attach to explorer.exe, View Modules, double-click on the malware DLL and view the code, names, etc. I forget, but I might have done this on a real machine and not in a VM; I'll have to give that a try.

dELTA
May 4th, 2009, 04:54
One thing you could try:

1. Search for open handles to the malware files using Process Explorer, and note which process is holding them (probably Explorer.exe).
2. Kill all these handles.
3. Copy the files to a separate location.
4. Disassemble them (unpack first if necessary).

Then you'll at least have their code for analysis, and also have strings you can search for in memory to locate this code inside e.g. Explorer.exe.
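A small triage helper, added here as an example and not code from the thread: it parses the OllyDbg log lines Maze pasted to list the modules the debugger could not open, and on Windows re-tries opening each file with CreateFileW so the Win32 error separates dELTA's two hypotheses, an exclusive lock (sharing violation, error 32) from a file that has vanished from the directory (error 2). The sample log is constructed from the Explorer.EXE log above; the error-code meanings are the standard Win32 ones, and the probe assumes it is run on the infected Windows box.

```python
import os
import re
# OllyDbg v2 log pair as pasted above: "<base> Module <path>" (poster appended "<< MALWARE"),
# then "Unable to open executable file" on the next line when the file was unreadable.
MODULE_RE = re.compile(r"^([0-9A-Fa-f]{8}) Module (.+?)\s*(<<.*)?$")
UNABLE = "Unable to open executable file"

WIN32_REASON = {  # GetLastError() after a failed CreateFileW, mapped to the likely cause
    2: "file not found (hidden from the directory, or deleted while still mapped)",
    5: "access denied (ACL, or a driver/security product blocking the open)",
    32: "sharing violation (another process holds an exclusive handle)",
}

def unopenable_modules(log):
    """Return (base_address, path) for every module the debugger said it could not open."""
    lines = [ln.strip() for ln in log.splitlines()]
    found = []
    for i, ln in enumerate(lines[:-1]):
        m = MODULE_RE.match(ln)
        if m and lines[i + 1] == UNABLE:
            found.append((m.group(1).upper(), m.group(2)))
    return found

def classify(err):
    return WIN32_REASON.get(err, f"other Win32 error {err}")

def probe(path):
    """Windows only: re-open the file read-only with full sharing and explain a failure."""
    if os.name != "nt":
        return "probe skipped (not Windows)"
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    u32, vp = ctypes.c_uint32, ctypes.c_void_p
    k32.CreateFileW.restype = vp
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, u32, u32, vp, u32, u32, vp]
    k32.CloseHandle.argtypes = [vp]
    GENERIC_READ, SHARE_ALL, OPEN_EXISTING = 0x80000000, 0x7, 3  # share READ|WRITE|DELETE
    h = k32.CreateFileW(path, GENERIC_READ, SHARE_ALL, None, OPEN_EXISTING, 0, None)
    if h is None or h == vp(-1).value:  # NULL or INVALID_HANDLE_VALUE
        return classify(ctypes.get_last_error())
    k32.CloseHandle(h)
    return "opened fine now: copy it before the lock comes back"

# Constructed from the Explorer.EXE log in the thread, not a complete log.
SAMPLE_LOG = """\
01000000 Module C:\\WINDOWS\\Explorer.EXE
10000000 Module C:\\WINDOWS\\system32\\urlamnic\\codihcat\\rtfagdat.dll << MALWARE
Unable to open executable file
3A220000 Module C:\\WINDOWS\\system32\\ntobdis.dll << MALWARE
Unable to open executable file
"""
```

Run `unopenable_modules(SAMPLE_LOG)` on the pasted log and feed each path to `probe` (or to Process Explorer's handle search) before copying the files out.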

Maze
May 7th, 2009, 15:21
I have no problem finding the files and looking at them manually,
but I wanted to use OllyDbg on them while the malware is running.

Using Process Explorer is a good idea, thanks!

The malware connects to its server via HTTPS and receives commands.
I'm able to catch the info using an API monitor, but the unencrypted
data is still scrambled somehow. I want to work on the malware while it's
running... which is hard because it's attached to explorer.exe.