live_dont_exist
July 1st, 2011, 01:04
Hi All,
I've been reading the reversing book written by Eldad Eilam and stepping through a malware reversing exercise which he conducted with a trojan called HackArmy.
Now I have understood how it works and even managed to interact with it, so I have learned a bit there. There are two points though where I am a little confused. I'll try and explain:
1) The original executable is called Webcam Shots.scr. This runs for a while, then copies itself to the System32 directory and terminates itself. The new executable (now called ZoneLockup.exe) starts running [I can see this with ProcessMonitor]. However, the exact same process fails in a debugger. As in, if I step through the code with Olly, I can trace it till the Exit call of the first process, but it does NOT automatically start the ZoneLockup process. I then have to attach Olly manually to the new process and continue. Is this normal behavior? Why is there a difference?
2) While stepping through the ZoneLockup process, the binary suddenly locks up. Olly says [bottom left - status bar] that the process is currently in Dnsapi.dll or Secur32.dll or some other system DLL. I cannot Step Over, Step Into or Run the program. It just hangs. I can only restart the program in Olly. Why does this happen? When the Exe works perfectly outside, why should it hang in a debugger? I am not too sure this is 'debugger aware' malware either, as it did let me do a lot of other stuff.
Here is the link for the code download if you're interested:
http://media.wiley.com/product_ancillary/17/07645748/DOWNLOAD/574817_code_updtd_07_12_2005.zip
You will find the malware in question in the Chapter 8 folder and the program you need to decrypt it in Chapter 6.
Thanks
Arvind
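The drop-to-System32-and-relaunch hand-off Arvind describes (Webcam Shots.scr writing ZoneLockup.exe, starting it, then exiting) is the kind of sequence a Process Monitor trace makes visible; the following is an added example, not code from the post or from Eilam's book, that flags that pattern over constructed, ProcMon-style events. The event tuples, PIDs and paths are invented for illustration; the operation names mirror Process Monitor's but the trace itself is not a real capture.

```python
# Constructed events shaped like Process Monitor rows: (pid, process image, operation, path).
# This is an illustrative trace, not a real capture of the HackArmy sample.
EVENTS = [
    (1200, r"C:\Users\arvind\Desktop\Webcam Shots.scr", "Process Start", r"C:\Users\arvind\Desktop\Webcam Shots.scr"),
    (1200, r"C:\Users\arvind\Desktop\Webcam Shots.scr", "ReadFile", r"C:\Users\arvind\Desktop\Webcam Shots.scr"),
    (1200, r"C:\Users\arvind\Desktop\Webcam Shots.scr", "WriteFile", r"C:\Windows\System32\ZoneLockup.exe"),
    (1200, r"C:\Users\arvind\Desktop\Webcam Shots.scr", "Process Create", r"C:\Windows\System32\ZoneLockup.exe"),
    (1200, r"C:\Users\arvind\Desktop\Webcam Shots.scr", "Process Exit", ""),
    (1340, r"C:\Windows\System32\ZoneLockup.exe", "Process Start", r"C:\Windows\System32\ZoneLockup.exe"),
    (900, r"C:\Windows\System32\notepad.exe", "WriteFile", r"C:\Users\arvind\notes.txt"),  # benign noise
]

SYSTEM32 = "c:\\windows\\system32\\"
EXEC_SUFFIXES = (".exe", ".scr")


def find_drop_and_relaunch(events):
    """Return (pid, source image, dropped path, source_exited) for every process that
    writes an executable into System32 and then launches a process from that same path.
    Comparisons are case-insensitive because Windows paths are."""
    dropped = {}       # pid -> set of lowercased System32 executables written by that pid
    exited = set()     # pids that reported Process Exit
    hits = []
    for pid, image, op, path in events:
        p = path.lower()
        if op == "WriteFile" and p.startswith(SYSTEM32) and p.endswith(EXEC_SUFFIXES):
            dropped.setdefault(pid, set()).add(p)
        elif op == "Process Create" and p in dropped.get(pid, set()):
            hits.append([pid, image, path])
        elif op == "Process Exit":
            exited.add(pid)
    # The parent exiting right after spawning its copy is the hand-off Arvind observed.
    return [(pid, image, path, pid in exited) for pid, image, path in hits]


if __name__ == "__main__":
    for pid, image, path, gone in find_drop_and_relaunch(EVENTS):
        print(f"pid {pid} ({image}) dropped and started {path}; parent exited: {gone}")
```

The same hand-off is why a debugger attached to the first process loses the trail: ZoneLockup.exe is a brand-new process that OllyDbg never attached to, so following it by hand is expected rather than a sign of anti-debugging.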