
Debug a Remote Thread in Olly Debugger


NeonFlash
March 26th, 2012, 12:11
I am analyzing a malware sample which injects code into explorer.exe using WriteProcessMemory().

Once it has injected the malicious code, it runs this code using CreateRemoteThread().

Now, the moment I step over the call to the CreateRemoteThread instruction, the malware runs inside the debugger.

I want to step over the code injected into explorer.exe and analyze it.

In order to do so, I attached another Olly Debugger to explorer.exe. It brings me to ntdll.DbgBreakPoint.

It freezes the VM, probably because explorer.exe is paused inside the debugger.

Next, I modified the values passed by the malware to OpenProcess so that it now injects the code into another process, calc.exe, instead of explorer.exe.

Once again, after reaching the call to CreateRemoteThread() inside the virus code, I attached another Olly Debugger to the calc.exe process.

I used the base address of the code which was passed as a parameter to CreateRemoteThread() and checked it in calc.exe inside Olly Debugger. I can see the injected code.

Now, I want to be able to trigger this code and execute it step by step.

If I step over the CreateRemoteThread() instruction in the virus, it will crash because calc.exe is already paused inside the debugger. So, the remote thread will not execute.

Is there a way to analyze the Remote Thread?

NeonFlash
March 26th, 2012, 12:57
It has worked.

Indy
March 26th, 2012, 13:06
bpx ZwContinue.

NeonFlash
March 26th, 2012, 13:25
I just noticed that this method will not work, since it creates a mutex using the process ID of calc.exe.

The mutex name contains the PID.

Later on, it retrieves the process ID of explorer.exe. Then it again forms the mutex name using the PID of explorer.exe.

Now, when it tries to open the mutex, it will fail. So it again follows the same code sequence of injecting code into the process address space of explorer.exe, followed by CreateRemoteThread.

blabberer
March 27th, 2012, 02:48
Quote:

Later on, it retrieves the process ID of explorer.exe. Then it again forms the mutex name using the PID of explorer.exe.


Tried manipulating and changing the PID to calc.exe's PID?

If it is shareable, zip the malware with a password and upload it.

NeonFlash
March 27th, 2012, 04:46
Yes, I need to try that. I guess there are two ways to go about it:

When it creates a mutex using calc.exe's PID, I can manipulate the mutex name parameter before it is passed to the CreateMutex API.

The reason being, the mutex name string stores the PID. Since I already know the PID of explorer.exe, I can modify the mutex name before CreateMutex is executed.

As a next step, when the virus uses OpenMutex to open a mutex with a name that has the PID of explorer.exe in it, it will identify the right mutex. I guess it should help.

I am right now away from my computer, so will try this later.

@blabberer: I will PM you.

_genuine
April 13th, 2012, 09:59
Could you PM it to me as well?