live_dont_exist
July 31st, 2012, 10:04
Hi All,
So I have been trying to reverse a piece of malware that is here - http://www.offensivecomputing.net/?q=ocsearch&ocq=976dd8be30df45c6fb2b4aaaa9ce9106 [I am guessing its the same coz the site didnt allow me to upload my file saying it had a copy]. It is called SkypeLauncher.exe.
So everything is fine so far and I can reverse it okay. I however have a few doubts with respect to how threads work in this sample and generally.
a) What happens is - 1 thread is created in Suspended state and ResumeThread is immediately called; it returns 1. The call back function is NOT triggered immediately (although documentation says if 1 is returned it should start immediately).
b) The original code continues and eventually a sleep(1000) is called. At this point that old suspended thread suddenly gets called. I'd put a BP there previously; so I know. Question is...what decides the instant the suspended thread is called? Does the OS see..Oh main thread sleeping...no work..let me call a suspended thread to use resources well? Is this the logic?
c) The third problem IMO is a very interesting one. While it has not stopped me from reversing, I really do not know why it works. The second thread continues running normally; remember first thread is still in sleep(1000). Eventually the 2nd thread comes to a recursive loop that seems to run for a very long time; I used Animate Over in Olly and it keeps going between the same instructions many many many times (I did not count how many though). The disassembly for this loop is in 1.png [attached]. It never exits; I'm sure I tried for at least 10-15 seconds. Didn't see the point in waiting longer. Now comes the interesting part (to me at least
). Instead of Trace or Animate over I ran the program [F9]. Immediately it seemed to break out of the loop and "resume" the previous sleep(1000) thread. This is shown in 2.png [attached]. I am sure it did not break out of that loop because I also ran a Hit Trace (Olly 2.01) and the instructions after that loop never got triggered even once. What is the difference wrt Thread Resumption between Trace/Animate and Run?
Am I making sense? I have also attached the malware if you want to take a look at it yourselves. All opinions of course are always welcome as usual
Thanks
Arvind
So I have been trying to reverse a piece of malware that is here - http://www.offensivecomputing.net/?q=ocsearch&ocq=976dd8be30df45c6fb2b4aaaa9ce9106 [I am guessing its the same coz the site didnt allow me to upload my file saying it had a copy]. It is called SkypeLauncher.exe.
So everything is fine so far and I can reverse it okay. I however have a few doubts with respect to how threads work in this sample and generally.
a) What happens is - 1 thread is created in Suspended state and ResumeThread is immediately called; it returns 1. The call back function is NOT triggered immediately (although documentation says if 1 is returned it should start immediately).
b) The original code continues and eventually a sleep(1000) is called. At this point that old suspended thread suddenly gets called. I'd put a BP there previously; so I know. Question is...what decides the instant the suspended thread is called? Does the OS see..Oh main thread sleeping...no work..let me call a suspended thread to use resources well? Is this the logic?
c) The third problem IMO is a very interesting one. While it has not stopped me from reversing, I really do not know why it works. The second thread continues running normally; remember first thread is still in sleep(1000). Eventually the 2nd thread comes to a recursive loop that seems to run for a very long time; I used Animate Over in Olly and it keeps going between the same instructions many many many times (I did not count how many though). The disassembly for this loop is in 1.png [attached]. It never exits; I'm sure I tried for at least 10-15 seconds. Didn't see the point in waiting longer. Now comes the interesting part (to me at least
). Instead of Trace or Animate over I ran the program [F9]. Immediately it seemed to break out of the loop and "resume" the previous sleep(1000) thread. This is shown in 2.png [attached]. I am sure it did not break out of that loop because I also ran a Hit Trace (Olly 2.01) and the instructions after that loop never got triggered even once. What is the difference wrt Thread Resumption between Trace/Animate and Run?Am I making sense? I have also attached the malware if you want to take a look at it yourselves. All opinions of course are always welcome as usual
Thanks
Arvind