Break on ResumeThread


NeonFlash
April 20th, 2013, 08:44
Hi,

I am analyzing a malware which follows the below sequence:

1. calls CreateProcessW and starts another instance of itself (in the CREATE_SUSPENDED state)
2. calls ZwUnmapViewOfSection on the new process memory (at the image base address, so that the virtual memory is not reserved).
3. calls VirtualAllocEx, allocates 0x27000 bytes and sets protection to PAGE_EXECUTE_READWRITE
4. uses WriteProcessMemory to write 400 bytes from a malicious executable embedded in this process to the destination process.

After calling WriteProcessMemory multiple times, it finally calls GetThreadContext, SetThreadContext and ResumeThread to start execution of the thread in the remote process.

I want to debug the new thread in the remote process.

So, I thought of patching the data written to remote process.

When it calls WriteProcessMemory to write 400 bytes (starting from MZ header), I can patch the OEP.

I locate the OEP (PE Header + 0x28) and it shows up as:

Code:
01610120 95 6D 01 00 00 10 00 00 00 20 02 00 00 00 40 00 •m..... ...@.


The AddressOfEntryPoint is: 0x00016d95

The entire MZ and PE Header will be written to the new process, so, if I patch the OEP here the same will reflect in the new process as well.

My question is, do I just edit this OEP to EB FE?

I need to patch the bytes at memory address 0x00016d95 to EB FE, but 0x00016d95 is not a valid address.

So where do I patch?

Note: My question is very similar to this thread:

t-11437.html

The solution says, "Before the ResumeThread call is invoked, change the entrypoint instruction to an EBFE instruction".

Can someone elaborate on this?

Where do I need to patch?

Thanks.

Indy
April 20th, 2013, 09:21
VA = RVA + Base

blabberer
April 20th, 2013, 13:26
Quote:
The AddressOfEntryPoint is: 0x00016d95

The entire MZ and PE Header will be written to the new process, so, if I patch the OEP here the same will reflect in the new process as well.

My question is, do I just edit this OEP to ebfe?


Do you mean that you edit the header to EB FE?

No, that isn't going to work.

The AddressOfEntryPoint 0x16XXX means the address of the entry point will be at

base of image (viz. 0x400000 in default cases, or anywhere in special cases) + 0x16XXX

so you need to know where the base of the image is.
Most probably it would be what was returned by an earlier VirtualAlloc call.

Say it is 0x60500000, for example; then you need to patch the bytes at 0x60500000 + 0x16XXX == 0x60516XXX.

Also be aware that SetThreadContext has a full context that includes EIP, which would be executed on resume.
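The question's four-step sequence plus the VA = RVA + Base rule from the two replies, worked through as an added example that is not part of this thread. It parses the header buffer the first WriteProcessMemory call carries, resolves the entry point against the base VirtualAllocEx returned, and drops EB FE into whichever write buffer covers that address (the .text write, not the header write, which is why editing AddressOfEntryPoint in the header does nothing). The PE image, the buffers and the remote base are constructed in-process for the demo; in a real session the same logic runs in a debugger script against the lpBuffer argument on the stack before the call executes. `demo`, `patch_entry` and the hypothetical `ctx_eip` parameter are this example's own names.

```python
import struct

EBFE = b"\xeb\xfe"  # 2-byte "jmp $": the resumed thread parks itself here


def build_sample_image():
    """Constructed PE32 image for this example (not the sample from the thread).
    Header values mirror the hex quoted in the post: AddressOfEntryPoint 0x16d95,
    BaseOfCode 0x1000, BaseOfData 0x22000, ImageBase 0x400000; one .text section
    covers the entry point. Returns (header buffer, .text RVA, .text bytes)."""
    entry_rva, text_va, text_size = 0x16D95, 0x1000, 0x17000
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<IIII", opt, 16, entry_rva, 0x1000, 0x22000, 0x400000)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # alignments
    struct.pack_into("<II", opt, 56, 0x27000, 0x400)  # SizeOfImage (= VirtualAllocEx size), SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size,
                      0x400, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sec
    headers += b"\x00" * (0x400 - len(headers))
    text = bytearray(b"\x90" * text_size)
    ep = entry_rva - text_va
    text[ep:ep + 3] = b"\x55\x8b\xec"  # push ebp; mov ebp, esp at the entry point
    return headers, text_va, bytes(text)


def parse_headers(buf):
    """Read the fields the patch needs from the header buffer (what the first
    WriteProcessMemory call in the thread carries). PE32 only."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("example handles PE32 only")
    entry_rva = struct.unpack_from("<I", buf, e_lfanew + 0x28)[0]  # "PE header + 0x28"
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw = struct.unpack_from("<8sIII", buf, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\x00").decode(), va, max(vsize, raw)))
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_for_rva(hdr, rva):
    """Name of the section that will contain rva once mapped, or None (headers)."""
    for name, va, size in hdr["sections"]:
        if va <= rva < va + size:
            return name
    return None


def patch_entry(writes, target_va):
    """writes: list of [remote lpBaseAddress, bytearray lpBuffer], one per
    WriteProcessMemory call. Puts EB FE at target_va in whichever buffer covers
    it; returns (index of that write, the two original bytes) for restoring later."""
    for i, (addr, data) in enumerate(writes):
        if addr <= target_va and target_va + 2 <= addr + len(data):
            off = target_va - addr
            saved = bytes(data[off:off + 2])
            data[off:off + 2] = EBFE
            return i, saved
    raise LookupError("no WriteProcessMemory buffer covers 0x%08x" % target_va)


def restore_entry(writes, index, target_va, saved):
    """Once the debugger is attached: put the original bytes back (then set EIP = target_va)."""
    addr, data = writes[index]
    data[target_va - addr:target_va - addr + 2] = saved


def demo(remote_base=0x400000, ctx_eip=None):
    """remote_base: what VirtualAllocEx returned in the target. ctx_eip (assumed
    name): the Eip field of the CONTEXT passed to SetThreadContext, if the sample
    sets one; it overrides AddressOfEntryPoint, as the reply above warns."""
    headers, text_va, text = build_sample_image()
    hdr = parse_headers(headers)
    entry_va = remote_base + hdr["entry_rva"]                    # VA = RVA + Base
    target = entry_va if ctx_eip is None else ctx_eip
    writes = [[remote_base, bytearray(headers)], [remote_base + text_va, bytearray(text)]]
    idx, saved = patch_entry(writes, target)
    addr, data = writes[idx]
    return {"entry_va": entry_va, "section": section_for_rva(hdr, target - remote_base),
            "write_index": idx, "saved": saved,
            "now": bytes(data[target - addr:target - addr + 2])}


if __name__ == "__main__":
    r = demo()
    print("entry VA 0x%08x in %s, patched in write #%d: %s -> %s"
          % (r["entry_va"], r["section"], r["write_index"], r["saved"].hex(), r["now"].hex()))
```

With the default base the patch lands at 0x00416d95 inside the .text write (write #1), never in the 400-byte header write; asking `patch_entry` to patch using only the header buffer raises, which is the "0x00016d95 is not a valid address" confusion in code form. Keep the two saved bytes: after ResumeThread spins the thread at EB FE and the debugger is attached, write them back and point EIP at the entry again.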

yekhni
September 19th, 2013, 07:37
Hi

Suspended processes won't let debuggers attach, because when the process is hollowed the PEB is not initialized.
The best solution would be:

1: Set a breakpoint at ZwResumeThread
2: Inject a dummy Sleep thread using CreateRemoteThread, to initialize the PEB of the foreign process
3: Attach the debugger and resume from the OEP

Cheers!

Indy
September 23rd, 2013, 16:34
side tools.