
IDCDumpFix


dELTA
October 24th, 2006, 06:08
Does anyone have any experience with IDCDumpFix, out of the "Malcode Analyst Pack" / "Malcode Analysis Pack" from iDefense?

http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack

If you don't know it, I guess it (and the other tools on that page) could be worth a look. Seems like some kind of import fixer for dumped packed executables.

Btw, isn't it great that "malware analysis" has become such a legitimate thing that big companies publish dumpers and import fixers, and Ilfak regularly publishes tutorials about unpacking?

LLXX
October 25th, 2006, 02:41
I still trust the old ImpRec and LordPE

Served me well for over 5 years (the days of Fravia and +HCU... wow that was a long time ago...)

JMI
October 25th, 2006, 02:59
Minor clarification. "40, 50, or more years ago" may be a "reasonably long time ago," but those of us who can look back with at least that much time behind us find it rather difficult to look back just "5 years" and call it "a long time ago."

But then, they say "Time is relative" (either to the beholder, or Einstein, or somebody). After all, I still have my working original Mac, circa 1984, and that still seems like "just yesterday."

But then, through "all those years" I've also learned it's often not wise to argue with a lady.

Regards,

Kayaker
October 25th, 2006, 22:44
Quote:
[Originally Posted by dELTA] Does anyone have any experience with IDCDumpFix


OK, so I just spent the last 5 minutes becoming a 10-minute expert on this. What do you wanna know? We do have a requirement here that members do their own research before asking questions, you know.

Well it works, could certainly be useful for some situations. The idea is to produce a quick readable disassembly of say a packed malware from an attached image dump. What you do is execute the malware, dump the running image with i.e. LordPE, attach to the image with OllyDbg and have Olly search for all intermodular calls. Then you copy the table of intermodular calls into IDCDumpFix and have it produce an IDC file which you can apply to the dumped image disassembly.

Instead of getting this (UPX-ed notepad):
Code:

UPX0:01001000 dword_1001000 dd 77DFD5FDh ; DATA XREF: sub_10063B4+18

UPX0:010063CC call dword_1001000


You get this, which is certainly much better:
Code:

UPX0:01001000 ; BOOL __stdcall IsTextUnicode_(const LPVOID lpBuffer,int cb,LPINT lpi)
UPX0:01001000 IsTextUnicode_ dd 77DFD5FDh ; DATA XREF: sub_10063B4+18

UPX0:010063CC call IsTextUnicode_


It works great. I'd like to see the same thing implemented for kernel mode actually. I've had occasion to dump a driver from image, where the driver file has been "embedded" and can't be disassembled from an original sys file directly. All ntoskrnl functions become absolute addresses in this case and the disassembly is difficult to work with to say the least.

The key would be to duplicate Olly's "Search for intermodular calls" function but for kernel mode, using WinDbg. I wonder if something approaching this already exists for WinDbg, if not a debugger extension could probably be made up, matching ntoskrnl addresses with their symbolic/export names which could then be converted to an IDC file.

As far as that goes, WinDbg could probably use a usermode/kernelmode PE dumper function actually. Does such a debugger extension already exist?
Slightly on-topic:
https://www.rootkit.com/board.php?thread=8161&did=edge0&disp=8161

Kayaker
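The OllyDbg-to-IDC step described in the post above, as an added example that is not part of the original thread or of the iDefense tool: it parses a copied "intermodular calls" listing and emits an IDC script that names the import slots in the dumped image. The column layout of the OllyDbg listing is assumed (address, disassembly, destination) and the sample lines are constructed; only the IDA-side addresses and the IsTextUnicode_ name come from the listing in the post.

```python
import re

# Constructed sample of an OllyDbg "Search for -> All intermodular calls"
# listing as copied out of the window. The column format is assumed. The
# dumped image has no import table, so each API call goes through a plain
# dword slot, exactly as in the UPX-ed notepad listing quoted in the post.
SAMPLE_OLLY_LISTING = """\
Address   Disassembly                   Destination
010063CC  CALL DWORD PTR DS:[1001000]   ADVAPI32.IsTextUnicode
010063E1  CALL DWORD PTR DS:[1001004]   KERNEL32.GetModuleHandleA
010063F0  CALL DWORD PTR DS:[1001004]   KERNEL32.GetModuleHandleA
01006410  CALL 01006500                 notepad.01006500
"""

# Matches only indirect calls through a memory slot; direct calls are ignored.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]{8})\s+CALL DWORD PTR DS:\[(?P<slot>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>\w+)\.(?P<func>\w+)\s*$"
)


def parse_intermodular_calls(listing):
    """Return {slot_address: (module, function)} for calls made through
    import slots. Duplicate slots (the same API called twice) are kept once."""
    slots = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        slot = int(m.group("slot"), 16)
        slots.setdefault(slot, (m.group("module"), m.group("func")))
    return slots


def make_idc(slots):
    """Emit an IDC script that turns each slot into a named dword. The
    trailing underscore mirrors the IsTextUnicode_ naming in the post, so the
    name cannot collide with a symbol IDA already owns."""
    lines = ["#include <idc.idc>", "static main() {"]
    for slot in sorted(slots):
        module, func = slots[slot]
        lines.append(f"    MakeDword(0x{slot:08X});")
        lines.append(f'    MakeName(0x{slot:08X}, "{func}_");')
        lines.append(f'    MakeComm(0x{slot:08X}, "{module}.{func}");')
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(make_idc(parse_intermodular_calls(SAMPLE_OLLY_LISTING)))
```

Running the generated script in IDA against the dump turns `call dword_1001000` into `call IsTextUnicode_`, as shown in the second listing of the post.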