
Using Appcall and DPC for analyzing hash resolution

October 17, 2010

Last week I read a very nice blog post by Elias Bachaalany (http://www.hexblog.com/?p=193). It was an extremely good read that demonstrates the power of IDA Pro's Appcall feature and how it makes malware analysis both interesting and easy.

At the same time, I was also thinking about Pedram's legendary PaiMei, and decided to play with the same malware using PaiMei and Cameron's Debuggee Procedure Call (DPC).

Just a short recap of EB's post: the case is a malware sample that resolves its APIs at runtime, using a hash as the key for each API instead of the name, and the idea is to use DPC to invoke the malware's own resolver function (the one responsible for turning a hash into an API address) at will, so that its behavior can be explored without reversing the hash routine by hand.
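As an added illustration (this is not code from EB's post, from PaiMei, or from the sample itself), here is the host-side half of that analysis in Python 3: compute the candidate hash of every export name, build a reverse table, and resolve the hash constants lifted from the sample's call sites against it. The ROR13 hash is an assumption, chosen because it is the scheme most shellcode and loaders use; the export list is constructed for the example rather than read from a real DLL, and the second hash constant in the usage block is deliberately bogus to show the unresolved path.

```python
"""Host-side model of hash-based API resolution (added example).

ROR13 is an assumption: it is the scheme most shellcode and loaders use, but
the sample's real routine is whatever DPC/Appcall lets you call directly.
The export list is constructed for the example, not read from a real DLL.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror13_hash(name: bytes, include_nul: bool = False) -> int:
    """h = ror(h, 13) + byte over the export name; some variants hash the NUL too."""
    h = 0
    data = name + b"\x00" if include_nul else name
    for c in data:
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + c) & MASK32
    return h


# Candidate schemes to try when the exact routine is unknown (assumed list).
HASH_VARIANTS: Dict[str, Callable[[bytes], int]] = {
    "ror13": ror13_hash,
    "ror13_nul": lambda n: ror13_hash(n, include_nul=True),
}

# Constructed stand-in for walking a DLL's export directory.
EXPORTS: List[bytes] = [
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc",
    b"ExitProcess", b"WinExec", b"CreateFileA",
]


def build_hash_table(exports: Iterable[bytes],
                     hash_fn: Callable[[bytes], int]) -> Dict[int, bytes]:
    """Map hash -> export name, refusing silent collisions (a real resolver
    would just return the first match, which is itself worth knowing)."""
    table: Dict[int, bytes] = {}
    for name in exports:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision {h:#010x}: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int],
                   exports: Iterable[bytes]) -> Tuple[str, Dict[int, Optional[bytes]]]:
    """Resolve call-site hash constants against every candidate scheme and keep
    the scheme that explains the most of them; unexplained hashes stay None."""
    hashes = list(hashes)
    exports = list(exports)
    best_variant, best_score, best_map = "", -1, {}
    for variant, fn in HASH_VARIANTS.items():
        table = build_hash_table(exports, fn)
        resolved = {h: table.get(h) for h in hashes}
        score = sum(v is not None for v in resolved.values())
        if score > best_score:
            best_variant, best_score, best_map = variant, score, resolved
    return best_variant, best_map


if __name__ == "__main__":
    # Hash constants as you would lift them from the sample's call sites; the
    # second one is deliberately bogus to exercise the unresolved path.
    variant, result = resolve_hashes([0xEC0E4E8E, 0xDEADBEEF], EXPORTS)
    print("best scheme:", variant)
    for h, name in result.items():
        shown = name.decode() if name else "<unresolved: wrong scheme or module?>"
        print(f"{h:#010x} -> {shown}")
```

Where DPC fits: the hash constants come from the arguments pushed before each call to the resolver, and calling the sample's own routine through DPC (or Appcall) gives the ground truth to check this table against. A None result means either the export is in another module or the assumed hash scheme is wrong, which is exactly when invoking the real routine beats guessing.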

[Screenshot: DPC in action]

It worked like a charm.

Now, what remains a mystery to me is why the great pydbg and all of the scripts built on it stress that the debugger has to be attached to the malware instead of loading it from scratch, despite the fact that in many cases loading the malware would be ideal.

Cheers 🙂
