Archive for May, 2011

Analyzing Process hollowing with a look into Thread Context structure

May 19, 2011

In the previous blog, We have seen how we can use Procexplorer to analyze hollow processes.

In this blog, we shall extend the analysis and see how the Thread context registers actually gets manipulated before resuming the thread.

1. The first step, the victim process gets created in “Suspended mode”. Please note the flag CREATE_SUSPENDED.

Create Process with Suspended mode

Create Process with Suspended mode

In this case, the victim is C:\windows\system32\notepad.exe.
Once, the process is started in suspended mode, a call ZwUnmapviewsection is made to make the memory available.

The snapshot shows the hollowed out memory.

Hollowed out process memory

Hollowed out process memory

Then the hollowed process memory is written with the PE header and the PE sections of the replacement process.

After call to "WriteProcessMemory"

After call to "WriteProcessMemory"

Then a call to GetThreadContext returns the Thread CONTEXT data structure. The snapshot below shows the ThreadContext structure dump before manipulation. You can see that it’s EAX register contains the Entrypoint of notepad.exe

pcontext_structure_before_manipulation_containing_notepad_EP

pcontext_structure_before_manipulation_containing_notepad_EP

Now, the EAX register value in the Context register is manipulated to contain the Entrypoint of the winmine.exe (replacement process)

pcontext_structure_modifying_EAX_to_Point_to_winmine

pcontext_structure_modifying_EAX_to_Point_to_winmine

Once, it is done, the suspended thread is resumed with a call to Resume Thread.

Hope you have enjoyed the read. Cheers 🙂

Advertisements

Analyzing hollow process using Sysinternals Process explorer

May 18, 2011

Before moving to the analysis, thanks to Michael and his team for their great work and codereversing blog admin for posting a follow up blog on process hollowing.

In this blog, I am going to discuss how I used sysinternals process explorer to analyze the process hollowing trick.

First the sample is started with two arguments (1) the victim process (2) the process that will replace the victim

Hollowing the notepad.exe and replacing with winmine.exe

Hollowing the notepad.exe and replacing with winmine.exe

Since, the PEB is not touched, the process explorer still shows the path and name of the process as C:\windows\system32\ and notepad.exe

Now, to confirm we can use sysinternals strings tab and check the strings at image and at memory. The following snaps illustrate it.

Strings from Memory image

Strings from Memory image

strings from disk image

Now that shows the obvious difference. To be more precise, here is the diff.

snapshot of diff between strings

snapshot of diff between strings

Hope you have enjoyed the read. Cheers 🙂

Android Zsone malware analysis

May 15, 2011

Earlier lastweek, it is found that a pack of malicious applications were taken down shortly after being identified for maliciousness. In this blogpost, I am presenting a quick analysis and payload of the sample.

There is nothing fancy about the payload. It is a typical SMSer Trojan. However the interesting point is the Trojan is very cautious in not alerting the user with a flood of SMS. It creates a bookkeeping information file (a XML file) to keep track of the subscriptions.

Tracing the sample’s SMS sender module:

SMS sender module

SMS sender module

A look at the memory footprint:

memory footprint

memory footprint

As mentioned, the Trojan checks that the user is not already victimised before sending the SMS. It does it by maintaining the state information in an XML file.

You can see that the iBookT.xml is the file that has the information about the victim. Here is the snapshot of the content of the XML file.

The value “Y” stands for already infected. This value is checked before sending the SMS. The next snapshot shows the code that does this logical checking.

The code snippet that implements the logic:

Hope you have enjoyed the read. Cheers 🙂