Archive for the ‘Tools and Frameworks’ Category

Analyzing hollow process using Sysinternals Process explorer

May 18, 2011

Before moving to the analysis, thanks to Michael and his team for their great work and codereversing blog admin for posting a follow up blog on process hollowing.

In this blog, I am going to discuss how I used sysinternals process explorer to analyze the process hollowing trick.

First the sample is started with two arguments (1) the victim process (2) the process that will replace the victim

Hollowing the notepad.exe and replacing with winmine.exe

Hollowing the notepad.exe and replacing with winmine.exe

Since, the PEB is not touched, the process explorer still shows the path and name of the process as C:\windows\system32\ and notepad.exe

Now, to confirm we can use sysinternals strings tab and check the strings at image and at memory. The following snaps illustrate it.

Strings from Memory image

Strings from Memory image

strings from disk image

Now that shows the obvious difference. To be more precise, here is the diff.

snapshot of diff between strings

snapshot of diff between strings

Hope you have enjoyed the read. Cheers 🙂


Android Zsone malware analysis

May 15, 2011

Earlier lastweek, it is found that a pack of malicious applications were taken down shortly after being identified for maliciousness. In this blogpost, I am presenting a quick analysis and payload of the sample.

There is nothing fancy about the payload. It is a typical SMSer Trojan. However the interesting point is the Trojan is very cautious in not alerting the user with a flood of SMS. It creates a bookkeeping information file (a XML file) to keep track of the subscriptions.

Tracing the sample’s SMS sender module:

SMS sender module

SMS sender module

A look at the memory footprint:

memory footprint

memory footprint

As mentioned, the Trojan checks that the user is not already victimised before sending the SMS. It does it by maintaining the state information in an XML file.

You can see that the iBookT.xml is the file that has the information about the victim. Here is the snapshot of the content of the XML file.

The value “Y” stands for already infected. This value is checked before sending the SMS. The next snapshot shows the code that does this logical checking.

The code snippet that implements the logic:

Hope you have enjoyed the read. Cheers 🙂

IDA Pro plugin for parsing Java class files constant pool table

February 20, 2011

I am working on a IDAPython plugin to parse the ConstantPool table of a Java class. Here is the snapshot of the output of the beta grade plugin.

Java Constant Pool parser output

Java Constant Pool parser output

I am just having few plans to enhance this to annotate the IDA Pro’s disassembly of Java Bytecode and to improve the readability.  I am not sure whether it is too simple otherwise thinking to submit it for Plugin contest.

Cheers 🙂

Hardware Breakpoint is now supported by VirtualBox (Bug:477)

December 5, 2010

Just a good news for VirtualBox users (especially Reverse Engineers). The earlier versions of virtualbox VMM/RAW module was not supporting hardware execution breakpoint in Ollydebugger. I just gave it a try with 3.2.12 and it has got fixed. Strange that this does not got mentioned in the release notes.


Hardware BP in action

Hardware BP in action

Cheers 🙂

Using Appcall and DPC for analyzing hash resolution

October 17, 2010

Last week I went through a very nice blog of Elias Bachaalany ( It was an extremely nice read to demonstrate the power of Appcall feature of IDA Pro and how it helps to explore the analysis of malware interesting and easy.

In the same time, I was also thinking about the legendary Pedram’s PAIMEI and decided to play with the same malware using PAIMEI and cameron’s Debugee Procedure Call.

Just a short recap of EB’s blog: The incident is about a malware that uses hash of the library code as the key to resolve the API at runtime and the idea is to use DPC to invoke the function of the malware (the function responsible for resolving the APIs through hash) at our will to explore the behavior.


DPC in action

DPC in action


It worked like charm.

Now, what remains a mystery is why the great pydbg and all of the scripts stresses that it has to be attached to a malware instead of “loading” it from the scratch despite In many cases loading a malware would be ideal.

Cheers 🙂

Graph theory for Malware Analysis

July 1, 2010

Thanks to Ero Carrera.

Last few days, I have been practicing applying Graph Theory for malware classification and analysis. The basic idea is to convert the disassembly of the sample into a directed graph and calculate the following four metrices.

  1. Cyclomatic Complexity
  2. Indegree of the procedures
  3. Outdegree of the procedures
  4. Histogram of the significant instructions

I have built a simple utility on top of IDA Python that can query the IDB file and create a easy navigatable HTML file with interactive javascripts to load the procedures.

Disassembly of the malware

Disassembly of the malware

Once the auto-analysis is completed, run the utility.

Once the utility completes its execution it produces a DHTML file which will look like this while starting.

Output DHTML file

Output DHTML file

Then, selecting the core payload procedure and loading it results in displaying the plotted graph for that function.

And processing different variants (probably created by some Trojan Development Kits) yield the same metrics regardless of their different structure and size.

I am further studying this approach to come up with some more solid results.

Cheers 🙂

VirusTotal on Android

May 31, 2010

I just got this idea while going through the Android Scripting Environment (ASE) for Python. How many of us would have liked to have a Virus Total client for Android smartphone? Obviously the number would be extremely low. However got this idea of experimenting a VT client for Android smart phones.

So lets start a small experiment:

Main Menu of Android application

Android Main Menu

Now, Click the ASE ( Android Scripting Environment ). Please note the emulator is already installed with the ASE and Python scripts. Please refer the google code page if any help is needed regarding ASE installation.

The experimental script in action

Script in action

Now, enter the md5sum value that needs to be queried and press enter

Results of the script

Results for the MD5

I just tried this script as a HelloWorld exercise for Python in Android.  I will write something more useful in the near future and post it.

Cheers 🙂

FileWatcher for the dynamic analysis of File infecting parasitic virus

May 14, 2010

Have you ever felt the need of a simple FileWatcher utility that can monitor the files modifed and newly created file in a directory during a program’s execution?

Of course, the obvious choice would be Sysinternals’ ProcMon/FileMon that can achieve this with surgeon’s precision and there could not be any better utility to beat the functionality. However I often felt that while replicating a file infecting parasitic virus, it would be great to have a very simple utility that can monitor for the modified files / newly dropped files and copy them into separate folders automatically.

This utility is developed to address that need.

Starting the application

Starting the application

Once the filewatcher is started, you can start the replication of file infector. (Typically you can watch any mounted network hgfs share). When any files in the target folder is modified the filewatcher will trigger a chain of events to copy the modified file into C:\ModifiedFiles folder.

Picking Modified files

Picking Modified files

Similarly, the newly dropped files will be picked and copied to C:\NewFiles

To keep things simple, the filewatcher runs as a single threaded application hence it will not respond to any other events. Hence to stop the execution one must copy a file called “final.txt” in the folder where FileWatcher is running.

The output:

colected files

colected files

Cheers 🙂

A Malware stalker that speaks

May 7, 2010

The idea is to create a very simple sandbox system which accepts a malware sample as input and produce a .mp3 file and a .txt file that has the replication data of the malware.

I have started believing  in automating malware analysis only after I got introduced to the great Pedram’s PAIMEI framework and Ero’s Pefile module. IMHO, it is one of the most powerful and elegant, extensible framework for automating reverse engineering.

Some time back, I played with the sample hook application that comes with the PAIMEI’s hook container and started customizing it. Just to add some spice, i have integrated PySpeech to speak the stalking information of malware execution.

Here are few snapshots:

Start Stalker

Once started, the stalker will break on every dll load event and allow you to set breakpoints any APIs exported in the dll.

Adding hook in WriteFile

Sample execution

Type something in notepad and try to save the file to trigger WriteFile API. Since we have registered a hook on the WriteFile, the arguments and the response will be recorded.


The stalker also can operate in a mode where you can exclude the API calls made from library functions.

I am working on the known issues to improve and hopefully make this as a useful sandbox sooner.

My sincere thanks to Pedram, Ero for their wonderful python libraries.

Cheers 🙂