To keep track of the posts in all our Malware: Unpacking Waledac
Posted 01-12-2009 at 02:15 PM by joren
Open the file in OllyDbg. Will look something like the following:
The call at the bottom is not always ExitProcess (GlobalLock, VirtualProtect, etc)
Go to address 00401000 in the dump and set a Breakpoint -> Hardware, on access -> Byte and run with F9
An access violation will occur on 00401092. This is intentional, press Shift+F9 to pass exception to the program
Your breakpoint will eventually hit and you may need to re-analyze (ctrl-a):
Execute the return. You will then land in an area like the following:
Execute the return here as well. You will then land in an area like the following:
Remove all breakpoints at this point. Note the CALL EAX at 00401810. Step into this call:
Continue single-stepping. Once you step over the call located at 00921777 you will see some modules were loaded (Alt-e). We are getting somewhere..
At this point go to the memory map (Alt-m), right-click the malware's .text section -> Set break-on-access. Now run with F9 again. You should get a break-on-access when writing to 00401000:
Now we know we have required modules loaded and we are writing code...Scroll down a bit and you will see:
Looks like your typical UPX jump to OEP code... Remove all breakpoints and set a hardware breakpoint on execution on the JMP (004ED28C) and run with F9. The breakpoint should hit and now single-step execute the instruction. You should land here:
At this point we can dump the debugged process and fix the imports. As a note, Olly had some issues dumping this (atleast for me) so I simply used LordPE. This method is obviously not the shortest, but was the initial flow I took when attempting to unpack it. Again, the addresses will obviously change, but the areas of code and this unpacking method seem to work well.
Nothing too difficult, but someone may learn/benefit from the above. Ping me if you see any errors...
Code:
00401023 >/$ 55 PUSH EBP 00401024 |. 8BEC MOV EBP,ESP 00401026 |. 6A FF PUSH -1 00401028 |. 68 DC254000 PUSH card.004025DC 0040102D |. 68 E1104000 PUSH card.004010E1 ; SE handler installation .... 0040108D |. B8 56224000 MOV EAX,card.00402256 00401092 |. 8902 MOV DWORD PTR DS:[EDX],EAX 00401094 |. 50 PUSH EAX ; /ExitCode => 402256 00401095 \. FF15 4C304600 CALL DWORD PTR DS:[<&kernel32.ExitProces>; \ExitProcess
Go to address 00401000 in the dump and set a Breakpoint -> Hardware, on access -> Byte and run with F9
An access violation will occur on 00401092. This is intentional, press Shift+F9 to pass exception to the program
Your breakpoint will eventually hit and you may need to re-analyze (ctrl-a):
Code:
004011C3 |. 89C1 MOV ECX,EAX ; landed here 004011C5 |. 83E1 03 AND ECX,3 004011C8 |. 83C6 03 ADD ESI,3 004011CB |. 83C7 03 ADD EDI,3 004011CE |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> 004011D0 |. FC CLD 004011D1 |> 5F POP EDI 004011D2 |. 5E POP ESI 004011D3 \. C3 RETN
Code:
00401663 |> 8D55 F4 |LEA EDX,DWORD PTR SS:[EBP-C] 00401666 |. 52 |PUSH EDX 00401667 |. 6A 40 |PUSH 40 .... 00401681 |. FF4D F0 |DEC DWORD PTR SS:[EBP-10] 00401684 |.^75 8F \JNZ SHORT card.00401615 00401686 |> 5F POP EDI 00401687 |. 5E POP ESI 00401688 |. 5B POP EBX 00401689 |. 8BE5 MOV ESP,EBP 0040168B |. 5D POP EBP 0040168C \. C2 1000 RETN 10
Code:
004017FF |. 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4] 00401803 |. 2BF3 SUB ESI,EBX 00401805 |. BF E8164000 MOV EDI,card.004016E8 0040180A |. 03FE ADD EDI,ESI 0040180C |. 89F8 MOV EAX,EDI 0040180E |. 53 PUSH EBX 0040180F |. 56 PUSH ESI 00401810 |. FFD0 CALL EAX
Code:
009216E8 55 PUSH EBP .... 0092176A E8 29FDFFFF CALL 00921498 0092176F 8BCB MOV ECX,EBX 00921771 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] 00921774 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 00921777 E8 30FDFFFF CALL 009214AC 0092177C 83F8 01 CMP EAX,1 0092177F 75 20 JNZ SHORT 009217A1 .... 0092179A FF13 CALL DWORD PTR DS:[EBX] ; kernel32.CreateThread 0092179C 6A FF PUSH -1 0092179E FF53 04 CALL DWORD PTR DS:[EBX+4] ; kernel32.Sleep 009217A1 6A 00 PUSH 0 009217A3 FF53 24 CALL DWORD PTR DS:[EBX+24]
At this point go to the memory map (Alt-m), right-click the malware's .text section -> Set break-on-access. Now run with F9 again. You should get a break-on-access when writing to 00401000:
Code:
004ED0F3 8807 MOV BYTE PTR DS:[EDI],AL ; bp hits here 004ED0F5 47 INC EDI 004ED0F6 01DB ADD EBX,EBX 004ED0F8 75 07 JNZ SHORT card.004ED101 004ED0FA 8B1E MOV EBX,DWORD PTR DS:[ESI] 004ED0FC 83EE FC SUB ESI,-4 004ED0FF 11DB ADC EBX,EBX 004ED101 ^72 ED JB SHORT card.004ED0F0 004ED103 B8 01000000 MOV EAX,1 004ED108 01DB ADD EBX,EBX 004ED10A 75 07 JNZ SHORT card.004ED113
Code:
004ED27E 61 POPAD ; restore registers 004ED27F 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80] 004ED283 6A 00 PUSH 0 004ED285 39C4 CMP ESP,EAX 004ED287 ^75 FA JNZ SHORT card.004ED283 004ED289 83EC 80 SUB ESP,-80 004ED28C ^E9 0121FAFF JMP card.0048F392 ; jmp to OEP 004ED291 0000 ADD BYTE PTR DS:[EAX],AL
Code:
0048F392 E8 3AC50000 CALL card.0049B8D1 ; OEP 0048F397 ^E9 16FEFFFF JMP card.0048F1B2 0048F39C CC INT3
Nothing too difficult, but someone may learn/benefit from the above. Ping me if you see any errors...
Total Comments 0
Comments
Total Trackbacks 0
