In Tutorial 11, we have shown you the trick played by Max++ to load its own malicious executable using the "corpse" of another DLL called "lz32.dll". Beginning from this tutorial, we will analyze the functionality of the malicious DLL. In the following, we use "lz32.dll" to refer to this malicious code starting at 0x003C24FB. (In your VBox instance, this entry address might vary. Check Tutorial 11 for how to find out the correct entry address of lz32.dll.) Today, we will discuss some basic background information related to the DLL entry point and analyze the first part of lz32.dll (it's not the real "lz32.dll", but the malicious code of Max++ planted into it).

(1) Clear all breakpoints and hardware breakpoints in IMM (see View->Breakpoints and View->Hardware Breakpoints).

(2) Go to 0x4012DC and set a hardware breakpoint there. (Why not a software BP? Because that region will be self-extracted and overwritten, and the software BP will be lost.) Pay special attention that once you go to 0x4012DC, you right click directly on the line to set the hardware BP (currently it's gibberish code). Figure 1 shows the code that you should be able to see. As you can see, this is right before the call of RtlAddVectoredException, where the hardware BP is set to break the LdrLoadDll call (see Tutorial 11 for details).

At this point, the code at 0x3C24FB has not been extracted. If you go to 0x3C24FB at this moment, IMM will complain that this address is not accessible.

(4) Now scroll down about 2 pages and set a SOFTWARE BREAKPOINT at 0x401417. This is right after the call of LdrLoadDll("lz32.dll"), where Max++ finishes the loading of lz32.dll.

(6) Now we will set a breakpoint at 0x3C24FB. Press SHIFT+F9 several times, until you hit 0x7C90D500 (this is somewhere inside ntdll.zwMapViewSection, which is being called by LdrLoadDll). Go to 0x3C24FB and set a SOFTWARE BREAKPOINT there. (You will see a warning which says your BP is out of the range. This is because the malware author did not do a good job at resetting the binary PE information: the executable code section size is messed up; see Tutorial 12 for details.)

(7) If you hit SHIFT+F9 (probably twice), you will hit 0x3C24FB. If you hit 0x401417 directly, something is wrong with IMM (strangely, I cannot explain). You have to RESTART (Debug->Restart) and repeat steps (1) to (6) (yes, clear all BPs and hardware BPs). The current sequence should be: you hit 0x7C90D500 twice, and then hit 0x3C24FB. This is because LdrLoadDll will try to call the entry point of the DLL. Figure 3 shows the code that you should be able to see. The first instruction at 0x3C24FB should be CMP DWORD PTR SS:, -2. If you execute several steps, you might notice that it soon returns, because the compared value is 1.

(9) SHIFT+F9 again, and you will be hitting 0x401417; then SHIFT+F9 again, and you will be hitting 0x3C24FB again! You might notice that the compared value is now -2, and if you F7, you will trace into a lot of details of the malicious logic. Up to this point, you are doing it right. If there is anything messed up, you have to restore the snapshot, because Max++ automatically removes its binary executable from the disk drive so that you will not be able to find it again.
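The "BP is out of the range" warning in step (6) comes from the debugger comparing the breakpoint address against the section table it read from the (malformed) PE headers of the mapped image. The following Python is an added example, not part of the original tutorial: it parses that section table and reports which declared section covers a virtual address, so an analyst can confirm that the warning is caused by an undersized code section rather than by a wrong address. The sample image is constructed inside the code, and the 0x3C0000 base is an assumed value, not the real base of the mapped lz32.dll region.

```python
import struct


def parse_sections(image: bytes):
    """Return (image_base, [(name, va_start, va_end), ...]) from the PE headers in `image`."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                   # PE32: 4-byte ImageBase at offset 28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    else:                                                # PE32+: 8-byte ImageBase at offset 24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                    # section headers follow the optional header
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, hdr + 8)
        sections.append((name, image_base + vaddr, image_base + vaddr + vsize))
    return image_base, sections


def section_for(image: bytes, va: int):
    """Name of the section whose declared range covers `va`, or None.

    None is the case in which the debugger warns that a breakpoint is outside
    the code section, even if the bytes are really mapped at that address.
    """
    for name, start, end in parse_sections(image)[1]:
        if start <= va < end:
            return name
    return None


def build_sample_image(image_base: int, text_vsize: int) -> bytes:
    """Constructed minimal PE32 header with one .text section at RVA 0x1000 (not real Max++ data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: NT headers right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, PE32 opt hdr size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)          # assumed base, see lead-in
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", text_vsize, 0x1000, text_vsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
```

With a .text VirtualSize of 0x2000 the address 0x3C24FB is reported as inside .text; shrinking it to 0x1000 reproduces the out-of-range condition that makes IMM warn.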