Thursday, December 15, 2011

Spyeye function name hashing(masm32)

In my last post I had written a C program to find the corresponding hashes of the function names - I spent the morning writing the same in masm32. The following code isn't that good though; i'm pushing and popping all registers just because im too lazy to lookup which registers get destroyed(print destroys ecx and edx?).

You can find the code here.

Wednesday, November 30, 2011

Spyeye function name hashing


I have been analyzing SpyEye for a while now and like most malware/shellcode around today, it looks around for functions based on the hash of the name it calculates. Below is a small snippet the I used to figure out how the hashes map to various functions - its not much; an masm32 script that locates kernel32 from the InInitializationOrderModuleList, gets to the export table, then to the function names might be the better way to do this. In anycase, here goes :-

$ strings kernel32.dll | sort | uniq > kernel32names
$ cat findnames.c
#include<stdio.h>
#include<string.h>
char line[100];
int y;
char flag = 0;
int stuff =0 ;
void process() {
asm(".intel_syntax noprefix\n");
asm("mov ecx, offset line\n");
asm("mov edx, ecx\n");
asm("mov cl, [edx]\n");
asm("xor eax, eax\n");
asm("jmp A\n");
asm("A:\n");
asm("test cl, cl\n");
asm("jz B\n");
asm("movsx ecx, cl\n");
asm("rol eax, 7\n");
asm("xor eax, ecx\n");
asm("inc edx\n");
asm("mov cl, [edx]\n");
asm("jmp A\n");
asm("B:\n");
asm("mov ecx, offset stuff\n");
asm("mov [ecx], eax\n");
}
int main() {
FILE *fp = fopen("kernel32names", "r");
int ch;
int index = 0;
while((ch=getc(fp))!=EOF) {
if(ch == '\n') {
flag = 0;
line[index] = '\0';
index = 0;
y = 0xA48D6762;
process();
switch(stuff) {
case 0xA48D6762: 
case 0x6E72656B: 
case 0x32336C65:
case 0x6C6C642E:
case 0x6A582465:
case 0x20088E6A:
case 0x6C64746E:
case 0x4C44544E: 
printf("stuff=%08x\t line=%s\n", stuff, line);
break;
}
stuff = 0;
}
else {
line[index] = ch;
++index;
}
}
}
$ gcc -o findnames findnames.c -masm=intel
$ ./findnames
stuff=a48d6762 line=GetModuleHandleA
stuff=20088e6a line=LoadLibraryExA
stuff=6a582465 line=VirtualQuery

Friday, October 28, 2011

Using NtGlobalFlag

This is probably not the right way to go about implementing a NtGlobalFlag check in a exe; I looked around a bit but couldn't find anything else so I decided to go about using Ollydbg to do some manual patching. Like I said, probably not the best way - I just did this for fun. If you know a better way to do this, it would be awesome if you could take a few minutes and let me know in the comments section below.


I did not wanna write assembly from the scratch so I compiled the following code.

#include<stdio.h>
void blah() {
int x,y,z;
}
int main() {
blah();
printf("no debugger present\n");
return 0;
printf("debugger present\n");
getchar();
}
Did a binary patch and fill the rest with NOPs ...

and ran it ...

There are loads of posts out there describing ways to circumvent this - so yeah thats about it for this post.


[UPDATE]
Using inline assembly is probably the right way to go about doing this.

Sunday, October 16, 2011

github repository

From now on I've decided to upload all the malware analysis files into github repositories. Find them here.

Thursday, October 13, 2011

analyzing 8008bf0a06a0ba4dca1c881f4955acc8


Recently, I started analyzing pdf-malware. I got myself a pdf to analyze from malwaredomainlist.com; the hash of the pdf is 8008bf0a06a0ba4dca1c881f4955acc8