Tuts 4 You

Issues with fixing a malware dump


LaBBaLa


Hi,

First let me say that this is looking like a great tool!!!

I'm trying to fix a dump of an old malware (so please run it on an isolated VM). The malware is very easy to get to the OEP, and your tool is finding the IAT very correctly, but since the application was virtual-allocated into a different memory region your dump is wrong, and also when I dump it manually and try to fix it, the fix is also done wrong..

I have uploaded the malware here: http://www.mediafire.com/?uk1xa5xoo4mqolu

password: infected

You will also need to change the file extension to *.exe instead of *.txt.

There is a trick in the application that causes an access violation exception in Olly; that's because it registered itself in the SEH for the newly allocated code.

So when you press F9 (run) in Olly and get to the access violation, go to menu: View -> SEH chain: the first address is the code that we are going to execute.

Set a BP on that address and then press Shift+F9 (your address may be different from what I'm pasting here...).

When it breaks you will be in this code, which only calculates the base address of the kernel, so single-step it until the JMP:


003D0046 8BC8 MOV ECX,EAX
003D0048 57 PUSH EDI
003D0049 8BFA MOV EDI,EDX
003D004B 90 NOP
003D004C 90 NOP
003D004D BA 79E54600 MOV EDX,46E579
003D0052 90 NOP
003D0053 87FA XCHG EDX,EDI
003D0055 90 NOP
003D0056 59 POP ECX
003D0057 33CA XOR ECX,EDX
003D0059 90 NOP
003D005A 85C9 TEST ECX,ECX
003D005C 33C0 XOR EAX,EAX
003D005E 90 NOP
003D005F E9 3D020000 JMP 003D02A1

now you will be here:


003D02A1 90 NOP
003D02A2 E8 15010000 CALL 003D03BC
003D02A7 E8 58140000 CALL 003D1704

The first call is the IAT builder, so you can "step over" it, and the second call is our OEP: 003D1704

So step into it and you are now at the OEP.

I gave your tool the OEP 003D1704 and it successfully found the IAT (I only had to resolve 1 unknown API).

Issues:

1. So like I have mentioned, I had to manually dump the file due to the nature of the use of VirtualAlloc, and now we have a new page

2. When trying to rebuild the PE, your application crashes

3. If I use other tools to rebuild the PE and then try to fix the dump, the IAT is still not resolved..

Thanks!

Regards,

LaBBa.


This is an interesting topic. Right now it is not possible to create a valid PE file with an automated tool. You need to do everything manually.

You can't use Scylla to rebuild the IAT because the RVA of the IAT is wrong. The RVA is wrong because of a wrong imagebase. The PE file has the imagebase 0x400000, but actually you have the imagebase 0x3D0000. ImpRec can't do it either. To fix this you need to set the imagebase manually. Right now there is no tool with such a feature I think.

The rebuild function is crashing because the PE file is invalid. I forgot to add a check for a valid PE file. Thanks for that, fixed it already in my code. So it is not possible to rebuild anything here.

If you still want to do it, this should work:

1.) Your dump needs a valid PE header. Copy-paste a PE header from any exe and then adjust it with CFF Explorer.

2.) Get the import table with Scylla. Export it ("save tree"). Open the XML in Notepad++ and fix the wrong iat_rva values.

3.) Import it into Scylla and fix it.


It's not as easy as Aguila suggests. ;) Code in this sample is not aligned to page boundaries, the IAT is somewhere where usually the PE header is, and then there are relocations... It's possible to craft a valid PE file from the memory dump, but that's a lot of extra work.

The easiest way to analyze such malware is to use the same tools and methods as for shellcode analysis. Load the dump as a binary file in IDA, set the correct entrypoint and be prepared for lots of manual work..


I hope that in future versions 2) and 3) will be able to be done automatically in a case where you can see that the code is not aligned to page boundaries and the IAT is somewhere where the PE header usually is..

This will make our life easier..

Regards,

LaBBa


@kao

This is a good point.

I don't know if this really works:

In the DOS header, with the e_lfanew member, you have some power to move the PE header somewhere with enough space. You only need 1 section with execute/read/write rights. I don't think you need relocations if you set the imagebase to 0x3D0000. I don't know what you want to do with the unpacked file. Usually you don't need a working IAT for malware analysis. Use Win XP and the API addresses don't change.

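The two manual steps Aguila describes (give the dump a valid PE header with the image base set to 0x3D0000, and use e_lfanew to park the NT headers wherever there is room, since the IAT occupies the start of the region where a header would normally sit) can be scripted. The following is an added example written for this thread; it is not Scylla's code and not the tool the thread discusses. It assumes a raw dump of the 0x3D0000 region that is a whole number of pages, keeps RVA == file offset by using page-sized section and file alignment, patches only the two DOS-header fields the loader actually reads (e_magic and e_lfanew) so the IAT bytes in between survive, and searches the first page for a zero-filled hole big enough for the NT headers plus one RWX section. The dump it operates on is a constructed stand-in (a fake IAT in page 0, a few bytes at the OEP in page 1), not the sample from the post. The import directory is left empty for Scylla to fill in afterwards; the resulting file is meant for static tooling (CFF Explorer, IDA, Scylla), not for execution.

```python
import struct

# Values from the thread: the unpacked code lives in a VirtualAlloc'd region at
# 0x3D0000 and the OEP (second CALL after the IAT builder) is 0x3D1704.
REGION_BASE = 0x3D0000
OEP_VA = 0x3D1704
PAGE = 0x1000

# Structures that must fit into a hole inside the first page.
NT_HEADERS_SIZE = 4 + 20 + 224          # "PE\0\0" + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32
SECTION_HEADER_SIZE = 40
NEEDED = NT_HEADERS_SIZE + SECTION_HEADER_SIZE   # one section is enough


def find_header_hole(dump, lo=0x40, hi=PAGE):
    """Return an 8-byte-aligned offset of a zero run inside the header page that can
    hold the NT headers and one section header.  The loader only reads e_magic ("MZ")
    and e_lfanew from the DOS header, so bytes 0x02..0x3B (here: part of the IAT that
    sits where a PE header normally is) are never overwritten."""
    for off in range(lo, hi - NEEDED + 1, 8):
        if dump[off:off + NEEDED] == b"\x00" * NEEDED:
            return off
    raise ValueError("no free space for NT headers in the first page")


def va_to_rva(va, image_base, size_of_image):
    """Translate a VA seen in the debugger into an RVA for the rebuilt file.
    With the original file's image base (0x400000) every address in the 0x3D0000
    region falls outside the image, which is why the iat_rva values come out wrong."""
    rva = va - image_base
    if not 0 <= rva < size_of_image:
        raise ValueError(f"VA {va:#x} is outside an image based at {image_base:#x}")
    return rva


def build_pe_from_dump(dump, image_base=REGION_BASE, oep_va=OEP_VA):
    """Turn a raw page-granular memory dump into a PE32 file with RVA == file offset."""
    if len(dump) % PAGE or len(dump) < 2 * PAGE:
        raise ValueError("dump must be at least two whole pages")
    out = bytearray(dump)
    size_of_image = len(dump)
    ep_rva = va_to_rva(oep_va, image_base, size_of_image)
    e_lfanew = find_header_hole(dump)

    file_header = struct.pack("<HHIIIHH",
        0x014C,                 # Machine: IMAGE_FILE_MACHINE_I386
        1,                      # NumberOfSections
        0, 0, 0,                # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        224,                    # SizeOfOptionalHeader (PE32)
        0x0102)                 # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt_header = struct.pack("<HBB9I6H4I2H6I",
        0x010B, 0, 0,                       # Magic PE32, linker version
        size_of_image - PAGE, 0, 0,         # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        ep_rva, PAGE, 0,                    # AddressOfEntryPoint, BaseOfCode, BaseOfData
        image_base, PAGE, PAGE,             # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                   # OS / image / subsystem versions
        0, size_of_image, PAGE, 0,          # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                               # Subsystem GUI; DllCharacteristics 0 (no dynamic base)
        0x100000, 0x1000, 0x100000, 0x1000, # stack / heap reserve and commit
        0, 16)                              # LoaderFlags, NumberOfRvaAndSizes
    data_dirs = b"\x00" * 128               # import directory left empty: Scylla fills it in later
    section = struct.pack("<8sIIIIIIHHI",
        b".dump", size_of_image - PAGE, PAGE, size_of_image - PAGE, PAGE,
        0, 0, 0, 0,
        0xE0000020)                         # CODE | EXECUTE | READ | WRITE, one section as suggested

    out[0:2] = b"MZ"
    struct.pack_into("<I", out, 0x3C, e_lfanew)
    nt = b"PE\x00\x00" + file_header + opt_header + data_dirs + section
    out[e_lfanew:e_lfanew + len(nt)] = nt
    return bytes(out)


def parse_pe(pe):
    """Minimal reader used to check the result: the fields an analyst would verify in
    CFF Explorer before handing the file to Scylla."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsec = struct.unpack_from("<HH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    ep_rva, = struct.unpack_from("<I", pe, opt + 16)
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    size_of_image, = struct.unpack_from("<I", pe, opt + 56)
    name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + 224)
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsec,
            "entry_rva": ep_rva, "entry_va": image_base + ep_rva,
            "image_base": image_base, "size_of_image": size_of_image,
            "section": (name.rstrip(b"\x00").decode(), va, vsize, rawptr, rawsize)}


def make_sample_dump():
    """Constructed stand-in for the real dump (not the sample from the thread): page 0
    starts with a fake IAT of absolute API addresses, page 1 has a few bytes at the
    OEP, page 2 is data.  Everything else is zero, so a header hole exists at 0x40."""
    dump = bytearray(3 * PAGE)
    for i in range(16):                     # fake IAT where the PE header would normally be
        struct.pack_into("<I", dump, i * 4, 0x7C800000 + i * 0x10)
    off = OEP_VA - REGION_BASE
    dump[off:off + 3] = b"\x55\x8b\xec"     # push ebp / mov ebp,esp as a recognisable OEP
    dump[2 * PAGE:2 * PAGE + 4] = b"data"
    return bytes(dump)


if __name__ == "__main__":
    info = parse_pe(build_pe_from_dump(make_sample_dump()))
    print(f"image base {info['image_base']:#x}, OEP VA {info['entry_va']:#x}, "
          f"e_lfanew {info['e_lfanew']:#x}, section {info['section']}")
```

Because headers and section share the page-sized alignment, nothing in the dump moves: every absolute pointer the unpacker left behind still points where it did at 0x3D0000, which is why no relocations are needed, and the IAT in the first page is reachable by RVA for a later import fix. The same va_to_rva check with image base 0x400000 raises, which is the failure the original rebuild ran into.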

I'm just saying that in future versions it would be nice if those issues that we are facing could maybe be solved in one tool (like this one), since right now it requires more than one tool to rebuild it and fix it.

