Jump to content
Tuts 4 You

need help to locate Anti-Debugging


gundamfj

Recommended Posts

I have a Locky sample downloaded from https://www.hybrid-analysis.com/sample/03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761?environmentId=4. I find something weird that I don't understand....

The simplified timeline is:

(1) Locky starts and executes GetVolumeNameForVolumeMountPoint.

(2) Locky starts another process called svchost.exe and that process tries to fetch something from C&C(already offline)

The problem is these code below: If you executes the malware, you would observe some C&C traffic captured in Wireshark. If you monitor it with API monitor(http://www.rohitab.com/apimonitor), you would also observe that it tries to connect to C&C. So in both cases GetVolumeNameForVolumeMountPoint succeeds. But if you run this malware with a debugger like Olly or x32dbg, the API call at addr  00405EC3 would fail, which later causes the malware to terminate itself.(a exception raised at addr 00405EE6) That's really weird. Is there any Anti-Debugging involved here? 

.text:00405EA4                 push    ebp
.text:00405EA5                 mov     ebp, esp
.text:00405EA7                 sub     esp, 10Ch
.text:00405EAD                 push    ebx
.text:00405EAE                 push    edi
.text:00405EAF                 push    104h            ; cchBufferLength
.text:00405EB4                 lea     eax, [ebp+szVolumeName]
.text:00405EBA                 push    eax             ; lpszVolumeName
.text:00405EBB                 push    [ebp+lpszVolumeMountPoint] ; lpszVolumeMountPoint
.text:00405EBE                 xor     ebx, ebx
.text:00405EC0                 mov     [ebp+var_4], ebx
.text:00405EC3                 call    ds:GetVolumeNameForVolumeMountPointA
.text:00405EC9                 test    eax, eax
.text:00405ECB                 jnz     short loc_405EEB
.text:00405ECD                 call    ds:GetLastError
.text:00405ED3                 mov     [ebp+var_4], eax
.text:00405ED6                 push    offset unk_413C64
.text:00405EDB                 lea     eax, [ebp+var_8]
.text:00405EDE                 push    eax
.text:00405EDF                 mov     [ebp+var_8], offset off_412218
.text:00405EE6                 call    __CxxThrowException@8 ; _CxxThrowException(x,x)
.text:00405EEB ; ---------------------------------------------------------------------------
.text:00405EEB
.text:00405EEB loc_405EEB:                             ; CODE XREF: sub_405EA4+27j
.text:00405EEB                 lea     eax, [ebp+szVolumeName]
.text:00405EF1                 mov     dword ptr [esi+14h], 0Fh
.text:00405EF8                 mov     [esi+10h], ebx
.text:00405EFB                 mov     [esi], bl
.text:00405EFD                 lea     ecx, [eax+1]

Link to comment
  • 2 weeks later...

True evlncrn8,

He register an SEH then when it fails, it handles it and call GetVolumeNameForVolumeMountPointA("C:") instead of Windows directory and this seems to succeed.

Noteworthy.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...