Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Featured Replies

Posted

Me again. Still a question regarding the Locky sample I got.

Sample downloaded from: https://www.hybrid-analysis.com/sample/03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761?environmentId=4

While investigating its network behaviour, I noticed the malware POST requests to many random-looking domains like wefnew.it, irewr.eu, etc. It looks like this sample has a DGA (domain generation algorithm) embedded. I searched through the code and finally narrowed the range down to a function (at addr 0x4060de) that raises an exception. After the exception is handled, a new domain is produced. It uses the API RaiseException. It's typical SEH exception handling (in C++). But I couldn't track down the code that actually produces a new domain. Any help to track down the DGA?

I admit I lack experience..... I don't know how to debug SEH. It's not a library. It's embedded into the application itself. So I can't press 'Run to user code' and land normally at something I want.

If you want to confirm that the DGA exists, fire up API Monitor and hook all Windows Socket functions.

fs:[0] typically points to it (gs:[0] in x64). Don't forget a vectored continue handler can override it,

and then hardware bpx the seh should do the trick

Edited by evlncrn8

13 hours ago, evlncrn8 said:

fs:[0] typically points to it (gs:[0] in x64). Don't forget a vectored continue handler can override it,

and then hardware bpx the seh should do the trick


THX. I can see the whole SEH chain in x32dbg. Where do I place the hardware breakpoint? I went through the code of the first SEH handler. The SEH handler searches for the correct exception handler and later it should jump to it. Where do I place the hardware bp such that the debugger stops at the very beginning of the exception handler? Could you please explain 'hardware bpx the seh should do the trick'?

Edited by gundamfj

Put the hardware bpx at the start of the SEH, then you can trace it. EB FE'ing it also does the trick.

The DGA is produced at 406588. Until now, Locky has been using GetSystemTime as a starting point to generate domains.
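As an added illustration of the advice above (not code from the thread or from the sample), the following walks a constructed 32-bit stack snapshot the way x32dbg's SEH view does: it follows fs:[0] through each {Next, Handler} record to the 0xFFFFFFFF terminator and lists the handlers that live inside the application image, which are the places to put the hardware execute breakpoint. All addresses, the image range and the snapshot contents are placeholders, not values from the Locky sample.

```python
import struct

# Constructed 32-bit stack snapshot; addresses and handlers are placeholders.
STACK_BASE = 0x0019FF00
TERMINATOR = 0xFFFFFFFF          # Next of the last frame in the chain


def _rec(next_addr, handler):
    # EXCEPTION_REGISTRATION_RECORD: { Next, Handler }, both 32-bit little-endian
    return struct.pack("<II", next_addr, handler)


STACK = bytearray(0x100)
STACK[0x30:0x38] = _rec(0x0019FF70, 0x00401234)  # innermost: handler in the app image (placeholder)
STACK[0x70:0x78] = _rec(0x0019FFC0, 0x77A0B0C0)  # a CRT/ntdll frame (placeholder)
STACK[0xC0:0xC8] = _rec(TERMINATOR, 0x77A1D2E0)  # final frame, Next == 0xFFFFFFFF
FS0 = 0x0019FF30                                  # what fs:[0] holds in this snapshot


def read_record(addr):
    """Return (Next, Handler) of the record at addr, bounds-checked against the snapshot."""
    off = addr - STACK_BASE
    if not 0 <= off <= len(STACK) - 8:
        raise ValueError(f"record at {addr:#010x} is outside the snapshot")
    return struct.unpack_from("<II", STACK, off)


def walk_seh_chain(head, max_frames=64):
    """Follow fs:[0] -> Next -> ... until the terminator; innermost frame first.
    A loop or a Next pointing outside the stack raises instead of spinning,
    which is what you want when a sample tampers with its own chain.
    Note: vectored handlers run before any of these frames and are not on this chain."""
    chain, seen, cur = [], set(), head
    while cur != TERMINATOR and len(chain) < max_frames:
        if cur in seen:
            raise ValueError(f"SEH chain loops back to {cur:#010x}")
        seen.add(cur)
        nxt, handler = read_record(cur)
        chain.append((cur, handler))
        cur = nxt
    return chain


def handler_breakpoints(chain, image_lo, image_hi):
    """Handlers inside the application's image range: candidates for a hardware
    execute breakpoint so the debugger stops at the handler's first instruction."""
    return [h for _, h in chain if image_lo <= h < image_hi]


if __name__ == "__main__":
    chain = walk_seh_chain(FS0)
    for rec, h in chain:
        print(f"record {rec:#010x} -> handler {h:#010x}")
    print("hw bp candidates:", [hex(h) for h in handler_breakpoints(chain, 0x00400000, 0x00410000)])
```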
