gundamfj Posted December 9, 2016
Me again. Question still regarding the Locky sample I got. Sample downloaded from: https://www.hybrid-analysis.com/sample/03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761?environmentId=4 While investigating its network behaviour, I noticed the malware sends POST requests to many random-looking domains like wefnew.it, irewr.eu, etc. It looks like this sample has a DGA (domain generation algorithm) embedded. I searched through the code and finally narrowed the range down to a function (at addr 0x4060de) that raises an exception. After the exception is handled, a new domain is produced. It uses the API RaiseException. It's typical SEH exception handling (in C++). But I couldn't track down the code that actually produces a new domain. Any help tracking down the DGA? I admit I lack experience... I don't know how to debug SEH. It's not a library; it's embedded into the application itself, so I cannot press 'Run to user code' and have it land normally at something I want. If you want to confirm that the DGA exists, fire up API Monitor and hook all Windows Socket functions.
evlncrn8 Posted December 9, 2016
fs:[0] typically points to it (gs:[0] in x64); don't forget a vectored continue handler can override it, and then a hardware bpx on the SEH should do the trick.
gundamfj Posted December 10, 2016 (Author)
13 hours ago, evlncrn8 said: fs:[0] typically points to it (gs:[0] in x64); don't forget a vectored continue handler can override it, and then a hardware bpx on the SEH should do the trick.
Thx. I can see the whole SEH chain in x32dbg. Where do I place the hardware breakpoint? I went through the code of the first SEH handler. The SEH handler searches for the correct exception handler and later should jump to it. Where do I place the hardware bp such that the debugger stops at the very beginning of the exception handler? Could you please explain 'hardware bpx the seh should do the trick'?
evlncrn8 Posted December 10, 2016
Put the hardware bpx at the start of the SEH; then you can trace it. EB FE'ing it also does the trick.
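The procedure evlncrn8 describes (read fs:[0], follow the registration records to each handler, put a hardware execute breakpoint on the handler's first byte, or patch it with EB FE so the thread spins there) as a worked script. This is an added example, not code from the thread or from any debugger; it models memory with a tiny in-process image so it runs offline, and the `read_dword` callback is where a real x32dbg/WinDbg memory read would plug in. The layout facts it relies on are that in a 32-bit process fs:[0] is NT_TIB.ExceptionList, a pointer to the innermost EXCEPTION_REGISTRATION_RECORD { Next, Handler } (two DWORDs), that the chain ends when Next == 0xFFFFFFFF, and that the dispatcher rejects a record that is not DWORD-aligned or that lies outside the thread's stack bounds. Every address and byte in `build_demo_memory()` is constructed for the demo; none is taken from the Locky sample.

```python
"""Walk an x86 SEH chain as a debugger sees it and pick breakpoint targets.

Added example, not code from the thread.  All addresses and bytes in
build_demo_memory() are made up for the demo.
"""
import struct

SEH_CHAIN_END = 0xFFFFFFFF
JMP_SELF = b"\xEB\xFE"          # 'jmp $': the "eb fe" trick from the thread


class Memory:
    """Tiny multi-region memory image standing in for a debugger's read/write API."""

    def __init__(self):
        self.regions = {}       # base address -> bytearray

    def map(self, base, data):
        self.regions[base] = bytearray(data)

    def _locate(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at {addr:#010x}")

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read_dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def walk_seh_chain(read_dword, exception_list, stack_limit=None, stack_base=None,
                   max_depth=64):
    """Return [(record_addr, handler_addr), ...], innermost record first.

    read_dword: callable(addr) -> int (wrap the debugger's memory read here).
    exception_list: the DWORD at fs:[0].  A loop, a misaligned record or one
    outside [stack_limit, stack_base) raises instead of spinning, because a
    corrupted chain is exactly what malware hands you.
    """
    chain, seen, rec = [], set(), exception_list
    while rec != SEH_CHAIN_END:
        if len(chain) >= max_depth or rec in seen or rec & 3:
            raise ValueError(f"bad SEH chain at {rec:#010x}")
        if stack_limit is not None and not (stack_limit <= rec and rec + 8 <= stack_base):
            raise ValueError(f"SEH record {rec:#010x} outside the stack")
        seen.add(rec)
        chain.append((rec, read_dword(rec + 4)))   # Handler is the second DWORD
        rec = read_dword(rec)                       # Next is the first DWORD
    return chain


def breakpoint_targets(chain):
    """Addresses for hardware execute breakpoints: the first byte of every handler,
    innermost first, which is the order the dispatcher tries them in."""
    return [handler for _, handler in chain]


def eb_fe_patch(mem, addr):
    """Overwrite the first two bytes at addr with 'jmp $' so the thread spins there
    when the handler is reached; returns the original bytes for eb_fe_restore()."""
    saved = mem.read(addr, 2)
    mem.write(addr, JMP_SELF)
    return saved


def eb_fe_restore(mem, addr, saved):
    """Put the original bytes back once the debugger has broken in on the spinning thread."""
    mem.write(addr, saved)


def build_demo_memory():
    """Constructed image (not from the sample): a stack with two registration
    records and a code page holding a handler prologue (push ebp; mov ebp,esp;
    sub esp,0x10).  Returns (mem, fs0, stack_limit, stack_base)."""
    stack_limit, stack_base = 0x0019E000, 0x001A0000
    mem = Memory()
    mem.map(stack_limit, bytes(stack_base - stack_limit))
    mem.map(0x00406100, bytes.fromhex("558bec83ec10") + bytes(0x100 - 6))
    # innermost record: Next -> outer record, Handler -> hypothetical in-module handler
    mem.write(0x0019FF40, struct.pack("<II", 0x0019FFCC, 0x00406100))
    # outermost record: Next = end marker, Handler -> hypothetical default handler
    mem.write(0x0019FFCC, struct.pack("<II", SEH_CHAIN_END, 0x77E9A5B0))
    return mem, 0x0019FF40, stack_limit, stack_base


if __name__ == "__main__":
    mem, fs0, lo, hi = build_demo_memory()
    for rec, handler in walk_seh_chain(mem.read_dword, fs0, lo, hi):
        print(f"record {rec:#010x} -> handler {handler:#010x}  (hw bpx / EB FE target)")
```

The innermost handler in the list is the one to break on first: it is the routine the dispatcher calls right after RaiseException, and tracing from its first instruction is what leads to the code that runs once the exception is "handled". The bounds and alignment checks mirror what the dispatcher itself enforces, so a record the script rejects would also make the real process fail rather than reach a handler.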
xoring Posted December 10, 2016
The DGA is produced at 406588. Until now, Locky has been using GetSystemTime as a start to generate domains.
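To make concrete what "GetSystemTime as a start" means for a DGA, here is an illustrative date-seeded generator together with the defender-side precompute. This is an added example and is not Locky's algorithm, nor code from the thread: the seed folding, the LCG constants, the length rule and the TLD list are all made up here. What it shows is the property that matters once the seed is known: every host running the same code on the same day derives the same list, so whoever has the algorithm can produce the list for any date in advance and match domains seen on the wire against it.

```python
"""Illustrative date-seeded DGA and the defender-side precompute.

Added example, not Locky's algorithm: constants, mixing and TLDs are constructed.
"""
import datetime

TLDS = ("it", "eu", "de", "ru")             # constructed list, not the sample's
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SALT = 0x5EED                                # constructed per-family constant


def seed_from_systemtime(year, month, day, salt=SALT):
    """Fold the wYear/wMonth/wDay fields of SYSTEMTIME into one 32-bit seed.
    Hour, minute and second are left out on purpose: the list must be stable
    for the whole day so the bots and the C2 operator agree on it."""
    return ((year << 16) | (month << 8) | day) ^ salt


def lcg_step(state):
    """32-bit linear congruential step (glibc-style constants) used as the PRNG."""
    return (state * 1103515245 + 12345) & 0xFFFFFFFF


def generate(year, month, day, count=6, salt=SALT):
    """Return that day's `count` candidate domains in generation order."""
    state = seed_from_systemtime(year, month, day, salt)
    domains = []
    for _ in range(count):
        state = lcg_step(state)
        length = 5 + (state >> 16) % 5          # 5..9 letters; use the upper bits
        name = []
        for _ in range(length):
            state = lcg_step(state)
            name.append(ALPHABET[(state >> 16) % 26])
        state = lcg_step(state)
        domains.append("".join(name) + "." + TLDS[(state >> 16) % len(TLDS)])
    return domains


def precompute(year, month, day, days, count=6, salt=SALT):
    """Defender side: {iso-date: [domains]} for `days` days from the given date,
    ready to feed a sinkhole or blocklist before the bots ever ask for them."""
    start = datetime.date(year, month, day)
    table = {}
    for n in range(days):
        d = start + datetime.timedelta(days=n)
        table[d.isoformat()] = generate(d.year, d.month, d.day, count, salt)
    return table


def is_generated_for(domain, year, month, day, count=6, salt=SALT):
    """Exact check: is a domain seen in traffic on that day's list?"""
    return domain in generate(year, month, day, count, salt)


def has_generated_shape(domain):
    """Cheap structural triage for this toy's output (lowercase letters-only
    label of 5..9 chars plus one of TLDS).  A hint only; is_generated_for()
    is the real test."""
    label, dot, tld = domain.rpartition(".")
    return (dot == "." and 5 <= len(label) <= 9 and label.isalpha()
            and label.islower() and tld in TLDS)


if __name__ == "__main__":
    for day, domains in precompute(2016, 12, 9, 3).items():
        print(day, " ".join(domains))
```

The point of keeping only the date fields in the seed is the one an analyst exploits: once the function at the address given above is understood, calling it with a future SYSTEMTIME (or re-implementing it as done here) yields the domains before the sample would ever contact them, which is what makes time-seeded DGAs blockable rather than merely observable.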