PRACTICAL MALWARE ANALYSIS: ANTI-DEBUGGING (LAB 16-02)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler

Sample:

  1. Lab16-02.exe SHA256: 0c3031f630adc6cdd7b877fa1c2982909cde01dff612db5dd7df58cc778dd919

VirusTotal:

  • Detection Rate: 4/54
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-11-03 04:19:52
  • View report here

Lab 16-2
Analyze the malware found in Lab16-02.exe using a debugger. The goal of this
lab is to figure out the correct password. The malware does not drop a malicious
payload.
Questions
1. What happens when you run Lab16-02.exe from the command line?

A picture is worth a thousand words.

Figure 1. Password required

2. What happens when you run Lab16-02.exe and guess the command-line
parameter?

Figure 2. Incorrect password

3. What is the command-line password?

To get the command-line password, we can set a breakpoint at 0x0040123A to see what the malware compares the password against. However, when we run the malware under the debugger, the program simply terminates.

Figure 3. Callbacks

It seems the subroutine at 0x00408033 is called before we reach the main function. Analyzing it in IDA Pro, this subroutine checks for an OLLYDBG window via FindWindowA and also uses OutputDebugString to detect a debugger. Just NOP out the function body and let it return to bypass these checks.

Figure 4. byqrp@ss

And so we get the password… however, this password (obtained with the debugger attached) is invalid when tried on the command line.

Let's look at the subroutine at 0x00401090, which is started via CreateThread. This function generates the password that the input is checked against.

Figure 5. BeingDebugged flag

In the subroutine we can see a check against the BeingDebugged flag… maybe this is the cause. Let's fix the structure (set the flag back to 0) and see how it goes.

Figure 6. byrrp@ss

The decoded password is “byrrp@ss”. However, strncmp only compares the first 4 characters, so only those four need to match.

Figure 7. Correct password

4. Load Lab16-02.exe into IDA Pro. Where in the main function is strncmp
found?

At 0x40123A.

Figure 8. strncmp

5. What happens when you load this malware into OllyDbg using the
default settings?

The program just terminates. In fact, even if I run it from the command line while OllyDbg is running in the background, the application also terminates.

6. What is unique about the PE structure of Lab16-02.exe?

There is a .tls section.

Figure 9. .tls section

7. Where is the callback located? (Hint: Use CTRL-E in IDA Pro.)

At address 0x00401060.

Figure 10. Ctrl-E

8. Which anti-debugging technique is the program using to terminate
immediately in the debugger and how can you avoid this check?

  1. OLLYDBG window via FindWindowA
  2. OutputDebugString to detect a debugger
  3. BeingDebugged flag via fs:[30h]+2

The bypasses are listed under question 11.

9. What is the command-line password you see in the debugger after you
disable the anti-debugging technique?

Refer to the solution for question 3.

10. Does the password found in the debugger work on the command line?

Refer to the solution for question 3.

11. Which anti-debugging techniques account for the different passwords in
the debugger and on the command line, and how can you protect
against them?

  1. OutputDebugString (NOP out the callback function)
  2. BeingDebugged flag (change the structure to set the debug flag back to 0)