- IDA Pro
- Lab19-03.pdf SHA256: 216a1b095dbcf7099f3b91633d5b663554bda1363d8a6a31323a28d4328c380e
- Detection Rate: 37/56
- Analyzed on 2016-06-15
Compilation Date:2010:06:11 15:30:10
- View report here
Analyze the file Lab19-03.pdf. If you get stuck and can’t find the shellcode,
just skip that part of the lab and analyze file Lab19-03_sc.bin using
1. What exploit is used in this PDF?
2. How is the shellcode encoded?
Referring to Figure 3, we can easily see that the payload is unicode encoded by the %u symbol. We could convert it using a unicode2raw tool provided in remnux… or you can write your own simple tool to do it.
3. Which functions does the shellcode manually import?
Before jumping straight into analyze the shellcode, we could use sctest to generate a nice little graph of the piece of shellcode we are analyzing.
Notice the GetFileSize at the bottom left, this indicates that the shellcode is attempting to open a file and is using GetFileSize to find the correct file handler. Perhaps more payload is in the file.
using shellcode_launcher.exe provided by the book, we could launch the shellcode in ollydbg with a open file handle to the pdf file.
On running the malware, the program will break automatically. Manually set the new origin to the next instruction to resume program flow as shown below.
If we look at the handles, we would see that the pdf file is in it as well.
Tracing the shellcode we will soon come into the following codes. The code here is trying to find the function address from kernel32.dll by using a computed checksum.
The shellcodes then attempts to Load shell32 library followed by a search for ShellExecuteA as shown in Figure 11 to 13.
The populated functions are:
4. What filesystem residue does the shellcode leave?
Set breakpoint @ WriteFile and let the shellcode run. As shown in figure 11 and 12, 2 files are dropped on the victim’s machine. They are foo.exe and bar.pdf. Both are located in the temp folder as defined in the env variables of the victim’s machine.
5. What does the shellcode do?
The shellcode attempt to import various functions from kernel32.dll and then using its LoadLibraryA function to load shell32 library to import ShellExecuteA function.
The shellcode then attempts to read the pdf file to extract both the executable payload and a pdf file which are both dropped in the temp folder as foo.exe and bar.pdf respectively.
foo.exe is then executed via CreateProcessA as shwon in Figure 16 and 17.
Bar.pdf is then opened via ShellExecuteA. ShellExecuteA uses the victim’s default application to open the pdf file.