Shifting yourself to space

March 6, 2012

First thoughts on Purple Haze

I just finished unpacking PurpleHaze a couple of hours ago
I got the sample from Contagio (thank you, once again)

The packer seems really amazing, as it didn’t use any VirtualAlloc*,SetWindowsHookEx,etc functions, which got me a be insane about it, although I didn’t work much on it.

I will try writing about it soon, TDLn rocks, although the kernel driver is poorly written.
When I finished unpacking it and started skimming it in IDA I was quite suprised to see no antidebug stuff,
however I did see some usage of LoadLibrary + GetProcAddress to some functions which reminded me a bit of Spyeye

BTW, my queue has a few more posts which are not started (read: written in my head but not in wordpress ) which most reside about the old hardworking LD (runtime relocation of functions, loading, unloading, etc) and loading ELF on the fly (as nowadays I started fiddling around w/ generating ELFs from scratch ( btw, libelf sucks ) )

the packer, btw, used a really nice technique for calling functions, a simple

push func addr
pop eax
label: jmp label+1
call eax

so, Olly couldn’t disassemble it correctly, nor IDA btw.

A few more fun fragments where the loop_inc_check_false-call_inc_loop

.text:00415400                 jmp     loc_415410
.text:00415405 ; ---------------------------------------------------------------------------
.text:00415405 loc_415405:                             ; CODE XREF: .text:loc_415460j
.text:00415405                 xor     eax, eax
.text:00415407                 xor     eax, [ebp-2Ch]
.text:0041540B                 inc     eax
.text:0041540C                 mov     [ebp-2Ch], eax
.text:00415410 loc_415410:                             ; CODE XREF: .text:00415400j
.text:00415410                 cmp     dword ptr [ebp-2Ch], 19h
.text:00415418                 jnb     loc_415465
.text:0041541E                 cmp     dword ptr [ebp-2Ch], 8
.text:00415426                 jnz     loc_415449
.text:0041542C                 mov     eax, 645h
.text:00415431                 sub     eax, 292h
.text:00415436                 push    dword ptr [ebp-28h]
.text:00415439                 push    0
.text:0041543B                 push    offset dword_4020B4
.text:00415440                 push    dword ptr [ebp-1Ch]
.text:00415443                 call    ds:WaitForMultipleObjects
.text:00415449 loc_415449:                             ; CODE XREF: .text:00415426j
.text:00415449                 cmp     dword ptr [ebp-2Ch], 7
.text:00415451                 jnz     loc_415460
.text:00415457                 mov     eax, [ebp-2Ch]
.text:0041545B                 inc     eax
.text:0041545C                 mov     [ebp-2Ch], eax
.text:00415460 loc_415460:                             ; CODE XREF: .text:00415451j
.text:00415460                 jmp     loc_415405

The function there will be never be executed, it is only a false positive call

This is a smart move imho, it add more imports not to make the binary suspicious and also makes the debugger more frustrated of why this superficial call is made

I think however that the fun will be when I’ll start messing around the drivers themselves and understanding the packer in a more brief way.
I still want to know(after skimming the unpacked exe though) how the actual unpacking process works in depth other than the decryption part.
Diving in

I ran the malware on vbox, using Olly w/ phant0m, OD and OllyDump, other plugins like ollysync weren’t usable, as the malware has several encrypted portions which are only decrypted later on.

So a quick look on peid shows it’s encrypted/packed/protected, the fist thing I’ve done was to step the code a bit, this is how the packed entry point looked like :

.text:0041514B start:
.text:0041514B                 sub     eax, 50FBh
.text:00415150                 push    ebp
.text:00415151                 mov     ebp, esp
.text:00415153                 sub     esp, 0CCh
.text:00415159                 push    ebx
.text:0041515A                 mov     ebx, 44CE26Ah
.text:0041515F                 mov     [ebp-4], ebx
.text:00415162                 push    offset aKdsiiuduikjdkl ; "KDSIiuduiKJDkljDYUOdOYHD"
.text:00415167                 mov     dword ptr [ebp-8], 44CE269h
.text:0041516E                 call    ds:GetModuleHandleW
.text:00415174                 cmp     esi, ds:sz._cx
.text:0041517A                 sub     ds:dword_4020C4, offset dword_402104
.text:00415184                 xor     ds:dword_4020C4, offset dword_4020EC
.text:0041518E                 sbb     ds:dword_4020C4, offset dword_402110
.text:00415198                 test    eax, eax
.text:0041519A                 jz      loc_41537C
.text:004151A0 loc_4151A0:                             ; CODE XREF: .text:0041538Aj
.text:004151A0                 xor     eax, eax
.text:004151A2                 inc     eax
.text:004151A3                 jmp     loc_4158CA

For a reason which is not known at this, the malware checks for the existence of the “KDSIiuduiKJDkljDYUOdOYHD” module
if it exists, the malware exits

.text:004158CA loc_4158CA:                             ; CODE XREF: .text:004151A3j
.text:004158CA                 pop     ebx
.text:004158CB                 leave
.text:004158CC                 retn    0Ch

The machine I ran it on wasn’t virgin it all, it was an unpatched winxp-sp2, running on virtualbox, along with virtualbox tools etc
I didn’t see any efforts at detecting virtualization but I haven’t tried enough.
Either way, the classical CreateToolhelp32Snapshot would easily defeat my box.

When I started debugging it I made Olly stop every time a new module is being loaded, so in case I’ll lose any stealthy API call
I’ve set a bp on VirtualAlloc and on FS:[0x30] aka PEB.

VirtualAlloc seems to be the main functions which might help unpacking, having any sort of fast phase to try finding how does it know the addresses failed (PEB trick is not used directly, anywho)

I have seen at least 4 allocations which one of them was a PE being written into memory, others were just data which I didn’t manage to parse yet, some of it gets freed so I assume it’s not used in unpacking and probably manipulated with other sections.
One thing I really liked about the dropper is that it doesn’t use any direct manipulations of the segments modifiers, something which was a for me in order to detect different behavior, all segments which need to be written are already RWX’ed, so it makes finding the sweet spots a bit harder.

A small note to the debugger would be to also add a breakpoint on VirtualFree to locate memory regions which were free()’ed
After a few VirtualAlloc’s there will be another PE which is dumped to memory , my lucky address was 0xA30000 , it is a bit important to note that the PE header will be “corrupted” with the filename at the beginning (mine was php.dll, thanks Contagio, again, for the sample), so I just removed the first few bytes until I got the classical 4D5A w/ hex workshop

After a quick look at this PE it looks like a dll, perhaps the dropper is planning to inject it to some processes ? let’s skim the DLL in one byte look

.text:10003D05                 push    ebp
.text:10003D06                 mov     ebp, esp
.text:10003D08                 sub     esp, 124h
.text:10003D0E                 cmp     [ebp+Str1], 1
.text:10003D12                 push    ebx
.text:10003D13                 push    esi
.text:10003D14                 push    edi
.text:10003D15                 jnz     ret_loc_10003E23
.text:10003D1B                 xor     ebx, ebx
.text:10003D1D                 push    ebx             ; dwMaximumSize
.text:10003D1E                 push    ebx             ; dwInitialSize
.text:10003D1F                 push    ebx             ; flOptions
.text:10003D20                 call    ds:HeapCreate
.text:10003D26                 mov     hHeap, eax
.text:10003D2B                 call    ds:GetTickCount
.text:10003D31                 mov     edi, ds:PathFindFileNameA
.text:10003D37                 mov     GetTickCount_dword_10008264, eax
.text:10003D3C                 mov     [ebp+Str1], ebx ; zero
.text:10003D3F                 cmp     [ebp+Source], ebx
.text:10003D42                 jz      short loc_10003D6A
.text:10003D44                 push    [ebp+Source]    ; pszPath
.text:10003D47                 call    edi ; PathFindFileNameA
.text:10003D49                 push    104h            ; Count
.text:10003D4E                 push    [ebp+Source]    ; Source
.text:10003D51                 mov     esi, offset byte_10008268
.text:10003D56                 push    esi             ; Dest
.text:10003D57                 mov     [ebp+Str1], eax
.text:10003D5A                 call    ds:strncpy
.text:10003D60                 add     esp, 0Ch
.text:10003D63                 push    esi             ; pszPath
.text:10003D64                 call    ds:PathRemoveFileSpecA

I don’t know the value of Str1, but it’s likely to not contain1 as if not the DLL would exit/return
We see a small dummy call to HeapCreate w/ zero values and then GetTickCount.
I didn’t analyze the whole DLL at all, just dumped it and gave a quick look but it is quite important to know this address
As timing attacks are the debugger’s worst enemy, and no plugin can detect them so easily.

A few more calls are made but the actual “meat” which really goes is starts from a sequence of several “strcmp” for interesting values
such as – svchost.exe netcvs jp2launcher and java

Another interesting thing is the CreateEvent call which is made here :

xor     eax, eax
mov     [ebp+var_20], 1
lea     edi, [ebp+var_1F]
push    4
lea     eax, [ebp+var_20]
mov     [ebp+EventAttributes.lpSecurityDescriptor], eax
pop     eax
push    offset aPh0     ; "ph0"
push    offset aGlobal  ; "Global"
mov     [ebp+var_1E], ax
lea     eax, [ebp+Name]
push    offset aSS      ; "%s\\%s"
push    eax             ; Dest
mov     [ebp+EventAttributes.nLength], 0Ch
mov     [ebp+EventAttributes.bInheritHandle], ebx
call    ds:sprintf
add     esp, 10h
lea     eax, [ebp+Name]
push    eax             ; lpName
push    ebx             ; bInitialState
push    ebx             ; bManualReset
lea     eax, [ebp+EventAttributes]
push    eax             ; lpEventAttributes
call    ds:CreateEventA
mov     esi, eax
cmp     esi, ebx
jz      short ret_loc_10003E23

If you skim a bit in msdn you’ll obviously understand that this is some sort of way to communicate to the outside world.
There is another call which creates a local event

push    offset aPh0     ; "ph0"
push    offset aLocal   ; "Local"
lea     eax, [ebp+Name]
push    offset aSS      ; "%s\\%s"
push    eax             ; Dest
call    ds:sprintf
add     esp, 10h
lea     eax, [ebp+Name]
push    eax             ; lpName
push    ebx             ; bInitialState
push    ebx             ; bManualReset
push    ebx             ; lpEventAttributes
call    ds:CreateEventA
test    eax, eax
jz      short ret_loc_10003E23

I have seen some Thread interaction and my guess is that this DLL is either a module or gets injected to other processes (as the interaction w/ the many strcmp’s of java/jp2launcher/etc)
Another interesting string I encountered was

<body><a id=link href='%s'></body><script>document.getElementById('link').click()</script>

Hum, a clicker ? Botnet ? hum hum hum who knows.
I got a bit tripped off the unpacking stage, as this DLL got my attention
Finding Kernel32.dll

One thing which got my attention while skimming the packed EXE was the fact that all calls to external (aka DLL) functions were made from something like

call [ebp+8]

An arithmetic manipulation was done in order to keep the actual value on the stack secret until the real call is made, a short XOR,ADD,SBB calls were made in order
to reveal the real value, but , how do they know the actual value of the function they wish to call ?

My journey actually began while I was debugging the VirtualAlloc/VirtualProtect calls, I knew who’s calling them ( all I had to do was to return from the call, as no special
push’s were made before the call ) but I didn’t know how they retrieve the address.
So I set my side on VirtualAlloc to try demonstrate the process I’ve done in order to reveal it

Let’s see:

7C809A7E                                            90                         NOP
7C809A7F                                            90                         NOP
7C809A80                                            90                         NOP
7C809A81 kernel32.VirtualAlloc                      8BFF                       MOV EDI,EDI
7C809A83                                            55                         PUSH EBP
7C809A84                                            8BEC                       MOV EBP,ESP
7C809A86                                            FF75 14                    PUSH DWORD PTR SS:[EBP+14]
7C809A89                                            FF75 10                    PUSH DWORD PTR SS:[EBP+10]
7C809A8C                                            FF75 0C                    PUSH DWORD PTR SS:[EBP+C]
7C809A8F                                            FF75 08                    PUSH DWORD PTR SS:[EBP+8]                                               ; ntdll.7C960738
7C809A92                                            6A FF                      PUSH -1
7C809A94                                            E8 09000000                CALL kernel32.VirtualAllocEx
7C809A99                                            5D                         POP EBP                                                                 ; ntdll.7C960738
7C809A9A                                            C2 1000                    RETN 10
7C809A9D                                            90                         NOP
7C809A9E                                            90                         NOP

This is the classical VirtualAlloc inside kernel32.dll as the EXE had tremendous API it was trivial to find the base of it w/ a simple lea eax, VirtualAlloc and then just looking for MZ and parsing the imports.
However, this is not the case, there are many ways to  get kernel32.dll base in an environment where you don’t have GetProc and LoadLibrary , but none of them were used here, at least from what I’ve seen.
I tried setting breakpoints both at FS:[0x18],FS:[0] (SEH), FS:[0x30] but none worked, I always stopped at different DLL locations, which didn’t really find my interest

The call was made, a memory region was created and the function returned here :

004102FB                                           .^\E0 C3                    LOOPDNE SHORT w_php.004102C0
004102FD                                           >  FF55 08                  CALL DWORD PTR SS:[EBP+8]                                               ;  kernel32.VirtualAlloc
00410300                                           .  837D 10 00               CMP DWORD PTR SS:[EBP+10],0
00410304                                           .  8945 14                  MOV DWORD PTR SS:[EBP+14],EAX
00410307                                           .  0F84 24000000            JE w_php.00410331
0041030D                                           .  837D 0C 00               CMP DWORD PTR SS:[EBP+C],0
00410311                                           .  0F85 1A000000            JNZ w_php.00410331

Remember the call [ebp+8] I mentioned earlier ? exactly.
Be no mistaken about the loopdne here, it’s just a call +ret to make olly think otherwise

So stepping a bit back leads us to

00410189                                           .  55                       PUSH EBP
0041018A                                           .  8BEC                     MOV EBP,ESP
0041018C                                           .  83EC 54                  SUB ESP,54
0041018F                                           .  8D45 10                  LEA EAX,DWORD PTR SS:[EBP+10]
00410192                                           .  C745 F4 04000000         MOV DWORD PTR SS:[EBP-C],4
00410199                                           .  8945 F0                  MOV DWORD PTR SS:[EBP-10],EAX
0041019C                                           .  8B45 F0                  MOV EAX,DWORD PTR SS:[EBP-10]
0041019F                                           .  8138 6AE24C04            CMP DWORD PTR DS:[EAX],44CE26A
004101A5                                           .  53                       PUSH EBX
004101A6                                           .  56                       PUSH ESI
004101A7                                           .  0F84 50010000            JE w_php.004102FD

which is the start of the function,

October 14, 2011

Inside KiSystemService


I wanted to write this post for over a week and couldn’t find a decent way to start writing it well.KiSystemService is one of the interesting functions I ran into while reversing ntoskrnl.exe and I have always wanted to understand it from top to bottom, I took myself a copy of Windows Internals but they did not seem to draw a complete
flow of how things go from userland to kernel land and how the actual function gets executed.I hope this post would fill some blank objects for those who are interested in understanding the actual mechanism.

To start our post I will use winxp sp2 on vbox to test it, among with IDA, calc.exe, ollydbg and windbg to ease up reversing, I’m lazy- yes, I can’t be arsed to start looking for different symbols/struct when I got both windbg’s dt/dds and IDA’s flowgraph,
for userland debugging I’ll use olly, and for kernel I’ll use windbg, IDA is only used for the flowgraph.

For this post I had chosen a random function to follow which is CloseHandle,
I will not dive into the actual code of what it does and how CloseHandle works, I will only explain how things are working in order to get the actual execution.
I will try describing things at my best, however I’m not a Windows guru so be aware of some mistakes I might do, most of the material I will be writing here is pieces of information written in several (many) places, the purpose of this post would probably be to gather most of them into one post.


KiSystemService is a kernel function which provides system services, what does that mean you might ask ? and why would I want to know about it ?

KiSystemService is a function in kernel land which is triggered after a system service request is called. It is actually the last gateway between the actual function in kernel land the usermode process which wants to call (in our case, CloseHandle inside calc.exe).

“Wait a second”, someone might say, “but I got CloseHandle inside a dll in usermode!”

That is correct 🙂 but if we look carefully enough, we will see that the actual function which does the “real thing” is not in userland (e.g not in kernel32.dll or in ntdll.dll).
NTDLL or KERNEL32.dll only deal with error handling and parameter verification so the kernel could deal with the real thing – which is in our case close the specified handle.

Let’s take a quick look about how things are going inside calc.exe
I found where CloseHandle is imported from (kernel32.dll) and looked for any references to it, then I just printed out the function which calls it,
it does not really matter what this function does, let’s see what’s going on there.

/*100436C*/  PUSH ESI
/*100436D*/  PUSH DWORD PTR DS:[1014EFC]
/*1004373*/  MOV ESI,DWORD PTR DS:[<&KERNEL32.SetEvent>]
/*1004379*/  MOV DWORD PTR DS:[1014EF8],1
/*1004383*/  CALL ESI
/*1004385*/  PUSH DWORD PTR DS:[1014F00]
/*100438B*/  CALL ESI
/*100438D*/  PUSH 9C40
/*1004392*/  PUSH DWORD PTR DS:[1014F04]
/*1004398*/  CALL DWORD PTR DS:[<&KERNEL32.WaitForSingleObject>]
/*100439E*/  PUSH DWORD PTR DS:[1014EFC]
/*10043A4*/  MOV ESI,DWORD PTR DS:[<&KERNEL32.CloseHandle>]
/*10043AA*/  CALL ESI
/*10043AC*/  PUSH DWORD PTR DS:[1014F00]
/*10043B2*/  CALL ESI
/*10043B4*/  PUSH DWORD PTR DS:[1014F04]
/*10043BA*/  CALL ESI
/*10043BC*/  POP ESI
/*10043BD*/  RETN

Looks quite simple right ? CloseHandle only gets one argument, according to it’s prototype on msdn

BOOL WINAPI CloseHandle(
  __in  HANDLE hObject

I hope this clears things a bit.
Now let’s dive into Kernel32.CloseHandle

.text:7C809B77                 mov     edi, edi
.text:7C809B79                 push    ebp
.text:7C809B7A                 mov     ebp, esp
.text:7C809B7C                 mov     eax, large fs:18h ; TEB
.text:7C809B82                 mov     ecx, [eax+30h]  ; TEB->PEB
.text:7C809B85                 mov     eax, [ebp+hObject] ; userparam
.text:7C809B88                 cmp     eax, STD_ERROR_HANDLE
.text:7C809B8B                 jz      std_error_handle_res ; PEB->ProcessParameters->StandardError
.text:7C809B91                 cmp     eax, STD_OUTPUT_HANDLE
.text:7C809B94                 jz      std_output_handle ; PEB->ProcessParameters->StandardOutput
.text:7C809B9A                 cmp     eax, STD_INPUT_HANDLE
.text:7C809B9D                 jz      std_input_handle_res ; PEB->ProcessParameters->StandardInput
.text:7C809BA3 do_NtClose:                             ; CODE XREF: CloseHandle+1456Ej
.text:7C809BA3                                         ; CloseHandle+14579j ...
.text:7C809BA3                 mov     ecx, eax        ; hObject
.text:7C809BA5                 and     ecx, 10000003h
.text:7C809BAB                 cmp     ecx, 3
.text:7C809BAE                 push    eax
.text:7C809BAF                 jz      loc_7C81D937
.text:7C809BB5                 call    ds:NtClose
.text:7C809BBB                 test    eax, eax
.text:7C809BBD                 jl      loc_7C81E0D2
.text:7C809BC3                 xor     eax, eax
.text:7C809BC5                 inc     eax

Let’s try to understand what is going on there

.text:7C809B7C                 mov     eax, large fs:18h ; TEB

FS:[18] is the Thread Environment Block,

.text:7C809B82                 mov     ecx, [eax+30h]  ; TEB->PEB

lkd> dt ntdll!_TEB
   +0x000 NtTib            : _NT_TIB
   +0x01c EnvironmentPointer : Ptr32 Void
   +0x020 ClientId         : _CLIENT_ID
   +0x028 ActiveRpcHandle  : Ptr32 Void
   +0x02c ThreadLocalStoragePointer : Ptr32 Void
   +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
   +0x034 LastErrorValue   : Uint4B
   +0x038 CountOfOwnedCriticalSections : Uint4B
   +0x03c CsrClientThread  : Ptr32 Void
   +0x040 Win32ThreadInfo  : Ptr32 Void
   +0x044 User32Reserved   : [26] Uint4B

CloseHandle first checks the values in the parameter passed to see if they are some sort of errors, it prepares for 3 conditions

which both eventually access TEB->PEB->ProcessParameter param, each with their own unique value.
Eventually, or if none of the above conditions did not happen,

.text:7C809BB5                 call    ds:NtClose

NtClose is called.

just a quick note regarding anyone who is following my post and is not
using winxp, the PEB structure has changed across different versions of Windows,
I have tried looking at from kd and it didn’t look the same, so you have two choices
either fetch the right .h file or use a vm and debug it correctly to get the same results I got

NtClose is not part of kernel32.dll but it is part of ntdll.dll which is actually the core dll that all system service function eventually dwell into.

I had a slight problem to find NtClose in ntdll.dll but eventually realized that I should look for ZwClose, in order not to go outside the barriers of this post, there is a really good post on osronline which explains it briefly why Zw and not Nt (or vice versa).

.text:7C95D586 ZwClose         proc near               ; CODE XREF: RtlFormatCurrentUserKeyPath+6Cp
.text:7C95D586                                         ; RtlDosSearchPath_U+23Ap ...
.text:7C95D586                 mov     eax, 19h        ; NtClose
.text:7C95D58B                 mov     edx, 7FFE0300h
.text:7C95D590                 call    dword ptr [edx]
.text:7C95D592                 retn    4
.text:7C95D592 ZwClose         endp

0x7FFE0300 is a pointer to the system call stub, basically it consists of a simple 3 instruction code block, for more information about it (there is a short description of why we can’t disassemble 0x7FFE0300 directly) see here, or look at Nynaeve’spost (ironically, I found his post while writing this post, and he also wrote about NtClose, hehe, although he’s speaking about int 2eh, and we’re dealing with the newer version, the only difference (that I know of), is that the trap frames differs, but nothing more than that, if you lost me here it’s cool, more on this later )

.text:7C95EB8B KiFastSystemCall proc near              ; DATA XREF: .text:off_7C95395Co
.text:7C95EB8B                 mov     edx, esp
.text:7C95EB8D                 sysenter

There are two important things I almost forgot to mention here.
The first is the transfer of 19h to eax in ZwClose,
this is an index number which is quite important for us while we’ll be in kernel land.
The second thing is the mov edx,esp – we move the stack arguments – aka hObject of CloseHandle to kernel so it would know what to close.

Inside sysenter

Phew, wicked, we’ve now got to our first barrier, after we passed from calc.exe to kernel32.dll and into ntdll.dll and into SystemCallStub, we’ve finally managed to get into kernel land, let’s try to summarize it with a short chart (sorry for not owning visio :/ )

Phew 🙂 Finally, we got to the actual sysenter call which transfers to the kernel and does the actual call.
Before we continue again I would like quote from Intel’s Developer’s Manual about the sysenter instruction to see what it actually does and how it know to contact the right function

Executes a fast call to a level 0 system procedure or routine.
SYSENTER is a companion instruction to SYSEXIT.

The instruction is optimized to provide the maximum performance for system calls from user code running at privilege level 3 to operating system or executive procedures running at privilege level 0.

Prior to executing the SYSENTER instruction, software must specify the privilege level 0 code segment and code entry point, and the privilege level 0 stack segment and stack pointer by writing values to the following MSRs:

•IA32_SYSENTER_CS — Contains a 32-bit value, of which the lower 16 bits are the segment selector for the privilege level 0 code segment. This value is also used to compute the segment selector of the privilege level 0 stack segment.
•IA32_SYSENTER_EIP — Contains the 32-bit offset into the privilege level 0 code segment to the first instruction of the selected operating procedure or routine.
•IA32_SYSENTER_ESP — Contains the 32-bit stack pointer for the privilege level 0 stack.These MSRs can be read from and written to using RDMSR/WRMSR. Register addresses are listed in Table 4-17. The addresses are defined to remain fixed for future Intel 64 and IA-32 processors.

Traps taps traps taps

So, sysenter reads it’s information from the MSR registers to know where KiSystemService is, it also gets the stack and makes sure that the segment is executable (Intel specifies that the page must be readable, and executable )
The MSR registers are filled upon boot with the appropriate values, there must be a small note here about different types of Processors, as some processors do not support the sysenter opcode, Windows upon boot time detects the processor type and then chooses which values and which interrupt types to use,
whether it should use int 2eh, syscall, epc (IA-64) or sysenter, nix users will remember the good old int 0x80 or \xcd\x80 from nifty shellcodes (;

Before we continue to dive directly into KiSystemService some theory is required to understand the actual internals of it.
When calling a service function (in our case CloseHandle), the SYSENTER instruction makes transition to the kernel land and once it has finished executing the function it calls SYSEXIT to back to the user.
The user continues it’s work as if nothing happened and it does not have to restore any values or anything like it. This might be quite trivial for most of you, as those who code in usermode know that they never needed any sort of special adjustment to the stack, or to save any sort of values.
The coder (or the program/process/etc), just needs to check for the returned value and then continue it’s execution prior to the result (if there was an error, handle it, if everything worked, continue to the next task etc etc).
In other words – the kernel takes care of everything for the usermode process to continue it’s execution as if the actual function was in ntdll.dll.

How can this be ? some might ask, well we’re here to find out 😛
There is no magic here, the kernel does so by building a “trap frame” to save
all the important things it needs in order to restore execution back to usermode

Short note though – Windows changes it’s trap frame from version to version, and from call to call, sysenter’s trap frame is different from int 2eh’s trap frame ,
however this is the only difference between these two functions,

Short note though, before dive into the trap frame, depending on the call type, the trap frame also changes, what does it mean ?
It means that if your processor does not support the SYSENTER instruction, and uses int 2eh it means that the trap frame generated by int 2eh will be different from the trap frame of SYSENTER’s.
Eventually, however, both will jmp into KiSystemService (no call, but a simple jmp).
That is the only difference that I know of between different call mechanisms (sysenter, syscall, int 2eh, epc, etc , but I’d be fond to know if there is anything else ).

So what is exactly a trap frame ? I’ll try quoting from Windows Internals and I hope it will give a satisfying answers.

When a hardware exception or interrupt is generated, the processor records enough machine state on the kernel stack of the thread that’s interrupt so that is can return that point in the control flow and continue execution as if nothing had happened. If the thread was executing in user mode, Windows switches to the thread’s kernel-mode stack. Windows then creates as trap frame on the kernel stack of the interrupted thread into which it stores the execution state of the thread. The trap is a subset of a thread’s complete context, and you can view its definition by typing dt nt!_ktrap_frame in the kernel debugger.

So, the trap frame keeps information about the current thread context so it could restore it with SYSEXIT instruction, that is (;
This is winxp’s trap frame from windbg :

lkd> dt nt!_KTRAP_FRAME
   +0x000 DbgEbp           : Uint4B
   +0x004 DbgEip           : Uint4B
   +0x008 DbgArgMark       : Uint4B
   +0x00c DbgArgPointer    : Uint4B
   +0x010 TempSegCs        : Uint4B
   +0x014 TempEsp          : Uint4B
   +0x018 Dr0              : Uint4B
   +0x01c Dr1              : Uint4B
   +0x020 Dr2              : Uint4B
   +0x024 Dr3              : Uint4B
   +0x028 Dr6              : Uint4B
   +0x02c Dr7              : Uint4B
   +0x030 SegGs            : Uint4B
   +0x034 SegEs            : Uint4B
   +0x038 SegDs            : Uint4B
   +0x03c Edx              : Uint4B
   +0x040 Ecx              : Uint4B
   +0x044 Eax              : Uint4B
   +0x048 PreviousPreviousMode : Uint4B
   +0x04c ExceptionList    : Ptr32 _EXCEPTION_REGISTRATION_RECORD
   +0x050 SegFs            : Uint4B
   +0x054 Edi              : Uint4B
   +0x058 Esi              : Uint4B
   +0x05c Ebx              : Uint4B
   +0x060 Ebp              : Uint4B
   +0x064 ErrCode          : Uint4B
   +0x068 Eip              : Uint4B
   +0x06c SegCs            : Uint4B
   +0x070 EFlags           : Uint4B
   +0x074 HardwareEsp      : Uint4B
   +0x078 HardwareSegSs    : Uint4B
   +0x07c V86Es            : Uint4B
   +0x080 V86Ds            : Uint4B
   +0x084 V86Fs            : Uint4B
   +0x088 V86Gs            : Uint4B

hum, woot, now let’s dive into the actual KiSystemService function

KiSystemService is quite a simple function, it is divided into several parts
that once you understand all of them it’s quite easy to understand the whole concept.
Eventually, the function does two main things:
1. Setup a trap frame to save all the information required to restore to usermode
without any special treatment from the usermode process which takes control.
2. Locate the system service function in the System Service Descriptor Table and call it.

Setting up the trap frame

.text:00407EA6                 push    0
.text:00407EA8                 push    ebp
.text:00407EA9                 push    ebx
.text:00407EAA                 push    esi
.text:00407EAB                 push    edi
.text:00407EAC                 push    fs
.text:00407EAE                 mov     ebx, 30h        ; KGDT_R0_PCR
.text:00407EB3                 db      66h
.text:00407EB3                 mov     fs, bx          ; push fs actually, IDA fuckup
.text:00407EB3                                         ; save and set FS to PCR
.text:00407EB3                                         ; set PCR segment number
.text:00407EB6                 push    dword ptr ds:0FFDFF000h ; KGDT_R3_TEB | RPL_MASK
.text:00407EBC                 mov     dword ptr ds:0FFDFF000h, 0FFFFFFFFh
.text:00407EC6                 mov     esi, ds:0FFDFF124h ; get current thread address from PCR[PcPrcbData + PbCurrentThread ]
.text:00407EC6                                         ;
.text:00407EC6                                         ; PcPrcbData and PbCurrentThread are constant values
.text:00407ECC                 push    dword ptr [esi+140h] ; save old exception list
.text:00407ED2                 sub     esp, 48h        ; Start a new exception list, calculate the value and put it in PCR[PcExceptionList]
.text:00407ED5                 mov     ebx, [esp+68h+arg_0]
.text:00407ED9                 and     ebx, 1          ; Logical AND
.text:00407EDC                 mov     [esi+140h], bl  ; bl = EXCEPTION_CHAIN_END
.text:00407EE2                 mov     ebp, esp        ; new stack
.text:00407EE4                 mov     ebx, [esi+134h] ; Save the current trap frame addr
.text:00407EEA                 mov     [ebp+3Ch], ebx
.text:00407EED                 mov     [esi+134h], ebp
.text:00407EF3                 cld                     ; Clear Direction Flag
.text:00407EF4                 mov     ebx, [ebp+60h]
.text:00407EF7                 mov     edi, [ebp+68h]
.text:00407EFA                 mov     [ebp+0Ch], edx
.text:00407EFD                 mov     dword ptr [ebp+8], 0BADB0D00h
.text:00407F04                 mov     [ebp+0], ebx
.text:00407F07                 mov     [ebp+4], edi
.text:00407F0A                 test    byte ptr [esi+2Ch], 0FFh ; Logical Compare
.text:00407F0E                 jnz     nt_Dr_kss_a     ; if zero we're currently debugging

The first few lines are only pushing arguments in order to save them, 0 is pushed for padding reasons or error or anything like, please do not hate me, I do not know the frame by my heart.

esi is playing a key point here, it points to the PCR (Processor Control Region)
by looking at the correct offsets (and with some great help from WRK), it is possible to
understand most of the code.
There’s one important thing to note here is that the PreviousMode is saved in order to distinguish between whether we’ve came from usermode or kernelmode,
this is quite important to know, so we’ll know how to get the parameters.

kd> dt ntkrnlpa!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : Ptr32 _KPCR
   +0x020 Prcb             : Ptr32 _KPRCB
   +0x024 Irql             : UChar
   +0x028 IRR              : Uint4B
   +0x02c IrrActive        : Uint4B
   +0x030 IDR              : Uint4B
   +0x034 KdVersionBlock   : Ptr32 Void
   +0x038 IDT              : Ptr32 _KIDTENTRY
   +0x03c GDT              : Ptr32 _KGDTENTRY
   +0x040 TSS              : Ptr32 _KTSS
   +0x044 MajorVersion     : Uint2B
   +0x046 MinorVersion     : Uint2B
   +0x048 SetMember        : Uint4B
   +0x04c StallScaleFactor : Uint4B
   +0x050 DebugActive      : UChar
   +0x051 Number           : UChar
   +0x052 Spare0           : UChar
   +0x053 SecondLevelCacheAssociativity : UChar
   +0x054 VdmAlert         : Uint4B
   +0x058 KernelReserved   : [14] Uint4B
   +0x090 SecondLevelCacheSize : Uint4B
   +0x094 HalReserved      : [16] Uint4B
   +0x0d4 InterruptMode    : Uint4B
   +0x0d8 Spare1           : UChar
   +0x0dc KernelReserved2  : [17] Uint4B
   +0x120 PrcbData         : _KPRCB

 dt ntkrnlpa!_KPRCB
   +0x000 MinorVersion     : Uint2B
   +0x002 MajorVersion     : Uint2B
   +0x004 CurrentThread    : Ptr32 _KTHREAD
   +0x008 NextThread       : Ptr32 _KTHREAD
   +0x00c IdleThread       : Ptr32 _KTHREAD
   +0x010 Number           : Char
   +0x011 Reserved         : Char
   +0x012 BuildType        : Uint2B
   +0x014 SetMember        : Uint4B
   +0x018 CpuType          : Char
   +0x019 CpuID            : Char
   +0x01a CpuStep          : Uint2B
   +0x01c ProcessorState   : _KPROCESSOR_STATE
   +0x33c KernelReserved   : [16] Uint4B
   +0x37c HalReserved      : [16] Uint4B
   +0x3bc PrcbPad0         : [92] UChar
   +0x418 LockQueue        : [16] _KSPIN_LOCK_QUEUE
   +0x498 PrcbPad1         : [8] UChar
   +0x4a0 NpxThread        : Ptr32 _KTHREAD
   +0x4a4 InterruptCount   : Uint4B
   +0x4a8 KernelTime       : Uint4B
   +0x4ac UserTime         : Uint4B
   +0x4b0 DpcTime          : Uint4B
   +0x4b4 DebugDpcTime     : Uint4B
   +0x4b8 InterruptTime    : Uint4B
   +0x4bc AdjustDpcThreshold : Uint4B
   +0x4c0 PageColor        : Uint4B
   +0x4c4 SkipTick         : Uint4B
   +0x4c8 MultiThreadSetBusy : UChar
   +0x4c9 Spare2           : [3] UChar
   +0x4cc ParentNode       : Ptr32 _KNODE
   +0x4d0 MultiThreadProcessorSet : Uint4B
   +0x4d4 MultiThreadSetMaster : Ptr32 _KPRCB
   +0x4d8 ThreadStartCount : [2] Uint4B
   +0x4e0 CcFastReadNoWait : Uint4B
   +0x4e4 CcFastReadWait   : Uint4B
   +0x4e8 CcFastReadNotPossible : Uint4B
   +0x4ec CcCopyReadNoWait : Uint4B
   +0x4f0 CcCopyReadWait   : Uint4B
   +0x4f4 CcCopyReadNoWaitMiss : Uint4B
   +0x4f8 KeAlignmentFixupCount : Uint4B
   +0x4fc KeContextSwitches : Uint4B
   +0x500 KeDcacheFlushCount : Uint4B
   +0x504 KeExceptionDispatchCount : Uint4B
   +0x508 KeFirstLevelTbFills : Uint4B
   +0x50c KeFloatingEmulationCount : Uint4B
   +0x510 KeIcacheFlushCount : Uint4B
   +0x514 KeSecondLevelTbFills : Uint4B
   +0x518 KeSystemCalls    : Uint4B
   +0x51c SpareCounter0    : [1] Uint4B
   +0x520 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x5a0 PPNPagedLookasideList : [32] _PP_LOOKASIDE_LIST
   +0x6a0 PPPagedLookasideList : [32] _PP_LOOKASIDE_LIST
   +0x7a0 PacketBarrier    : Uint4B
   +0x7a4 ReverseStall     : Uint4B
   +0x7a8 IpiFrame         : Ptr32 Void
   +0x7ac PrcbPad2         : [52] UChar
   +0x7e0 CurrentPacket    : [3] Ptr32 Void
   +0x7ec TargetSet        : Uint4B
   +0x7f0 WorkerRoutine    : Ptr32     void 
   +0x7f4 IpiFrozen        : Uint4B
   +0x7f8 PrcbPad3         : [40] UChar
   +0x820 RequestSummary   : Uint4B
   +0x824 SignalDone       : Ptr32 _KPRCB
   +0x828 PrcbPad4         : [56] UChar
   +0x860 DpcListHead      : _LIST_ENTRY
   +0x868 DpcStack         : Ptr32 Void
   +0x86c DpcCount         : Uint4B
   +0x870 DpcQueueDepth    : Uint4B
   +0x874 DpcRoutineActive : Uint4B
   +0x878 DpcInterruptRequested : Uint4B
   +0x87c DpcLastCount     : Uint4B
   +0x880 DpcRequestRate   : Uint4B
   +0x884 MaximumDpcQueueDepth : Uint4B
   +0x888 MinimumDpcRate   : Uint4B
   +0x88c QuantumEnd       : Uint4B
   +0x890 PrcbPad5         : [16] UChar
   +0x8a0 DpcLock          : Uint4B
   +0x8a4 PrcbPad6         : [28] UChar
   +0x8c0 CallDpc          : _KDPC
   +0x8e0 ChainedInterruptList : Ptr32 Void
   +0x8e4 LookasideIrpFloat : Int4B
   +0x8e8 SpareFields0     : [6] Uint4B
   +0x900 VendorString     : [13] UChar
   +0x90d InitialApicId    : UChar
   +0x90e LogicalProcessorsPerPhysicalProcessor : UChar
   +0x910 MHz              : Uint4B
   +0x914 FeatureBits      : Uint4B
   +0x918 UpdateSignature  : _LARGE_INTEGER
   +0x920 NpxSaveArea      : _FX_SAVE_AREA
   +0xb30 PowerState       : _PROCESSOR_POWER_STATE

Now that we’ve finished setting up the frame, we can get to the actual calling mechanism

.text:00408000 nt_KiFastCallEntry_0x8d:                ; CODE XREF: KiSystemService?-13Cj
.text:00408000                                         ; KiSystemService?+6Fj
.text:00408000                 mov     edi, eax        ; jmp from set_ints
.text:00408000                                         ; eax = service number
.text:00408000                                         ; edx = stack caller
.text:00408000                                         ; esi = current thread
.text:00408002                 shr     edi, 8          ; extract the actual value to check
.text:00408002                                         ; which table it should be shadow or regular
.text:00408002                                         ; and also check whether it's in the right range
.text:00408005                 and     edi, 30h        ; Logical AND
.text:00408008                 mov     ecx, edi        ; ecx now has the actual index for the SSDT
.text:0040800A                 add     edi, [esi+0E0h] ; Add
.text:00408010                 mov     ebx, eax
.text:00408012                 and     eax, 0FFFh      ; Logical AND

This is the prologue for all the juicy part, eax holds the service number function (in our case, IIRC, 0x19 ), it gets saved into edi which is unused, as you probably remember
esi points to our current thread using the _KPCR array/struct

.text:0040800A                 add     edi, [esi+0E0h] ; Add

in 0040800A we actually compute the address of the SSDT table, to the specific index we need

.text:00408020                 cmp     ecx, 10h        ; Are we going to access the Shadow table
.text:00408020                                         ; or the "regular "table ?
.text:00408023                 jnz     short nt_KiFastCallEntry_0xcc ; Jump if Not Zero (ZF=0)
.text:00408025                 mov     ecx, ds:0FFDFF018h
.text:0040802B                 xor     ebx, ebx        ; Logical Exclusive OR
.text:0040802D loc_40802D:                             ; DATA XREF: .text:0040B038o
.text:0040802D                 or      ebx, [ecx+0F70h] ; Logical Inclusive OR
.text:00408033                 jz      short nt_KiFastCallEntry_0xcc ; Jump if Zero (ZF=1)

We the continue to check whether we should access the Shadow Table or the “Regular” SSDT table (I do not know how to call it actually, sorry)

CloseHandle isn’t a GDI service function, and therefore it is not part of the Shadow SSDT, therefore we’ll jmp here and continue

.text:0040803F nt_KiFastCallEntry_0xcc:                ; CODE XREF: KiSystemService?+17Dj
.text:0040803F                                         ; KiSystemService?+18Dj
.text:0040803F                 inc     dword ptr ds:0FFDFF638h ; Increment by 1
.text:00408045                 mov     esi, edx        ; esi now points to user arguments
.text:00408047                 mov     ebx, [edi+0Ch]  ; args table address
.text:0040804A                 xor     ecx, ecx        ; Logical Exclusive OR
.text:0040804C                 mov     cl, [eax+ebx]   ; argument size
.text:0040804F                 mov     edi, [edi]
.text:00408051                 mov     ebx, [edi+eax*4] ; ebx points to the actual service routine,
.text:00408051                                         ; in our case CloseHandle
.text:00408051                                         ; finally :P:P
.text:00408054                 sub     esp, ecx        ; Integer Subtraction
.text:00408056                 shr     ecx, 2          ; Shift Logical Right
.text:00408059                 mov     edi, esp
.text:0040805B                 cmp     esi, ds:MmUserProbeAddress ; Do our args are in kernel address
.text:0040805B                                         ; space or user address space ?
.text:00408061                 jnb     loc_408210      ; > kernel
.text:00408061                                         ; < user

at this point the actual service function address is calculated and we’re currently also
checking whether our arguments are already copied to kernel space,
in usual cases, and if I am not mistaken, our args are not yet copied to kernel space
and therefore we will not go through this jmp,
I just gotta give a small note here, upon analysis I got quite confused by this jmp,
I had a few cases when I did make this jmp and some cases when I was left in the dark,
so I might be mistaken here,
eitherway – the jmp leads to check what was our PreviousMode set to – user or kernel,
and sets the current error to ACCESS_VIOLATION no matter what into eax, since some fuckup
has occured, and the arguments should’ve been copied already.

iddqdkssdoit:                           ; CODE XREF: KiSystemService?+36Ej
.text:00408067                                         ; DATA XREF: .text:0040B02Eo
.text:00408067                 rep movsd               ; Move Byte(s) from String to String
.text:00408069                 call    ebx             ; Indirect Call Near Procedure

That’s it.
All the args are copied to the top of the stack, in our case only one argument and ebx
contains the address to the actual service function, if all goes well the
function will return and a restoration process of the frame will occur,
along with a SYSEXIT instruction or IRET instruction, depending whether you’re
debugging it or not.

I hope you have enjoyed or got to learn a few things, I know I have a few inaccurate things but it was hella fun journey.

June 9, 2011

Nanomites – second thoughts

Filed under: Uncategorized — shift32 @ 6:05 pm
Tags: , , , ,

I’ve been fiddling around nanomites for quite a while, since I’ve first read about them
and saw them in action in different packers, I decided to write my own implementation
So far I haven’t done any breakthrough until last night me and another colleague managed to do something neat

Stay tuned for more results.

June 5, 2011

Spyeye: Father `n Son

Filed under: Uncategorized — shift32 @ 1:45 pm
Tags: , , , , ,

I do not work much on SpyEye, I only get a chance to view it on my days off nowadays, hence the slow progress, but here’s my latest progress with SpyEye.

Also, a short tip before I start digging a bit – I found that the collaboration of IDA and OllyDBG together (if you got two screen [ I don’t have two screen though 😦 ] ) is quite great, how is this possible some of you might ask ?
Well, you can use OllySync + IDA-Sync plugins in order to share comments etc
The plugin is a bit outdated and I plan to rewrite it a bit (though Pedram has done great work)
When trying to set function names in OllySync the IDA-Sync server fails to interpret it well, but comments are amazing and IDA’s analysis adds quite alot of information.

It seems that I was mistaken in my previous post , the function which I stepped into was not the decryption stub of anything, it was only an initial check of the system and grabbing some basic info about what’s what and where
basically, the function consisted of fetching the computer’s name, the windows version, and some other details which are not that interesting for us.

It seems that SpyEye’s resource section play an important role in it’s infection process, section C2 and C3 are the sections which SpyEye holds the compressed configuration and sections SC1 and SC2 (I might be mistaken here with the exact names, but they do reside under the “SC” dir in the resources) hold the parasite code

After gathering all the information SpyEye needs from the basic initialization function, SpyEye creates a mutex and constantly checks for the Volume:\algonic\ directory existence, the reason for that is because that’s where SpyEye creates it’s reboot-killer executable named algonic.exe, it also contains the config.bin which has all the juicy information and plugins one wants to obtain once SpyEye reversed.

SpyEye frequently calls RtlAdjustPrivilege in order to get max privileges and infect processes with it’s parasite (inside the resource dir).
Also – a small hint to those who fear the “600 functions spyeye contains” – the reason SpyEye holds so “many” functions is quite simple – SpyEye doesn’t import/export all the functions it uses, if the author would’ve been smarter, he would’ve used only GetProcAddress and used the PEB to get the kernel32.dll base address
SpyEye uses some sort of “special” macro which uses a classical technique to walk through the dll the function resides in and find it, it has a hardcoded value of the hash it’s looking for and whenever someone wants to call any function it just wraps it around some wrapper function
This could be easily evaded by writing some sort of pattern matching function
Since the function which finds the dll and walks through it is the same, and the push order is always the same to find the function – a simple pattern matching procedure could name all those functions by simple instrumentation

Another thing I wanted to discuss is the infection process, which I found a bit nice,
SpyEye calls CreateToolhelp32Snapshot to get a list of all running processes and walks through them using Process32Next, each time it finds a process which isn’t csrss, smss, or System (which are critical system processes :/) it injects itself into, the parasite injection process is as follows:

1. Spyeye Calls OpenProcess(CREATE_THREAD | VM_READ | VM_WRITE | QUERY_INFORMATION,FALSE,1144 /* explorer.exe */);
2. Called NtAllocateVirtualMemory in the remote process at address 0F60000 (RWE)
3. I started debugging explorer.exe and found the page spyeye is going to inject itself into and set a memory on access breakpoint
4. Spyeye Calls NtWriteProcessMemory
5. Called CreateRemoteThread to create a new thread for spyeye malicious parasite
6. Called WaitForSingleObject to figure out that the thread was injected correctly (?)
7. Called GetExitCodeThread to see if it was injected successfully

After that, the parasite SpyEye injected has finished executing or is executing at the moment, the parasite, from what I’ve seen so far does the following things:

1. open Volume:\algonic\
2. write Volume:\algonic\algonic.exe
3. execute Volume:\algonic\algonic.exe
4. delete the original malware executable using DeleteFileA
5. sleep
6. call ExitThread

I might be missing the whole hooking part, as while I’m writing this document seems to be part I’m currently debugging
As I’ve written previously – SpyEye has a loop which walks through all the processes and injects itself into them, somewhere inside it it performs the hooking process

I hope you’ve enjoyed this although it lacked assembly information, I’ll however try to edit the post and add some assembly code too.

May 31, 2011

The case of the spying eyes: blizzard stubs

Filed under: Uncategorized — shift32 @ 11:17 pm
Tags: , , , , ,

So I finally managed to unpack SpyEye this Saturday, and only today (Thursday) had the time to start actually exploring what it does,
I’ve heard and read from friends and the net that SpyEye got some several interesting modules
also it’s module load – use – unload technique seemed interesting. I’ve also heard that it steals money and performs different kind of phising attacks, all of this seemed quite interesting to research.

I’ve hooked up olly and opened the unpacked version of spyeye, opened the names bar and looked for interesting function to set breakpoints on, I’ve also searched for all intermodular calls and found some (even more) interesting functions

As it seems, SpyEye doesn’t import all the function it’s using in it’s IAT, as when inspecting it with PEiD or anything else you see not many functions

To my humble guess it’s using a simple (yet, known), “trick” of dynamic libary loading, I have first seen it in uninformed and the technique is quite nice (originally by lsd-pl folks)

As olly shown in the “show all intermodular calls” window, it seems

However, be mistaken not – the calls repeat themselves, what really caught my eye was the unresolved call here, I’ve set bp on every possible call outside and started my static analysis journey

I started stepping the code, not running it, to see if there are any interesting things and it seems that the start of the code had some nice spots

The first thing which caught my eye was that SpyEye looks for kernel32.dll by first getting it’s address from the PEB, by walking through it’s linked list, this method is quite known as i mentioned earlier by uninformed ,however, spyeye doesn’t use a loop to look for kernel32.dll it
goes through two values and hopes for the best – if someone put kernel32.dll in a different place in the linked list – SpyEye is a bit doomed (;

The other thing which caught my eye was that SpyEye accesses its .rsrsrc section (resource), it gets a handle to them, changes their permissions and continues onward – this is something which might be pretty interesting

the find.resource calls are to find the specified resource with GetModuleFilenameA function
and the rsrsrc.alter.perm are to alternate the permissions the resource has probably to FFFFF, or something like it, it is still unknown what their purpose is, so I don’t know what to look for

One of the resources starts with a string “!EYE” which hints for some propriatery struct for SpyEye (or perhaps something different ? we don’t know yet)

There’re basically three resource section I got my eye on – C1 C2 and C3, but I didn’t find any usage with/of them for now, so we’ll leave them for now.

Also I found several strings which got my eye glitchy

Remember “algonic” from the previous posts ? this is the name of the child process that our malware creates, as for config.bin – well the name answers for everything, it seems to be some sort of configuration SpyEye has, perhaps it contains C&C IPs and passwords to communicate with our big brother

After stepping more code I’ve found some small jackpot, I remember when I was unpacking SpyEye I got really frustrated when I didn’t know which functions SpyEye was using in order to allocate space for itself, and once I’ve found them – everything went alot easier,
So after stepping some code I found that SpyEye calls NtAllocateVirtualMemory to allocate space for something…something big, as of writing now I have a few clues of what it might be, but I still can’t be sure,
however my guesses go from
1. a huge decryption stub to decrypt the configuration and other resource section
2. a huge decompression/compression stub to de/compress something else
3. something else I have no clue yet (always leave room for the unexpected, hehe)

Why am I not thinking about hooking processes ? because as it seems SpyEye is only going through the tasklist at later stages of the code, I’ve seen a few calls to GetCurrentProcessId, and you are right if you said that it doesn’t prove anything, this is only a guess…I’m writing this while still disassembling everything..
However in order to prove more that I’m right I’ve scrolled down with olly a bit more and found this little interesting (yet, exciting) block :

See the comments olly adds on the side ? see smss.exe, csrss.exe, services.exe, etc ? does this look to you like something that would’ve done after we hook things up ? This looks like a prologue to something…something interesting (:

I kept stepping the code until I reached the copy of a resource section, however, the rest seems to be like a topic for another post,
To be continued(:

May 25, 2011

The case of the spying eyes

Filed under: Uncategorized — shift32 @ 10:48 pm
Tags: , , , , , ,

I found this sample of an interesting spyeye malware packed with UPX and ASPack,
and decided to reverse it on my own.
As I’ve never unpacked ASPack I decided to look around and found two interesting anchors,
both are interesting win32-api memory allocation functions which are called VirtualAlloc and ZwAllocateVirtualMemory

But before reversing the malware itself I wanted to see what goes “on the hood”, as Mark Russinovich documents in his blog
In other words – before dwelling into an unpacking nightmare I want to see what sort of files it adds to the system, what registry keys it modifies, what sort of hooks it adds etc

So onward my small journey I’ve hooked up several processes (sysinternals + rku, rootkitRevealer)
I’ve set a snapshot on the vm to return to my initial status after executing and executed the binary

And there I’ve had it, after just executing it everything remained the same, I’ve looked at procmon and regmon to see what sort changes in their process tree and started investigating.

Before running the malware I’ve used shellrunas to first run the malware in a Guest user restricted mode, just to see how it handles things, and I saw that the malware forks itself to a new process called “algonic.exe”,

I’ve set the process in suspended mode and started looking at the log of procmon to see which values it tried modifying

Considering that the malware doesn’t have any zerodays it couldn’t leave Guest user, and execute code in ring0, this helps a bit as I know I’m dealing with any kernelmode malware

Now onto the interesting part, I’ve looked at procmon and saw that the process fork itself and looks for certain specific registry values such as ComputerName,
“HKU\S-1-5-21-1547161642-152049171-839522115-501\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders” ,
“HKU\S-1-5-21-1547161642-152049171-839522115-501\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache” , “HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}” etc,

it tries to lower down the security attributes ie has, open different know dlls (ntdll, wininet, usp01 (??), windows Shell manifest etc),

At this time of writing I do not know the purpose of all those, I can only think it wants to hide itself (with hooks, though), and add different malicious things
I can also ponder that it tries to collect information about the system, if the malware is smart enough it will detect that it’s running inside VirtualBox ( as vbox has two main processes with *vbox* initials inside them, though there are other ways to detect you’re inside a vm like timing-attacks etc )

One interesting thing my eyes caught was that the malware tries to read the

E:\Documents and Settings\Guest\Application Data\Microsoft\SystemCertificates\My\CRLs

This path is quite important as it includes the local system certificates the user has, adding the virus’s certificate to the trusted path will probably break any av or scanner that tries to look for malicious things automagically

Aight, enough for that now –
Let’s move onto the real binary – the algonic.exe which seems to do all the dirty job
[btw, as this time of writing, since no dynamic/static analysis of the binary is done, it is quite unknown what the malware is looking for, I can only assume that I’m missing alot of under the hood stuff, but that’s only an assumption which must be analyzed and faced ]

The algonic.exe is located in the same root drive the malware was originally located, in my own situation it’s located in


The folder is secret and probably well protected if ran with administrator privileges.
The folder contains to files – algonic.exe and config.bin

I’ve hit PEiD on algonic.exe and I wasn’t surprised to see that it is indeed also packed with UPX and
probably also with ASPack,
at this point I’ve unpacked the UPX packing protection by simply putting a bp at 497F3 which is probably the most classical way to unpack most UPX versions

I’ve set also two hardware breakpoints – one for each unique function I was hint’ed, one for VirtualAlloc and one for ZwAllocateVirtualMemory,

Once I’ve hit both bp’s I’ve managed to get the decryption stub, and also the function which calls the EP, I’ve seen the real PE header (at 0x4000000) and currently I’m reversing the last part of the loop before reaching the last popad + ret part.
(I do want to apologize for not writing too much about this phase, but since it’s incomplete I’m still unsure what I am missing and what’s not)
Wish me luck.

To be continued

Create a free website or blog at