Debugging across CreateProcess

December 9th, 2008, 09:13

I'm fiddling around with a piece of malware in IDA Pro. At some point the malware binary is copied to a new location and started by a CreateProcess call. The original process then sleeps a while before exiting.
I assume that the new process at some point tests to see whether it is the "original" process or the newly created process, and then forks in another direction than the file duplication business.
I am wondering what the best option is for debugging the newly created file, since I will probably have to search for this forking point if I just start the new process after closing the debugging session of the first process. (I hope I still make some sense...)
Could I allow the CreateProcess call to run and then catch the new process in some way, or will I have to manually find the point where the decision to duplicate is taken and divert the flow?


December 9th, 2008, 10:16
1. you should set a BPX on CreateProcess & check if some CommandLine is passed in the parameters
2. malware also checks its location + name, & then tries to copy itself to the needed location;
so if no commandline is passed, then exit the first process & start debugging the new copied file;
if a commandline is also present, then also pass that command;
see rs32net example in WIGONS.zip

also many other checks can be there, like Mutex etc.
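An added example (not from this thread or its posters): a small Python checker over constructed, Sysmon-style process telemetry that flags the chain the reply describes, a process writing a copy of its own image elsewhere, spawning that copy via CreateProcess, then exiting. It also pulls out the extra command-line arguments of the copy, which is exactly what the analyst needs to pass when restarting the copied file under the debugger. Event field names and the paths in EVENTS are assumptions for the sake of the example.

```python
import shlex

# Constructed sample telemetry (assumed field names, Sysmon-like).
# pid 100 writes copy.exe, launches it with an extra argument, then exits.
# pids 300/301 are a benign control: a parent spawning a child it did not write.
EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "ppid": 1,
     "image": r"C:\Temp\sample.exe", "cmdline": r'"C:\Temp\sample.exe"'},
    {"type": "FileCreate", "pid": 100, "target": r"C:\ProgramData\copy.exe"},
    {"type": "ProcessCreate", "pid": 200, "ppid": 100,
     "image": r"C:\ProgramData\copy.exe",
     "cmdline": r'"C:\ProgramData\copy.exe" /second'},
    {"type": "ProcessTerminate", "pid": 100},
    {"type": "ProcessCreate", "pid": 300, "ppid": 1,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "ProcessCreate", "pid": 301, "ppid": 300,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def find_self_relaunch(events):
    """Return one finding per child process whose image file was written by
    its own parent before the parent spawned it. 'args' holds everything on
    the child's command line after argv[0]: the part to replay when the copy
    is started by hand in the debugger. 'parent_exited' records whether the
    writer terminated afterwards, as the original in the thread does."""
    written = {}    # pid -> set of lowercased paths that process created
    findings = []
    for ev in events:
        if ev["type"] == "FileCreate":
            written.setdefault(ev["pid"], set()).add(ev["target"].lower())
        elif ev["type"] == "ProcessCreate":
            if ev["image"].lower() in written.get(ev["ppid"], ()):
                # posix=False keeps backslashes literal; strip surrounding quotes
                argv = [a.strip('"') for a in shlex.split(ev["cmdline"], posix=False)]
                findings.append({"parent": ev["ppid"], "child": ev["pid"],
                                 "image": ev["image"], "args": argv[1:],
                                 "parent_exited": False})
        elif ev["type"] == "ProcessTerminate":
            for f in findings:
                if f["parent"] == ev["pid"]:
                    f["parent_exited"] = True
    return findings


if __name__ == "__main__":
    for f in find_self_relaunch(EVENTS):
        print(f)
```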

December 9th, 2008, 14:06
Yes, I also noticed a mutex being created, but couldn't quite figure out the reason.
But basically there is no simple way to maintain the "state" when starting the new debugging session; I have to keep track of the various mutexes and such, and recreate the state when starting the second debugging session?

December 9th, 2008, 14:50
mm, you maybe can't recreate the state, but you can debug! & look at conditional jumps.. & force them if you want;

btw, if the malware looks interesting, you can post it here

December 9th, 2008, 16:33
Thanks for the quick replies.
The malware in question is from the recent malware challenge event. I thought it would make a good specimen to learn from, since there would be other sources available to compare my results to.