Thread: Process creates another process and calls ResumeThread - how to debug?

  1. #1
    klaymen
    Guest

    Process creates another process and calls ResumeThread - how to debug?

    Hi all,

    I got a problem with a new version of a malware (wsnpoem) I'm working on currently. This is probably a simple thing, but I'm still a beginner with OllyDbg, so maybe somebody can help me out?

    Here is what the malware is doing under control of OllyDbg:
    - creates another process using CreateProcess (CREATE_SUSPENDED)
    - GetThreadContext of new process
    - reads 4 bytes at offset [ThreadContext+0xa4]+8 out of its memory (obviously PE section start)
    - allocates memory in new process for code modules (at 0x400000) using VirtualAllocEx (COMMIT+RESERVE, PAGE_EXECUTE_READWRITE)
    - writes code into this area using WriteProcessMemory
    - writes 0x400000 as 4 bytes into the above 4 bytes, probably to fix section address
    - SetThreadContext with data previously obtained (probably adjusted)
    - finally calls ResumeThread on thread id of new process obtained in first step

    And this will start the actual malware. Now I'm as far as stepping forward to the ResumeThread call. If I press F8 now, the malware starts and runs through without any chance to interrupt it - no wonder, it's in another process.

    So I tried starting a second OllyDbg instance that I attach to the newly created, but still suspended process. Unfortunately, I can't see the process ID yet in order to attach to it.

    But I can see the process using Sysinternals ProcessExplorer (dark grey background), and when I look at its properties and check threads, I get an error message but can now attach to it using OllyDbg. Unfortunately the 2nd process doesn't work anymore as it should (not even without OllyDbg's attach), Sysinternals ProcessExplorer seems to have destroyed something in it.

    So the question is: how can I debug this new thread in a new process from beginning on? As the thread is in another process, I can't just set a breakpoint in OllyDbg's first instance - after all the memory space is a completely different one - as far as I understood. And a second OllyDbg can't attach to the new process in time.

    Any ideas would be highly welcome :-)

    klaymen
    I promise that I have read the FAQ and tried to use the Search to answer my question.
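    The call sequence klaymen lists (suspended CreateProcess, GetThreadContext, VirtualAllocEx with an executable protection, WriteProcessMemory into the child, SetThreadContext, ResumeThread) is also exactly what a detection looks for in an API trace. The script below is an added example and is not code from this thread: it correlates those calls per child process and only flags a child when the whole sequence is present, so a child that is merely created suspended and resumed (what installers and debuggers do) is not reported. The "pid api key=value" trace format and the sample lines are constructed for the example; a real sandbox or ETW trace needs its own parse_line().

```python
"""Flag the process-hollowing call sequence in an API trace (added example)."""
import re
from collections import OrderedDict

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
ANY_EXECUTE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE

# Constructed sample trace (one call per line). Parent 1234 hollows its
# suspended child 2048; parent 5678 only creates a suspended child and
# resumes it, which must not be flagged.
SAMPLE_TRACE = """\
1234 CreateProcessA image=C:\\Windows\\System32\\svchost.exe flags=0x4 child_pid=2048 child_tid=2052
1234 GetThreadContext tid=2052
1234 ReadProcessMemory pid=2048 addr=0x7ffd9008 size=4
1234 VirtualAllocEx pid=2048 addr=0x400000 size=0x9000 protect=0x40
1234 WriteProcessMemory pid=2048 addr=0x400000 size=0x9000
1234 WriteProcessMemory pid=2048 addr=0x7ffd9008 size=4
1234 SetThreadContext tid=2052
1234 ResumeThread tid=2052
5678 CreateProcessW image=C:\\Windows\\notepad.exe flags=0x4 child_pid=3100 child_tid=3104
5678 ResumeThread tid=3104
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")


def parse_line(line):
    """Parse one constructed trace line into {'pid', 'api', 'args'} or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for kv in m.group("args").split():
        key, _, value = kv.partition("=")
        args[key] = value
    return {"pid": int(m.group("pid")), "api": m.group("api"), "args": args}


def _hex(value, default="0"):
    """Trace values are hex strings with or without a 0x prefix."""
    return int(value if value is not None else default, 16)


def find_hollowing(trace):
    """Return one finding per child that shows the full hollowing sequence."""
    children = OrderedDict()   # child pid -> per-child state
    tid_owner = {}             # child's initial tid -> child pid
    for line in trace.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        api, a = ev["api"], ev["args"]
        if api.startswith("CreateProcess"):
            cpid, ctid = int(a["child_pid"]), int(a["child_tid"])
            children[cpid] = {
                "parent": ev["pid"], "child_pid": cpid, "image": a.get("image"),
                "suspended": bool(_hex(a.get("flags")) & CREATE_SUSPENDED),
                "exec_alloc": False, "remote_write_bytes": 0,
                "context_set": False, "resumed": False,
            }
            tid_owner[ctid] = cpid
            continue
        # Resolve which tracked child this call touches (by pid or by tid).
        st = None
        if "pid" in a:
            st = children.get(int(a["pid"]))
        elif "tid" in a:
            st = children.get(tid_owner.get(int(a["tid"])))
        if st is None or st["parent"] != ev["pid"]:
            continue   # not a call from the creating parent into a tracked child
        if api == "VirtualAllocEx" and _hex(a.get("protect")) & ANY_EXECUTE:
            st["exec_alloc"] = True
        elif api == "WriteProcessMemory":
            st["remote_write_bytes"] += _hex(a.get("size"))
        elif api == "SetThreadContext":
            st["context_set"] = True
        elif api == "ResumeThread":
            st["resumed"] = True
    findings = []
    for st in children.values():
        if st["suspended"] and st["remote_write_bytes"] and st["context_set"] and st["resumed"]:
            st["severity"] = "high" if st["exec_alloc"] else "medium"
            findings.append(st)
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_TRACE):
        print("%s: parent %d hollowed suspended child %d (%s), %d bytes written"
              % (f["severity"], f["parent"], f["child_pid"], f["image"], f["remote_write_bytes"]))
```

The severity split is deliberate: a remote write plus a context change on a suspended child is suspicious on its own, and an executable allocation in the child on top of it is the full pattern klaymen observed.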

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    I am sure more seasoned malware reversers can give you more accurate advice.
    This technique is very common in protection mechanisms:
    You can figure out where the entry point of the new process is: You can see its PE header and other details while it is being set up by the initial debugged process monitored under Olly.

    Before the ResumeThread call is invoked, change the entry point instruction to an EBFE instruction, jump to self, spinning jump or infinite loop (There is something shockingly akin to masturbation related to this instruction ).

    Let the new process run.

    It will try to run, but go nowhere. Now attach a second Olly to the newly created process spinning at the gate, let it run (F9), pause it, then replace the entry point bytes with the original bytes, which you wrote down previously.
    Now trace the new process from its entry point, at your leisure.
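    To make the bookkeeping of this trick concrete, here is an added example (not naides' or the thread's code) that locates the entry point in the PE headers the parent writes into the child, records the two bytes that have to be saved, and plays the EBFE patch and the later restore against an in-memory copy of the image. The facts it relies on are standard x86 layout: CONTEXT offset 0xa4 is Ebx, which at process start points to the PEB, and PEB+8 is ImageBaseAddress (the dword klaymen saw being read and rewritten), while the PE optional header stores AddressOfEntryPoint at offset 16 for both PE32 and PE32+. The minimal PE image and the function names are constructed for this example; on a live target the bytes would go through ReadProcessMemory/WriteProcessMemory.

```python
"""Plan, apply and undo the EBFE (jmp $) entry-point patch (added example)."""
import struct

JMP_SELF = b"\xEB\xFE"   # jmp -2: the thread spins here until a debugger restores the bytes


def entry_point_rva(image):
    """Return AddressOfEntryPoint from the PE headers at the start of image."""
    if bytes(image[:2]) != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if bytes(image[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint


def plan_ebfe_patch(image_base, image):
    """Locate the entry point and record the two bytes that must be written down."""
    rva = entry_point_rva(image)
    return {"entry_va": image_base + rva,
            "original": bytes(image[rva:rva + 2]),
            "patch": JMP_SELF}


def write_at(image, image_base, va, data):
    """Stand-in for WriteProcessMemory on an in-memory copy of the image."""
    off = va - image_base
    if off < 0 or off + len(data) > len(image):
        raise ValueError("write outside the image")
    patched = bytearray(image)
    patched[off:off + len(data)] = data
    return patched


def build_sample_image(entry_rva=0x1000, size=0x2000):
    """Constructed minimal PE32 image containing only the fields read above."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x14C)           # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x98, 0x10B)           # optional header Magic = PE32
    struct.pack_into("<I", img, 0x98 + 16, entry_rva)  # AddressOfEntryPoint
    img[entry_rva:entry_rva + 2] = b"\x55\x8B"         # push ebp / mov ebp,esp prologue
    return img


if __name__ == "__main__":
    base = 0x400000
    img = build_sample_image()
    plan = plan_ebfe_patch(base, img)
    spinning = write_at(img, base, plan["entry_va"], plan["patch"])         # before ResumeThread
    restored = write_at(spinning, base, plan["entry_va"], plan["original"])  # after attaching
    print("entry %#x, saved %s, restored ok: %s"
          % (plan["entry_va"], plan["original"].hex(), restored == img))
```

One caveat worth checking in the debugger: on x86 the initial thread's Eax in the CONTEXT passed to SetThreadContext is the address the loader will jump to, so if the parent changes Eax there, that address, not the header's AddressOfEntryPoint, is the one to patch.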

  3. #3
    klaymen
    Guest
    Excellent idea, thanks... I'll give it a try immediately... actually I could have had this idea myself...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by klaymen:
    actually I could have had this idea myself...
    But you did not!


  5. #5
    Kayaker
    Teach, Not Flame
    Join Date
    Oct 2000
    Posts
    4,047
    Blog Entries
    5
    I hate you naides, now I can't stop thinking about the phrase EBFE OFF

  6. #6
    I will NOT think of EBFE OFF!
    I will NOT think of EBFE OFF!
    I will NOT think of EBFE OFF!
    I will NOT think of EBFE OFF!
    I will NOT think of EBFE OFF!
    I will NOT think of EBFE OFF!


    Regards,
    JMI

  7. #7
    klaymen
    Guest
    Quote Originally Posted by naides:
    But you did not!

    well, no... but at least I had the idea of trying out OllyAdvanced's process patcher, which automates this process. It even notices I'd like to patch the child process... neat, problem solved, thanks again

    My next problem now is to dump the child process after unpacking stuff was done, as all section information is lacking in OllyDump. Well... I'll play around with that part tomorrow.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    [philosophical shit]
    Well, EBFE is the simplest expression of the failure (curse) of Von Neumann's concept of computing.
    Unless an automaton is supervised, and its process can be monitored/intervened from outside the process itself, it will eventually drift to the familiar picture of an "adolescent taking a shower" situation. . .
    [/philosophical shit]

  9. #9
    Honest mommy, I was only trying to wash it! Really!

    Regards,
    JMI

  10. #10
    Olly has tons of irritating bugs, among which not saving all shit if modified in different sections, not refreshing when memory is allocated from a different 3rd party application (until you Alt+M, you can't go to allocated memory) and this one here - the annoying child display in the processes list. Every other program sees the child running suspended, only Olly doesn't T_T..
    EXECryptor Add!ct

  11. #11
    Registered User
    Join Date
    Aug 2005
    Location
    Italy
    Posts
    133
    Blog Entries
    31
    Yeah indeed Olly has tons of boring craps, but in this case it is normal that Olly is unable to break on a SUSPENDED Thread, because of the particular nature of Thread Creation.

    CreateProcess/CreateThread functions are based upon a KernelMode -> UserMode Callback, LdrInitializeThunk; these Thread Creation APIs make you think that the thread is Started (at the API invocation moment) but this is not completely true.

    Various layers need to be passed, and the thread really starts when LdrInitializeThunk is reached, which "balances" the New Thread CONTEXT and next calls LdrpInitialize.

    So it becomes "impossible" to break on a Suspended Thread, because it has not called LdrInitializeThunk, and in rude words could be considered as not existent.

    There are new technology debuggers that support Process Creation, such as ntsd; you have to set (by typing -xe cpr) the Event CPR, which stands for Create PRocess.

    Regards,
    Evilcry

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com
