Thread: How to dump and fix section headers of attached processes?

  1. #1
    klaymen
    Guest

    Hi all,

    This is probably a simple one, but I didn't find any solution for this yet. A malware I'm analysing is creating a new process in suspended mode, injects code into it, and then resumes the new process. I managed to patch the EP of the new process inside OllyDbg (using OllyAdvanced) in order to force an endless loop at the EP, then attach to the new process, and change the 2 bytes so I can observe what's going on in the new process, all very nice (thanks to this forum btw :-).

    I'd very much like to dump the process to disk though so I can also check it out inside IdaPro. In former versions of this malware, which did not yet create a new process but worked "in itself", I usually just ran the process until it created its IAT, then dumped it from inside OllyDbg (without IAT reconstruction), then attached ImportRec to the process, and finally used UIF (universal import fixer) to reconstruct the IAT.

    The problem I'm having now is that after attaching to the new process, I lost all section information - it's just one big blob at 400000, type "Priv 00021004, RW". I can dump it without setting any section info, and even managed to apply ImportRec and UIF onto that - but for further analysis, the section information must somehow also be fixed. Is there any "easy" way to do this, or do I have to somehow try to guess and fix it manually?

    I do, of course, have the info from the WriteProcessMemory calls used before creating the process, something like this:

    Full data block VirtualAllocEx, 0x22000 bytes at 0x400000:
    Code:
    0012FE08     00000044 
    0012FE0C     00400000 
    0012FE10     00022000 
    0012FE14     00003000
    0012FE18     00000004
    Followed by these WriteProcessMemory calls:
    Code:
    0012FE08     00000044  |hProcess = 00000044 (window)
    0012FE0C     00400000  |Address = 400000        
    0012FE10     0086002C  |Buffer = 0086002C
    0012FE14     00000400  |BytesToWrite = 400 (1024.)
    0012FE18     0012FF70  \pBytesWritten = 0012FF70
    
    0012FE08     00000044  |hProcess = 00000044 (window)
    0012FE0C     00401000  |Address = 401000
    0012FE10     0086042C  |Buffer = 0086042C
    0012FE14     00008E00  |BytesToWrite = 8E00 (36352.)
    0012FE18     0012FF70  \pBytesWritten = 0012FF70
    
    0012FE08     00000044  |hProcess = 00000044 (window)
    0012FE0C     0040F000  |Address = 40F000
    0012FE10     0086922C  |Buffer = 0086922C
    0012FE14     00000A00  |BytesToWrite = A00 (2560.)
    0012FE18     0012FF70  \pBytesWritten = 0012FF70
    
    0012FE08     00000044  |hProcess = 00000044 (window)
    0012FE0C     00411000  |Address = 411000
    0012FE10     00869C2C  |Buffer = 00869C2C
    0012FE14     00001200  |BytesToWrite = 1200 (4608.)
    0012FE18     0012FF70  \pBytesWritten = 0012FF70
    Note: I skipped a read and write call that are seemingly used to read/set the base of code (400000) at 7FFDE008

    Finally followed by setting the right protections again (VirtualProtectEx calls):
    Code:
    0012FE08     00000044  |hProcess = 00000044 (window)
    0012FE0C     00401000  |Address = 401000
    0012FE10     0000DD02  |Size = DD02 (56578.)
    0012FE14     00000002  |NewProtect = PAGE_READONLY
    0012FE18     0012FF6C  \pOldProtect = 0012FF6C
    
    0012FE08     00000044  |hProcess = 00000044 (window)
    0012FE0C     0040F000  |Address = 0040F000
    0012FE10     0000133C  |Size = 133C (4924.)
    0012FE14     00000040  |NewProtect = PAGE_EXECUTE_READWRITE
    0012FE18     0012FF6C  \pOldProtect = 0012FF6C
    
    0012FE08     00000044  |hProcess = 00000044 (window)
    0012FE0C     00411000  |Address = 00411000
    0012FE10     00011000  |Size = 11000 (69632.)
    0012FE14     00000002  |NewProtect = PAGE_READONLY
    0012FE18     0012FF6C  \pOldProtect = 0012FF6C
    So I could of course use that info to set guessed section info... I'm just wondering if there's a standard way to deal with that situation?

    Thanks, klaymen

  2. #2
    dELTA
    Administrator
    The standard situation I guess is to keep it as simple as possible, which normally means to just keep it all as one big section, with all necessary attributes set (usually execute, read and write).
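The two options discussed in this thread, rebuilding a section table from klaymen's logged VirtualAllocEx / WriteProcessMemory / VirtualProtectEx arguments versus dELTA's single RWX section, as an added Python example that is not part of either post. The addresses and sizes are taken from the logged calls above; the section names, the helper names and the PAGE_* to characteristics mapping are my own assumptions, and the output is raw IMAGE_SECTION_HEADER entries to be written over the section table of the memory dump.

```python
import struct

IMAGE_BASE, PAGE = 0x400000, 0x1000
# IMAGE_SECTION_HEADER characteristics (PE spec)
SCN_CODE, SCN_DATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
# Assumed mapping of the logged PAGE_* protections to section flags
PROT_FLAGS = {0x02: SCN_READ, 0x04: SCN_READ | SCN_WRITE,
              0x20: SCN_EXEC | SCN_READ, 0x40: SCN_EXEC | SCN_READ | SCN_WRITE}

# Constructed from the thread's log: VirtualAllocEx size, each
# WriteProcessMemory (address, bytes), each VirtualProtectEx address -> (size, protect)
ALLOC_SIZE = 0x22000
WRITES = [(0x400000, 0x400), (0x401000, 0x8E00), (0x40F000, 0xA00), (0x411000, 0x1200)]
PROTECTS = {0x401000: (0xDD02, 0x02), 0x40F000: (0x133C, 0x40), 0x411000: (0x11000, 0x02)}

def align(n, a=PAGE):
    return (n + a - 1) & ~(a - 1)

def sections_from_writes(writes=WRITES, protects=PROTECTS, base=IMAGE_BASE, alloc=ALLOC_SIZE):
    """One section per WriteProcessMemory after the header write at the image base.
    Raw offset == RVA and sizes are page-aligned because the dump comes from memory."""
    secs = []
    for i, (addr, nbytes) in enumerate(w for w in writes if w[0] != base):
        if not base <= addr < addr + nbytes <= base + alloc:
            raise ValueError(f"write at {addr:#x} lies outside the VirtualAllocEx region")
        vsize, prot = protects.get(addr, (nbytes, 0x04))   # default RW if never protected
        flags = PROT_FLAGS[prot]
        flags |= SCN_CODE if flags & SCN_EXEC else SCN_DATA
        secs.append({"name": f".sec{i}", "va": addr - base, "vsize": align(vsize),
                     "rawsize": align(vsize), "rawptr": addr - base, "flags": flags})
    return secs

def single_section(alloc=ALLOC_SIZE):
    """dELTA's option: one execute/read/write section covering everything after the headers."""
    return [{"name": ".all", "va": PAGE, "vsize": alloc - PAGE, "rawsize": alloc - PAGE,
             "rawptr": PAGE, "flags": SCN_CODE | SCN_DATA | SCN_EXEC | SCN_READ | SCN_WRITE}]

def pack_headers(secs):
    """Serialize as 40-byte IMAGE_SECTION_HEADER entries (name, VirtualSize, VirtualAddress,
    SizeOfRawData, PointerToRawData, reloc/linenumber fields zeroed, Characteristics)."""
    return b"".join(struct.pack("<8sIIIIIIHHI", s["name"].encode().ljust(8, b"\0"),
                                s["vsize"], s["va"], s["rawsize"], s["rawptr"],
                                0, 0, 0, 0, s["flags"]) for s in secs)

if __name__ == "__main__":
    for s in sections_from_writes():
        print(f'{s["name"]:6} RVA={s["va"]:#07x} size={s["vsize"]:#07x} flags={s["flags"]:#010x}')
```

The rebuilt table ends exactly at the 0x22000 allocation size, which is a cheap sanity check that the logged protect sizes and write addresses are consistent with each other.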
