
Thread: Unable to open !?

  1. #1

    Unable to open !?

    I'm working on some malware that attaches to explorer and other programs via DLLs.
    I was able to work with them in the past via OllyDbg, but now I can't, and I'm
    not sure what changed... has anyone ever run into this?

    YES, the files are there and permissions look good and the malware is running.


    Log data
    Address Message
    OllyDbg v2.00 (intermediate version - under development!)

    Attached to 'C:\WINDOWS\system32\notepad.exe'
    New process (ID 00000EDC) created
    Main thread (ID 00000EE0) created
    7C94FFE3 New thread 2. (ID 00000FC8) created
    01000000 Module C:\WINDOWS\system32\notepad.exe
    3A220000 Module C:\WINDOWS\system32\ntobdis.dll << MALWARE
    Unable to open executable file
    5AD70000 Module C:\WINDOWS\system32\UxTheme.dll
    5CB70000 Module C:\WINDOWS\system32\ShimEng.dll
    6F880000 Module C:\WINDOWS\AppPatch\AcGenral.DLL
    71AA0000 Module C:\WINDOWS\system32\WS2HELP.dll
    ....etc


    Attached to 'C:\WINDOWS\Explorer.EXE'
    New process (ID 00000638) created
    Main thread (ID 0000063C) created
    7C8106E9 New thread 2. (ID 00000648) created
    7C8106E9 New thread 3. (ID 00000650) created
    7C8106E9 New thread 4. (ID 00000658) created
    7C8106E9 New thread 5. (ID 00000660) created
    7C8106E9 New thread 6. (ID 00000730) created
    7C8106E9 New thread 7. (ID 000007DC) created
    7C8106E9 New thread 8. (ID 000007F8) created
    7C8106E9 New thread 9. (ID 000000A8) created
    7C8106E9 New thread 10. (ID 000000AC) created
    7C8106E9 New thread 11. (ID 000000B0) created
    7C8106E9 New thread 12. (ID 000000C4) created
    7C8106E9 New thread 13. (ID 000000C8) created
    7C8106E9 New thread 14. (ID 000000B8) created
    7C8106E9 New thread 15. (ID 000000A4) created
    7C8106E9 New thread 16. (ID 000000CC) created
    7C8106E9 New thread 17. (ID 000000D0) created
    7C8106E9 New thread 18. (ID 000000D8) created
    7C8106E9 New thread 19. (ID 000000E0) created
    7C8106E9 New thread 20. (ID 000000E4) created
    7C8106E9 New thread 21. (ID 000000E8) created
    7C8106E9 New thread 22. (ID 00000118) created
    7C8106E9 New thread 23. (ID 00000128) created
    7C8106E9 New thread 24. (ID 00000078) created
    7C8106E9 New thread 25. (ID 00000440) created
    7C8106E9 New thread 26. (ID 00000CEC) created
    7C8106E9 New thread 27. (ID 00000ACC) created
    7C94FFE3 New thread 28. (ID 00000B60) created
    01000000 Module C:\WINDOWS\Explorer.EXE
    00400000 Module C:\WINDOWS\system32\Normaliz.dll
    01480000 Module C:\WINDOWS\system32\xpsp2res.dll
    018A0000 Module C:\WINDOWS\system32\vmhgfs1.dll
    02C20000 Module C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
    10000000 Module C:\WINDOWS\system32\urlamnic\codihcat\rtfagdat.dll << MALWARE
    Unable to open executable file
    3A220000 Module C:\WINDOWS\system32\ntobdis.dll << MALWARE
    Unable to open executable file
    3E000000 Module C:\WINDOWS\system32\crtoxnet.dll << MALWARE
    Unable to open executable file
    42E40000 Module C:\WINDOWS\system32\webcheck.dll
    42EF0000 Module C:\WINDOWS\system32\ieframe.dll
    478C0000 Module C:\WINDOWS\system32\dot3api.dll
    4D4F0000 Module C:\WINDOWS\system32\winhttp.dll
    ...etc
    Last edited by Maze; May 1st, 2009 at 11:22.
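An added example, not from the original post or from OllyDbg: a small Python parser for the log format pasted above that groups module entries per attached process and flags the ones followed by "Unable to open executable file". The sample log embedded in it is a constructed, shortened copy of the two sessions in the post; listing which unreadable modules recur across processes is a quick triage step before the handle hunt suggested later in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the OllyDbg 2.00 log above (shortened);
# the "<< MALWARE" tags are the poster's own annotations, not OllyDbg output.
SAMPLE_LOG = r"""
Attached to 'C:\WINDOWS\system32\notepad.exe'
New process (ID 00000EDC) created
7C94FFE3 New thread 2. (ID 00000FC8) created
01000000 Module C:\WINDOWS\system32\notepad.exe
3A220000 Module C:\WINDOWS\system32\ntobdis.dll << MALWARE
Unable to open executable file
5AD70000 Module C:\WINDOWS\system32\UxTheme.dll

Attached to 'C:\WINDOWS\Explorer.EXE'
New process (ID 00000638) created
01000000 Module C:\WINDOWS\Explorer.EXE
10000000 Module C:\WINDOWS\system32\urlamnic\codihcat\rtfagdat.dll << MALWARE
Unable to open executable file
3A220000 Module C:\WINDOWS\system32\ntobdis.dll << MALWARE
Unable to open executable file
3E000000 Module C:\WINDOWS\system32\crtoxnet.dll << MALWARE
Unable to open executable file
42E40000 Module C:\WINDOWS\system32\webcheck.dll
"""

ATTACH_RE = re.compile(r"^Attached to '(.+)'$")
# base address, "Module", path; an optional trailing "<< ..." annotation is dropped
MODULE_RE = re.compile(r"^([0-9A-F]{8}) Module (.+?)(?: <<.*)?$")
FAIL_LINE = "Unable to open executable file"

def parse_log(text):
    """Return {process path: [(base, module path, readable)]}. readable is False
    when OllyDbg printed its 'Unable to open' line right after the module line."""
    sessions = defaultdict(list)
    current = None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = ATTACH_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            sessions[current].append((int(m.group(1), 16), m.group(2), nxt != FAIL_LINE))
    return dict(sessions)

def unreadable_modules(sessions):
    """Map each module OllyDbg could not read from disk to the processes it was
    loaded in; the same unreadable module in several processes is a triage lead."""
    hits = defaultdict(set)
    for proc, mods in sessions.items():
        for _base, path, readable in mods:
            if not readable:
                hits[path].add(proc)
    return {path: sorted(procs) for path, procs in hits.items()}

if __name__ == "__main__":
    for path, procs in unreadable_modules(parse_log(SAMPLE_LOG)).items():
        print(f"{path}  <- not readable on disk; loaded in: {', '.join(procs)}")
```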

  2. #2
    If you're running on Vista, you might need to run Olly as admin, because those locations would have restricted access.

  3. #3
    Quote, originally posted by evlncrn8:
    > If you're running on Vista, you might need to run Olly as admin, because those locations would have restricted access.

    Nop, not Vista... XP SP3.

    I'm going to do a fresh VM and try again.

  4. #4
    dELTA (Administrator)
    I guess the malware could either have locked its own files with exclusive access, or even used "rootkit methods" to lock/hide them?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  5. #5
    Quote, originally posted by dELTA:
    > I guess the malware could either have locked its own files with exclusive access, or even used "rootkit methods" to lock/hide them?

    I just tried with a fresh VM with no luck.

    At one point in the past I was able to start OllyDbg, attach to explorer.exe, View Modules, double click on the malware DLL and view the code, names, etc. I forget, but I might have done this on a real machine and not in a VM; I'll have to give that a try.

  6. #6
    dELTA (Administrator)
    One thing you could try:

    1. Search for open handles to the malware files, using Process Explorer, and note which process is holding them (probably Explorer.exe).
    2. Kill all these handles.
    3. Copy the files to a separate location.
    4. Disassemble them (unpack first if necessary).
    Then you'll at least have their code for analysis, and also have strings you can search for in memory to locate this code inside e.g. Explorer.exe.

  7. #7
    I have no problem finding the files and looking at them manually,
    but I wanted to use OllyDbg on them while the malware is running.

    Using Process Explorer is a good idea, thanks!

    The malware connects to its server via HTTPS and receives commands.
    I'm able to catch the info using an API monitor, but the unencrypted
    data is still scrambled somehow. I want to work on the malware while it's
    running... which is hard because it's attached to explorer.exe.
