Thread: Break on ResumeThread

  1. #1

    Break on ResumeThread

    Hi,

    I am analyzing a malware sample which follows the sequence below:

    1. calls CreateProcessW and starts another instance of itself (in the CREATE_SUSPENDED state)
    2. calls ZwUnmapViewOfSection on the new process's memory (at the image base address, so that the virtual memory is not reserved).
    3. calls VirtualAllocEx and allocates 0x27000 bytes with protection set to PAGE_EXECUTE_READWRITE
    4. uses WriteProcessMemory to write 400 bytes from a malicious executable embedded in this process to the destination process.

    After calling WriteProcessMemory multiple times, it finally calls GetThreadContext, SetThreadContext and ResumeThread to start execution of the thread in the remote process.

    I want to debug the new thread in the remote process.

    So, I thought of patching the data written to remote process.

    When it calls WriteProcessMemory to write 400 bytes (starting from MZ header), I can patch the OEP.

    I locate the OEP (PE Header + 0x28) and it shows up as:

    Code:
    01610120  95 6D 01 00 00 10 00 00 00 20 02 00 00 00 40 00  m..... ...@.
    The AddressOfEntryPoint is: 0x00016d95

    The entire MZ and PE Header will be written to the new process, so, if I patch the OEP here the same will reflect in the new process as well.

    My question is, do I just edit this OEP to ebfe?

    I need to patch the bytes at the memory address, 0x00016d95 to ebfe but 0x00016d95 is not a valid address.

    So where do I patch?

    Note: My question is very similar to this thread:

    http://www.woodmann.com/forum/archive/index.php/t-11437.html

    The solution says, "Before the ResumeThread call is invoked, change the entrypoint instruction to a EBFE instruction".

    Can someone elaborate this?

    where do I need to patch?

    Thanks.

  2. #2
    VA = RVA + Base

  3. #3
    The AddressOfEntryPoint is: 0x00016d95

    The entire MZ and PE Header will be written to the new process, so, if I patch the OEP here the same will reflect in the new process as well.

    My question is, do I just edit this OEP to ebfe?
    Do you mean that you edit the header to ebfe?

    No, that isn't going to work.

    The AddressOfEntryPoint 0x16XXX means the address of the entry point will be at

    base of image (viz. 0x400000 in default cases, or anywhere in special cases) + 0x16XXX

    So you need to know where the base of image is;
    most probably it would be what was returned by an earlier VirtualAlloc call.

    Say it is 0x60500000 for example; then you need to patch the bytes at 0x60500000 + 0x16XXX == 0x60516XXX.

    Also be aware SetThreadContext takes a full CONTEXT that includes EIP, which would be executed on resume.
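    The arithmetic in the two answers above (VA = RVA + base, entry point RVA read from the PE header at PE + 0x28), worked through as an added example that is not code from the thread. It constructs a minimal MZ/PE32 header carrying the exact 16 bytes the first post dumps at PE + 0x28, assumes the remote allocation base 0x60500000 used in the answer above, and models the pending WriteProcessMemory calls as a constructed list of (remote address, buffer) pairs. It then locates which of those buffers covers the entry point VA and places the EB FE (jmp $) patch there, which is the point the answer makes: the patch goes into the section data at base + RVA, not into the header.

```python
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"


def build_header() -> bytes:
    """Constructed minimal MZ/PE32 header (not a real sample) carrying the
    bytes the thread quotes at PE + 0x28: AddressOfEntryPoint 0x16d95,
    BaseOfCode 0x1000, BaseOfData 0x22000, ImageBase 0x400000."""
    hdr = bytearray(0x400)
    hdr[0:2] = MZ_SIG
    e_lfanew = 0x100
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    hdr[e_lfanew:e_lfanew + 4] = PE_SIG
    opt = e_lfanew + 0x18                                 # optional header follows the 20-byte file header
    struct.pack_into("<H", hdr, opt, 0x10B)               # Magic: PE32
    hdr[e_lfanew + 0x28:e_lfanew + 0x38] = bytes.fromhex("956d0100 00100000 00200200 00004000")
    return bytes(hdr)


def pe_offset(header: bytes) -> int:
    """Return e_lfanew after checking both signatures."""
    if header[:2] != MZ_SIG:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    if header[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    return e_lfanew


def entry_point_rva(header: bytes) -> int:
    """AddressOfEntryPoint lives at PE + 0x28 (file header 0x18 + optional header 0x10)."""
    return struct.unpack_from("<I", header, pe_offset(header) + 0x28)[0]


def image_base(header: bytes) -> int:
    """Preferred ImageBase from the optional header (PE32 at +0x34, PE32+ at +0x30)."""
    pe = pe_offset(header)
    magic = struct.unpack_from("<H", header, pe + 0x18)[0]
    if magic == 0x10B:
        return struct.unpack_from("<I", header, pe + 0x34)[0]
    if magic == 0x20B:
        return struct.unpack_from("<Q", header, pe + 0x30)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")


def entry_point_va(header: bytes, remote_base: int) -> int:
    """VA = RVA + base, where base is where the image really lands in the remote
    process (the VirtualAllocEx result), not necessarily the header's ImageBase."""
    return remote_base + entry_point_rva(header)


def patch_entry_point(writes, remote_base: int, header: bytes):
    """Find the pending write whose buffer covers the entry point VA and replace the
    two bytes there with EB FE (jmp $), so the resumed thread spins until a debugger
    attaches. Returns (va, original two bytes); raises if no write covers the VA."""
    va = entry_point_va(header, remote_base)
    for addr, buf in writes:
        if addr <= va and va + 2 <= addr + len(buf):
            off = va - addr
            original = bytes(buf[off:off + 2])
            buf[off:off + 2] = b"\xEB\xFE"
            return va, original
    raise LookupError(f"no pending write covers {va:#010x}")


def constructed_writes(remote_base: int):
    """Constructed stand-in for the observed WriteProcessMemory sequence:
    the header at the base, then one section buffer at base + 0x1000."""
    return [
        (remote_base, bytearray(build_header())),
        (remote_base + 0x1000, bytearray(0x26000)),
    ]


if __name__ == "__main__":
    hdr = build_header()
    base = 0x60500000                      # assumed remote allocation base, as in the answer above
    print(f"header ImageBase   : {image_base(hdr):#010x}")
    print(f"entry point RVA    : {entry_point_rva(hdr):#x}")
    writes = constructed_writes(base)
    va, orig = patch_entry_point(writes, base, hdr)
    print(f"patched {orig.hex()} -> ebfe at {va:#010x} (write #{[w[0] for w in writes].index(base + 0x1000) + 1})")
```

    The header write is deliberately left untouched: changing the AddressOfEntryPoint field would only move where the loader thinks the entry point is, whereas the bytes that must become EB FE are the ones the section write carries to base + 0x16d95. Remember the answer's last caveat as well: if the sample's SetThreadContext sets EIP to something other than base + AddressOfEntryPoint, that EIP is the address to compare against instead.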

  4. #4
    Hi

    Suspended processes won't let debuggers attach, because when the process is hollowed the PEB is not initialized.
    The best solution would be:

    1: Set a breakpoint at ZwResumeThread
    2: Inject a dummy Sleep thread using CreateRemoteThread, to initialize the PEB of the foreign process
    3: Attach the debugger and resume from the OEP

    Cheers!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    side tools.
