Hi,

I am analyzing a malware which follows the below sequence:

1. calls CreateProcessW and starts another instance of itself (CREATE_SUSPENDED state)
2. calls zwUnmapViewofSection on the new process memory (at image base address so that virtual memory is not reserved).
3. calls VirtualAllocEx and allocates 0x27000 bytes and protection set to PAGE_EXECUTE_READWRITE
4. uses WriteProcessMemory to write 400 bytes from a malicious executable embedded in this process to the destination process.

after calling WriteProcessMemory multiple times, it finally calls GetThreadContext, SetThreadContext and ResumeThread to start the execution of thread in remote process.

I want to debug the new thread in the remote process.

So, I thought of patching the data written to remote process.

When it calls WriteProcessMemory to write 400 bytes (starting from MZ header), I can patch the OEP.

I locate the OEP (PE Header + 0x28) and it shows up as:

Code:
01610120  95 6D 01 00 00 10 00 00 00 20 02 00 00 00 40 00  m..... ...@.
The AddressOfEntryPoint is: 0x00016d95

The entire MZ and PE Header will be written to the new process, so, if I patch the OEP here the same will reflect in the new process as well.

My question is, do I just edit this OEP to ebfe?

I need to patch the bytes at the memory address, 0x00016d95 to ebfe but 0x00016d95 is not a valid address.

so where do I patch?

Note: My question is very similar to this thread:

http://www.woodmann.com/forum/archive/index.php/t-11437.html

The solution says, "Before the ResumeThread call is invoked, change the entrypoint instruction to a EBFE instruction".

Can someone elaborate this?

where do I need to patch?

thanks.