Break on ResumeThread

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
NeonFlash
Junior Member
Posts: 12
Joined: Mon Mar 05, 2012 5:53 am

Break on ResumeThread

Post by NeonFlash »

Hi,

I am analyzing a malware sample which follows the sequence below:

1. calls CreateProcessW and starts another instance of itself (in the CREATE_SUSPENDED state)
2. calls ZwUnmapViewOfSection on the new process memory (at the image base address, so that the virtual memory is no longer reserved).
3. calls VirtualAllocEx and allocates 0x27000 bytes with protection set to PAGE_EXECUTE_READWRITE
4. uses WriteProcessMemory to write 400 bytes from a malicious executable embedded in this process to the destination process.

After calling WriteProcessMemory multiple times, it finally calls GetThreadContext, SetThreadContext and ResumeThread to start execution of the thread in the remote process.

I want to debug the new thread in the remote process.

So, I thought of patching the data written to remote process.

When it calls WriteProcessMemory to write 400 bytes (starting from MZ header), I can patch the OEP.

I locate the OEP (PE Header + 0x28) and it shows up as:

01610120  95 6D 01 00 00 10 00 00 00 20 02 00 00 00 40 00  •m....... ....@.

The AddressOfEntryPoint is: 0x00016d95

The entire MZ and PE Header will be written to the new process, so, if I patch the OEP here the same will reflect in the new process as well.

My question is, do I just edit this OEP to EB FE?

I need to patch the bytes at memory address 0x00016d95 to EB FE, but 0x00016d95 is not a valid address.

So where do I patch?

Note: My question is very similar to this thread:

http://www.woodmann.com/forum/archive/i ... 11437.html

The solution says, "Before the ResumeThread call is invoked, change the entrypoint instruction to a EBFE instruction".

Can someone elaborate on this?

Where do I need to patch?

Thanks.
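The four-step sequence described in this post (suspended CreateProcessW, ZwUnmapViewOfSection, RWX VirtualAllocEx, repeated WriteProcessMemory, then SetThreadContext/ResumeThread) is the classic process-hollowing chain, and it is what an analyst or a sandbox rule looks for. The script below is an added example, not code from the thread: it runs a small state machine over a constructed API trace (the "pid:tid API(arg=value, ...) = retval" line format, the handles, sizes and paths are all invented for the example) and reports a finding only when a suspended CreateProcess* from one process is followed by WriteProcessMemory and SetThreadContext before ResumeThread. The unmap and RWX allocation are recorded as supporting evidence when present.

```python
import re

CREATE_SUSPENDED = 0x4            # dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40     # flProtect value

# Hollowing stages, in the order the post describes them.
STAGES = ("create_suspended", "unmap", "alloc_rwx", "write", "set_context", "resume")

# Constructed API trace (hypothetical "pid:tid API(arg=value, ...) = retval" format;
# PIDs, handles, sizes and the path are made up for this example).
SAMPLE_TRACE = r"""
1234:1 CreateProcessW(lpApplicationName="C:\sample\dropper.exe", dwCreationFlags=0x4) = 1
1234:1 ZwUnmapViewOfSection(hProcess=0x1c8, BaseAddress=0x400000) = 0
1234:1 VirtualAllocEx(hProcess=0x1c8, lpAddress=0x400000, dwSize=0x27000, flProtect=0x40) = 0x400000
1234:1 WriteProcessMemory(hProcess=0x1c8, lpBaseAddress=0x400000, nSize=0x190) = 1
1234:1 WriteProcessMemory(hProcess=0x1c8, lpBaseAddress=0x401000, nSize=0x15000) = 1
1234:1 GetThreadContext(hThread=0x1cc) = 1
1234:1 SetThreadContext(hThread=0x1cc) = 1
1234:1 ResumeThread(hThread=0x1cc) = 0
"""

# A benign launcher (also constructed): suspended start, nothing written, then resume.
BENIGN_TRACE = r"""
2222:1 CreateProcessW(lpApplicationName="C:\tools\helper.exe", dwCreationFlags=0x4) = 1
2222:1 ResumeThread(hThread=0x2a0) = 0
"""

LINE_RE = re.compile(r"^(?P<pid>\d+):(?P<tid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def to_int(text, default=0):
    """Parse a hex or decimal argument; missing or odd text becomes `default`."""
    try:
        return int(text, 0)
    except (TypeError, ValueError):
        return default


def parse_line(line):
    """Split one trace line into pid, api, argument dict and return value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {k: v.strip('"') for k, v in ARG_RE.findall(m.group("args"))}
    return {"pid": int(m.group("pid")), "api": m.group("api"), "args": args, "ret": m.group("ret")}


def detect_hollowing(trace_text):
    """Return one finding per source process whose calls match the chain
    suspended CreateProcess* ... WriteProcessMemory ... SetThreadContext ... ResumeThread."""
    state = {}      # pid -> evidence collected since its last suspended CreateProcess*
    findings = []
    for line in trace_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        st = state.setdefault(ev["pid"], {})
        api, a = ev["api"], ev["args"]
        if api in ("CreateProcessW", "CreateProcessA"):
            st.clear()
            if to_int(a.get("dwCreationFlags")) & CREATE_SUSPENDED:
                st["create_suspended"] = a.get("lpApplicationName", "?")
            continue
        if "create_suspended" not in st:
            continue            # only track calls that follow a suspended start
        if api in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"):
            st["unmap"] = a.get("BaseAddress")
        elif api == "VirtualAllocEx" and to_int(a.get("flProtect")) == PAGE_EXECUTE_READWRITE:
            st["alloc_rwx"] = (ev["ret"], a.get("dwSize"))
        elif api == "WriteProcessMemory":
            st["write"] = st.get("write", 0) + 1
        elif api == "SetThreadContext":
            st["set_context"] = True
        elif api == "ResumeThread":
            st["resume"] = True
            if {"write", "set_context"} <= set(st):
                findings.append({
                    "pid": ev["pid"],
                    "target": st["create_suspended"],
                    "stages": [s for s in STAGES if s in st],
                    "writes": st["write"],
                    "rwx_alloc": st.get("alloc_rwx"),
                })
            st.clear()
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print("hollowing chain in pid %d targeting %s: %s"
              % (f["pid"], f["target"], ", ".join(f["stages"])))
    print("benign launcher findings:", detect_hollowing(BENIGN_TRACE))
```

The rule keys on the order of calls from the same source process rather than on any single API, because each call on its own (a suspended start, an RWX allocation, a WriteProcessMemory) also occurs in legitimate software such as debuggers and installers; the benign trace shows that a suspended start followed directly by ResumeThread produces no finding.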
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

VA = RVA + Base
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

> The AddressOfEntryPoint is: 0x00016d95
>
> The entire MZ and PE Header will be written to the new process, so, if I patch the OEP here the same will reflect in the new process as well.
>
> My question is, do I just edit this OEP to ebfe?

Do you mean that you edit the header to EB FE?

No, that isn't going to work.

The AddressOfEntryPoint 0x16XXX means the address of the entry point will be at

base of image (viz 0x400000 in default cases, or anywhere in special cases) + 0x16XXX

So you need to know where the base of the image is;
most probably it would be what was returned by an earlier VirtualAlloc call.

Say it is 0x60500000, for example; then you need to patch the bytes at 0x60500000 + 0x16XXX == 0x60516XXX.

Also be aware that SetThreadContext takes a full CONTEXT that includes the EIP that will be executed on resume.
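Indy's "VA = RVA + Base" and blabberer's arithmetic above can be turned into a small helper an analyst runs on the data captured at the WriteProcessMemory breakpoint. The script below is an added example, not code from the thread: it parses ImageBase and AddressOfEntryPoint out of the header chunk (reading AddressOfEntryPoint at PE signature + 0x28 as the post does), computes the entry VA from the base the remote process actually received (the VirtualAllocEx return value, which need not equal the header's ImageBase), and then reports which of the captured WriteProcessMemory chunks contains that VA and at what offset, which is the byte pair to replace with EB FE. The header bytes, the chunk layout, and the 0x60500000 base are constructed sample values following blabberer's example; the filler chunk contents are not real code.

```python
import struct


def parse_pe_header(buf):
    """Return (image_base, entry_rva) from a buffer that begins at the MZ header,
    e.g. the first chunk handed to WriteProcessMemory."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry_rva = struct.unpack_from("<I", buf, e_lfanew + 0x28)[0]   # AddressOfEntryPoint ("PE Header + 0x28")
    if magic == 0x10B:                           # PE32
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return image_base, entry_rva


def entry_va(remote_base, entry_rva):
    """VA = RVA + Base, using the base the hollowed process actually received."""
    return remote_base + entry_rva


def locate_patch(writes, remote_base, entry_rva):
    """writes: list of (destination VA, data) as passed to WriteProcessMemory.
    Returns (chunk index, byte offset) of the chunk carrying the entry point, or None."""
    va = entry_va(remote_base, entry_rva)
    for idx, (dest, data) in enumerate(writes):
        if dest <= va < dest + len(data):
            return idx, va - dest
    return None


def patch_entry(data, offset):
    """Return (copy of data with EB FE at offset, the two original bytes to restore
    once the debugger is attached and EIP points at the loop)."""
    saved = bytes(data[offset:offset + 2])
    patched = bytearray(data)
    patched[offset:offset + 2] = b"\xEB\xFE"     # jmp $ : the thread spins here instead of running
    return bytes(patched), saved


def build_sample_header(image_base=0x400000, entry_rva=0x16D95):
    """Constructed minimal PE32 header (not a real binary): DOS header with e_lfanew,
    PE signature, file header, and an optional header holding the two fields we read."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def sample_writes(remote_base):
    """Constructed stand-in for the captured WriteProcessMemory calls: the header
    chunk first, then two section chunks. The bytes are filler, not code."""
    return [
        (remote_base, build_sample_header()),
        (remote_base + 0x1000, b"\x00" * 0x1000),
        (remote_base + 0x16000, b"\x90" * 0x1000),
    ]


if __name__ == "__main__":
    base = 0x60500000                            # blabberer's example allocation base
    writes = sample_writes(base)
    hdr_base, rva = parse_pe_header(writes[0][1])
    print("header ImageBase=0x%x  AddressOfEntryPoint=0x%x  entry VA=0x%x"
          % (hdr_base, rva, entry_va(base, rva)))
    idx, off = locate_patch(writes, base, rva)
    print("entry point is in WriteProcessMemory chunk %d at offset 0x%x" % (idx, off))
```

With these values the entry point is not in the header chunk at all but in the third write, at offset 0xD95 within it, which is the point of the reply: editing the AddressOfEntryPoint field changes where the loader would look, not the instruction bytes that execute. The header's ImageBase (0x400000 here) and the remote base (0x60500000) differ on purpose, to show that the arithmetic must use the address the remote process really got; the SetThreadContext caveat still applies, since the EIP written into the CONTEXT is what actually runs on resume.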
yekhni
Junior Member
Posts: 2
Joined: Thu Sep 19, 2013 7:00 am

Post by yekhni »

Hi,

Suspended processes won't let debuggers attach, because when a process is hollowed the PEB is not initialized.
The best solution would be:

1: Set a breakpoint at ZwResumeThread
2: Inject a dummy Sleep thread using CreateRemoteThread, to initialize the PEB of the foreign process
3: Attach the debugger and resume from the OEP

Cheers!
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

side tools.