Vitali Kremez

ZeroAccess Trojan: Custom Local Privilege Exploit (LPE) Analysis: CVE-2015-1701

5/25/2016

Reference: https://www.virustotal.com/en/file/1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d/analysis/

Objective:
  • Analyze the ZeroAccess trojan custom local privilege exploit (LPE) related to CVE-2015-1701.
CVE-2015-1701:
  • Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."
LPE Implementation and Functionality:
  • Registers a vectored exception handler and sets a hardware breakpoint on a specific function. When that function is called, the exception handler takes over and continues execution from there.
  • The hardware breakpoint is set on KiUserExceptionDispatcher.
  • Loads UxTheme.dll via LoadLibraryA, as seen in the Kernel API Logger output.
  • Calls MessageBoxA with the strings "Error" and "User32".

ZeroAccess: int 2d Anti-Debugging

5/17/2016

Source: fumalwareanalysis.blogspot.com

Learning Goals:
  1. Understand the general interrupt handling mechanism on the x86 platform.
  2. Understand the byte scission anti-debugging technique.
  3. Know how to use a binary debugger to patch an executable program.

The general anti-debugging techniques are as follows:

(1) to detect the existence of a debugger, and behave differently when a debugger is attached to the current process; and,
(2) to disrupt or crash a debugger.

The instruction we are trying to analyze is the "INT 2D" instruction located at 0x00413BD5 (as shown in Figure 1). By single-stepping the malware, you might notice that the program's entry point is 0x00413BC8. After the execution of the first 8 instructions, right before the "INT 2D" instruction, the value of EAX is 0x1. This is an important fact you should remember in the later analysis.
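Learning goal 3 above is patching the INT 2D out of the binary in a debugger. The following Python script, added here as an example and not part of the original post, does the same job offline: it scans a raw code blob for the two-byte encoding of INT 2D (CD 2D), reports where each one would sit in memory, and writes a patched copy with the instruction replaced by two NOPs so the length of the instruction stream does not change. The sample bytes are constructed: eight filler instructions arranged so that, with the blob mapped at the post's entry point 0x00413BC8, the INT 2D lands at 0x00413BD5; the image base and the filler are assumptions, not bytes taken from the ZeroAccess sample.

```python
# Added example (not code from the original post): locate and neutralise
# "INT 2D" (opcode bytes CD 2D) in a raw x86 code blob, the offline
# equivalent of patching the instruction by hand in a binary debugger.

INT2D = b"\xcd\x2d"   # x86 encoding of INT 0x2D
NOP2 = b"\x90\x90"    # two single-byte NOPs, same length as INT 2D

# Constructed sample (assumption, not bytes from the real sample):
# 8 instructions totalling 13 bytes, then INT 2D, then the byte that
# INT 2D would swallow on a debugger-free run, then RET.
SAMPLE = (
    b"\x60"                   # pushad
    b"\x31\xc0"               # xor eax, eax
    b"\x40"                   # inc eax      -> EAX = 1, as in the post
    b"\x90\x90\x90"           # nop x3
    b"\xbb\x01\x00\x00\x00"   # mov ebx, 1
    b"\x90"                   # nop          (8th instruction, offset 13 next)
    b"\xcd\x2d"               # int 2d       at entry + 0xD = 0x00413BD5
    b"\x40"                   # inc eax      (byte skipped by the INT 2D quirk)
    b"\xc3"                   # ret
)
ASSUMED_BASE = 0x00413BC8     # entry point named in the post, used as load base


def find_int2d(code: bytes, base: int = 0) -> list[int]:
    """Return base + offset for every CD 2D byte pair in code.

    This is a plain byte scan, not a disassembly, so a hit may also land on
    data or on the tail of a longer instruction; confirm each address in a
    debugger before patching.
    """
    hits = []
    pos = code.find(INT2D)
    while pos != -1:
        hits.append(base + pos)
        pos = code.find(INT2D, pos + 1)
    return hits


def patch_int2d(code: bytes, offsets: list[int]) -> bytes:
    """Return a copy of code with INT 2D at each file offset replaced by NOP NOP.

    Refuses to patch an offset that does not actually hold CD 2D, so a stale
    or mistyped offset cannot silently corrupt an unrelated instruction.
    """
    buf = bytearray(code)
    for off in offsets:
        if buf[off:off + 2] != INT2D:
            raise ValueError(f"no INT 2D at offset {off:#x}")
        buf[off:off + 2] = NOP2
    return bytes(buf)


def report(code: bytes, base: int) -> list[str]:
    """Human-readable lines, one per hit, with both file offset and address."""
    return [f"INT 2D at file offset {a - base:#06x} -> address {a:#010x}"
            for a in find_int2d(code, base)]


if __name__ == "__main__":
    for line in report(SAMPLE, ASSUMED_BASE):
        print(line)
    offsets = [a - ASSUMED_BASE for a in find_int2d(SAMPLE, ASSUMED_BASE)]
    patched = patch_int2d(SAMPLE, offsets)
    print("remaining INT 2D after patch:", len(find_int2d(patched)))
```

Because the replacement is exactly two bytes, every later offset in the section stays the same, which is what makes a NOP-out safe to apply to a file on disk rather than only in a live debugging session. The scan deliberately does not decode instructions; in a real sample, cross-check each reported address against the disassembly before trusting it.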

Author: Vitali Kremez
