Source: fumalwareanalysis OllyDBG Cheat Sheet:
Change the EIP instruction in Immunity Debugger: From a Python Shell >>> imm = immlib.Debugger() >>> imm.setReg('EIP',int("hex value",16)) F9 (continue) is often used to continue from a breakpoint. Notice that the debugger automatically handles a lot of exceptions for you. If you want to intercept all exceptions, you should use SHIFT+F9 Goal: The objective today is to analyze the code snippet from 0x413BC8 to 0x413BD8. Answer the following questions. We will post the solution to these questions in the comments area. Q1. What is the value of EAX at 0x413BD5 (right before int 2d is executed)? The value of EAX is 00000001 at the memory location. Q2. Is the instruction "RET" at 0x413BD7 ever executed? No, EAX is an interrupt instruction; it skips the RET function. Q3. If you change the value of EAX to 0 (at 0x413BD5), does it make any difference for Q2? Yes. It makes its way to the RET function. Q4. Can you change the value of EIP at 0x413BD5 so that the int 2d instruction is skipped? Yes. Done in Immunity Debugger via ImmLib Python script. Q5. Modify the int 2d instruction at (0x413BD7) to "NOP" (no operations) and save the file as "max2[.]exe". Execute max2[.]exe. Do you observe any difference of the malware behavior? The sample does not run without the INT 2D function. ===============================================
Tools: SysAnalyzer, OllyDBG Hash: D8F6566C5F9CAA795204A40B3AAAAFA2 Here is the port information: Port PID Type Path -------------------------------------------------- 3162 3336 TCP C:\Documents and Settings\Administrator\Desktop\Max++ downloader install_2010.ex_ Queried the following DNS: intensedive[.]com Here are the relevant Kernel32 Api log calls: ------------------------------------------------- 76d657ff CreateFileA(\\.\Ip) 1b977e RegOpenKeyExA (HKLM\software\komodia) 5ad7a0e2 IsDebuggerPresent() 71aa17d6 GlobalAlloc() 18238d connect( 85.17.239.212:80 ) 7c812a54 CreateRemoteThread(h=ffffffff, start=7c927ebb) -------------------------------------------------- Modified the following file: C:\WINDOWS\system32\config\system.LOG
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |