After setting the attributes of the newly created file as described in my previous post, our current process is opened with OpenProcess(SYNCHRONIZE, TRUE, PID).
The returned handle to our own process is then used to build a string with the following format:
'FULL_PATH_OF_THE_NEW_FILE HANDLE "FULL_PATH_OF_THE_ORIGINAL_FILE"'
Note, however, that HANDLE is written in decimal, not in hexadecimal.
The next operation is a call to CreateProcess, as shown in the following snippet:
CreateProcess(
    'C:\WINDOWS\System32\vycqfmq.exe',                                  // lpApplicationName
    'C:\WINDOWS\System32\vycqfmq.exe 324 "path_to\…\malware.exe"',     // lpCommandLine
    NULL,                                                               // lpProcessAttributes
    NULL,                                                               // lpThreadAttributes
    TRUE,                                                               // bInheritHandles
    0x28,                                                               // dwCreationFlags (see note below)
    NULL,                                                               // lpEnvironment
    "C:\WINDOWS\System32",                                              // lpCurrentDirectory
    startupInfoStruct_ptr,                                              // lpStartupInfo
    processInformationStruct_ptr                                        // lpProcessInformation
)
A note on the creation flags: of all the bits set in 0x28, the only one that coincides with a predefined creation flag is the fourth bit, DETACHED_PROCESS, so I'm guessing that 0x28 is equivalent to 0x8 (DETACHED_PROCESS).
These are the values in the STARTUPINFO structure pointed to by startupInfoStruct_ptr:
cb               44h
lpReserved       0
lpDesktop        0
lpTitle          offset word_444962
dwX              0
dwY              0
dwXSize          0
dwYSize          0
dwXCountChars    0
dwYCountChars    0
dwFillAttribute  0
dwFlags          1
wShowWindow      0
cbReserved2      0
lpReserved2      0
hStdInput        0
hStdOutput       0
hStdError        0
word_444962 holds 0 as well, so apart from cb (the structure size, 44h) the only member set to a non-zero value is dwFlags, which holds STARTF_USESHOWWINDOW and thereby indicates that the wShowWindow member is valid.
So, we have a new process that:
1) will be named as indicated by the first argument of CreateProcess
2) has its command line set according to the second argument of CreateProcess
3) will inherit the handles of the parent
4) will not be suspended upon its creation
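As an added example (not code from the original post), here is a small Python check a defender could run over process-creation records to spot the handoff described above: a child in System32 whose command line consists of its own path, a decimal handle value and the quoted path of its parent. The ProcEvent fields and every sample value are constructed for this example.

```python
import re
from dataclasses import dataclass

# Command-line shape described above: NEW_FILE HANDLE "ORIGINAL_FILE",
# with HANDLE in decimal (a hex "0x..." value does not match \d+).
CMDLINE_RE = re.compile(
    r'^"?(?P<image>[^"]+?\.exe)"?\s+(?P<handle>\d+)\s+"(?P<orig>[^"]+)"\s*$',
    re.IGNORECASE)

@dataclass
class ProcEvent:
    image: str          # full path of the new process image
    cmdline: str        # its command line
    parent_image: str   # full path of the creating process' image

def match_handoff(ev):
    """Return a finding dict for the dropper/child handoff pattern, else None."""
    m = CMDLINE_RE.match(ev.cmdline)
    if not m:
        return None
    handle, reasons = int(m.group("handle")), []
    # user-mode handle values are multiples of 4 (the low two bits are
    # unused), so 324 (0x144) is plausible while 325 would not be
    if handle % 4 == 0:
        reasons.append("decimal handle-like argument")
    if m.group("image").lower() == ev.image.lower():
        reasons.append("argv[0] is the child's own image")
    if m.group("orig").lower() == ev.parent_image.lower():
        reasons.append("quoted path is the parent's own image")
    if ev.image.lower().startswith("c:\\windows\\system32\\"):
        reasons.append("child image lives in System32")
    if len(reasons) < 3:  # demand a combination, not one weak hint
        return None
    return {"image": ev.image, "handle": handle, "reasons": reasons}

def scan(events):
    return [f for f in map(match_handoff, events) if f]  # findings only

# Constructed sample records: the first mirrors the post, the others are benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\WINDOWS\System32\vycqfmq.exe",
              r'C:\WINDOWS\System32\vycqfmq.exe 324 "C:\lab\sample.exe"',
              r"C:\lab\sample.exe"),
    ProcEvent(r"C:\WINDOWS\System32\notepad.exe",
              r'C:\WINDOWS\System32\notepad.exe "C:\lab\notes.txt"',
              r"C:\WINDOWS\explorer.exe"),
    ProcEvent(r"C:\Tools\updater.exe",
              r'C:\Tools\updater.exe 0x144 "C:\Tools\app.exe"',
              r"C:\Tools\app.exe"),
]
```

Running scan(SAMPLE_EVENTS) reports only the first record, with handle 324 and all four reasons; the hex-style handle in the third record is deliberately left unmatched.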
After the call to CreateProcess, if it was successful, our program sleeps for 0C8h (200) milliseconds, closes its handles, cleans up Winsock and terminates:
seg028:00402A07 call CreateProcessA
seg028:00402A0D test eax, eax
seg028:00402A0F jz short loc_402A39
seg028:00402A11 push 0C8h
seg028:00402A16 call Sleep
seg028:00402A1C push [ebp+processInformation]
seg028:00402A1F mov esi, CloseHandle
seg028:00402A25 call esi ; kernel32_CloseHandle
seg028:00402A27 push [ebp+var_18]
seg028:00402A2A call esi ; kernel32_CloseHandle
seg028:00402A2C call dynamicWSACleanup
seg028:00402A32 push ebx
seg028:00402A33
seg028:00402A33 loc_402A33:
seg028:00402A33 call ExitProcess
So, how do we debug the newly created process? We cannot patch the bytes at the entry point to 0xEBFE (a jump to itself), since, as we've seen previously, the entry point of this program is the beginning of the header, and the bytes there must be 0x4D5A ('MZ'). I will try setting the next two bytes to 0xEBFE and see where I can go from there.