Hello again,

the patch seems to work fine:

C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\silentbanker.vmem"

Volatile Systems Volatility Framework 2.0

Name                             Type     Target                                   Value

IEXPLORE.EXE[1884]               inline   ws2_32.dll!connect[0x71ab406aL]          0x71ab406a JMP 0xe90000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   ws2_32.dll!send[0x71ab428aL]             0x71ab428a JMP 0xe70000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   user32.dll!DispatchMessageA[0x77d4bcbdL] 0x77d4bcbd JMP 0x10e0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   user32.dll!DispatchMessageW[0x77d489d9L] 0x77d489d9 JMP 0x1100000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   user32.dll!GetClipboardData[0x77d6fcb2L] 0x77d6fcb2 JMP 0x10c0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!CommitUrlCacheEntryA[0x771b5319L] 0x771b5319 JMP 0x1080000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!CommitUrlCacheEntryW[0x7721f23bL] 0x7721f23b JMP 0x10a0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!HttpAddRequestHeadersA[0x771c54caL] 0x771c54ca JMP 0xf90000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!HttpAddRequestHeadersW[0x771d5e41L] 0x771d5e41 JMP 0xfb0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!HttpOpenRequestA[0x771c4ac5L] 0x771c4ac5 JMP 0xf10000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!HttpOpenRequestW[0x771d6345L] 0x771d6345 JMP 0xf30000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!HttpSendRequestA[0x771c76b8L] 0x771c76b8 JMP 0xf50000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!HttpSendRequestW[0x77211808L] 0x77211808 JMP 0xf70000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!InternetErrorDlg[0x7722bc5dL] 0x7722bc5d JMP 0x1060000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!InternetQueryDataAvailable[0x771d325fL] 0x771d325f JMP 0x1030000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!InternetReadFile[0x771c9555L] 0x771c9555 JMP 0x1010000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!InternetReadFileExA[0x771f7e9aL] 0x771f7e9a JMP 0xfd0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!InternetReadFileExW[0x771f88d6L] 0x771f88d6 JMP 0xff0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!InternetWriteFileExA[0x771f88d6L] 0x771f88d6 JMP 0xff0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   wininet.dll!InternetWriteFileExW[0x771f88d6L] 0x771f88d6 JMP 0xff0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   advapi32.dll!CryptDeriveKey[0x77dea685L] 0x77dea685 JMP 0xeb0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   advapi32.dll!CryptGenKey[0x77e114b1L]    0x77e114b1 JMP 0xef0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   advapi32.dll!CryptImportKey[0x77dea879L] 0x77dea879 JMP 0xed0000 (UNKNOWN)

IEXPLORE.EXE[1884]               inline   kernel32.dll!ExitProcess[0x7c81caa2L]    0x7c81caa2 JMP 0xe50000 (UNKNOWN)

Finished after 113.810000181 seconds

This is what I expected to see. Thank you very much!

Regards

Michael

Von: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Gesendet: Montag, 15. August 2011 15:41
An: Michael Felber
Cc: vol-users@volatilityfoundation.org
Betreff: Re: [Vol-users] Finding API-Hooks

Hmm, strange. This seems to be an issue with distorm3 decoding instructions differently on different platforms. On OSX the hooks in both silentbanker and zeus are fine, but as you noticed - neither show up on Windows. For example:

On OSX:

$ python
Python 2.6.1 (r261:67515, Jun 24 2010, 21:47:49)
[GCC 4.2.1 (Apple Inc. build 5646)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x1004e3c50>], 'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [], 'rawFlags': 1280, 'opcode': 83, 'address': 0L, 'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'valid': True, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $

On Windows:

C:\volatility20>python
Python 2.6.5 (r265:79096, Mar 19 2010, 21:48:26) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x01850530>], 'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [], 'rawFlags': 1280, 'opcode': 462, 'address': 0L, 'unusedPrefixesMask': 0, 'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'segment': 255, 'valid': True, 'isSegmentDefault': False, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $

Given the same 5 bytes of input, running on OSX it computes opcode 83 and on Windows it computes opcode 462. I have opened an issue with distorm3 which you can track here:

http://code.google.com/p/distorm/issues/detail?id=25

In the meantime, if you want to fix this for yourself, change the following line of malware.py:

http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py#1885

From:

-  elif op.flowControl == 'FC_UNC_BRANCH' and op.opcode == 83 and op.size > 2:
+ elif op.flowControl == 'FC_UNC_BRANCH' and (op.opcode == 83 or op.opcode == 462) and op.size > 2:

After hearing back from the distorm3 developer(s), I'll decide how to proceed, but at least you can use that quick patch in the meantime if you're running apihooks on Windows.

MHL