Excellent, glad it works.
Based on the distorm3 dev's suggestion (see their updated ticket), I used
the mnemonic opcode (i.e. "CALL") instead of opcode values.
Thanks,
MHL
On Mon, Aug 15, 2011 at 10:07 AM, Michael Felber <MichaelFelber(a)gmx.net> wrote:
Hello again,

The patch seems to work fine:

C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\silentbanker.vmem"
Volatile Systems Volatility Framework 2.0
Name                Type    Target                                               Value
IEXPLORE.EXE[1884]  inline  ws2_32.dll!connect[0x71ab406aL]                      0x71ab406a JMP 0xe90000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  ws2_32.dll!send[0x71ab428aL]                         0x71ab428a JMP 0xe70000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  user32.dll!DispatchMessageA[0x77d4bcbdL]             0x77d4bcbd JMP 0x10e0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  user32.dll!DispatchMessageW[0x77d489d9L]             0x77d489d9 JMP 0x1100000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  user32.dll!GetClipboardData[0x77d6fcb2L]             0x77d6fcb2 JMP 0x10c0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!CommitUrlCacheEntryA[0x771b5319L]        0x771b5319 JMP 0x1080000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!CommitUrlCacheEntryW[0x7721f23bL]        0x7721f23b JMP 0x10a0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!HttpAddRequestHeadersA[0x771c54caL]      0x771c54ca JMP 0xf90000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!HttpAddRequestHeadersW[0x771d5e41L]      0x771d5e41 JMP 0xfb0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!HttpOpenRequestA[0x771c4ac5L]            0x771c4ac5 JMP 0xf10000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!HttpOpenRequestW[0x771d6345L]            0x771d6345 JMP 0xf30000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!HttpSendRequestA[0x771c76b8L]            0x771c76b8 JMP 0xf50000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!HttpSendRequestW[0x77211808L]            0x77211808 JMP 0xf70000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!InternetErrorDlg[0x7722bc5dL]            0x7722bc5d JMP 0x1060000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!InternetQueryDataAvailable[0x771d325fL]  0x771d325f JMP 0x1030000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!InternetReadFile[0x771c9555L]            0x771c9555 JMP 0x1010000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!InternetReadFileExA[0x771f7e9aL]         0x771f7e9a JMP 0xfd0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!InternetReadFileExW[0x771f88d6L]         0x771f88d6 JMP 0xff0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!InternetWriteFileExA[0x771f88d6L]        0x771f88d6 JMP 0xff0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  wininet.dll!InternetWriteFileExW[0x771f88d6L]        0x771f88d6 JMP 0xff0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  advapi32.dll!CryptDeriveKey[0x77dea685L]             0x77dea685 JMP 0xeb0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  advapi32.dll!CryptGenKey[0x77e114b1L]                0x77e114b1 JMP 0xef0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  advapi32.dll!CryptImportKey[0x77dea879L]             0x77dea879 JMP 0xed0000 (UNKNOWN)
IEXPLORE.EXE[1884]  inline  kernel32.dll!ExitProcess[0x7c81caa2L]                0x7c81caa2 JMP 0xe50000 (UNKNOWN)
Finished after 113.810000181 seconds

This is what I expected to see. Thank you very much!

Regards
Michael
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Monday, 15 August 2011 15:41
To: Michael Felber
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Finding API-Hooks

Hmm, strange. This seems to be an issue with distorm3 decoding instructions
differently on different platforms. On OSX the hooks in both silentbanker
and zeus are fine, but as you noticed - neither show up on Windows. For
example:
On OSX:

$ python
Python 2.6.1 (r261:67515, Jun 24 2010, 21:47:49)
[GCC 4.2.1 (Apple Inc. build 5646)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x1004e3c50>], 'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [], 'rawFlags': 1280, 'opcode': 83, 'address': 0L, 'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'valid': True, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $

On Windows:

C:\volatility20>python
Python 2.6.5 (r265:79096, Mar 19 2010, 21:48:26) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x01850530>], 'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [], 'rawFlags': 1280, 'opcode': 462, 'address': 0L, 'unusedPrefixesMask': 0, 'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'segment': 255, 'valid': True, 'isSegmentDefault': False, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $
Given the same 5 bytes of input, running on OSX it computes opcode 83 and
on Windows it computes opcode 462. I have opened an issue with distorm3
which you can track here:
http://code.google.com/p/distorm/issues/detail?id=25
In the meantime, if you want to fix this for yourself, change the following
line of malware.py:
http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py#1885
From:
- elif op.flowControl == 'FC_UNC_BRANCH' and op.opcode == 83 and op.size >
2:
+ elif op.flowControl == 'FC_UNC_BRANCH' and (op.opcode == 83 or op.opcode
== 462) and op.size > 2:
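Review bot: the `+` line still keys the check on numeric `op.opcode` values (83 or 462), which the two interpreter sessions above show are build-dependent distorm3 internals rather than a stable contract, so a third platform or a later distorm3 release could silently stop reporting hooks again. Compare the symbolic fields instead, e.g. `elif op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic == 'JMP' and op.size > 2:`, which is the mnemonic-based approach the top of this thread reports adopting after the distorm3 developer's suggestion.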
After hearing back from the distorm3 developer(s), I'll decide how to
proceed, but at least you can use that quick patch in the meantime if you're
running apihooks on Windows.
MHL
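To make the decoding issue concrete, here is an added example (not code from Volatility, malware.py or this thread) of the inline-hook check keyed on the symbolic mnemonic/flowControl fields rather than on a numeric opcode. It does not import distorm3; `decode_branch` is an assumed stand-in that understands only the E9/EB JMP encodings, and `MODULES` is a constructed module map chosen so the page's own 5 hook bytes at connect's address resolve to the `JMP 0xe90000 (UNKNOWN)` line from the silentbanker output.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed sample module map (name -> [base, end)); ws2_32.dll's range is
# chosen so the page's connect address 0x71ab406a falls inside it.
MODULES: Dict[str, Tuple[int, int]] = {
    "ws2_32.dll": (0x71AB0000, 0x71AC0000),
    "kernel32.dll": (0x7C800000, 0x7C900000),
}


def decode_branch(addr: int, code: bytes) -> Optional[dict]:
    """Stand-in for distorm3.Decompose that only knows the two unconditional
    JMP encodings relevant here (E9 rel32, EB rel8). It returns the symbolic
    fields apihooks should key on; there is deliberately no numeric 'opcode'."""
    if len(code) >= 5 and code[0] == 0xE9:            # JMP rel32
        rel = struct.unpack("<i", code[1:5])[0]         # signed displacement
        return {"mnemonic": "JMP", "flowControl": "FC_UNC_BRANCH",
                "size": 5, "target": (addr + 5 + rel) & 0xFFFFFFFF}
    if len(code) >= 2 and code[0] == 0xEB:            # JMP rel8 (short)
        rel = struct.unpack("<b", code[1:2])[0]
        return {"mnemonic": "JMP", "flowControl": "FC_UNC_BRANCH",
                "size": 2, "target": (addr + 2 + rel) & 0xFFFFFFFF}
    return None                                       # not a branch we model


def owner(addr: int) -> str:
    """Name the module containing addr, or UNKNOWN as apihooks prints it."""
    for name, (base, end) in MODULES.items():
        if base <= addr < end:
            return name
    return "UNKNOWN"


def check_inline_hook(module: str, func: str, addr: int, code: bytes) -> Optional[str]:
    """Return an apihooks-style line if the prologue at addr starts with a
    JMP that leaves its own module, else None."""
    op = decode_branch(addr, code)
    # Same shape as the thread's condition, but on mnemonic instead of opcode.
    if (op is None or op["flowControl"] != "FC_UNC_BRANCH"
            or op["mnemonic"] != "JMP" or op["size"] <= 2):
        return None
    dest = op["target"]
    if owner(dest) == module:        # intra-module jump: not treated as a hook
        return None
    return "%s!%s[0x%x] %s 0x%x (%s)" % (module, func, addr, op["mnemonic"], dest, owner(dest))


if __name__ == "__main__":
    # The page's 5 hook bytes at connect's address: JMP 0xe90000 (UNKNOWN).
    print(check_inline_hook("ws2_32.dll", "connect", 0x71AB406A, b"\xe9\x91\xbf=\x8f"))
```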
On Mon, Aug 15, 2011 at 6:53 AM, Michael Felber <MichaelFelber(a)gmx.net> wrote:
PS: The silent banker also stays invisible:

C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\silentbanker.vmem"
Volatile Systems Volatility Framework 2.0
Name                Type    Target                                               Value
Finished after 115.231999874 seconds

Regards
Michael

From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces(a)volatilityfoundation.org] On behalf of Michael Felber
Sent: Monday, 15 August 2011 12:48
To: 'Michael Hale Ligh'
Cc: vol-users(a)volatilityfoundation.org
Subject: [Vol-users] Finding API-Hooks

Hey Michael,

Trying to list the hooked API calls in the zeus.vmem image according to page 666 of your "Cookbook" with Volatility 2.0 and malware.py r97, I get only the following result:

C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\zeus.vmem"
Volatile Systems Volatility Framework 2.0
Name                            Type    Target               Value
wuauclt.exe[468]@wuaueng.dll    iat     sfc.dll!*invalid*    0x0 0x76c69828 (sfc_os.dll)
Finished after 383.752000093 seconds

Did I miss something, or should I use an older version of Volatility and the malware plugin?

Kindest regards

Michael