Hmm, strange. This seems to be an issue with distorm3 decoding instructions
differently on different platforms. On OSX the hooks in both silentbanker
and zeus are fine, but as you noticed, neither shows up on Windows. For
example:
On OSX:

$ python
Python 2.6.1 (r261:67515, Jun 24 2010, 21:47:49)
[GCC 4.2.1 (Apple Inc. build 5646)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x1004e3c50>],
 'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [],
 'rawFlags': 1280, 'opcode': 83, 'address': 0L,
 'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'valid': True, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $
On Windows:

C:\volatility20>python
Python 2.6.5 (r265:79096, Mar 19 2010, 21:48:26) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x01850530>],
 'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [],
 'rawFlags': 1280, 'opcode': 462, 'address': 0L, 'unusedPrefixesMask': 0,
 'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'segment': 255, 'valid': True,
 'isSegmentDefault': False, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $
Given the same 5 bytes of input, running on OSX it computes opcode 83 and on
Windows it computes opcode 462. I have opened an issue with distorm3 which
you can track here:
http://code.google.com/p/distorm/issues/detail?id=25
In the meantime, if you want to fix this for yourself, change the following
line of malware.py:
http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py#1885
From:
- elif op.flowControl == 'FC_UNC_BRANCH' and op.opcode == 83 and op.size >
2:
+ elif op.flowControl == 'FC_UNC_BRANCH' and (op.opcode == 83 or op.opcode
== 462) and op.size > 2:
After hearing back from the distorm3 developer(s), I'll decide how to
proceed, but at least you can use that quick patch in the meantime if you're
running apihooks on Windows.
MHL
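The two decodes above agree on everything except the numeric opcode ID, which is exactly what the malware.py line compares. The following is an added example, not code from the thread or from malware.py, showing the fragile test next to a mnemonic-based one and the target computation apihooks needs for a 5-byte JMP rel32. distorm3 is not imported: the two `Inst` objects are constructed to carry the fields from the OSX and Windows `op.__dict__` dumps, and the module bounds passed to `hooked_outside_module` are made-up values.

```python
"""Added example (not part of the original thread or the malware.py plugin).

Contrasts the opcode-ID test from malware.py with a mnemonic-based one, and
decodes the 5-byte E9 rel32 JMP from the thread to its absolute target.
distorm3 is not used; `Inst` mirrors only the fields of distorm3.Decompose()
output that the check needs.
"""
import struct
from collections import namedtuple

# Subset of distorm3 instruction fields used by the apihooks check.
Inst = namedtuple("Inst", "mnemonic flowControl opcode size address instructionBytes")

# The bytes quoted in the thread, as decoded on each platform (constructed from
# the two __dict__ dumps; the opcode ID is the only field that differs).
HOOK_BYTES = b"\xe9\x91\xbf=\x8f"
OSX_OP = Inst("JMP", "FC_UNC_BRANCH", 83, 5, 0, HOOK_BYTES)
WIN_OP = Inst("JMP", "FC_UNC_BRANCH", 462, 5, 0, HOOK_BYTES)


def is_jmp_hook_by_opcode(op):
    """The original malware.py test: tied to a build-specific numeric ID."""
    return op.flowControl == "FC_UNC_BRANCH" and op.opcode == 83 and op.size > 2


def is_jmp_hook_by_mnemonic(op):
    """Portable form: the mnemonic string is the same on both platforms."""
    return op.flowControl == "FC_UNC_BRANCH" and op.mnemonic == "JMP" and op.size > 2


def rel32_target(inst_bytes, address):
    """Absolute 32-bit target of an E9 (JMP rel32) or E8 (CALL rel32)
    instruction located at `address`; None for anything else."""
    if len(inst_bytes) < 5 or inst_bytes[0] not in (0xE9, 0xE8):
        return None
    rel = struct.unpack("<i", inst_bytes[1:5])[0]  # signed displacement
    return (address + 5 + rel) & 0xFFFFFFFF         # relative to the next instruction


def hooked_outside_module(op, module_start, module_end):
    """True when the function's first instruction is an unconditional JMP whose
    target lies outside [module_start, module_end): the inline trampoline
    pattern apihooks reports."""
    if not is_jmp_hook_by_mnemonic(op):
        return False
    target = rel32_target(op.instructionBytes, op.address)
    return target is not None and not (module_start <= target < module_end)


if __name__ == "__main__":
    for name, op in (("OSX", OSX_OP), ("Windows", WIN_OP)):
        print("%s: by opcode=%s by mnemonic=%s target=0x%08x" % (
            name, is_jmp_hook_by_opcode(op), is_jmp_hook_by_mnemonic(op),
            rel32_target(op.instructionBytes, op.address)))
```

The opcode-ID test passes on the OSX object and fails on the Windows one, which is the silent miss reported for zeus and silentbanker; the mnemonic test passes on both, and the target arithmetic is what lets the plugin decide whether the jump leaves the hooked module.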
On Mon, Aug 15, 2011 at 6:53 AM, Michael Felber <MichaelFelber(a)gmx.net> wrote:
PS: The silent banker also stays invisible:

C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\silentbanker.vmem"
Volatile Systems Volatility Framework 2.0
Name                               Type   Target                 Value
Finished after 115.231999874 seconds

Regards
Michael

From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces(a)volatilityfoundation.org] On behalf of Michael Felber
Sent: Monday, 15 August 2011 12:48
To: 'Michael Hale Ligh'
Cc: vol-users(a)volatilityfoundation.org
Subject: [Vol-users] Finding API-Hooks

Hey Michael,

trying to list the hooked API calls in the zeus.vmem image according to page 666 of your "Cookbook" with Volatility 2.0 and malware.py r97, I get the following result only:

C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\zeus.vmem"
Volatile Systems Volatility Framework 2.0
Name                               Type   Target                 Value
wuauclt.exe[468]@wuaueng.dll       iat    sfc.dll!*invalid* 0x0  0x76c69828 (sfc_os.dll)
Finished after 383.752000093 seconds

Did I miss something, or should I use an older version of Volatility and the malware plugin?

Kindest regards

Michael