Hmm, strange. This seems to be an issue with distorm3 decoding instructions differently on different platforms. On OSX the hooks in both silentbanker and zeus are fine, but as you noticed, neither shows up on Windows. For example:

On OSX:

$ python
Python 2.6.1 (r261:67515, Jun 24 2010, 21:47:49)
[GCC 4.2.1 (Apple Inc. build 5646)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x1004e3c50>], 'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [], 'rawFlags': 1280, 'opcode': 83, 'address': 0L, 'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'valid': True, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $

On Windows:

C:\volatility20>python
Python 2.6.5 (r265:79096, Mar 19 2010, 21:48:26) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x01850530>], 'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [], 'rawFlags': 1280, 'opcode': 462, 'address': 0L, 'unusedPrefixesMask': 0, 'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'segment': 255, 'valid': True, 'isSegmentDefault': False, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $

Given the same 5 bytes of input, running on OSX it computes opcode 83 and on Windows it computes opcode 462. I have opened an issue with distorm3 which you can track here:

http://code.google.com/p/distorm/issues/detail?id=25

In the meantime, if you want to fix this for yourself, change the following line of malware.py:

http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py#1885

From:

-  elif op.flowControl == 'FC_UNC_BRANCH' and op.opcode == 83 and op.size > 2:
+ elif op.flowControl == 'FC_UNC_BRANCH' and (op.opcode == 83 or op.opcode == 462) and op.size > 2:
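Review bot: adding a second hardcoded opcode ID (462) pins the check to whichever distorm3 build produced that number, and the next build can move it again; both transcripts above decode the same bytes as 'mnemonic': 'JMP' even though 'opcode' differs (83 vs 462), so comparing the mnemonic string is the stable test. Suggest `elif op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic == 'JMP' and op.size > 2:` in place of the opcode comparison.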

After hearing back from the distorm3 developer(s), I'll decide how to proceed, but at least you can use that quick patch in the meantime if you're running apihooks on Windows.

MHL
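The fragile part of the check above is that it keys on distorm3's numeric opcode ID, which the two transcripts show is not stable across builds. As an added example (not code from this thread, from Volatility, or from malware.py, and not using distorm3 at all), the Python 3 script below decodes just the handful of 32-bit x86 control-transfer forms an API-hook scanner cares about, keys on the mnemonic, and flags a function whose first instruction lands outside the module that exports it. The module names, address ranges, pointer slot and prologue bytes are constructed for the demo and the function names are hypothetical; the one input taken from the page is the five bytes from the transcripts above, which decode to a JMP regardless of platform.

```python
import struct
from collections import namedtuple

# mnemonic: text name (stable across builds, unlike a numeric opcode ID)
# size:     instruction length in bytes
# target:   absolute control-transfer target, or None if not a resolvable branch
Insn = namedtuple("Insn", "mnemonic size target")

MASK32 = 0xFFFFFFFF


def decode_branch(address, data, read_dword=None):
    """Decode the first instruction of `data` (bytes located at virtual address
    `address`) if it is one of the control-transfer forms hook detectors look for.
    `read_dword(addr)` resolves an indirect JMP through a pointer slot (the IAT
    case); any other byte sequence decodes as UNKNOWN with size 1."""
    if not data:
        raise ValueError("no bytes to decode")
    op = data[0]
    if op == 0xE9 and len(data) >= 5:                      # JMP rel32
        rel = struct.unpack_from("<i", data, 1)[0]
        return Insn("JMP", 5, (address + 5 + rel) & MASK32)
    if op == 0xEB and len(data) >= 2:                      # JMP rel8
        rel = struct.unpack_from("<b", data, 1)[0]
        return Insn("JMP", 2, (address + 2 + rel) & MASK32)
    if op == 0xE8 and len(data) >= 5:                      # CALL rel32
        rel = struct.unpack_from("<i", data, 1)[0]
        return Insn("CALL", 5, (address + 5 + rel) & MASK32)
    if op == 0xFF and len(data) >= 6 and data[1] == 0x25:  # JMP dword ptr [disp32]
        slot = struct.unpack_from("<I", data, 2)[0]
        return Insn("JMP", 6, read_dword(slot) if read_dword else None)
    if op == 0x68 and len(data) >= 6 and data[5] == 0xC3:  # PUSH imm32 ; RET
        return Insn("PUSH_RET", 6, struct.unpack_from("<I", data, 1)[0])
    return Insn("UNKNOWN", 1, None)


def owner_of(address, modules):
    """Name of the module whose [base, end) range contains `address`, else None."""
    for name, (base, end) in modules.items():
        if base <= address < end:
            return name
    return None


def find_hooks(functions, modules, read_dword=None):
    """functions: iterable of (exported name, address, prologue bytes).
    A function is reported when its first instruction transfers control to an
    address outside the module that exports it, the classic inline/IAT hook
    signature.  Returns a list of (name, mnemonic, target, destination module)."""
    hooks = []
    for name, addr, prologue in functions:
        insn = decode_branch(addr, prologue, read_dword)
        if insn.target is None:
            continue
        if owner_of(insn.target, modules) != owner_of(addr, modules):
            hooks.append((name, insn.mnemonic, insn.target, owner_of(insn.target, modules)))
    return hooks


def rel32(src, dst, size=5):
    """Encode the rel32 displacement for a `size`-byte branch at src reaching dst."""
    return struct.pack("<i", dst - (src + size))


# Constructed sample data: two hypothetical modules, one hijacked pointer slot
# and five function prologues (names and addresses are invented for the demo).
MODULES = {
    "target.dll":   (0x7C900000, 0x7C9B0000),
    "injected.dll": (0x10000000, 0x10020000),
}
POINTER_SLOTS = {0x7C90A000: 0x10002000}   # slot now points into injected.dll
FUNCTIONS = [
    # inline hook: JMP rel32 straight into injected.dll
    ("target.dll!Foo",  0x7C901234, b"\xe9" + rel32(0x7C901234, 0x10001000)),
    # clean prologue: mov edi,edi ; push ebp ; mov ebp,esp
    ("target.dll!Bar",  0x7C902000, b"\x8b\xff\x55\x8b\xec"),
    # short jump that stays inside the module (hotpatch-style stub), not a hook
    ("target.dll!Baz",  0x7C903000, b"\xeb\x05\x90\x90\x90\x90\x90"),
    # indirect jump through the hijacked pointer slot
    ("target.dll!Qux",  0x7C904000, b"\xff\x25" + struct.pack("<I", 0x7C90A000)),
    # push/ret trampoline into injected.dll
    ("target.dll!Quux", 0x7C905000, b"\x68" + struct.pack("<I", 0x10003000) + b"\xc3"),
]


def demo():
    return find_hooks(FUNCTIONS, MODULES, POINTER_SLOTS.get)


if __name__ == "__main__":
    for name, mnem, target, dest in demo():
        print("%-18s %-8s 0x%08x (%s)" % (name, mnem, target, dest))
```

Running it reports Foo, Qux and Quux and stays quiet on Bar and Baz; the short jump in Baz shows why the module check matters more than the branch itself, since compiler-emitted stubs jump too, just not out of their own module. The decoder deliberately resolves the indirect form through a caller-supplied `read_dword` so the same logic works over a memory image, where the pointer slot has to be read from the dump.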

On Mon, Aug 15, 2011 at 6:53 AM, Michael Felber <MichaelFelber@gmx.net> wrote:

PS: The silent banker also stays invisible:

C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\silentbanker.vmem"
Volatile Systems Volatility Framework 2.0
Name                             Type     Target                                   Value
Finished after 115.231999874 seconds

Regards

Michael

From: vol-users-bounces@volatilityfoundation.org [mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of Michael Felber
Sent: Monday, 15 August 2011 12:48
To: 'Michael Hale Ligh'
Cc: vol-users@volatilityfoundation.org
Subject: [Vol-users] Finding API-Hooks

Hey Michael,

trying to list the hooked API calls in the zeus.vmem image according to page 666 of your “Cookbook” with Volatility 2.0 and malware.py r97, I get the following result only:

C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\zeus.vmem"
Volatile Systems Volatility Framework 2.0
Name                             Type     Target                                   Value
wuauclt.exe[468]@wuaueng.dll     iat      sfc.dll!*invalid*                        0x0 0x76c69828 (sfc_os.dll)
Finished after 383.752000093 seconds

Did I miss something or should I use an older version of Volatility and the malware-Plugin?

Kindest regards

Michael