One of the pieces used by the Purple Haze malware is its driver (c:\WINDOWS\Temp\2.tmp), loaded through the NtLoadDriver API. It can't be loaded directly into IDA for analysis, because it contains a layer of protection. One way to bypass it is to use a good anti-rootkit tool, e.g. xuetr, and dump the malicious kernel driver from memory after it has been loaded and decrypted. Since this may not work every time, it is sometimes better to control the execution flow through windbg right from DriverEntry via the well-known IopLoadDriver xxx trick. Using windbg has many advantages: we can dump physical memory whenever we wish, poke around the code and map findings to IDA as we go along, watch the decryption in action, and prevent any action the driver may take to wipe the contents of memory or detect debuggers. In this particular case xuetr worked, and dumping the driver directly from memory is a piece of cake; after fixing the section alignments we can finally load it into IDA. Btw. if you use IDA's built-in VOLUME_DISK_EXTENTS structure, you need to fix it, as it doesn't take into account the 8-byte alignment of the data: structure members are placed at incorrect offsets (this is not obvious, and the original MS headers don't mention it explicitly either, so it can be a bit misleading).

Now we can open the C:\exports.txt file and observe what was written to it. Some of its contents are shown in the picture below. Notice that the dump first presents the DLL file we're dumping the function names from, and also lists the number of functions, which is 1316 in our case. Next come the ordinals, names and relative virtual addresses at which the functions can be accessed. The problem with this is that only some of the functions are actually exported; others are hidden and cannot be called directly by a program. If we open the MSDN URL (v=vs.85).aspx we can stumble upon the NtOpenFile function, which is part of the ntdll.dll library but isn't exported by it. Let's dump all the entries from the C:\exports.txt file whose names start with NtOpen. In the picture below we can see all of the names that start with NtOpen, and the NtOpenFile function is among the listed functions.
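To make the "dump all entries whose names start with NtOpen" step reproducible without the screenshot, here is an added Python example that is not from the original post: it parses the table that `dumpbin /exports` writes (the ordinal / hint / RVA / name rows that the text describes) and filters it by name prefix. The dumpbin output embedded in the block is constructed for illustration: the column layout follows dumpbin's real format, but the rows, hints and RVAs are made up and heavily abridged, with the function count set to 1316 to match the text.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of `dumpbin /exports ntdll.dll` output. The column layout
# (ordinal, hint, RVA, name) follows dumpbin's real table; the rows, hints and
# RVAs are made up and heavily abridged. The count is set to 1316 to match the
# text; a real listing has that many rows.
SAMPLE_DUMPBIN_OUTPUT = """\
Dump of file C:\\Windows\\System32\\ntdll.dll

File Type: DLL

  Section contains the following exports for ntdll.dll

    00000000 characteristics
    4A5BDB4D time date stamp
        0.00 version
           8 ordinal base
        1316 number of functions
        1316 number of names

    ordinal hint RVA      name

          8    0 0005C5A0 A_SHAFinal
          9    1 0005C5C0 A_SHAInit
        256   F8 000B1120 NtOpenDirectoryObject
        257   F9 000B1130 NtOpenEvent
        258   FA 000B1140 NtOpenFile
        259   FB 000B1150 NtOpenKey
        300  124 000B1400 NtQueryInformationFile
        640  280 000C0000 RtlAllocateHeap

  Summary

        1000 .data
"""


class Export(NamedTuple):
    ordinal: int
    hint: int   # dumpbin prints the hint in hex
    rva: int    # relative virtual address of the function
    name: str


# One table row: decimal ordinal, hex hint, 8-digit hex RVA, then the name.
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\S+)")
COUNT_RE = re.compile(r"^\s*(\d+)\s+number of functions", re.MULTILINE)


def parse_exports(text: str) -> List[Export]:
    """Return the rows of the export table in the order dumpbin printed them."""
    rows: List[Export] = []
    in_table = False
    for line in text.splitlines():
        # The table starts after the "ordinal hint RVA name" header line
        # and ends at the "Summary" block that dumpbin appends.
        if line.split() == ["ordinal", "hint", "RVA", "name"]:
            in_table = True
            continue
        if line.strip() == "Summary":
            break
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(Export(int(m[1]), int(m[2], 16), int(m[3], 16), m[4]))
    return rows


def declared_function_count(text: str) -> Optional[int]:
    """The 'number of functions' value printed above the table, if present."""
    m = COUNT_RE.search(text)
    return int(m[1]) if m else None


def exports_with_prefix(text: str, prefix: str) -> List[Export]:
    """All exported entries whose name starts with `prefix` (e.g. 'NtOpen')."""
    return [e for e in parse_exports(text) if e.name.startswith(prefix)]


def is_exported(text: str, name: str) -> bool:
    """True if `name` is in the export table, i.e. resolvable by GetProcAddress."""
    return any(e.name == name for e in parse_exports(text))


if __name__ == "__main__":
    print("declared functions:", declared_function_count(SAMPLE_DUMPBIN_OUTPUT))
    for e in exports_with_prefix(SAMPLE_DUMPBIN_OUTPUT, "NtOpen"):
        print(f"{e.ordinal:6d} {e.rva:08X} {e.name}")
```

On a real listing, pipe `dumpbin /exports ntdll.dll` into a file and pass its contents in place of the constructed sample. `is_exported` is the quick way to settle the "exported or hidden" question the text raises: a routine that is absent from this table cannot be resolved by name through the normal loader path, which is why such names deserve a second look when reviewing what a module or a hook actually reaches.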
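The "fixing the section alignments" step for a driver dumped from memory, as an added Python example that is not part of the original write-up. An image dumped from memory is already laid out by VirtualAddress, while its section headers still carry the on-disk PointerToRawData and SizeOfRawData, so a disassembler maps RVAs to the wrong file offsets. The usual fix, which is what this block does, is to set each section's raw pointer and raw size to its virtual address and virtual size and to make FileAlignment equal to SectionAlignment. The image it operates on is a constructed toy PE32 with two sections, built inline so the block runs offline; it is not the Purple Haze driver.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR_FMT = "<8sIIIIIIHHI"
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)


def _headers(image):
    """Return (optional header offset, section table offset, section count)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                     # IMAGE_FILE_HEADER is 20 bytes
    return opt, opt + opt_size, num_sections


def read_sections(image):
    """Decode the section table into dicts (name, vsize, va, rawsize, rawptr)."""
    _, table, n = _headers(image)
    out = []
    for i in range(n):
        f = struct.unpack_from(SECTION_HDR_FMT, image, table + i * SECTION_HDR_SIZE)
        out.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                    "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return out


def fix_memory_dump(image: bytes) -> bytes:
    """Rewrite the headers of a memory-dumped image so file layout == virtual layout."""
    buf = bytearray(image)
    opt, table, n = _headers(buf)
    section_align = struct.unpack_from("<I", buf, opt + 32)[0]
    struct.pack_into("<I", buf, opt + 36, section_align)   # FileAlignment := SectionAlignment
    for i in range(n):
        off = table + i * SECTION_HDR_SIZE
        (name, vsize, va, _rawsize, _rawptr,
         prel, plin, nrel, nlin, chars) = struct.unpack_from(SECTION_HDR_FMT, buf, off)
        # The dump already holds each section at its VirtualAddress, so point
        # the raw fields there; a disassembler will then find the bytes it expects.
        struct.pack_into(SECTION_HDR_FMT, buf, off,
                         name, vsize, va, vsize, va, prel, plin, nrel, nlin, chars)
    return bytes(buf)


def section_data(image, name):
    """Bytes of a section as a file-oriented tool would read them (via PointerToRawData)."""
    for s in read_sections(image):
        if s["name"] == name:
            return image[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    raise KeyError(name)


def build_constructed_memory_dump() -> bytes:
    """Constructed toy PE32 laid out as in memory: headers at 0, sections at their
    VirtualAddress, but with the on-disk raw pointers still in the headers."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, SizeOfOptionalHeader = 0xE0
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 56, 0x3000)              # SizeOfImage
    table = opt + 0xE0
    sections = [(b".text", 0x600, 0x1000, 0x600, 0x400, 0x60000020),
                (b".data", 0x100, 0x2000, 0x200, 0xA00, 0xC0000040)]
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(sections):
        struct.pack_into(SECTION_HDR_FMT, img, table + i * SECTION_HDR_SIZE,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    img[0x1000:0x1004] = b"TEXT"   # section contents live at their virtual addresses
    img[0x2000:0x2004] = b"DATA"
    return bytes(img)


if __name__ == "__main__":
    dump = build_constructed_memory_dump()
    print("before fix, .text via raw pointer:", section_data(dump, ".text")[:4])
    print("after fix,  .text via raw pointer:", section_data(fix_memory_dump(dump), ".text")[:4])
```

Only the section table and FileAlignment are touched; import tables and relocations are left as they were in memory, so this restores the header-to-layout consistency a disassembler needs to load the dump, nothing more.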