This tutorial continues the analysis presented in Tutorial 20. We reveal how Max performs another round of driver infection, and how it sets up and hides an infected driver. We will also study how to use hardware data breakpoints to trace the use of data and kernel data structures.

In general we will use the instructions of Section 2 of Tutorial 20. In the following we just remind you of several important steps in the configuration:

(1) You need a separate image named "Win_Notes" to record and comment the code. You don't really need to run the malware on this instance, but just record all your observations using the. To do this, you have to modify the control flow of IMM so that it does not crash on. See Section 2 of Tutorial 20 for details.

(2) The second "Win_DEBUG" image has to be run in DEBUG mode, and there should be a WinDbg hooked from the host system using the COM port; so here we are doing kernel debugging.

(3) Set a breakpoint "bu _37af" in WinDbg to intercept the driver entry function. Jump to 0x100037AF to start the analysis.

3.

We now continue the analysis after Tutorial 21. Figure 1 shows the first couple of instructions. As shown in Figure 1, the first section of the code is to massage a collection of names. At 0x100037BF, it is copying the string "\?\C2CAD.\snifer67" to the area pointed to by EDI. Doing a data analysis in WinDbg yields the following. Similarly, you can infer that the second string generated by the swprintf at 0x100037DB (in Figure 1) is "\systemroot\system32\drivers\rasppoe" (this is the name of the randomly picked driver).

We have to use WinDbg data breakpoints to figure out where these file/service names are used. The challenge to us is that if we look in the notes window, we are not able to infer where these two strings are used! Let's take the second string as an example. By analyzing the input parameter of swprintf (as shown in Figure 1, 2nd highlighted area), we know that the second string "\systemroot\system32\drivers\rasppoe" is located at 0xFAFB7A78, as shown in the following.
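Added example, not part of the tutorial: a WinDbg kernel-debugging session that uses a hardware (data) breakpoint to find the code that consumes the driver name. The addresses are the ones the tutorial reports (entry code at 0x100037AF, the swprintf call at 0x100037DB, the string buffer at 0xFAFB7A78); the buffer address is specific to that run and must be re-read from the swprintf argument in your own session. Lines starting with `$$` are WinDbg comments, and the command sequence is my own.

```windbg
$$ Break on the driver entry code, then let the target run until it is hit.
kd> bu 100037af
kd> g

$$ Step over instructions until the swprintf at 0x100037DB has returned,
$$ then confirm the buffer now holds the Unicode driver name
$$ (swprintf writes wide characters, so use du, not da).
kd> p
kd> du fafb7a78

$$ Hardware read breakpoint on the first 4 bytes of the string. No code
$$ breakpoint is needed: WinDbg stops wherever the string is next read,
$$ even inside a function whose address we have not identified yet.
kd> ba r4 fafb7a78
kd> g

$$ When it fires, the call stack shows who consumed the name, and the
$$ instruction pointer tells you which code to annotate in the notes image.
kd> k
kd> r eip

$$ List and clear breakpoints before moving on; x86 has only four debug
$$ registers, so stale ba breakpoints quickly exhaust them.
kd> bl
kd> bc *
```

Two things to check when the breakpoint does not fire: the buffer address must be taken from the live swprintf argument (a stale value from an earlier run silently watches the wrong memory), and `ba r4` only watches the first four bytes, so a consumer that starts reading in the middle of the string (for example after skipping the "\systemroot" prefix) will not trigger it; widen the watched range with a second breakpoint further into the buffer if needed.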