cod's home page

UPS expedition!

Friday, 15. August 2008, 08:20:41

I found in my spam a message of UPS expedition, an executable with the icon of WORD document!

But I think that developer of malware wrote the program with a little bug..

On Windows XP SP2 the malware crash.. why?

This is the entry point:

.004010A7    and     edx, ecx
.004010A9    mov     ecx, 0AFFC5C82h
.004010AE    ror     ecx, 3
.004010B1    rol     esi, 13h
.004010B4    mov     edx, 7FFFFFC8h
.004010B9    rol     edx, 1
.004010BC    not     eax
.004010BE    mov     esi, esp       
.004010C0    mov     eax, 0E000001Fh
.004010C5    rol     eax, 3
.004010C8    add     di, 2Ah
.004010CC    and     esi, eax
.004010CE    mov     eax, 4BFCh
.004010D3    rol     eax, 6
.004010D6    add     eax, esi
.004010D8    xor     ecx, 41AEE935h
.004010DE    mov     edi, [eax]

The initial values of registers on my machine are:
EAX = 00000000 ECX = 0013FFB0 EDX = 7C90EB94 EBX = 7FFD6000
ESP = 0013FFC4 EBP = 0013FFF0 ESI = FFFFFFFF EDI = 7C910738

EDX it's a pointer to latest instruction of ntdll.KiFastSystemCallRet and EDI point to

.7C910735    align 4
.7C910738    dd 0FFFFFFFFh           ; < EDI
.7C91073C    dd offset loc_7C94E05D
.7C910740    dd offset loc_7C94E066

What's the problem?

.004010A7 and edx, ecx
EDX = 0010EB90
.004010A9 mov ecx, 0AFFC5C82h
ECX = AFFC5C82
.004010AE ror ecx, 3
ECX = 55FF8B90
.004010B1 rol esi, 13h
ESI = FFFFFFFF
.004010B4 mov edx, 7FFFFFC8h
EDX = 7FFFFFC8
.004010B9 rol edx, 1
EDX = FFFFFF90
.004010BC not eax
EAX = FFFFFFFF
.004010BE mov esi, esp
ESI = 0013FFC4
.004010C0 mov eax, 0E000001Fh
EAX = E000001F
.004010C5 rol eax, 3
EAX = 000000FF
.004010C8 add di, 2Ah
EDI = 7C910762
.004010CC and esi, eax
ESI = 000000C4
.004010CE mov eax, 4BFCh
EAX = 00004BFC
.004010D3 rol eax, 6
EAX = 0012FF00
.004010D6 add eax, esi
ESI = 0012FFC4
.004010D8 xor ecx, 41AEE935h
ECX = 145162A5
.004010DE mov edi, [eax]
Crash! without exception handler...

The reason was that stack it's only 2000h on this executable .. and the value 4BFC ROL 6 will be 12FF00h and not 13FF00h

Now.. why 12FF00 ?? What's the o.s. to run the malware? Because, if we change EAX to ESP value.. the program begin to look in kernel memory the EDX pattern... and the pattern will be found at kernel32.BaseCheckAppcompatCache

... the code continue calling ntdll.ZwSetLdtEntries, finding GlobalAlloc, LoadLibrary, VirtualProtect..

I continue to debug this malware..

0 Comments

Stack Fault

Saturday, 9. August 2008, 18:17:21

vmware

0 Comments

fbi_facebook

Friday, 1. August 2008, 05:00:09

Tuesday, on offensivecomputing, er234567 submitted a post with a description of a malware.. FBI_FACEBOOK.EXE

The originality (for me!) it's that the EXE have two entry into export tables, invoked from entry point, to unpack/drop in memory a second executable (without drop it into an hard disk! directly into ram) that was a generic dropper for a rootkit ...

This code is on entry point ...

.0040559C                 push    offset ProcName ; "plr"
.004055A1                 push    ds:hModule      ; hModule
.004055A7                 call    ds:GetProcAddress
.004055AD                 mov     [ebp+var_4], eax

.004055BC                 push    offset aWsx     ; "wsx"
.004055C1                 push    ds:hModule      ; hModule
.004055C7                 call    ds:GetProcAddress
.004055CD                 mov     ecx, eax

.004055D3                 push    [ebp+var_4]
.004055D6                 call    ecx

WSX is the "decipher" of plr block .. and latest instruction of wsx is

.00405407                 jmp     loc_407078

 ; START OF FUNCTION CHUNK FOR wsx
.00407078
.00407078 loc_407078:                             ;
.00407078                 push    edx
.00407079                 imul    [ebp+arg_1B526758]
.0040707F                 or      [ebp+var_5B79AAFE], 0FFFFFF89h
.00407086                 adc     edx, [ebx+ebp*8-4178D897h]
.0040708D                 jb      short loc_4070AA
.0040708F                 imul    dword ptr [edi-3C046721h]
.00407095                 and     [esi-3382F8EBh], ebp
.0040709B                 dec     ecx
.0040709C                 sub     ah, [edx-76727E9Bh]
.004070A2                 jmp     far ptr 0F79Ch:0EF84A266h
.004070A2 ; END OF FUNCTION CHUNK FOR wsx

The chunk of code on disk is obfuscated, but on ram will

.00407078 sub_407078      proc near               
.00407078
.00407078 var_14          = byte ptr -14h
.00407078
.00407078                 push    ebp
.00407079                 mov     ebp, esp
.0040707B                 mov     eax, large fs:18h
.00407081                 mov     eax, [eax+30h]
.00407084                 mov     eax, [eax+10h]
.00407087                 sub     esp, 14h
.0040708A                 cmp     word ptr [eax+38h], 0
.0040708F                 jz      short loc_4070B3
.00407091                 push    esi
.00407092                 lea     ecx, [ebp+var_14]
.00407095                 call    sub_407347
.0040709A                 lea     ecx, [ebp+var_14]
.0040709D                 call    sub_407320
.004070A2                 call    eax
.004070A4                 lea     ecx, [ebp+var_14]
.004070A7                 mov     esi, eax
.004070A9                 call    nullsub_1
.004070AE                 mov     eax, esi
.004070B0                 pop     esi
.004070B1                 leave
.004070B2                 retn

I think that it's time to write an emulator for my private malware analysis....

1 Comment

256 byte games

Friday, 25. July 2008, 05:02:14

Who remember the Assembly Demo Party ? The demoscene and gaming event in Finland?

My favourite demo Second Reality of Future Crew, released to public in October 1993... Maybe these demos attract me to assembly world ... but also the bible of MS-DOS...

Another interest is for the smallest, and in computer programming this mean smallest code ...

I found an useful link on web link on web dated 2/13/97 ... a collection of dos-games ... into 256 bytes!

2 Comments

HMODULE win32

Saturday, 19. July 2008, 12:13:08

This week, I have worked on a project.. and I had to test routine that I wrote in assembly ...

For a test, I used LoadLibraryEx to load in memory a DLL asking to windows to load dll into memory without applying relocations, import tables and without run DllEntryPoint code...

LoadLibraryEx can be invoked using the parameter LOAD_LIBRARY_AS_DATAFILE how flag ..

HMODULE LoadLibraryEx(
  LPCTSTR lpFileName,
  HANDLE hFile,
  DWORD dwFlags
);

and the library is loaded in memory how a block of data, but with differences..

The o.s. doesn't create the sections available into PE header.. and the HMODULE (in WIN32 normally it match with the base address of object) has set latest bit.. (and if used how pointer.. the first byte is Z of 'MZ' signature)... .... it will used internally from MS to understand how get an image in memory?

0 Comments

IMAGEHLP.ImageRvaToVa

Monday, 14. July 2008, 05:02:15

PVOID WINAPI ImageRvaToVa(__in PIMAGE_NT_HEADERS NtHeaders, __in PVOID Base, __in ULONG Rva, __in_opt  PIMAGE_SECTION_HEADER *LastRvaSection );

ImageRvaToVa

The API ImageRvaToVa, exported by IMAGEHLP and also DBGHELP (available in Windows 9x/NT/XP/2K3 and VISTA) convert a relative virtual address (Rva parameter) into a virtual address/offset using the NT header of SYS/DLL/EXE file ...

In the documentation, the function can return the virtual address (offset + BASE addr. in memory) or a NULL pointer..

.text:76C9xxxx     push    edi             ; Rva
.text:76C9xxxx     push    [ebp+Base]      ; Base
.text:76C9xxxx     push    [ebp+NtHeaders] ; NtHeaders
.text:76C9xxxx     call    ImageRvaToSection
.text:76C9xxxx     mov     ecx, eax

The API using internally the ImageRvaToSection to find the right section of RVA, with a scan of section table available at addr. NtHeaders+18h+optional header length.

The ImageRvaSection return in eax the address of right section... but this is not always true!

This is the the IDA output on my windows xp sp2 (v 5.1.2600) but it's same code also in SP3 ... (and in dbghelp.dll!)

.text:76C97511 ; PIMAGE_SECTION_HEADER __stdcall ImageRvaToSection(PIMAGE_NT_HEADERS NtHeaders, PVOID Base, ULONG Rva)
.76C97511                 public ImageRvaToSection
.76C97511 ImageRvaToSection proc near            
.76C97511
.76C97511 NtHeaders       = dword ptr  8
.76C97511 Base            = dword ptr  0Ch
.76C97511 Rva             = dword ptr  10h
.76C97511
.76C97511          mov     edi, edi
.76C97513          push    ebp
.76C97514          mov     ebp, esp
.76C97516          mov     ecx, [ebp+NtHeaders]    ; PE header.
.76C97519          movzx   eax, word ptr [ecx+14h] ; Opt. header size
.76C9751D          lea     eax, [eax+ecx+18h]      ; First section descriptor
.76C97521          movzx   ecx, word ptr [ecx+6]   ; Number of Section in PE
.76C97525          push    esi
.76C97526          xor     esi, esi
.76C97528          test    ecx, ecx
.76C9752A          push    edi
.76C9752B          jbe     short loc_76C97547
.76C9752D
.76C9752D loc_76C9752D:                           
.76C9752D          mov     edx, [eax+0Ch]         ; Size of RAW data in EAX+0C
.76C97530          cmp     [ebp+Rva], edx         ; compare to RVA
.76C97533          jb      short loc_76C9753F     ; It's below? go next sect.
.76C97535          mov     edi, [eax+10h]         ; Ptr. to raw data
.76C97538          add     edi, edx               ;
.76C9753A          cmp     [ebp+Rva], edi         ; RVA < EDI?
.76C9753D          jb      short loc_76C97549     ; Yes. EAX = SECTION!
.76C9753F
.76C9753F loc_76C9753F:                           ; 
.76C9753F          add     eax, 28h               ; 28h = sizeof(IMAGE_SECTION_HEADERS)
.76C97542          inc     esi
.76C97543          cmp     esi, ecx
.76C97545          jb      short loc_76C9752D
.76C97547
.76C97547 loc_76C97547:                           ; Invalid address!
.76C97547          xor     eax, eax
.76C97549
.76C97549 loc_76C97549:                           ; CODE XREF: ImageRvaToSection+2Cj
.76C97549          pop     edi
.76C9754A          pop     esi
.76C9754B          pop     ebp
.76C9754C          retn    0Ch
.76C9754C ImageRvaToSection endp

This mean that if an RVA have an abnormal value into Size of Raw Data the function return an incorrect SECTION...

The value of EAX are moved into ECX value into ImageRvaToVa API.

.text:76C9xxxx loc_76C97593:                       
.text:76C9xxxx     mov     eax, [ecx+14h]     ; EAX = Pointer to raw data
.text:76C9xxxx     sub     eax, [ecx+0Ch]     ; EAX = EAX - VirtualAddress
.text:76C9xxxx     add     eax, [ebp+Base]    ; EAX = EAX + Base addr. in mem
.text:76C9xxxx     add     eax, edi           ; EAX = EAX + Rva
.text:76C9xxxx     jmp     short loc_76C975A2

The API with an exe file mapped in memory, and with a a "compromised" Size Of Raw Data into 1 section , the return value can raise an exception in reading/writing, blocking the execution of code..

1 Comment

Help crack GPcode

Monday, 9. June 2008, 19:11:51

From Kaspersky VirusList blog/forum ...

Analyst's Diary

Help crack Gpcode

Aleks June 06, 2008 | 16:50 GMT

comment
If you read Vitaly's blogpost yesterday, you'll know that on the 4th June 2008 we detected a new variant of Gpcode, a dangerous file encryptor. Details of the encryption algorithms used by the virus are all in Vitaly's post and the description of Gpcode.ak.

Along with antivirus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.

Of course, we don't have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem.

So we're calling on you: crytographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project – uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations.

Here are the public keys used by the authors of Gpcode.

The first is used for encryption in Windows XP and higher.

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a
ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053
9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0
e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d

The second is used for encryption in versions of Windows prior to XP.

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe73560724
7cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2
c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280a
b5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb

The RSA exponent for both keys is 0x10001 (65537).

The information above is sufficient to start factoring the key. A specially created utility could be of great help in factoring.

We're happy to provide additional information to anyone involved in stopping Gpcode. To keep everyone up to date, we've set up a dedicated forum.

8 Comments

BHT 6500 - Inventory Proc.

Friday, 30. May 2008, 04:09:07

This is an old procedure written in BASIC (Power Basic!) for a customer in 2002 ... I found it today in my old backup looking the procedure for adjustment cost of RMS Store Op.

It's written in italian .. and in basic!

0 Comments

Store Operation - FIFO COST

Wednesday, 28. May 2008, 20:11:37

This post will be a description of a procedure developed in the year 2004 ...

Store Operation actually is a POS software of Microsoft Corporation, after the acquisition of package "Quicksell Commerce"...

Store Op. after a transaction post in TransactionEntry.Cost field by default the current value of Item.Cost, without a count of purchase order. This valorisation of stock is not realistic, because we purchase items at different costs..

The "FIFO COST" triggers put into a table all committed Purchase Order Entry rows in a custom table, and a trigger inside "TransactionEntry" overwriting the field Cost with the cost in first cost in store table with positive quantity..

This allow to have a realistic valorisation of profit..

In the file tables and triggers developed..

0 Comments

Japan cracks down on virus with copyright law

Friday, 23. May 2008, 04:28:05

TOKYO (AP) — A student who allegedly spread a computer virus was convicted Friday of copyright infringement in a case that has highlighted the lack of laws in Japan to police cyberspace.

Masato Nakatsuji, 24, a graduate student at Osaka Electro-Communication University, was charged with maliciously spreading a virus by embedding it in an image from a Japanese animation film he illegally copied and distributed.

The virus he allegedly used, the "Harada virus," is one of Japan's top viruses, and Nakatsuji's arrest in January was the first in Japan involving the making or spreading of viruses.

Downloading the Harada virus and the image destroyed data on victims' computers and moved information stored on their computers onto the Internet, according to police.

Nakatsuji was found guilty in Kyoto District Court Friday and received a suspended sentence of three years.

Police considered other charges, including damage to property and obstructing business, before deciding that copyright violation charges would hold up best in court.

Nakatsuji did not contest the charge, police say. His lawyers argued for a fine instead of jail time, saying it was unfair to penalize Nakatsuji more heavily because a virus was involved in the copyright violation, Japanese daily newspaper Mainichi reported.