3.9.1 Example – Determining Files Accessed by Malware

In the previous chapter, while discussing IDAPython, we wrote an IDAPython script to determine all of the cross-references to the CreateFileA function (the address where CreateFileA was called). In this section, let's enhance that script to perform debugging tasks and determine the name of the file created (or opened) by the malware.

The following script sets a breakpoint on all of the addresses where CreateFileA is called within the program, and runs the malware. Before running the following script, the appropriate debugger is selected (Debugger | Select debugger | Local Windows debugger). When this script is executed, it pauses at each breakpoint (in other words, before calls to CreateFileA), and it prints the first parameter (lpFileName), the second parameter (dwDesiredAccess), and the fifth parameter (dwCreationDisposition). These parameters will give us the name of the file, a constant value that represents the operation performed on the file (such as read/write), and another constant value, indicating the action that will be performed (such as create or open). When the breakpoint is triggered, execution is stopped at the call instruction, so the stdcall arguments are still on the stack: the first parameter can be accessed at [esp], the second parameter at [esp+0x4], and the fifth parameter at [esp+0x10]. In addition to printing some of the parameters, the script also determines the handle to the file (return value) by retrieving the value of the EAX register after stepping over the CreateFileA function:

import idc
import idautils
import idaapi

# Resolve the address of the CreateFileA import (IAT entry/thunk)
ea = idc.get_name_ea_simple("CreateFileA")
if ea == idaapi.BADADDR:
    print("Unable to locate CreateFileA")
else:
    # Set a breakpoint on every code reference to CreateFileA (each call site)
    for ref in idautils.CodeRefsTo(ea, 1):
        idc.add_bpt(ref)
    # Start the process under the currently selected debugger
    idc.start_process('', '', '')
    while True:
        # Block until the debuggee is suspended (breakpoint hit) or exits
        event_code = idc.wait_for_next_event(idc.WFNE_SUSP, -1)
        if event_code < 1 or event_code == idc.PROCESS_EXITED:
            break
        evt_ea = idc.get_event_ea()
        print("0x%x %s" % (evt_ea, idc.generate_disasm_line(evt_ea, 0)))
        # At the call instruction the arguments sit on the stack:
        # [esp] = lpFileName, [esp+4] = dwDesiredAccess, [esp+0x10] = dwCreationDisposition
        esp_value = idc.get_reg_value("ESP")
        dword = idc.read_dbg_dword(esp_value)
        print(" Filename: %s" % idc.get_strlit_contents(dword))
        print(" DesiredAccess: 0x%x" % idc.read_dbg_dword(esp_value + 4))
        print(" CreationDisposition: %s" % hex(idc.read_dbg_dword(esp_value + 0x10)))
        # Step over the call so that EAX holds the returned file handle
        idc.step_over()
        evt_code = idc.wait_for_next_event(idc.WFNE_SUSP, -1)
        if evt_code == idc.BREAKPOINT:
            print(" Handle(return value): 0x%x" % idc.get_reg_value("EAX"))
        # Continue to the next breakpoint
        idc.resume_process()

The following is the result of executing the preceding script. The DesiredAccess values, 0x40000000 and 0x80000000, represent the GENERIC_WRITE and GENERIC_READ operations, respectively. The CreationDisposition values, 0x2 and 0x3, signify CREATE_ALWAYS (always create a new file) and OPEN_EXISTING (open a file only if it exists), respectively. As you can see, by using debugger scripting, it was possible to quickly determine the filenames created/accessed by malware:

0x4013fb call ds:CreateFileA
Filename: ka4a8213.log
DesiredAccess: 0x40000000
CreationDisposition: 0x2
Handle(return value): 0x50
0x401161 call ds:CreateFileA
Filename: ka4a8213.log
DesiredAccess: 0x80000000
CreationDisposition: 0x3
Handle(return value): 0x50
0x4011aa call ds:CreateFileA
Filename: C:\Users\test\AppData\Roaming\Microsoft\winlogdate.exe
DesiredAccess: 0x40000000
CreationDisposition: 0x2
Handle(return value): 0x54
----------------[Removed]------------------------
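The trace above still has to be read constant by constant. The following is an added example (not part of the book's script, and it does not require IDA) that parses the lines printed by the breakpoint script and decodes dwDesiredAccess as a bitmask and dwCreationDisposition as an enumeration using the documented Win32 constants, then groups the calls per filename so that a file written with CREATE_ALWAYS and later re-opened with OPEN_EXISTING is visible as one file's activity. The sample trace is constructed for the example (the third call uses a combined GENERIC_READ|GENERIC_WRITE value and a made-up path) and does not reproduce the book's output exactly.

```python
"""Decode CreateFileA parameters captured by the IDAPython breakpoint script.

Added example: parses the script's printed trace and turns the raw
DesiredAccess / CreationDisposition constants into Win32 names.
"""
import re
from collections import defaultdict

# Generic access rights that commonly appear in dwDesiredAccess (a bitmask)
GENERIC_ACCESS_FLAGS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}

# dwCreationDisposition is an enumeration, not a bitmask
CREATION_DISPOSITION = {
    1: "CREATE_NEW",
    2: "CREATE_ALWAYS",
    3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS",
    5: "TRUNCATE_EXISTING",
}


def decode_access(value):
    """Return the names of the generic access bits set in dwDesiredAccess."""
    names = [name for bit, name in sorted(GENERIC_ACCESS_FLAGS.items(), reverse=True)
             if value & bit]
    leftover = value & ~sum(GENERIC_ACCESS_FLAGS)
    if leftover:
        # Specific rights (FILE_READ_DATA, etc.) are reported raw
        names.append("0x%x" % leftover)
    return names or ["0"]


def decode_disposition(value):
    """Map dwCreationDisposition to its Win32 name."""
    return CREATION_DISPOSITION.get(value, "UNKNOWN(0x%x)" % value)


# Line shapes printed by the breakpoint script
CALL_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+call\s+(\S+)")
FIELD_RE = re.compile(
    r"^\s*(Filename|DesiredAccess|CreationDisposition|Handle\(return value\)):\s*(.*)$")


def parse_trace(text):
    """Parse the script output into one dict per CreateFileA call."""
    records = []
    current = None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = {"call_site": int(m.group(1), 16)}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, val = m.group(1), m.group(2).strip()
            if key == "Filename":
                current["filename"] = val
            elif key == "DesiredAccess":
                current["access"] = decode_access(int(val, 16))
            elif key == "CreationDisposition":
                current["disposition"] = decode_disposition(int(val, 16))
            else:
                current["handle"] = int(val, 16)
    return records


def summarize(records):
    """Group calls by filename: (call site, access names, disposition) per call."""
    summary = defaultdict(list)
    for r in records:
        summary[r.get("filename")].append(
            (r.get("call_site"), "|".join(r.get("access", [])), r.get("disposition")))
    return dict(summary)


# Constructed sample trace in the format the breakpoint script prints
SAMPLE_TRACE = """\
0x4013fb call ds:CreateFileA
 Filename: ka4a8213.log
 DesiredAccess: 0x40000000
 CreationDisposition: 0x2
 Handle(return value): 0x50
0x401161 call ds:CreateFileA
 Filename: ka4a8213.log
 DesiredAccess: 0x80000000
 CreationDisposition: 0x3
 Handle(return value): 0x50
0x4011aa call ds:CreateFileA
 Filename: C:\\Users\\test\\AppData\\Roaming\\dropped.exe
 DesiredAccess: 0xc0000000
 CreationDisposition: 0x2
 Handle(return value): 0x54
"""

if __name__ == "__main__":
    for name, ops in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(name)
        for site, access, disp in ops:
            print("  0x%x  %s  %s" % (site, access, disp))
```

Running it against a real trace (pipe the IDA output window contents into parse_trace) gives a per-file view of what the sample created, opened or truncated, which is the form that is easiest to compare against a sandbox report.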