Tag: Debugger

Unpacking Malware with dnSpy

My first time doing it…

Ah, I mean making a video narrated in Vietnamese, so I am very nervous and a bit shy. I used to make them in English, which I am far more used to; in Vietnamese I misspeak a lot, because there are some terms I never translate into Vietnamese and would not know how to explain in Vietnamese anyway, so I was quite flustered. Please bear with me. Please show your support; a single comment like "hehe, silly" or "my dad smokes a lot" is enough to make me feel infinitely loved. Thank you.

In this video we use dnSpy to unpack an unknown packer used by a malware sample that masquerades as the Steam Client, which a friend sent me. This is (probably) part 1; if I have time I will continue the analysis, and of course I will try to make it in full HD, uncensored, like this one.

Note: Lately I have come across quite a few samples that use .NET as a wrapper to get past antivirus products, because AV vendors' detection of this kind of .NET file feels rather vague to me. In this sample, for instance, the unpacked file is detected by only 8 AV engines, and only under generic names such as MSIL/Injector or Trojan.Gen. The VirusTotal scan link is here.

This is really alarming, because most recent Windows versions (7, 8/8.1, 10) ship with .NET included, so the risk is quite high while most AV products still do not recognize this kind of malware well. A .NET wrapper can take care of anti-AV work or detect whether it is being analyzed, and only then drop the real "babies" (typically, in the recent Skype malware incident, I had the first samples and fully analyzed them at the beginning of May; they were wrapper samples using Confuser/ConfuserEx). Truly a matter of deep concern.

For requests about malware samples, please contact me by email.

Enjoy and stay safe,

Levis


Debugging .NET Application with DnSpy

This is a small video testing the debugging feature of dnSpy (created by 0xd4d as a modification and improvement of the free, open-source .NET decompiler ILSpy). More information about dnSpy can be found here:
https://github.com/0xd4d/dnSpy

The debugger is a source-level debugger, meaning you debug the decompiled code directly rather than at assembly level, which is a really cool feature.

Only a small video, nothing special; feel free to watch it:

Personally I think it's the best .NET decompiler at the moment, so come and discover its power.

Regards,

Levis

Customizing and sharing Windbg’s Theme: How to? Here’s a quick note

These days I spent some hours playing around with WinDbg to see how it works, and got bored because I was missing OllyDbg's style. So I made a new look for WinDbg to make it friendlier to me. You can take a look at the picture below:
(screenshot of the customized WinDbg window)
Pretty nice, eh? Yeah, just a little modification, and everything is fine now. But before sharing this theme, let me talk a bit about the way to create a theme in WinDbg.
WinDbg has a great, modern, highly configurable interface with docking, tabbed and floating windows, so you can work in a very comfortable and flexible environment, as you wish. For me it's very interesting, and I liked it a lot.
By default, WinDbg's workspace is really "empty": the first time you run WinDbg you see a blank window with no child windows inside (e.g. disassembly, registers, memory dump, stack, etc.). So you should bring them out from the "View" menu. Then you can change the display colors and font style via "View" -> "Options".
Once that is done, you MUST save the settings via the "File" menu, "Save Workspace". But the point is, how do you export the theme and share it with others?
Here's how I did it. Just follow these steps:
1. Fire up WinDbg, then make changes to its interface as described above.
2. After step 1, click the "File" menu and choose "Save Workspace to File". A save-file dialog appears; set a name for your file and click the "Save" button. Remember where you saved the file.
3. Locate the file you just created in step 2: this is your saved settings (including window positions, color scheme and font style) with the extension ".wew".
Every time WinDbg starts, it reads the workspace settings from a registry value. The value is stored at HKCU\Software\Microsoft\Windbg\Workspace under the name "Default" (the default workspace), so we should modify the value stored in this registry key to load our theme. But why do we need the *.wew file? I opened the .wew file in a hex editor to look at its contents, compared it with the value stored in the "Default" registry value, and found that they have the same format. So, to apply the theme, simply copy all the data from the .wew file and paste it into the "Default" registry value. I wrote a small Python snippet to convert a .wew file into a .reg file; then we just import the .reg file to overwrite the data in the "Default" value automatically. And if we want to share the theme with others, we just send them the .reg file and they import it.
4. Copy this code, save it, and run it with the .wew file as argument:
import binascii
import sys

# Usage: python wtl.py <workspace.wew>  -> writes <workspace.wew>.reg
fileName = sys.argv[1]
with open(fileName, 'rb') as f:
    content = f.read()

# hexlify() returns bytes in Python 3; decode so it can be joined into text
data = binascii.hexlify(content).decode('ascii')
# regedit expects the binary value as comma-separated two-digit hex bytes
pairs = [data[i:i + 2] for i in range(0, len(data), 2)]

with open(fileName + '.reg', 'w') as fileOut:
    fileOut.write('Windows Registry Editor Version 5.00\n\n')
    fileOut.write('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windbg]\n\n')
    fileOut.write('[HKEY_CURRENT_USER\\Software\\Microsoft\\Windbg\\Workspaces]\n\n')
    fileOut.write('"Default"=hex:' + ','.join(pairs) + '\n')
For example, my saved workspace file is named "Cool_theme.wew", and I saved the code above to a file named wtl.py (windbg_theme_loader), so the command is:
python wtl.py Cool_theme.wew
A new file named Cool_theme.wew.reg will be created. Now it's time for you to start applying and sharing your creations.
My own theme is also available as a .reg file; just save it and import it.
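The conversion above only goes one way. Since a shared theme is a registry import, it is worth being able to read a .reg file back into bytes and see which paths, font and symbol-server strings it will configure before importing it. The following is an added example (not the post's own script); it writes a REG_BINARY value with regedit-style line continuations, parses it back, and pulls out the UTF-16LE strings. The sample blob is constructed here and only mimics the "WDWS" prefix and string layout visible in the post's hex dump, not the real .wew format.

```python
import re

# Constructed sample standing in for a .wew workspace blob (not a real WinDbg file).
# The dump in the post also begins with bytes 57 44 57 53 ("WDWS") and carries its
# font name and paths as UTF-16LE text, which is what we want to surface.
SAMPLE_BLOB = (
    b"WDWS" + b"\x01\x00\x00\x00"
    + "Consolas".encode("utf-16-le") + b"\x00\x00"
    + r"C:\Users\Levis\Desktop".encode("utf-16-le") + b"\x00\x00"
)

WORKSPACES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windbg\Workspaces"


def to_reg(blob: bytes, key: str = WORKSPACES_KEY, value_name: str = "Default",
           per_line: int = 25) -> str:
    """Serialize bytes as a REG_BINARY value in .reg syntax, wrapping long values
    with the trailing-backslash continuation lines regedit itself emits."""
    octets = [f"{b:02x}" for b in blob]
    rows = [",".join(octets[i:i + per_line]) for i in range(0, len(octets), per_line)]
    body = ",\\\n  ".join(rows)
    return (f"Windows Registry Editor Version 5.00\n\n[{key}]\n"
            f'"{value_name}"=hex:{body}\n')


def parse_reg_hex_value(reg_text: str, value_name: str = "Default") -> bytes:
    """Inverse of to_reg: recover the bytes of "name"=hex:.. from .reg text,
    so a theme someone sent you can be inspected before it is imported."""
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)  # undo line continuations
    pattern = r'^"' + re.escape(value_name) + r'"=hex:([0-9a-fA-F,]*)$'
    m = re.search(pattern, joined, re.MULTILINE)
    if m is None:
        raise ValueError(f"no hex value named {value_name!r}")
    octets = [o for o in m.group(1).split(",") if o]  # tolerate a trailing comma
    return bytes(int(o, 16) for o in octets)


def utf16le_strings(blob: bytes, min_chars: int = 4) -> list:
    """Extract runs of printable UTF-16LE text (how Windows stores paths, fonts
    and symbol-server strings) to show what a workspace will configure."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


if __name__ == "__main__":
    reg_text = to_reg(SAMPLE_BLOB)
    print(reg_text)
    recovered = parse_reg_hex_value(reg_text)
    assert recovered == SAMPLE_BLOB
    print("strings:", utf16le_strings(recovered))
```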

BugDbg Pre-Alpha 3 is out!

Updated today with some enhancements:

Pre-alpha 3 released

• added File – “Attach to process” option
• added Debug – “Detach debuggee” option
• added possibility to modify Register value from context menu
• added new commands “inject”, “detach”
• improvements, bug fixes

Update version 0.7.1 (Jan 14 2013)
Changelog:

version 0.7.1
• added assemble command "a"
• added File – "Save patched executable as…" option
• added Configuration – Options – Misc page
• improvements, bug fixes

Link download:

DIRECT DOWNLOAD LINK
Thanks to cyberbob for his hard work.

Enjoy and best Regards,
Levis/REPT

[Update] BugDbg Pre-Alpha 2 Released

Quoted in full from cyberbob:

small update, Pre-alpha 2 released.
added Debug – “Step out” command
added new commands bpinstr, u
added different line highlight when jump is taken
improvements, bug fixes

He's working very hard and effectively.

And the download link is:
http://www.pespin.com/bugdbg.rar (DIRECT LINK)
Don't forget to visit his site, PESPIN, to find more interesting stuff.

Enjoy and best regards,
Levis/REPT

BugDbg – 64bit Debugger

I found this excellent tool by cyberbob (http://www.pespin.com) named "BugDbg", a tool that helps you debug 64-bit executables, with many good features (trace into, trace over, breakpoints, register viewer, memory dump viewer, command line, start/stop/restart debugging, etc.).
He's still working on it, and this is the first released version.
Tested on Win7 64-bit, works like a charm.

Screenshot:
(screenshot: bugdbg_scr1)

It's under construction and still lacks some features needed to be as strong as Olly. I think it will become the best 64-bit debugger in the future.

Discussion topic at Tuts4you:
GO TO THREAD AT TUTS4YOU
and the link download:
DOWNLOAD DIRECT LINK
It needs more work to become perfect; many features still have to be added. But even now, it's a really sweet tool.
All credits go to the author, CyberBob.

Regards,
Levis

My OllyDbg Package

Here is the package of Olly Debugger that I'm using.
Fully configured, containing some plugins, with a color scheme based on my favorite scheme.
I also attached WIN32.HLP to help you get closer to the Windows API when reversing with Olly or any other disassembler.
A demo picture here:
(screenshot: OLLYICE)
Feel free to download it via this link:
Download Link (UPPIT)

You can use 7-zip to extract this archive.
Thanks for visiting.

Enjoy and best regards.