binary's Aeonity Blog [entries | home | friends | archive]
avatar
[ entries | binary entries ]
[ userinfo | binary profile ]
[ rss feed | binary rss feed ]

Reversing Malicious PDF Demo Oct 22nd, 2009 7:57:01 pm - Subscribe
Mood |

I've made a quick video that very quickly gives an intro on how to reverse a malicious PDF. Tools used,

1. PDF-PARSER - Dider Stevens
2. Malzilla - Bobby

http://www.4shared.com/file/142916464/b9714767/reversing_pdf.html

Happy Reversing

0 Comments | Post Comment

Malicious PDF analysis Oct 14th, 2009 3:15:22 am - Subscribe
Mood |

Was getting my hands around malicious PDF and can't wait to do more analysis on that part. Most of the malicious PDF always carry some sought of JAVASCRIPT in them to have the host machine infected by downloading additional malware or by exploiting some vulnerability using the embedded shell code in the file.This doesn't mean that all JAVASCRIPT inside the PDF files are malicious!

Continuing my journey on that part I found some useful tools that you can use to reverse engineer a PDF file. Tools like PDFPARSER, PDFID from Didier Stevens and PDFTK saves the day. Didier has some very good tutorials that you could go through to understand the structure of the PDF file and also some very good videos in analyzing some malicious PDF files. Not to forget about MALZILLA that helps you a lot in decoding the obfuscated JAVASCRIPT. With all those tools in your KIT you are ready to reverse the malicious PDF file.

Happy Reversing

0 Comments | Post Comment

Another way to JMP Sep 23rd, 2009 2:36:26 am - Subscribe
Mood |

There are quite a few ways to JUMP without using CALL or JMP. Snippet below jumps to another section without using JMP or CALL directives....


.code
start:

INVOKE MessageBox, NULL, CTEXT("Jumps to another section"), CTEXT("No CALL or JMP"), MB_OK

push AREA_JUMP
ret

::::::::::::::::::::::
::::::::::::::::::::::
::::::::::::::::::::::

AREA_JUMP:
:::::::::::::::::::::
Your code in the section
:::::::::::::::::::::

invoke ExitProcess, NULL

end start

Happy Coding cool.gif

0 Comments | Post Comment

New variant yahlover Sep 11th, 2009 3:01:39 am - Subscribe
Mood | important

Early today when at home I discovered that my machine was probing other machines... Starting from the subnet which I belong to and gradually reaching other machines on other network.

This basically behaves like the nachi worm. This particular worm scans the network and when find a machine alive it hooks on to the machine via shared drives, that is open (everyone permission angry.gif )...

The worm also has the capabilities to hook itself to removable devices, when hooking on to removable devices it creates a autorun.inf file (like most of the other malwares do) onto it so it can run when plugged into the machine. When executed it drops itself as csrcs.exe to the %systemdirectory% and creates files autorun.in and autorun.i.

It also creates registry keys to start with the machine under the RUN key. Before dropping itself to the %systemdirectory% it verifies whether there are any files named csrcs.exe in the folder. If it is available it verifies the version of the file. If the file version in the %systemdirectory% is lower than that of it, it terminates the process csrcs.exe and drops the latest version to the folder.

------OpenProcess
------TerminateProcess

There is also other files that the worms drops to shared folders/drives which I believe is a way to identify whether the drive? (Needs more investigation on that part). It also creates various other keys under "amty" (don't have the complete registry path handy wink.gif ) which I believe is to make note of the drives (fixed, removable, shared, again this also needs more investigation happy.gif coz these information are what I was able to gather in 15 mins lol )

If the file is executed from elsewhere other than %systemdirectory% and removable medium it deletes itself my dropping a batch file "s.cmd" to the temp directory. This time around they have patched the loop which was buggy in the last release of the worm

loop: was replaced with :loop (smart)

The older version had ping to delay the removal process but this time around no ping was used to delay, rather it was just a simple loop to remove the worm

:loop
del "C:/csrcs.exe"
if exist "C:\cscrcs.exe" goto loop
del C:\DOCUME~1\Admin\LOCALS~1\Temp\s.cmd

and when the loop terminates the batch file self deletes itself. Currently there weren't many AV vendors who were picking up this worm.

You can write a simple batch script to remove the worm from your machine (but there are still some remnants of it left in your machine, registry keys, inf files)

taskkill /IM csrcs.exe
cd %systemdirectory%
del /F /ASHR csrcs.exe

Till next time, ADIEUS

0 Comments | Post Comment

Printscreen Sep 8th, 2009 10:32:08 pm - Subscribe
Mood | glorious

Thanks to Donkey for the procedure to build BITMAP image... but had to fix couple of errors (easy one's though lol)

Okies time for another snippet.... This time around to print the screen of desktop and save it to a file. The file size is quite huge coz it's saved under bitmap extension angry.gif Will try and find a way to have it converted to gif or jpg or png happy.gif

I had trouble is fetching the data from the Clipboard using GetClipboardData... At times it works perfectly and times it doesn't, not sure why it is not sad.gif So I had to invoke the EXE from another process via ShellExecute. I printscrreen'd in the same process that call's the EXE that saves the data to a bitmap file.. Am just sharing the code that saves the bitmap image, feel free to call them from another process... Or if somebody finds a way around fixing the bug please leave a comment grin.gif

.code
start:

AA:
invoke OpenClipboard,0
.IF eax != NULL

invoke GetClipboardData, CF_BITMAP
.IF eax == NULL
invoke CloseClipboard
JMP AA

.ENDIF


.ELSE
invoke CloseClipboard
JMP AA

.ENDIF


mov hClipboard,eax
invoke CreateFile, ADDR lpFileName, GENERIC_WRITE or GENERIC_READ, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
mov hFile, eax

invoke GetObject, hClipboard, 4096, ADDR bmp

mov eax, bmp.bmWidth
mov imgX, eax
mov eax, bmp.bmHeight
mov imgY, eax
mov ax, bmp.bmBitsPixel
mov cClrBits, ax

mov cx,cClrBits
mov eax,1
shl eax,cl
mov dwNumColors,eax
mov edx,SIZEOF RGBQUAD
imul edx
mov RGBQuadSize,eax

mov eax,imgX
imul cClrBits
add eax,31
and eax,-31
shr eax,3
imul imgY
mov DataSize,eax

; Create a memory buffer
mov eax,RGBQuadSize
.IF cClrBits == 24 ; There is no RGBQUAD array for 24 bit
mov dwNumColors,0
mov RGBQuadSize,0
mov eax,0
.ENDIF

add eax,SIZEOF BITMAPINFOHEADER
add eax,SIZEOF BITMAPFILEHEADER
add eax,DataSize
invoke GlobalAlloc,GMEM_FIXED,eax
mov pBFH,eax
add eax,SIZEOF BITMAPFILEHEADER
mov pBMI,eax
add eax,SIZEOF BITMAPINFOHEADER
mov pRGBQuad,eax
add eax,RGBQuadSize
mov pData,eax

invoke GetDC,hDlg
mov hDC,eax
invoke CreateCompatibleDC,hDC
mov hDC_DIB,eax
invoke CreateCompatibleDC,hDC
mov hDC_DDB,eax
invoke CreateCompatibleBitmap,hDC,imgX,imgY
mov hNewBmp,eax
invoke ReleaseDC,hDlg,hDC

invoke SelectObject,hDC_DDB,hNewBmp
mov OldObj,eax
invoke SelectObject,hDC_DIB,hClipboard
invoke BitBlt,hDC_DDB,0,0,imgX,imgY,hDC_DIB,0,0,SRCCOPY
invoke SelectObject,hDC_DDB,OldObj
invoke SelectObject,hDC_DIB,OldObj
invoke DeleteDC,hDC_DIB

invoke GetObject,hNewBmp,SIZEOF BITMAP,ADDR bmp

mov edi,pBMI
mov [edi].BITMAPINFO.bmiHeader.biXPelsPerMeter,0
mov [edi].BITMAPINFO.bmiHeader.biYPelsPerMeter,0
mov eax,dwNumColors
mov [edi].BITMAPINFO.bmiHeader.biClrUsed,eax
mov [edi].BITMAPINFO.bmiHeader.biClrImportant,0

mov [edi].BITMAPINFO.bmiHeader.biSize,SIZEOF BITMAPINFOHEADER
mov eax,bmp.bmWidth
mov [edi].BITMAPINFO.bmiHeader.biWidth,eax
mov eax,bmp.bmHeight
mov [edi].BITMAPINFO.bmiHeader.biHeight,eax
mov [edi].BITMAPINFO.bmiHeader.biPlanes,1
mov [edi].BITMAPINFO.bmiHeader.biCompression,BI_RGB
mov ax,cClrBits
mov [edi].BITMAPINFO.bmiHeader.biBitCount,ax
mov eax,DataSize
mov [edi].BITMAPINFO.bmiHeader.biSizeImage,eax

invoke GetDIBits, hDC_DDB, hNewBmp, 0, imgY, pData, pBMI, DIB_RGB_COLORS

mov esi,pBFH
mov [esi].BITMAPFILEHEADER.bfType,"MB"
mov eax,RGBQuadSize
add eax,DataSize
add eax,SIZEOF BITMAPINFOHEADER + SIZEOF BITMAPFILEHEADER
mov [esi].BITMAPFILEHEADER.bfSize,eax
mov [esi].BITMAPFILEHEADER.bfReserved1,0
mov [esi].BITMAPFILEHEADER.bfReserved2,0
mov eax,RGBQuadSize
add eax,sizeof BITMAPFILEHEADER
add eax,sizeof BITMAPINFOHEADER
mov [esi].BITMAPFILEHEADER.bfOffBits,eax

mov ecx,SIZEOF BITMAPFILEHEADER
add ecx,sizeof BITMAPINFOHEADER
add ecx,DataSize
add ecx,RGBQuadSize

invoke WriteFile,hFile,pBFH,ecx,ADDR cbWrite,NULL

invoke DeleteDC,hDC_DDB
invoke GlobalFree,pBFH
invoke DeleteObject,hClipboard
invoke DeleteObject,hNewBmp

invoke CloseHandle, hFile
invoke EmptyClipboard
invoke CloseClipboard

invoke ExitProcess, NULL
end start

Happy Coding cool.gif

Am not sure if there are any security issues involved in this code... Will keep posted

0 Comments | Post Comment

Cerulean Template
Create your own Free Aeonity Blog Today
Content Copyrighted binary at Aeonity Blog

navigation
next page