Low blog activity is due to work and real-life trials; soon I'll be free and I'll release something new.
All ok
July 10, 2009
Reversing in Pills – Fast Notes around Infostealer.Banker.C
June 7, 2009
Notes about Reverse Engineering of Malware Banker Infostealer.Banker.C with OllyDbg 2
Fast Notes About Infostealer.Banker.C
Regards,
Giuseppe ‘Evilcry’ Bonfa’
Pills of Reversing – F-Chunks Fast ways to reach Malware Core
June 6, 2009
Hosted by my second blog
http://evilcodecave.blogspot.com/2009/06/pills-of-reversing-f-chunks-how-to-fast.html
Detecting Packers in Network Streams with nPEiD
June 6, 2009
Hi,
The ability to detect suspicious or malicious binaries in a network stream is one of the fundamental risk-mitigation techniques: only by knowing what flows through the traffic can the most efficient countermeasure be chosen.
Here is nPEiD (Network PEiD), which lets you detect binary packers in a network stream.
Determina PDB plugin
June 5, 2009
Hi,
This is a replacement for the IDA PDB plugin which significantly improves the analysis of Microsoft binaries with public debugging symbols. The algorithm used by the PDB plugin is described in the Reverse Engineering Microsoft Binaries presentation at Recon 2006.
Download plugin here: detpdb-1.0.zip
Regards,
Giuseppe ‘Evilcry’ Bonfa’
PDF Reader 2009 – Fraud-Scam
May 24, 2009
Hi,
Scams built around software keep their high trend; this time the software used is PDF Reader 2009. The message is the following:
+———————————————————————————–
PDF Reader 2009 – New Version for Windows
The latest PDF Reader: Open, Edit & Create PDF Files
Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724
Included in this package:
OpenOffice Suite – Get things done more quickly and improve your work efficiency.
-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.
Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724
Download the complete Office solution today and also receive free updates and 24/7 customer support.
“Since the 90’s, PDF has become the standard file format for document exchange.” – Adobe
Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724
Thank you for choosing us, the worldwide leader in PDF Reader Solutions.
Best Regards,
Michael Daniels
PDF Reader 2009
You will not get anymore of our emails if you go here
http://bulletinqrelease.com/
or write to:
Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama
+———————————————————————————–
The real PDF Reader 2009 can be downloaded for free; in this case the user is asked for an activation code and is then taken to a Special Offers page, where the victim can choose some benefits upon payment, and the money transaction is completed with a credit card.
As usual in these frauds, the money is stolen and no service is given.
Here are some whois details about the domain:
ICANN Registrar: ENOM, INC.
Created: 2009-05-20
Expires: 2010-05-20
Updated: 2009-05-20
Server Data
Banca Popolare di Milano Fraud
May 7, 2009
Hi,
Here is a recent fraud attempt; this morning I received the following mail:
—————
Subject: Technical Platform Optimization Populare di Milano
Dear Customer,
Wishing to avoid possible online fraud attempts, Banca Populare di Milano is in the process of optimizing the technical platform of the Banca Populare Online service between May 5, 2009 and May 10, 2009. To avoid any loss of data, please fill in the form "Contact data update form in relation to the Bank" which can be found on our website or attached to this e-mail. We apologize for any inconvenience caused.
http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home
Thank you for your understanding,
Populare di Milano Sanpaolo Online
_____________________________________________________________________________________
ONLINE FRAUD MAKES THOUSANDS OF VICTIMS EVERY YEAR – Don't be one of them!
Banca Popolare di Milano Società Cooperativa a r.l. – P.IVA 00715120150 – Gruppo Bipiemme
————-
First of all, the email shows a recurring error: the term 'populare' (the bank is Banca Popolare di Milano), which seems inspired by a Spanish/Brazilian tongue.
The second suspicious thing is the URL: http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home
servizibmp.com sounds strange, so let's inspect this domain.
Registry Data
ICANN Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created: 2009-05-07
Expires: 2010-05-07
Updated: 2009-05-07
Registrar Status: clientTransferProhibited
Name Server: YNS1.YAHOO.COM (has 2,399,082 domains)
Name Server: YNS2.YAHOO.COM (has 2,399,082 domains)
Whois Server: whois.melbourneit.com
Server Data
IP Address: 216.39.62.190
IP Location: United States – California – Sunnyvale – Altavista Company
Response Code: 200
Domain Status: Registered And Active Website
As you can understand, an Italian banking service located in Sunnyvale, California and hosted by Altavista Company is REALLY strange.
The final demonstration that this is a fraud comes from inspecting the real BPM server, www.bpmbanking.it, which is located in Italy.
Browsing http://servizibmp.com immediately shows a directory listing that contains the following entries:
pub/
tmp/
In pub we have:
/pub/xol/
complete.php
go.php
homePriv.do.php
inserti.php
These are fake PHP pages used to harvest victims' information.
See you at the next post.
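As an added example (not code from the original post), the reasoning above can be turned into a small check run over the values quoted in the post: the link from the mail, the real host www.bpmbanking.it, the whois Created date and the day the mail arrived. The registrable-domain helper is a simplification that keeps the last two labels and ignores multi-label suffixes such as co.uk.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed from the post: the link in the mail, the bank's real host,
# the whois "Created" date and the day the mail was received (May 7, 2009).
PHISH_URL = "http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home"
LEGIT_HOST = "www.bpmbanking.it"
WHOIS_CREATED = date(2009, 5, 7)
MAIL_RECEIVED = date(2009, 5, 7)


def registrable_domain(host):
    """Last two labels of the host (simplification: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(url, legit_host, created, received, max_age_days=30):
    """Return the red flags raised by a link found in a banking mail."""
    flags = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    brand = registrable_domain(legit_host)
    actual = registrable_domain(host)
    # The bank's real domain appears as a subdomain of a foreign domain:
    # www.bpmbanking.it.servizibmp.com belongs to servizibmp.com, not to the bank.
    if actual != brand and ("." + brand + ".") in ("." + host + "."):
        flags.append("brand_domain_used_as_subdomain:%s" % actual)
    # The domain was registered the same day (or only days before) the mail arrived.
    age = (received - created).days
    if 0 <= age <= max_age_days:
        flags.append("domain_age_days:%d" % age)
    # homePriv.do.php: a PHP script dressed up as a Java ".do" action name.
    if parts.path.endswith(".do.php"):
        flags.append("java_action_mimicked_by_php")
    return flags
```

The same age check applied to the PDF Reader 2009 domain above (bulletinqrelease.com, created 2009-05-20, post dated May 24) yields a four-day-old domain.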
EventPairs Reversing – EventPairHandle as Anti-Dbg Trick
May 6, 2009
Hi,
I’ve published
EventPairs Reversing – EventPairHandle as Anti-Dbg Trick
The paper is here:
http://evilcry.netsons.org/tuts/EventPairsHandle.pdf
Have a nice read
Giuseppe ‘Evilcry’ Bonfa’
RtlQueryProcessHeapInformation As Anti-Dbg Trick
April 14, 2009
Hi,
Directly derived from the previous trick, RtlQueryProcessHeapInformation can also be used as an anti-debugging trick.
Let's start with RtlQueryProcessDebugInformation.
NTSTATUS
NTAPI
RtlQueryProcessDebugInformation(
IN ULONG ProcessId,
IN ULONG DebugInfoClassMask,
IN OUT PDEBUG_BUFFER DebugBuffer);
This function loads all the heap blocks of the process into DebugBuffer, according to the information we ask for, which is specified through DebugInfoClassMask. Suppose we call RtlQueryProcessDebugInformation in this way:
void QueryDbgBufferMethod(void)
{
    PDEBUG_BUFFER buffer;
    NTSTATUS ntStatus;
    /* Allocate the DEBUG_BUFFER that the query fills in */
    buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (buffer == NULL)
        return;
    /* Ask for the heap list and the heap blocks of the current process */
    ntStatus = RtlQueryProcessDebugInformation(GetCurrentProcessId(),
                                               PDI_HEAPS | PDI_HEAP_BLOCKS,
                                               buffer);
    /* ntStatus must be checked before trusting buffer->HeapInformation */
    RtlDestroyQueryDebugBuffer(buffer);
}
According to the chosen mask, the function internally calls the heap query routines; let's see what happens inside it.
__stdcall RtlQueryProcessDebugInformation(x, x, x)
7C9638EB mov edi, edi
7C9638ED push ebp
7C9638EE mov ebp, esp
7C9638F0 sub esp, 44h
7C9638F3 mov eax, [ebp+14] ;EAX = DebugMask
7C9638F6 push ebx
7C9638F7 push esi
7C9638F8 mov esi, [ebp+arg_8] ;ESI = DEBUG_BUFFER
7C9638FB xor ebx, ebx
7C9638FD mov [esi+20h], eax
7C963900 mov eax, [esi+24h]
7C963903 cmp eax, ebx
7C963905 push edi
7C963906 mov [ebp+var_4], ebx
7C963909 mov [ebp+var_8], ebx
7C96390C jz short loc_7C963924
..
7C963924 mov dword ptr [esi+24h], 60h
7C96392B mov eax, large fs:18h
7C963931 mov edi, [ebp+arg_0]
7C963934 cmp [eax+20h], edi
7C963937 jz short loc_7C963987
7C963939 test byte ptr [ebp+arg_4+3], 80h
7C96393D jz short loc_7C963987
7C96393F test byte ptr [ebp+0Ch], 41h
7C963943 jz short loc_7C963987
..
7C963987 mov eax, large fs:18h
7C96398D cmp [eax+20h], edi
7C963990 jz loc_7C963A8E
7C963996 cmp [ebp+var_8], ebx
..
Here are the DebugMask switch cases:
7C963AA7 test byte ptr [ebp+arg_4], 2
7C963AAB jz short loc_7C963ABA
7C963AAD push esi
7C963AAE call _RtlQueryProcessBackTraceInformation
7C963AB3 cmp eax, ebx
7C963AB5 mov [ebp+var_4], eax
7C963AB8 jnz short loc_7C963ADC
7C963ABA test byte ptr [ebp+arg_4], 20h
7C963ABE jz short loc_7C963ACD
7C963AC0 push esi
7C963AC1 call _RtlQueryProcessLockInformation
7C963AC6 cmp eax, ebx
7C963AC8 mov [ebp+var_4], eax
7C963ACB jnz short loc_7C963ADC
7C963ACD test byte ptr [ebp+arg_4], 1Ch ; DebugMask = PDI_HEAPS|PDI_HEAP_BLOCKS (Our Case)
7C963AD1 jz short loc_7C963ADC
7C963AD3 push esi ;DEBUG_BUFFER
7C963AD4 call _RtlQueryProcessHeapInformation
7C963AD9 mov [ebp+var_4], eax
As you can see, when we use DebugMask = PDI_HEAPS|PDI_HEAP_BLOCKS only RtlQueryProcessHeapInformation is called, a function that takes only DEBUG_BUFFER as parameter; this means that it is only applicable to the current process, since it does not take a PID.
; __stdcall RtlQueryProcessHeapInformation(x)
7C963249 push 58h
7C96324B push offset stru_7C963708
7C963250 call __SEH_prolog
7C963255 push 4
7C963257 mov ebx, [ebp+arg_0]
7C96325A push ebx ;DEBUG_BUFFER
7C96325B call _RtlpCommitQueryDebugInfo
7C963260 mov edi, eax
7C963262 mov [ebp+var_48], edi
7C963265 test edi, edi
7C963267 jnz short loc_7C963270
7C963269 mov eax, C0000017h ;EAX = STATUS_NO_MEMORY
7C96326E jmp short loc_7C9632CD
7C963270 mov [ebx+38h], edi
7C963273 call _RtlpAcquireHeapListLock
7C963278 and [ebp+ms_exc.disabled], 0
7C96327C push ebx
7C96327D push offset _RtlpQueryProcessEnumHeapsRoutine
7C963282 call _RtlEnumProcessHeaps
7C963287 mov [ebp+var_20], eax
7C96328A test eax, eax
7C96328C jl loc_7C963422
7C963292 test byte ptr [ebx+20h], 8
7C963296 jz loc_7C963426
7C96329C mov esi, _RtlpGlobalTagHeap
7C9632A2 mov [ebp+var_28], esi
7C9632A5 cmp dword ptr [esi+3Ch], 0
7C9632A9 jz short loc_7C9632E5
7C9632AB push 40h
7C9632AD push ebx
7C9632AE call _RtlpCommitQueryDebugInfo
7C9632B3 mov [ebp+var_4C], eax
7C9632B6 test eax, eax
7C9632B8 jnz short loc_7C9632D5
7C9632BA mov [ebp+var_20], 0C0000017h
7C9632C1 or [ebp+ms_exc.disabled], 0FFFFFFFFh
7C9632C5 call sub_7C9636FE ; RtlpReleaseHeapListLock
7C9632CA mov eax, [ebp+var_20]
7C9632CD call __SEH_epilog
7C9632D2 retn 4
RtlQueryProcessHeapInformation essentially fills DEBUG_BUFFER with information taken from the heap blocks. RtlpCommitQueryDebugInfo prepares the buffer by calling NtAllocateVirtualMemory; if RtlpCommitQueryDebugInfo fails, the error
(0xC0000017 – STATUS_NO_MEMORY, with a consequently corrupted DEBUG_BUFFER) propagates through RtlQueryProcessHeapInformation and finally (if used) RtlQueryProcessDebugInformation. So if you use these functions it is a best practice to check for this error, especially in applications that walk the heap. Finally, here is the anti-debug check.
void QueryProcessHeapMethod(void)
{
    PDEBUG_BUFFER buffer;
    NTSTATUS ntStatus;
    buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (buffer == NULL)
        return;
    /* Only the current process can be queried: there is no PID parameter */
    ntStatus = RtlQueryProcessHeapInformation(buffer);
    /* Error statuses (e.g. 0xC0000017 STATUS_NO_MEMORY) leave the buffer unusable */
    if (ntStatus < 0) {
        RtlDestroyQueryDebugBuffer(buffer);
        return;
    }
    if (buffer->RemoteSectionBase == (PVOID) 0x50000062)
        MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
    else
        MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);
    RtlDestroyQueryDebugBuffer(buffer);
}
defs.h
extern "C"
__declspec(dllimport)
NTSTATUS
__stdcall
RtlQueryProcessHeapInformation(
    IN PDEBUG_BUFFER DebugBuffer
);
The presence of the RemoteXxx members is due to the need to avoid the risk of a deadlock that could happen when RtlQueryProcessDebugInformation requests remote information and, consequently, the debugger receives the thread start routine.
See you at the next post.
Something about RtlQueryProcessDebugInformation
April 12, 2009
Hi,
Just a clarification: as you can see in the code, I used psapi.lib. This is obviously not necessary for the code I reported here, but it can be used to enumerate all processes, and by passing their PIDs to RtlQueryProcessDebugInformation we can check whether there are debugged running processes. It is important to check the return value of RtlQueryProcessDebugInformation because for some PIDs it fails, leaving a nonsensical DEBUG_BUFFER and consequently a nonsensical DEBUG_HEAP_INFORMATION. Implement a check for 0xC0000008 and 0xC0000017.
See you at the next post.
Posted by evilcodecave