Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/NTkrnl

NTkrnl

Description

Note: this section is still being written and is not complete.

Manual unpacking

Identify IAT

CFF Explorer shows that the following two functions are imported from kernel32.dll:

  • GetProcAddress
  • LoadLibraryA

Ntkrnl-iat.png

We will use this information to locate where these functions are called in the code. That location should be close to the Original Entry Point (OEP).

Debugging options

First of all, let's get rid of some anti-debugging protections with the OllyDbg debugging options (check all options) and the HideOD plugin (check all options):

Ollydbg-debugging-options.png

Ollydbg-hideod-options.png

Corrupted PE header

When we load the malware into OllyDbg, we notice that the PE header is incorrect. The NumberOfRvaAndSizes field has been set to an inconsistent value, so OllyDbg displays the following message:

OllyDbg-inconsistent-NumberOfRvaAndSizes.png

You can fix NumberOfRvaAndSizes with xPELister ("NT Header Data" tab) by updating the value to "0x00000010":

Fixing-NumberOfRvaAndSizes.png

Then save the modifications (File > Save).
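The same repair can be scripted. The example below is added here and is not code from the page or from xPELister: it locates NumberOfRvaAndSizes from e_lfanew and the optional header magic (PE32 or PE32+), reports the current value and writes 0x10 back. The `build_sample` helper constructs a minimal, non-executable PE32 header purely so the script runs offline.

```python
import struct

# NumberOfRvaAndSizes offset inside the optional header, keyed by the header magic
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
RVA_COUNT_OFFSET = {PE32_MAGIC: 92, PE32PLUS_MAGIC: 108}


def rva_count_offset(pe: bytes) -> int:
    """Return the file offset of NumberOfRvaAndSizes, validating the headers on the way."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in RVA_COUNT_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return opt + RVA_COUNT_OFFSET[magic]


def read_rva_count(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, rva_count_offset(pe))[0]


def fix_rva_count(pe: bytes, value: int = 0x10) -> bytes:
    """Return a copy of the image with NumberOfRvaAndSizes set to `value` (16 by default)."""
    buf = bytearray(pe)
    struct.pack_into("<I", buf, rva_count_offset(pe), value)
    return bytes(buf)


def build_sample(rva_count: int) -> bytes:
    """Constructed minimal PE32 header (not a real binary) used only to exercise the fix."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, rva_count)        # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    broken = build_sample(0xFFFFFFFF)   # mimic the inconsistent value the packer leaves behind
    print(f"before: {read_rva_count(broken):#x}")
    print(f"after:  {read_rva_count(fix_rva_count(broken)):#x}")
```

On a real sample, read the file with `open(path, "rb")`, pass its bytes to `fix_rva_count`, and write the result to a new file rather than overwriting the original.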

Fake breakpoint

Now, load the updated malware into OllyDbg and run it (F9). We notice that the program stops even though we haven't defined any breakpoint.

Fake-memory-breakpoint.png

To bypass this, patch the RETN into INT3:

Patch-fake-memory-breakpoint.png

Identify address of LoadLibraryA

Now, we can locate where LoadLibraryA is called and set a breakpoint. Press Ctrl+G and enter "LoadLibraryA":

Ollydbg-search-expression-LoadLibraryA.png

Bypass timing defenses

Note: You can bypass the timing defenses by checking the "Anti-RDTSC" option in the OllyAdvanced plugin.

At this stage, there is a timing defense: an RDTSC instruction at address 0x41B64C:

Debug-trace-RDTSC-instructions-002.png

Press Ctrl+G and go to 41B64C, then set a hardware breakpoint on execution so that we have a chance to patch the code before the timing defense is reached:

Ntkrnl-timing-defense-rdtsc-patch-001.png

Then run (F9) and patch the jump as follows when you reach it:

Ntkrnl-timing-defense-rdtsc-patch.png

Reaching LoadLibrary

Once you have bypassed all timing defenses, you should arrive at the LoadLibrary breakpoint previously defined. Remove it and run till user code (Alt+F9).

To determine who is using LoadLibraryA, we need to set a breakpoint on the next RETN instruction within the function, so we can see which code block receives the result. Set a breakpoint on the RETN instruction and press F9.

Ntkrnl-unpacking-017.png

EAX calls

Once you reach it, remove the breakpoint (F2) and step into (F7). Scroll down to find the instruction that calls EAX:

Ntkrnl-unpacking-018.png

Set a breakpoint on it (F2), run (F9) and step into (F7). This does not correspond to the OEP:

Ntkrnl-unpacking-019.png

Finding the OEP with POPAD / JMP EAX

Let's use another method to find our OEP. Right click in the disassembly region and select "Search for > Sequence of commands" (Ctrl+S). Enter the following strings:

Ntkrnl-unpacking-020.png

The first occurrence is not the right one.

Ntkrnl-unpacking-021.png

Press Ctrl+L to find the next one and set a breakpoint on the JMP EAX instruction. OllyDbg will ask you to confirm the breakpoint, since it is outside the code section. It is safe to click "Yes".

Ntkrnl-unpacking-022.png

Run (F9) and step into (F7):

Ntkrnl-unpacking-023.png

This time, we are done. You just have to dump the process with the OllyDump plugin.

Automatic unpacking

Note: this section is still being written and is not complete.
