help inside the PEB cave

#16157 by hanan
Fri Oct 19, 2012 1:23 pm

Hi,

I am currently analyzing a worm called YUNSIP, I am currently stuck at a function that i am trying to understand, so i need your help.
As you can see in the following picture the worm is accessing the PEB then to the LDR_DATA structure, but inside there i am currently stuck, since i am can't understand what is pointing at by 0x1C inside the LDR_DATA.

My another side question is how do i add the PEB structure to IDA, AFAICS (can see) there isn't such structure defined in the standard structures, is that mean that i am should build that manually ?

Thanks.

Username

hanan

Posts

44

Joined

Wed Jul 11, 2012 5:26 pm

Re: help inside the PEB cave

#16159 by EP_X0FF
Fri Oct 19, 2012 1:36 pm

Code: Select all

lkd> dt nt!_PEB_LDR_DATA
   +0x000 Length           : Uint4B
   +0x004 Initialized      : UChar
   +0x008 SsHandle         : Ptr32 Void
   +0x00c InLoadOrderModuleList : _LIST_ENTRY
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY
   +0x024 EntryInProgress  : Ptr32 Void

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: help inside the PEB cave

#16188 by acoustics
Sun Oct 21, 2012 10:39 am

hanan wrote: blah, blah....

My another side question is how do i add the PEB structure to IDA, AFAICS (can see) there isn't such structure defined in the standard structures, is that mean that i am should build that manually ?

Thanks.

yes, you can build your structure and add to IDA.
1. Create your own .h file, such as:

Code: Select all

// pebStruct.h
typedef struct _PEB_LDR_DATA {
   ULONG        Length;
   BOOLEAN      Initialized;
   HANDLE       SsHandle;
   LIST_ENTRY   InLoadOrderModuleList;
   LIST_ENTRY   InMemoryOrderModuleList;
   LIST_ENTRY   InInitializationOrderModuleList;
   PVOID        EntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

2. Go to file menu >> Load file >> Parse C header file... (Ctrl + F9) and open your .h file
3. Open subview : Structures(Shift+ F9) or Emumerations (Shift+ F10)
4. Edit >> Add struct type... (or press Insert)
5. Type _PEB_LDR_DATA and OK

Username

acoustics

Posts

5

Joined

Mon Sep 17, 2012 1:32 am

Re: help inside the PEB cave

#16229 by hanan
Tue Oct 23, 2012 2:02 pm

i figured out that the above function (in the picture) actually returns (in eax) the base address of Kernel32.dll (in winXP at least). Please correct me if i am wrong.

I found a nice article that explains the flink blink at the PEB_LDR_DATA , you can get it here: http://sandsprite.com/CodeStuff/Underst ... _List.html

Username

hanan

Posts

44

Joined

Wed Jul 11, 2012 5:26 pm

Re: help inside the PEB cave

#16288 by SomeUnusedName
Fri Oct 26, 2012 9:10 am

hanan wrote:i figured out that the above function (in the picture) actually returns (in eax) the base address of Kernel32.dll (in winXP at least). Please correct me if i am wrong.

Most probably right, very common for shellcode and malware. Afterwards they usually search for GetModuleHandle/LoadLibrary/GetProcAddress to resolve the remaining imports from other modules. Or they manually walk the export directories, hash the names and compare them against a list of wanted imports.

Username

SomeUnusedName

Posts

46

Joined

Fri Oct 07, 2011 1:17 pm