A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #28230  by frz
 Wed Apr 06, 2016 7:03 pm
I have been trying to reproduce the results of the article by rinn "Turla container parsing and decryption » Thu Mar 13, 2014 10:17 am."
All of the code seems to work correctly (it compiles) including the memcpy and memset fixups as shown in the post however I have not been successful in getting the executable to run and consequently decrypt the container data. I am compiling it in Visual Studio (I have tried 2008 and 2013 Express Editions) and stepping through it in IDA Pro.

The code flow does eventually jump into the "root.dmp" decryption routine and as I mentioned, both the memset and memcpy calls are resolved however it eventually errors out. Has anyone been able to/or tried to reproduce these results?

I think this is a valuable tool and I am hoping to eventually be able to get it to run properly. Hopefully someone will be able to share their tricks in being able to get this code to run and decrypt the container.

~frz
 #28235  by EP_X0FF
 Thu Apr 07, 2016 3:43 am
Post your decrypter project, including project files (vcproj/sln) and container you want to decrypt.
 #28253  by EP_X0FF
 Sat Apr 09, 2016 3:13 pm
Change your project to x64 and try again. Root.dmp is x64 driver.
 #28259  by frz
 Sun Apr 10, 2016 11:06 am
EP_X0FF - recompiled for 64 bit - pointers to memcpy and memset now are wrong. any suggestions?
please see attached -
pwd is "infected"
thanks
frz
Attachments
(1.42 MiB) Downloaded 33 times
 #28260  by EP_X0FF
 Sun Apr 10, 2016 11:57 am
Everything work as expected except in your code you killed actual dump of decrypted data.
Code: Select all
     f = CreateFile(textbuf, GENERIC_WRITE | SYNCHRONIZE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, 0, NULL);
variable textbuf is not initialized.
 #28262  by frz
 Sun Apr 10, 2016 1:05 pm
EP_X0FF - fixed textbuf - CreateFile is successful - still not properly resolving pointers to memcpy and memset on my machine. Included .png to show.

thanks for the help,

frz
Attachments
"infected"
(1.45 MiB) Downloaded 35 times
 #28263  by EP_X0FF
 Sun Apr 10, 2016 5:17 pm
Your code seems identical to that posted in thread, as well as container you wanted to decrypt and rootkit driver. Check your project settings. Also why don't you use built in MSVS debugger?
 #28288  by frz
 Tue Apr 12, 2016 1:26 pm
EP_X0FF - yes, code is straight from original post. I have tried multiple setting changes in Visual Studio. Program is still not setting pointer to memcpy and memset correctly for some reason. Have you or anyone else reading this post got any suggestions? It would be great to get this to work :D . This process is a good tool to have in your bag for RE.
Thanks,
frz
 #28290  by EP_X0FF
 Tue Apr 12, 2016 3:45 pm
Correct offsets yourself then. Whats the problem?