Hey,
I'm doing some study on Zeus 2.x, trying to wrap my head around how it works. By using the code at https://github.com/Visgean/Zeus I've built my own builder to work on my test environment (Virtualbox Windows 7 SP1 x64).
Right now I want to do a very specific thing, which is extracting the webinjects configuration from memory. The first experiments I did were to attach to iexplorer and monitor calls to functions I know Zeus hooks, like HttpSendRequest*. I was expecting that at some point while stepping through those executions I'd see the injections configuration loaded into memory. I've tried to automate the process by setting a breakpoint upon call of this function and using OllyDbg's Memory Watch plugin, which dumps every string it encounters.
So now I want to pinpoint and understand exactly where I should look to see this decrypted configuration in memory.
My assumptions so far:
- I'm unable to see anything strange because the HttpSendRequestX function I'm setting a breakpoint on is actually the original, unchanged from Wininet;
- Dumping memory of the machine and analysing it offline is not enough, since the structure which holds the webinjects (BinStorage) is loaded in memory when it's needed and then discarded (freed).
At this point I was thinking to monitor calls to VirtualAlloc and place a breakpoint on memory write on those newly allocated areas (at some point Zeus is bound to place there the encrypted configuration and then decrypt it).
But this is still a long shot. Any ideas? Also, I'm doing most of this work by attaching to iexplore.exe; should I do it on explorer.exe instead?
Any tips are appreciated :)
P.S. I'm aware of how great Volatility's ZeusScan.py plugin is, and it's extremely useful for retrieving the RC4 keys. However, I'm doing a different exercise.
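One way to test the first assumption (that the breakpoint sits on the original, unhooked WinInet export) is to compare the function's prologue as it appears inside the process with the same bytes from the DLL on disk, and decode the usual inline-hook patterns (jmp rel32, push/ret, jmp [abs]) that banking trojans such as Zeus 2.x place on 32-bit exports. This is an added example, not code from the post or from the Zeus repository; the prologue bytes, the function address FUNC_VA and the hook target TARGET are constructed, and in practice the two buffers would come from the debugger (or a dump) and from the module file.

```python
import struct

def decode_hook_target(mem: bytes, func_va: int):
    """Return (pattern, target) if the prologue starts with a typical inline
    hook, else None. func_va is the function's address in the process (x86),
    needed to resolve a relative jump."""
    if len(mem) >= 5 and mem[0] == 0xE9:                     # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return ("jmp rel32", (func_va + 5 + rel) & 0xFFFFFFFF)
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:  # push imm32 ; ret
        return ("push/ret", struct.unpack_from("<I", mem, 1)[0])
    if len(mem) >= 6 and mem[:2] == b"\xff\x25":             # jmp dword ptr [abs]
        return ("jmp [abs]", struct.unpack_from("<I", mem, 2)[0])
    return None

def check_prologue(name: str, func_va: int, disk_bytes: bytes, mem_bytes: bytes, n: int = 16):
    """Compare the first n bytes of a function in the process against the
    on-disk copy and report where they diverge and what the hook points to."""
    disk, mem = disk_bytes[:n], mem_bytes[:n]
    if disk == mem:
        return {"function": name, "hooked": False}
    common = min(len(disk), len(mem))
    first_diff = next((i for i in range(common) if disk[i] != mem[i]), common)
    result = {"function": name, "hooked": True, "first_diff": first_diff}
    hook = decode_hook_target(mem, func_va)
    if hook:
        result["pattern"], result["target"] = hook
    return result

# Constructed sample: a hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp; ...)
# standing in for wininet!HttpSendRequestA as read from the DLL on disk.
DISK = bytes.fromhex("8bff558bec83ec1053568b750c")
FUNC_VA = 0x76A11234   # hypothetical address of the export inside the 32-bit process
TARGET = 0x00402000    # hypothetical address of the injected hook handler
# Same prologue as it would look in memory after a 5-byte inline hook was written over it.
HOOKED = b"\xe9" + struct.pack("<i", TARGET - (FUNC_VA + 5)) + DISK[5:]

if __name__ == "__main__":
    print(check_prologue("HttpSendRequestA", FUNC_VA, DISK, DISK))    # clean
    print(check_prologue("HttpSendRequestA", FUNC_VA, DISK, HOOKED))  # hooked, jmp rel32 -> TARGET
```

When the module was rebased, bytes covered by relocation entries will legitimately differ from the file, so mask those out before trusting a mismatch; a plain prologue like the one above contains none.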