pwnslinger wrote:me & @antelox analyzed it again and we got call fs[0xc0] related to wow64 (32 bit code running on x64) so this malware can be under controlled on win 7 x64EP_X0FF wrote:Thanks EP. ;)pwnslinger wrote:Hi,As with most of malware crypters used for ZBot it "decryption" based on moment when RunPE executed. Set break on CreateProcess and dump memory region it will attempt to write to the zombie target process.
using VB6 packing method, execute shellcode which is packed by MoleBox or sth like that (PUSHAD, CALL).
but i dunno why i just got into this loop. enumerates through all procedure names...
hint me plz
sample also attached below:
https://www.virustotal.com/en/file/e4e0 ... 448537374/
"Unpacked" Kronos in attach. Posts moved.
after dumping second stage (explorer.exe) (change EP with PUSH/RET) using EBFE method for attaching using ollydbg.
i dunno why when i wanna set toggle bp on code, olly can't and run (memry regions are RWC!)
then i used f4 (run till selection) and hw bp.
but when call SYSENTER... i can't take control back to myself.
but in windows xp x86 debugger can't take back control after stepping this function. this is not an anti-debug trick also.
also ssdt index for ntSetValueKey change in windows 7 and you can got it using windbg
you can see differences in this two picture.
Attachments
win7x64.png (40.57 KiB) Viewed 1160 times
winxpx86.png (102.93 KiB) Viewed 1160 times