A forum for reverse engineering, OS internals and malware analysis 

Turla Container Decryption

Discussion on reverse-engineering and debugging.

Turla Container Decryption

 #28230  by frz
 Wed Apr 06, 2016 7:03 pm
I have been trying to reproduce the results of the article by rinn "Turla container parsing and decryption » Thu Mar 13, 2014 10:17 am."
All of the code seems to work correctly (it compiles) including the memcpy and memset fixups as shown in the post however I have not been successful in getting the executable to run and consequently decrypt the container data. I am compiling it in Visual Studio (I have tried 2008 and 2013 Express Editions) and stepping through it in IDA Pro.

The code flow does eventually jump into the "root.dmp" decryption routine and as I mentioned, both the memset and memcpy calls are resolved however it eventually errors out. Has anyone been able to/or tried to reproduce these results?

I think this is a valuable tool and I am hoping to eventually be able to get it to run properly. Hopefully someone will be able to share their tricks in being able to get this code to run and decrypt the container.

~frz

Re: Turla Container Decryption

 #28235  by EP_X0FF
 Thu Apr 07, 2016 3:43 am
Post your decrypter project, including project files (vcproj/sln) and container you want to decrypt.

Re: Turla Container Decryption

 #28253  by EP_X0FF
 Sat Apr 09, 2016 3:13 pm
Change your project to x64 and try again. Root.dmp is x64 driver.

Re: Turla Container Decryption

 #28259  by frz
 Sun Apr 10, 2016 11:06 am
EP_X0FF - recompiled for 64 bit - pointers to memcpy and memset now are wrong. any suggestions?
please see attached -
pwd is "infected"
thanks
frz
Attachments
(1.42 MiB) Downloaded 32 times

Re: Turla Container Decryption

 #28260  by EP_X0FF
 Sun Apr 10, 2016 11:57 am
Everything work as expected except in your code you killed actual dump of decrypted data.
Code: Select all
     f = CreateFile(textbuf, GENERIC_WRITE | SYNCHRONIZE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, 0, NULL);
variable textbuf is not initialized.

Re: Turla Container Decryption

 #28262  by frz
 Sun Apr 10, 2016 1:05 pm
EP_X0FF - fixed textbuf - CreateFile is successful - still not properly resolving pointers to memcpy and memset on my machine. Included .png to show.

thanks for the help,

frz
Attachments
"infected"
(1.45 MiB) Downloaded 35 times

Re: Turla Container Decryption

 #28263  by EP_X0FF
 Sun Apr 10, 2016 5:17 pm
Your code seems identical to that posted in thread, as well as container you wanted to decrypt and rootkit driver. Check your project settings. Also why don't you use built in MSVS debugger?

Re: Turla Container Decryption

 #28288  by frz
 Tue Apr 12, 2016 1:26 pm
EP_X0FF - yes, code is straight from original post. I have tried multiple setting changes in Visual Studio. Program is still not setting pointer to memcpy and memset correctly for some reason. Have you or anyone else reading this post got any suggestions? It would be great to get this to work :D . This process is a good tool to have in your bag for RE.
Thanks,
frz

Re: Turla Container Decryption

 #28290  by EP_X0FF
 Tue Apr 12, 2016 3:45 pm
Correct offsets yourself then. Whats the problem?
 Return to “Reverse Engineering and Debugging”