Tuesday, October 16, 2012

Reverse Engineering Poison Ivy's Injected Code Fragments

This is an addendum to GrrCon Network Forensics Challenge with Volatility. In the initial post we covered the basics - the what, the when, and the how. We found strings in memory, such as the mutex name, the registry Run key, and the svchosts.exe file name; then we backed up the findings by tracking the mutex to its owning process, verifying the Run key was created by looking in the cached registry hive, and checking the svchosts.exe file existed by scanning for MFT records in memory. This is all pretty solid, but from a malware analysis perspective - code or it didn't happen! In this post we'll dig even deeper and find the exact instructions that reference the strings. Only then will we have complete closure and reassurance. To do this, we'll write a custom Volatility plugin to reassemble Poison Ivy's fragmented code injection model, bypass the anti-disasm tricks, and label imported functions even in the absence of a PE header and Import Address Table (IAT).

Fragmented Code Injection

In the original post we briefly mentioned that malfind identified 20+ different memory segments in explorer.exe (pid 1096) that contained injected code. Why so many, you may ask? Malware like Zeus, Carberp, Cridex, Shylock and many others allocate a single segment large enough to hold everything (the code, strings, function call tables, etc). Its easy to locate, extract, and analyze.

The fact that Poison Ivy spreads itself across more than two dozen small memory segments definitely does not make it more stealthy (now there are 20+ suspicious memory regions instead of just one), but it does make reversing/analysis more challenging. Instead of dumping one memory segment, you have to dump all 20+ of them and then figure out how they fit together - like a big jigsaw puzzle. The image below shows a comparison of how a typical injection resides in process memory compared to that of Poison Ivy.
Here's the full output from malfind on this memory sample. As you can see from the disassemblies, most of the segments start with instructions like PUSH EBX or PUSH EBP - these are individual functions that Poison Ivy disperses throughout explorer.exe's memory.

$ python vol.py -f memory.img -p 1096 malfind

Volatile Systems Volatility Framework 2.3_alpha
Process: explorer.exe Pid: 1096 Address: 0x1c70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01c70000  53 56 8b c8 8b 99 b4 08 00 00 8b 73 34 8b ca 33   SV.........s4..3
0x01c70010  db 89 19 33 db 89 59 04 33 db 89 59 08 33 db 89   ...3..Y.3..Y.3..
0x01c70020  59 0c 33 c9 ff 96 d4 01 00 00 5e 5b c3 00 00 00   Y.3.......^[....
0x01c70030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x1c70000 53               PUSH EBX
0x1c70001 56               PUSH ESI
0x1c70002 8bc8             MOV ECX, EAX
0x1c70004 8b99b4080000     MOV EBX, [ECX+0x8b4]
0x1c7000a 8b7334           MOV ESI, [EBX+0x34]
0x1c7000d 8bca             MOV ECX, EDX
0x1c7000f 33db             XOR EBX, EBX
0x1c70011 8919             MOV [ECX], EBX
0x1c70013 33db             XOR EBX, EBX
0x1c70015 895904           MOV [ECX+0x4], EBX
0x1c70018 33db             XOR EBX, EBX
0x1c7001a 895908           MOV [ECX+0x8], EBX
0x1c7001d 33db             XOR EBX, EBX
0x1c7001f 89590c           MOV [ECX+0xc], EBX
0x1c70022 33c9             XOR ECX, ECX
0x1c70024 ff96d4010000     CALL DWORD [ESI+0x1d4]
0x1c7002a 5e               POP ESI
0x1c7002b 5b               POP EBX
0x1c7002c c3               RET
0x1c7002d 0000             ADD [EAX], AL
0x1c7002f 0000             ADD [EAX], AL
0x1c70031 0000             ADD [EAX], AL
0x1c70033 0000             ADD [EAX], AL
0x1c70035 0000             ADD [EAX], AL
0x1c70037 0000             ADD [EAX], AL
0x1c70039 0000             ADD [EAX], AL
0x1c7003b 0000             ADD [EAX], AL
0x1c7003d 0000             ADD [EAX], AL
0x1c7003f 00               DB 0x0

Process: explorer.exe Pid: 1096 Address: 0x1bc0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01bc0000  55 8b ec 50 b8 10 00 00 00 81 c4 04 f0 ff ff 50   U..P...........P
0x01bc0010  48 75 f6 8b 45 fc 81 c4 48 fe ff ff 53 56 57 8b   Hu..E...H...SVW.
0x01bc0020  45 08 89 45 bc 8b 45 bc 8b 80 b4 08 00 00 8b f8   E..E..E.........
0x01bc0030  8b 40 34 89 45 b8 8b 45 b8 8b 80 24 03 00 00 89   .@4.E..E...$....

0x1bc0000 55               PUSH EBP
0x1bc0001 8bec             MOV EBP, ESP
0x1bc0003 50               PUSH EAX
0x1bc0004 b810000000       MOV EAX, 0x10
0x1bc0009 81c404f0ffff     ADD ESP, 0xfffff004
0x1bc000f 50               PUSH EAX
0x1bc0010 48               DEC EAX
0x1bc0011 75f6             JNZ 0x1bc0009
0x1bc0013 8b45fc           MOV EAX, [EBP+0xfffffffc]
0x1bc0016 81c448feffff     ADD ESP, 0xfffffe48
0x1bc001c 53               PUSH EBX
0x1bc001d 56               PUSH ESI
0x1bc001e 57               PUSH EDI
0x1bc001f 8b4508           MOV EAX, [EBP+0x8]
0x1bc0022 8945bc           MOV [EBP+0xffffffbc], EAX
0x1bc0025 8b45bc           MOV EAX, [EBP+0xffffffbc]
0x1bc0028 8b80b4080000     MOV EAX, [EAX+0x8b4]
0x1bc002e 8bf8             MOV EDI, EAX
0x1bc0030 8b4034           MOV EAX, [EAX+0x34]
0x1bc0033 8945b8           MOV [EBP+0xffffffb8], EAX
0x1bc0036 8b45b8           MOV EAX, [EBP+0xffffffb8]
0x1bc0039 8b8024030000     MOV EAX, [EAX+0x324]
0x1bc003f 89               DB 0x89

Process: explorer.exe Pid: 1096 Address: 0x19a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x019a0000  55 8b ec 81 c4 d4 fe ff ff 56 8b 75 08 6a 00 6a   U........V.u.j.j
0x019a0010  02 ff 96 b9 00 00 00 89 85 d4 fe ff ff c7 85 d8   ................
0x019a0020  fe ff ff 28 01 00 00 8d 8d d8 fe ff ff 51 ff b5   ...(.........Q..
0x019a0030  d4 fe ff ff ff 96 bd 00 00 00 eb 47 ff 75 0c 8d   ...........G.u..

0x19a0000 55               PUSH EBP
0x19a0001 8bec             MOV EBP, ESP
0x19a0003 81c4d4feffff     ADD ESP, 0xfffffed4
0x19a0009 56               PUSH ESI
0x19a000a 8b7508           MOV ESI, [EBP+0x8]
0x19a000d 6a00             PUSH 0x0
0x19a000f 6a02             PUSH 0x2
0x19a0011 ff96b9000000     CALL DWORD [ESI+0xb9]
0x19a0017 8985d4feffff     MOV [EBP+0xfffffed4], EAX
0x19a001d c785d8feffff28010000 MOV DWORD [EBP+0xfffffed8], 0x128
0x19a0027 8d8dd8feffff     LEA ECX, [EBP+0xfffffed8]
0x19a002d 51               PUSH ECX
0x19a002e ffb5d4feffff     PUSH DWORD [EBP+0xfffffed4]
0x19a0034 ff96bd000000     CALL DWORD [ESI+0xbd]
0x19a003a eb47             JMP 0x19a0083
0x19a003c ff750c           PUSH DWORD [EBP+0xc]
0x19a003f 8d               DB 0x8d

Process: explorer.exe Pid: 1096 Address: 0x1290000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01290000  55 8b ec 81 c4 30 fa ff ff 8b 75 08 8d 86 fb 03   U....0....u.....
0x01290010  00 00 50 6a 00 6a 00 ff 96 85 00 00 00 89 86 c5   ..Pj.j..........
0x01290020  08 00 00 ff 96 89 00 00 00 3d b7 00 00 00 75 04   .........=....u.
0x01290030  c9 c2 04 00 56 8d 86 6b 09 00 00 50 8d 86 45 01   ....V..k...P..E.

0x1290000 55               PUSH EBP
0x1290001 8bec             MOV EBP, ESP
0x1290003 81c430faffff     ADD ESP, 0xfffffa30
0x1290009 8b7508           MOV ESI, [EBP+0x8]
0x129000c 8d86fb030000     LEA EAX, [ESI+0x3fb]
0x1290012 50               PUSH EAX
0x1290013 6a00             PUSH 0x0
0x1290015 6a00             PUSH 0x0
0x1290017 ff9685000000     CALL DWORD [ESI+0x85]
0x129001d 8986c5080000     MOV [ESI+0x8c5], EAX
0x1290023 ff9689000000     CALL DWORD [ESI+0x89]
0x1290029 3db7000000       CMP EAX, 0xb7
0x129002e 7504             JNZ 0x1290034
0x1290030 c9               LEAVE
0x1290031 c20400           RET 0x4
0x1290034 56               PUSH ESI
0x1290035 8d866b090000     LEA EAX, [ESI+0x96b]
0x129003b 50               PUSH EAX
0x129003c 8d               DB 0x8d
0x129003d 864501           XCHG [EBP+0x1], AL

Process: explorer.exe Pid: 1096 Address: 0x1300000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01300000  55 8b ec 81 c4 30 fa ff ff 8b 75 08 8d 86 fb 03   U....0....u.....
0x01300010  00 00 50 6a 00 6a 00 ff 96 85 00 00 00 89 86 c5   ..Pj.j..........
0x01300020  08 00 00 ff 96 89 00 00 00 3d b7 00 00 00 75 04   .........=....u.
0x01300030  c9 c2 04 00 56 8d 86 6b 09 00 00 50 8d 86 45 01   ....V..k...P..E.

0x1300000 55               PUSH EBP
0x1300001 8bec             MOV EBP, ESP
0x1300003 81c430faffff     ADD ESP, 0xfffffa30
0x1300009 8b7508           MOV ESI, [EBP+0x8]
0x130000c 8d86fb030000     LEA EAX, [ESI+0x3fb]
0x1300012 50               PUSH EAX
0x1300013 6a00             PUSH 0x0
0x1300015 6a00             PUSH 0x0
0x1300017 ff9685000000     CALL DWORD [ESI+0x85]
0x130001d 8986c5080000     MOV [ESI+0x8c5], EAX
0x1300023 ff9689000000     CALL DWORD [ESI+0x89]
0x1300029 3db7000000       CMP EAX, 0xb7
0x130002e 7504             JNZ 0x1300034
0x1300030 c9               LEAVE
0x1300031 c20400           RET 0x4
0x1300034 56               PUSH ESI
0x1300035 8d866b090000     LEA EAX, [ESI+0x96b]
0x130003b 50               PUSH EAX
0x130003c 8d               DB 0x8d
0x130003d 864501           XCHG [EBP+0x1], AL

Process: explorer.exe Pid: 1096 Address: 0x1310000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01310000  00 11 42 ab 71 07 4a ab 71 2b 3e ab 71 27 4c ab   ..B.q.J.q+>.q'L.
0x01310010  71 6f 67 ab 71 53 2e ab 71 e1 2e ab 71 55 53 ab   qog.qS..q...qUS.
0x01310020  71 e1 9a 80 7c 74 9b 80 7c c7 06 81 7c 6b 23 80   q...|t..|...|k#.
0x01310030  7c 17 6c dd 77 42 78 dd 77 ab 7a dd 77 d7 ea dd   |.l.wBx.w.z.w...

0x1310000 0011             ADD [ECX], DL
0x1310002 42               INC EDX
0x1310003 ab               STOSD
0x1310004 7107             JNO 0x131000d
0x1310006 4a               DEC EDX
0x1310007 ab               STOSD
0x1310008 712b             JNO 0x1310035
0x131000a 3eab             STOSD
0x131000c 7127             JNO 0x1310035
0x131000e 4c               DEC ESP
0x131000f ab               STOSD
0x1310010 716f             JNO 0x1310081
0x1310012 67ab             STOS [ES:DI], EAX
0x1310014 7153             JNO 0x1310069
0x1310016 2eab             STOSD
0x1310018 71e1             JNO 0x130fffb
0x131001a 2eab             STOSD
0x131001c 7155             JNO 0x1310073
0x131001e 53               PUSH EBX
0x131001f ab               STOSD
0x1310020 71e1             JNO 0x1310003
0x1310022 9a807c749b807c   CALL FAR 0x7c80:0x9b747c80
0x1310029 c706817c6b23     MOV DWORD [ESI], 0x236b7c81
0x131002f 807c176cdd       CMP BYTE [EDI+EDX+0x6c], 0xdd
0x1310034 7742             JA 0x1310078
0x1310036 78dd             JS 0x1310015
0x1310038 77ab             JA 0x130ffe5
0x131003a 7add             JP 0x1310019
0x131003c 77d7             JA 0x1310015
0x131003e ea               DB 0xea
0x131003f dd               DB 0xdd

Process: explorer.exe Pid: 1096 Address: 0x1320000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01320000  55 8b ec 50 b8 10 00 00 00 81 c4 04 f0 ff ff 50   U..P...........P
0x01320010  48 75 f6 8b 45 fc 83 c4 b8 53 56 57 8b 75 08 33   Hu..E....SVW.u.3
0x01320020  c0 89 86 b9 08 00 00 33 c0 89 45 e4 68 4d 4b 58   .......3..E.hMKX
0x01320030  5a 8b 86 db 0a 00 00 50 8b 86 e1 00 00 00 50 ff   Z......P......P.

0x1320000 55               PUSH EBP
0x1320001 8bec             MOV EBP, ESP
0x1320003 50               PUSH EAX
0x1320004 b810000000       MOV EAX, 0x10
0x1320009 81c404f0ffff     ADD ESP, 0xfffff004
0x132000f 50               PUSH EAX
0x1320010 48               DEC EAX
0x1320011 75f6             JNZ 0x1320009
0x1320013 8b45fc           MOV EAX, [EBP+0xfffffffc]
0x1320016 83c4b8           ADD ESP, -0x48
0x1320019 53               PUSH EBX
0x132001a 56               PUSH ESI
0x132001b 57               PUSH EDI
0x132001c 8b7508           MOV ESI, [EBP+0x8]
0x132001f 33c0             XOR EAX, EAX
0x1320021 8986b9080000     MOV [ESI+0x8b9], EAX
0x1320027 33c0             XOR EAX, EAX
0x1320029 8945e4           MOV [EBP+0xffffffe4], EAX
0x132002c 684d4b585a       PUSH DWORD 0x5a584b4d
0x1320031 8b86db0a0000     MOV EAX, [ESI+0xadb]
0x1320037 50               PUSH EAX
0x1320038 8b86e1000000     MOV EAX, [ESI+0xe1]
0x132003e 50               PUSH EAX
0x132003f ff               DB 0xff

Process: explorer.exe Pid: 1096 Address: 0x1330000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01330000  e8 00 00 00 40 b3 0f 00 ff ff ff ff 00 00 00 00   ....@...........
0x01330010  00 00 00 00 00 00 00 00 00 00 00 00 18 b3 0f 00   ................
0x01330020  ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01330030  00 00 00 00 00 00 a2 01 00 00 00 00 01 00 00 00   ................

0x1330000 e800000040       CALL 0x41330005
0x1330005 b30f             MOV BL, 0xf
0x1330007 00ff             ADD BH, BH
0x1330009 ff               DB 0xff
0x133000a ff               DB 0xff
0x133000b ff00             INC DWORD [EAX]
0x133000d 0000             ADD [EAX], AL
0x133000f 0000             ADD [EAX], AL
0x1330011 0000             ADD [EAX], AL
0x1330013 0000             ADD [EAX], AL
0x1330015 0000             ADD [EAX], AL
0x1330017 0000             ADD [EAX], AL
0x1330019 0000             ADD [EAX], AL
0x133001b 0018             ADD [EAX], BL
0x133001d b30f             MOV BL, 0xf
0x133001f 00ff             ADD BH, BH
0x1330021 ff               DB 0xff
0x1330022 ff               DB 0xff
0x1330023 ff00             INC DWORD [EAX]
0x1330025 0000             ADD [EAX], AL
0x1330027 0000             ADD [EAX], AL
0x1330029 0000             ADD [EAX], AL
0x133002b 0000             ADD [EAX], AL
0x133002d 0000             ADD [EAX], AL
0x133002f 0000             ADD [EAX], AL
0x1330031 0000             ADD [EAX], AL
0x1330033 0000             ADD [EAX], AL
0x1330035 00a201000000     ADD [EDX+0x1], AH
0x133003b 0001             ADD [ECX], AL
0x133003d 0000             ADD [EAX], AL
0x133003f 00               DB 0x0

Process: explorer.exe Pid: 1096 Address: 0x1410000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01410000  55 8b ec 83 c4 fc 8b 75 08 68 ff 00 00 00 8d be   U......u.h......
0x01410010  13 0d 00 00 57 ff 96 ad 00 00 00 e8 2e 00 00 00   ....W...........
0x01410020  53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f   SOFTWARE\Microso
0x01410030  66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65   ft\Windows\Curre

0x1410000 55               PUSH EBP
0x1410001 8bec             MOV EBP, ESP
0x1410003 83c4fc           ADD ESP, -0x4
0x1410006 8b7508           MOV ESI, [EBP+0x8]
0x1410009 68ff000000       PUSH DWORD 0xff
0x141000e 8dbe130d0000     LEA EDI, [ESI+0xd13]
0x1410014 57               PUSH EDI
0x1410015 ff96ad000000     CALL DWORD [ESI+0xad]
0x141001b e82e000000       CALL 0x141004e
0x1410020 53               PUSH EBX
0x1410021 4f               DEC EDI
0x1410022 46               INC ESI
0x1410023 54               PUSH ESP
0x1410024 57               PUSH EDI
0x1410025 41               INC ECX
0x1410026 52               PUSH EDX
0x1410027 45               INC EBP
0x1410028 5c               POP ESP
0x1410029 4d               DEC EBP
0x141002a 6963726f736f66   IMUL ESP, [EBX+0x72], 0x666f736f
0x1410031 745c             JZ 0x141008f
0x1410033 57               PUSH EDI
0x1410034 696e646f77735c   IMUL EBP, [ESI+0x64], 0x5c73776f
0x141003b 43               INC EBX
0x141003c 7572             JNZ 0x14100b0
0x141003e 7265             JB 0x14100a5

Process: explorer.exe Pid: 1096 Address: 0x1970000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01970000  55 8b ec 8b 75 08 80 be f7 03 00 00 00 7e 07 56   U...u........~.V
0x01970010  ff 96 00 0d 00 00 80 be f8 03 00 00 01 75 30 b8   .............u0.
0x01970020  01 00 00 00 80 be f7 03 00 00 00 7e 14 8d be b1   ...........~....
0x01970030  06 00 00 57 8d be b2 05 00 00 57 ff 96 cd 00 00   ...W......W.....

0x1970000 55               PUSH EBP
0x1970001 8bec             MOV EBP, ESP
0x1970003 8b7508           MOV ESI, [EBP+0x8]
0x1970006 80bef703000000   CMP BYTE [ESI+0x3f7], 0x0
0x197000d 7e07             JLE 0x1970016
0x197000f 56               PUSH ESI
0x1970010 ff96000d0000     CALL DWORD [ESI+0xd00]
0x1970016 80bef803000001   CMP BYTE [ESI+0x3f8], 0x1
0x197001d 7530             JNZ 0x197004f
0x197001f b801000000       MOV EAX, 0x1
0x1970024 80bef703000000   CMP BYTE [ESI+0x3f7], 0x0
0x197002b 7e14             JLE 0x1970041
0x197002d 8dbeb1060000     LEA EDI, [ESI+0x6b1]
0x1970033 57               PUSH EDI
0x1970034 8dbeb2050000     LEA EDI, [ESI+0x5b2]
0x197003a 57               PUSH EDI
0x197003b ff               DB 0xff
0x197003c 96               XCHG ESI, EAX
0x197003d cd00             INT 0x0
0x197003f 00               DB 0x0

Process: explorer.exe Pid: 1096 Address: 0x1980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01980000  55 8b ec 81 c4 7c f0 ff ff 8b 75 08 68 74 0f 00   U....|....u.ht..
0x01980010  00 56 8d bd 8c f0 ff ff 57 ff 96 a9 00 00 00 c7   .V......W.......
0x01980020  85 7c f0 ff ff 00 00 00 00 83 85 7c f0 ff ff 01   .|.........|....
0x01980030  ff b5 7c f0 ff ff e8 0d 00 00 00 65 78 70 6c 6f   ..|........explo

0x1980000 55               PUSH EBP
0x1980001 8bec             MOV EBP, ESP
0x1980003 81c47cf0ffff     ADD ESP, 0xfffff07c
0x1980009 8b7508           MOV ESI, [EBP+0x8]
0x198000c 68740f0000       PUSH DWORD 0xf74
0x1980011 56               PUSH ESI
0x1980012 8dbd8cf0ffff     LEA EDI, [EBP+0xfffff08c]
0x1980018 57               PUSH EDI
0x1980019 ff96a9000000     CALL DWORD [ESI+0xa9]
0x198001f c7857cf0ffff00000000 MOV DWORD [EBP+0xfffff07c], 0x0
0x1980029 83857cf0ffff01   ADD DWORD [EBP+0xfffff07c], 0x1
0x1980030 ffb57cf0ffff     PUSH DWORD [EBP+0xfffff07c]
0x1980036 e80d000000       CALL 0x1980048
0x198003b 657870           JS 0x19800ae
0x198003e 6c               INS [ES:EDI], DX
0x198003f 6f               OUTS DX, [ESI]

Process: explorer.exe Pid: 1096 Address: 0x1990000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01990000  55 8b ec 83 c4 fc 57 56 8b 75 08 6a 40 68 00 30   U.....WV.u.j@h.0
0x01990010  00 00 ff 75 10 6a 00 ff 75 0c ff 96 b1 00 00 00   ...u.j..u.......
0x01990020  50 8d 7d fc 57 ff 75 10 ff 75 14 50 ff 75 0c ff   P.}.W.u..u.P.u..
0x01990030  96 b5 00 00 00 58 5e 5f c9 c2 10 00 00 00 00 00   .....X^_........

0x1990000 55               PUSH EBP
0x1990001 8bec             MOV EBP, ESP
0x1990003 83c4fc           ADD ESP, -0x4
0x1990006 57               PUSH EDI
0x1990007 56               PUSH ESI
0x1990008 8b7508           MOV ESI, [EBP+0x8]
0x199000b 6a40             PUSH 0x40
0x199000d 6800300000       PUSH DWORD 0x3000
0x1990012 ff7510           PUSH DWORD [EBP+0x10]
0x1990015 6a00             PUSH 0x0
0x1990017 ff750c           PUSH DWORD [EBP+0xc]
0x199001a ff96b1000000     CALL DWORD [ESI+0xb1]
0x1990020 50               PUSH EAX
0x1990021 8d7dfc           LEA EDI, [EBP+0xfffffffc]
0x1990024 57               PUSH EDI
0x1990025 ff7510           PUSH DWORD [EBP+0x10]
0x1990028 ff7514           PUSH DWORD [EBP+0x14]
0x199002b 50               PUSH EAX
0x199002c ff750c           PUSH DWORD [EBP+0xc]
0x199002f ff96b5000000     CALL DWORD [ESI+0xb5]
0x1990035 58               POP EAX
0x1990036 5e               POP ESI
0x1990037 5f               POP EDI
0x1990038 c9               LEAVE
0x1990039 c21000           RET 0x10
0x199003c 0000             ADD [EAX], AL
0x199003e 0000             ADD [EAX], AL

Process: explorer.exe Pid: 1096 Address: 0x19c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x019c0000  55 8b ec 83 c4 f0 8b 75 08 8d be b1 06 00 00 68   U......u.......h
0x019c0010  ff 00 00 00 57 ff 96 ad 00 00 00 80 be af 08 00   ....W...........
0x019c0020  00 01 75 31 80 be f7 03 00 00 01 75 07 68 74 82   ..u1.......u.ht.
0x019c0030  24 fe eb 05 68 ce e7 3a 59 ff b6 bb 0a 00 00 ff   $...h..:Y.......

0x19c0000 55               PUSH EBP
0x19c0001 8bec             MOV EBP, ESP
0x19c0003 83c4f0           ADD ESP, -0x10
0x19c0006 8b7508           MOV ESI, [EBP+0x8]
0x19c0009 8dbeb1060000     LEA EDI, [ESI+0x6b1]
0x19c000f 68ff000000       PUSH DWORD 0xff
0x19c0014 57               PUSH EDI
0x19c0015 ff96ad000000     CALL DWORD [ESI+0xad]
0x19c001b 80beaf08000001   CMP BYTE [ESI+0x8af], 0x1
0x19c0022 7531             JNZ 0x19c0055
0x19c0024 80bef703000001   CMP BYTE [ESI+0x3f7], 0x1
0x19c002b 7507             JNZ 0x19c0034
0x19c002d 68748224fe       PUSH DWORD 0xfe248274
0x19c0032 eb05             JMP 0x19c0039
0x19c0034 68cee73a59       PUSH DWORD 0x593ae7ce
0x19c0039 ffb6bb0a0000     PUSH DWORD [ESI+0xabb]
0x19c003f ff               DB 0xff

Process: explorer.exe Pid: 1096 Address: 0x19b0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x019b0000  55 8b ec 81 c4 20 ef ff ff 56 53 57 52 51 c7 85   U........VSWRQ..
0x019b0010  24 ef ff ff 00 00 00 00 8b 75 08 68 74 0f 00 00   $........u.ht...
0x019b0020  56 8d bd 8c f0 ff ff 57 ff 96 a9 00 00 00 c7 87   V......W........
0x019b0030  b4 08 00 00 00 00 00 00 8d 85 30 ef ff ff 50 6a   ..........0...Pj

0x19b0000 55               PUSH EBP
0x19b0001 8bec             MOV EBP, ESP
0x19b0003 81c420efffff     ADD ESP, 0xffffef20
0x19b0009 56               PUSH ESI
0x19b000a 53               PUSH EBX
0x19b000b 57               PUSH EDI
0x19b000c 52               PUSH EDX
0x19b000d 51               PUSH ECX
0x19b000e c78524efffff00000000 MOV DWORD [EBP+0xffffef24], 0x0
0x19b0018 8b7508           MOV ESI, [EBP+0x8]
0x19b001b 68740f0000       PUSH DWORD 0xf74
0x19b0020 56               PUSH ESI
0x19b0021 8dbd8cf0ffff     LEA EDI, [EBP+0xfffff08c]
0x19b0027 57               PUSH EDI
0x19b0028 ff96a9000000     CALL DWORD [ESI+0xa9]
0x19b002e c787b408000000000000 MOV DWORD [EDI+0x8b4], 0x0
0x19b0038 8d8530efffff     LEA EAX, [EBP+0xffffef30]
0x19b003e 50               PUSH EAX
0x19b003f 6a               DB 0x6a

Process: explorer.exe Pid: 1096 Address: 0x19d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x019d0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x019d0020  00 e1 9a 80 7c 74 9b 80 7c c7 06 81 7c 6b 23 80   ....|t..|...|k#.
0x019d0030  7c 17 6c dd 77 42 78 dd 77 ab 7a dd 77 d7 ea dd   |.l.wBx.w.z.w...

0x19d0000 0000             ADD [EAX], AL
0x19d0002 0000             ADD [EAX], AL
0x19d0004 0000             ADD [EAX], AL
0x19d0006 0000             ADD [EAX], AL
0x19d0008 0000             ADD [EAX], AL
0x19d000a 0000             ADD [EAX], AL
0x19d000c 0000             ADD [EAX], AL
0x19d000e 0000             ADD [EAX], AL
0x19d0010 0000             ADD [EAX], AL
0x19d0012 0000             ADD [EAX], AL
0x19d0014 0000             ADD [EAX], AL
0x19d0016 0000             ADD [EAX], AL
0x19d0018 0000             ADD [EAX], AL
0x19d001a 0000             ADD [EAX], AL
0x19d001c 0000             ADD [EAX], AL
0x19d001e 0000             ADD [EAX], AL
0x19d0020 00e1             ADD CL, AH
0x19d0022 9a807c749b807c   CALL FAR 0x7c80:0x9b747c80
0x19d0029 c706817c6b23     MOV DWORD [ESI], 0x236b7c81
0x19d002f 807c176cdd       CMP BYTE [EDI+EDX+0x6c], 0xdd
0x19d0034 7742             JA 0x19d0078
0x19d0036 78dd             JS 0x19d0015
0x19d0038 77ab             JA 0x19cffe5
0x19d003a 7add             JP 0x19d0019
0x19d003c 77d7             JA 0x19d0015
0x19d003e ea               DB 0xea
0x19d003f dd               DB 0xdd

Process: explorer.exe Pid: 1096 Address: 0x1a20000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01a20000  00 00 00 00 00 00 00 00 00 00 c4 01 00 00 cb 01   ................
0x01a20010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a20020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a20030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x1a20000 0000             ADD [EAX], AL
0x1a20002 0000             ADD [EAX], AL
0x1a20004 0000             ADD [EAX], AL
0x1a20006 0000             ADD [EAX], AL
0x1a20008 0000             ADD [EAX], AL
0x1a2000a c401             LES EAX, [ECX]
0x1a2000c 0000             ADD [EAX], AL
0x1a2000e cb               RETF
0x1a2000f 0100             ADD [EAX], EAX
0x1a20011 0000             ADD [EAX], AL
0x1a20013 0000             ADD [EAX], AL
0x1a20015 0000             ADD [EAX], AL
0x1a20017 0000             ADD [EAX], AL
0x1a20019 0000             ADD [EAX], AL
0x1a2001b 0000             ADD [EAX], AL
0x1a2001d 0000             ADD [EAX], AL
0x1a2001f 0000             ADD [EAX], AL
0x1a20021 0000             ADD [EAX], AL
0x1a20023 0000             ADD [EAX], AL
0x1a20025 0000             ADD [EAX], AL
0x1a20027 0000             ADD [EAX], AL
0x1a20029 0000             ADD [EAX], AL
0x1a2002b 0000             ADD [EAX], AL
0x1a2002d 0000             ADD [EAX], AL
0x1a2002f 0000             ADD [EAX], AL
0x1a20031 0000             ADD [EAX], AL
0x1a20033 0000             ADD [EAX], AL
0x1a20035 0000             ADD [EAX], AL
0x1a20037 0000             ADD [EAX], AL
0x1a20039 0000             ADD [EAX], AL
0x1a2003b 0000             ADD [EAX], AL
0x1a2003d 0000             ADD [EAX], AL
0x1a2003f 00               DB 0x0

Process: explorer.exe Pid: 1096 Address: 0x1a30000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01a30000  55 8b ec 83 c4 c8 53 56 57 8b 5d 08 8b 73 08 33   U.....SVW.]..s.3
0x01a30010  c0 89 45 f0 c6 45 e3 00 80 be b8 08 00 00 00 0f   ..E..E..........
0x01a30020  84 b2 00 00 00 c6 86 b8 08 00 00 00 8b 86 b4 08   ................
0x01a30030  00 00 33 d2 89 50 38 6a 01 8b 03 03 45 f0 50 8d   ..3..P8j....E.P.

0x1a30000 55               PUSH EBP
0x1a30001 8bec             MOV EBP, ESP
0x1a30003 83c4c8           ADD ESP, -0x38
0x1a30006 53               PUSH EBX
0x1a30007 56               PUSH ESI
0x1a30008 57               PUSH EDI
0x1a30009 8b5d08           MOV EBX, [EBP+0x8]
0x1a3000c 8b7308           MOV ESI, [EBX+0x8]
0x1a3000f 33c0             XOR EAX, EAX
0x1a30011 8945f0           MOV [EBP+0xfffffff0], EAX
0x1a30014 c645e300         MOV BYTE [EBP+0xffffffe3], 0x0
0x1a30018 80beb808000000   CMP BYTE [ESI+0x8b8], 0x0
0x1a3001f 0f84b2000000     JZ 0x1a300d7
0x1a30025 c686b808000000   MOV BYTE [ESI+0x8b8], 0x0
0x1a3002c 8b86b4080000     MOV EAX, [ESI+0x8b4]
0x1a30032 33d2             XOR EDX, EDX
0x1a30034 895038           MOV [EAX+0x38], EDX
0x1a30037 6a01             PUSH 0x1
0x1a30039 8b03             MOV EAX, [EBX]
0x1a3003b 0345f0           ADD EAX, [EBP+0xfffffff0]
0x1a3003e 50               PUSH EAX
0x1a3003f 8d               DB 0x8d

Process: explorer.exe Pid: 1096 Address: 0x1c40000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01c40000  55 8b ec 83 c4 cc 53 56 57 89 4d dc 89 55 e0 33   U.....SVW.M..U.3
0x01c40010  d2 8b f8 8b 87 b4 08 00 00 8b f0 8b 40 34 89 45   ............@4.E
0x01c40020  cc 8b 45 cc 8b 80 24 03 00 00 89 45 e8 8b 45 cc   ..E...$....E..E.
0x01c40030  8b 40 08 05 b0 01 00 00 89 45 e4 64 ff 35 00 00   .@.......E.d.5..

0x1c40000 55               PUSH EBP
0x1c40001 8bec             MOV EBP, ESP
0x1c40003 83c4cc           ADD ESP, -0x34
0x1c40006 53               PUSH EBX
0x1c40007 56               PUSH ESI
0x1c40008 57               PUSH EDI
0x1c40009 894ddc           MOV [EBP+0xffffffdc], ECX
0x1c4000c 8955e0           MOV [EBP+0xffffffe0], EDX
0x1c4000f 33d2             XOR EDX, EDX
0x1c40011 8bf8             MOV EDI, EAX
0x1c40013 8b87b4080000     MOV EAX, [EDI+0x8b4]
0x1c40019 8bf0             MOV ESI, EAX
0x1c4001b 8b4034           MOV EAX, [EAX+0x34]
0x1c4001e 8945cc           MOV [EBP+0xffffffcc], EAX
0x1c40021 8b45cc           MOV EAX, [EBP+0xffffffcc]
0x1c40024 8b8024030000     MOV EAX, [EAX+0x324]
0x1c4002a 8945e8           MOV [EBP+0xffffffe8], EAX
0x1c4002d 8b45cc           MOV EAX, [EBP+0xffffffcc]
0x1c40030 8b4008           MOV EAX, [EAX+0x8]
0x1c40033 05b0010000       ADD EAX, 0x1b0
0x1c40038 8945e4           MOV [EBP+0xffffffe4], EAX
0x1c4003b 64               DB 0x64
0x1c4003c ff               DB 0xff
0x1c4003d 35               DB 0x35
0x1c4003e 0000             ADD [EAX], AL

Process: explorer.exe Pid: 1096 Address: 0x1c60000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01c60000  53 56 8b c8 8b 99 b4 08 00 00 8b 73 34 8b da 33   SV.........s4..3
0x01c60010  c9 ff 96 d4 01 00 00 33 c0 89 43 04 33 c0 89 43   .......3..C.3..C
0x01c60020  08 5e 5b c3 00 00 00 00 00 00 00 00 00 00 00 00   .^[.............
0x01c60030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x1c60000 53               PUSH EBX
0x1c60001 56               PUSH ESI
0x1c60002 8bc8             MOV ECX, EAX
0x1c60004 8b99b4080000     MOV EBX, [ECX+0x8b4]
0x1c6000a 8b7334           MOV ESI, [EBX+0x34]
0x1c6000d 8bda             MOV EBX, EDX
0x1c6000f 33c9             XOR ECX, ECX
0x1c60011 ff96d4010000     CALL DWORD [ESI+0x1d4]
0x1c60017 33c0             XOR EAX, EAX
0x1c60019 894304           MOV [EBX+0x4], EAX
0x1c6001c 33c0             XOR EAX, EAX
0x1c6001e 894308           MOV [EBX+0x8], EAX
0x1c60021 5e               POP ESI
0x1c60022 5b               POP EBX
0x1c60023 c3               RET
0x1c60024 0000             ADD [EAX], AL
0x1c60026 0000             ADD [EAX], AL
0x1c60028 0000             ADD [EAX], AL
0x1c6002a 0000             ADD [EAX], AL
0x1c6002c 0000             ADD [EAX], AL
0x1c6002e 0000             ADD [EAX], AL
0x1c60030 0000             ADD [EAX], AL
0x1c60032 0000             ADD [EAX], AL
0x1c60034 0000             ADD [EAX], AL
0x1c60036 0000             ADD [EAX], AL
0x1c60038 0000             ADD [EAX], AL
0x1c6003a 0000             ADD [EAX], AL
0x1c6003c 0000             ADD [EAX], AL
0x1c6003e 0000             ADD [EAX], AL

Process: explorer.exe Pid: 1096 Address: 0x1c50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01c50000  55 8b ec 83 c4 e4 53 56 57 8b 5d 10 8b 45 08 8b   U.....SVW.]..E..
0x01c50010  90 b4 08 00 00 8b 72 34 8b 86 24 03 00 00 89 45   ......r4..$....E
0x01c50020  e8 8b 86 d8 01 00 00 05 e0 00 00 00 89 45 e4 64   .............E.d
0x01c50030  ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0 ff   .5.....E..u..E..

0x1c50000 55               PUSH EBP
0x1c50001 8bec             MOV EBP, ESP
0x1c50003 83c4e4           ADD ESP, -0x1c
0x1c50006 53               PUSH EBX
0x1c50007 56               PUSH ESI
0x1c50008 57               PUSH EDI
0x1c50009 8b5d10           MOV EBX, [EBP+0x10]
0x1c5000c 8b4508           MOV EAX, [EBP+0x8]
0x1c5000f 8b90b4080000     MOV EDX, [EAX+0x8b4]
0x1c50015 8b7234           MOV ESI, [EDX+0x34]
0x1c50018 8b8624030000     MOV EAX, [ESI+0x324]
0x1c5001e 8945e8           MOV [EBP+0xffffffe8], EAX
0x1c50021 8b86d8010000     MOV EAX, [ESI+0x1d8]
0x1c50027 05e0000000       ADD EAX, 0xe0
0x1c5002c 8945e4           MOV [EBP+0xffffffe4], EAX
0x1c5002f 64ff3500000000   PUSH DWORD [FS:0x0]
0x1c50036 8f45ec           POP DWORD [EBP+0xffffffec]
0x1c50039 ff75e8           PUSH DWORD [EBP+0xffffffe8]
0x1c5003c 8f45f0           POP DWORD [EBP+0xfffffff0]
0x1c5003f ff               DB 0xff

Process: explorer.exe Pid: 1096 Address: 0x1cb0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01cb0000  55 8b ec 81 c4 b0 fe ff ff 53 56 57 8b fa 89 45   U........SVW...E
0x01cb0010  d8 8b 75 d8 8b 86 b4 08 00 00 8b 58 34 8b 83 24   ..u........X4..$
0x01cb0020  03 00 00 89 45 e8 8b 43 0c 05 c9 04 00 00 89 45   ....E..C.......E
0x01cb0030  e4 64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45   .d.5.....E..u..E

0x1cb0000 55               PUSH EBP
0x1cb0001 8bec             MOV EBP, ESP
0x1cb0003 81c4b0feffff     ADD ESP, 0xfffffeb0
0x1cb0009 53               PUSH EBX
0x1cb000a 56               PUSH ESI
0x1cb000b 57               PUSH EDI
0x1cb000c 8bfa             MOV EDI, EDX
0x1cb000e 8945d8           MOV [EBP+0xffffffd8], EAX
0x1cb0011 8b75d8           MOV ESI, [EBP+0xffffffd8]
0x1cb0014 8b86b4080000     MOV EAX, [ESI+0x8b4]
0x1cb001a 8b5834           MOV EBX, [EAX+0x34]
0x1cb001d 8b8324030000     MOV EAX, [EBX+0x324]
0x1cb0023 8945e8           MOV [EBP+0xffffffe8], EAX
0x1cb0026 8b430c           MOV EAX, [EBX+0xc]
0x1cb0029 05c9040000       ADD EAX, 0x4c9
0x1cb002e 8945e4           MOV [EBP+0xffffffe4], EAX
0x1cb0031 64ff3500000000   PUSH DWORD [FS:0x0]
0x1cb0038 8f45ec           POP DWORD [EBP+0xffffffec]
0x1cb003b ff75e8           PUSH DWORD [EBP+0xffffffe8]
0x1cb003e 8f               DB 0x8f
0x1cb003f 45               INC EBP

Process: explorer.exe Pid: 1096 Address: 0x1c90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01c90000  55 8b ec 83 c4 e4 53 56 57 8b 7d 14 8b 55 08 8b   U.....SVW.}..U..
0x01c90010  82 b4 08 00 00 8b 40 34 8b 88 24 03 00 00 89 4d   ......@4..$....M
0x01c90020  e8 8b 80 d0 01 00 00 05 88 00 00 00 89 45 e4 64   .............E.d
0x01c90030  ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0 ff   .5.....E..u..E..

0x1c90000 55               PUSH EBP
0x1c90001 8bec             MOV EBP, ESP
0x1c90003 83c4e4           ADD ESP, -0x1c
0x1c90006 53               PUSH EBX
0x1c90007 56               PUSH ESI
0x1c90008 57               PUSH EDI
0x1c90009 8b7d14           MOV EDI, [EBP+0x14]
0x1c9000c 8b5508           MOV EDX, [EBP+0x8]
0x1c9000f 8b82b4080000     MOV EAX, [EDX+0x8b4]
0x1c90015 8b4034           MOV EAX, [EAX+0x34]
0x1c90018 8b8824030000     MOV ECX, [EAX+0x324]
0x1c9001e 894de8           MOV [EBP+0xffffffe8], ECX
0x1c90021 8b80d0010000     MOV EAX, [EAX+0x1d0]
0x1c90027 0588000000       ADD EAX, 0x88
0x1c9002c 8945e4           MOV [EBP+0xffffffe4], EAX
0x1c9002f 64ff3500000000   PUSH DWORD [FS:0x0]
0x1c90036 8f45ec           POP DWORD [EBP+0xffffffec]
0x1c90039 ff75e8           PUSH DWORD [EBP+0xffffffe8]
0x1c9003c 8f45f0           POP DWORD [EBP+0xfffffff0]
0x1c9003f ff               DB 0xff

Process: explorer.exe Pid: 1096 Address: 0x1c80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01c80000  55 8b ec 51 53 56 57 8b 7d 0c 8b 55 08 8b f2 8b   U..QSVW.}..U....
0x01c80010  86 b4 08 00 00 8b 40 34 8b df 83 7b 08 00 7c 56   ......@4...{..|V
0x01c80020  83 7d 14 00 7c 50 8b 4b 08 03 4d 14 89 4d fc 83   .}..|P.K..M..M..
0x01c80030  7d fc 00 7e 41 8b 4d fc 3b 4b 04 7e 1a 8b 4d fc   }..~A.M.;K.~..M.

0x1c80000 55               PUSH EBP
0x1c80001 8bec             MOV EBP, ESP
0x1c80003 51               PUSH ECX
0x1c80004 53               PUSH EBX
0x1c80005 56               PUSH ESI
0x1c80006 57               PUSH EDI
0x1c80007 8b7d0c           MOV EDI, [EBP+0xc]
0x1c8000a 8b5508           MOV EDX, [EBP+0x8]
0x1c8000d 8bf2             MOV ESI, EDX
0x1c8000f 8b86b4080000     MOV EAX, [ESI+0x8b4]
0x1c80015 8b4034           MOV EAX, [EAX+0x34]
0x1c80018 8bdf             MOV EBX, EDI
0x1c8001a 837b0800         CMP DWORD [EBX+0x8], 0x0
0x1c8001e 7c56             JL 0x1c80076
0x1c80020 837d1400         CMP DWORD [EBP+0x14], 0x0
0x1c80024 7c50             JL 0x1c80076
0x1c80026 8b4b08           MOV ECX, [EBX+0x8]
0x1c80029 034d14           ADD ECX, [EBP+0x14]
0x1c8002c 894dfc           MOV [EBP+0xfffffffc], ECX
0x1c8002f 837dfc00         CMP DWORD [EBP+0xfffffffc], 0x0
0x1c80033 7e41             JLE 0x1c80076
0x1c80035 8b4dfc           MOV ECX, [EBP+0xfffffffc]
0x1c80038 3b4b04           CMP ECX, [EBX+0x4]
0x1c8003b 7e1a             JLE 0x1c80057
0x1c8003d 8b4dfc           MOV ECX, [EBP+0xfffffffc]

Process: explorer.exe Pid: 1096 Address: 0x1ca0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01ca0000  53 56 57 55 51 89 0c 24 8b fa 8b f0 8b c6 8b 90   SVWUQ..$........
0x01ca0010  b4 08 00 00 8b 6a 34 8b df 54 57 56 ff 95 d8 01   .....j4..TWV....
0x01ca0020  00 00 89 03 8b 04 24 89 43 0c 5a 5d 5f 5e 5b c3   ......$.C.Z]_^[.
0x01ca0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x1ca0000 53               PUSH EBX
0x1ca0001 56               PUSH ESI
0x1ca0002 57               PUSH EDI
0x1ca0003 55               PUSH EBP
0x1ca0004 51               PUSH ECX
0x1ca0005 890c24           MOV [ESP], ECX
0x1ca0008 8bfa             MOV EDI, EDX
0x1ca000a 8bf0             MOV ESI, EAX
0x1ca000c 8bc6             MOV EAX, ESI
0x1ca000e 8b90b4080000     MOV EDX, [EAX+0x8b4]
0x1ca0014 8b6a34           MOV EBP, [EDX+0x34]
0x1ca0017 8bdf             MOV EBX, EDI
0x1ca0019 54               PUSH ESP
0x1ca001a 57               PUSH EDI
0x1ca001b 56               PUSH ESI
0x1ca001c ff95d8010000     CALL DWORD [EBP+0x1d8]
0x1ca0022 8903             MOV [EBX], EAX
0x1ca0024 8b0424           MOV EAX, [ESP]
0x1ca0027 89430c           MOV [EBX+0xc], EAX
0x1ca002a 5a               POP EDX
0x1ca002b 5d               POP EBP
0x1ca002c 5f               POP EDI
0x1ca002d 5e               POP ESI
0x1ca002e 5b               POP EBX
0x1ca002f c3               RET
0x1ca0030 0000             ADD [EAX], AL
0x1ca0032 0000             ADD [EAX], AL
0x1ca0034 0000             ADD [EAX], AL
0x1ca0036 0000             ADD [EAX], AL
0x1ca0038 0000             ADD [EAX], AL
0x1ca003a 0000             ADD [EAX], AL
0x1ca003c 0000             ADD [EAX], AL
0x1ca003e 0000             ADD [EAX], AL

Process: explorer.exe Pid: 1096 Address: 0x1ce0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01ce0000  53 56 57 55 51 8b e9 8b fa 8b f0 8b c6 8b 90 b4   SVWUQ...........
0x01ce0010  08 00 00 8b 5a 34 55 ff 53 70 88 04 24 6a 01 8d   ....Z4U.Sp..$j..
0x01ce0020  44 24 04 50 57 56 ff 93 cc 01 00 00 33 c0 8a 04   D$.PWV......3...
0x01ce0030  24 50 55 57 56 ff 93 cc 01 00 00 5a 5d 5f 5e 5b   $PUWV......Z]_^[

0x1ce0000 53               PUSH EBX
0x1ce0001 56               PUSH ESI
0x1ce0002 57               PUSH EDI
0x1ce0003 55               PUSH EBP
0x1ce0004 51               PUSH ECX
0x1ce0005 8be9             MOV EBP, ECX
0x1ce0007 8bfa             MOV EDI, EDX
0x1ce0009 8bf0             MOV ESI, EAX
0x1ce000b 8bc6             MOV EAX, ESI
0x1ce000d 8b90b4080000     MOV EDX, [EAX+0x8b4]
0x1ce0013 8b5a34           MOV EBX, [EDX+0x34]
0x1ce0016 55               PUSH EBP
0x1ce0017 ff5370           CALL DWORD [EBX+0x70]
0x1ce001a 880424           MOV [ESP], AL
0x1ce001d 6a01             PUSH 0x1
0x1ce001f 8d442404         LEA EAX, [ESP+0x4]
0x1ce0023 50               PUSH EAX
0x1ce0024 57               PUSH EDI
0x1ce0025 56               PUSH ESI
0x1ce0026 ff93cc010000     CALL DWORD [EBX+0x1cc]
0x1ce002c 33c0             XOR EAX, EAX
0x1ce002e 8a0424           MOV AL, [ESP]
0x1ce0031 50               PUSH EAX
0x1ce0032 55               PUSH EBP
0x1ce0033 57               PUSH EDI
0x1ce0034 56               PUSH ESI
0x1ce0035 ff93cc010000     CALL DWORD [EBX+0x1cc]
0x1ce003b 5a               POP EDX
0x1ce003c 5d               POP EBP
0x1ce003d 5f               POP EDI
0x1ce003e 5e               POP ESI
0x1ce003f 5b               POP EBX

Process: explorer.exe Pid: 1096 Address: 0x1cd0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01cd0000  55 8b ec 83 c4 a4 53 56 57 89 55 dc 89 45 e0 8b   U.....SVW.U..E..
0x01cd0010  45 e0 8b 90 b4 08 00 00 8b 5a 34 8b 83 24 03 00   E........Z4..$..
0x01cd0020  00 89 45 e8 8b 83 54 04 00 00 05 41 01 00 00 89   ..E...T....A....
0x01cd0030  45 e4 64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f   E.d.5.....E..u..

0x1cd0000 55               PUSH EBP
0x1cd0001 8bec             MOV EBP, ESP
0x1cd0003 83c4a4           ADD ESP, -0x5c
0x1cd0006 53               PUSH EBX
0x1cd0007 56               PUSH ESI
0x1cd0008 57               PUSH EDI
0x1cd0009 8955dc           MOV [EBP+0xffffffdc], EDX
0x1cd000c 8945e0           MOV [EBP+0xffffffe0], EAX
0x1cd000f 8b45e0           MOV EAX, [EBP+0xffffffe0]
0x1cd0012 8b90b4080000     MOV EDX, [EAX+0x8b4]
0x1cd0018 8b5a34           MOV EBX, [EDX+0x34]
0x1cd001b 8b8324030000     MOV EAX, [EBX+0x324]
0x1cd0021 8945e8           MOV [EBP+0xffffffe8], EAX
0x1cd0024 8b8354040000     MOV EAX, [EBX+0x454]
0x1cd002a 0541010000       ADD EAX, 0x141
0x1cd002f 8945e4           MOV [EBP+0xffffffe4], EAX
0x1cd0032 64ff3500000000   PUSH DWORD [FS:0x0]
0x1cd0039 8f45ec           POP DWORD [EBP+0xffffffec]
0x1cd003c ff75e8           PUSH DWORD [EBP+0xffffffe8]
0x1cd003f 8f               DB 0x8f

Process: explorer.exe Pid: 1096 Address: 0x1cc0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01cc0000  55 8b ec 83 c4 80 53 56 57 89 4d d8 89 55 dc 89   U.....SVW.M..U..
0x01cc0010  45 e0 8b 5d 08 8b 45 e0 89 45 c0 8b 45 c0 8b 80   E..]..E..E..E...
0x01cc0020  b4 08 00 00 89 45 bc 8b 70 34 8b 86 24 03 00 00   .....E..p4..$...
0x01cc0030  89 45 e8 8b 46 58 05 6e 03 00 00 89 45 e4 64 ff   .E..FX.n....E.d.

0x1cc0000 55               PUSH EBP
0x1cc0001 8bec             MOV EBP, ESP
0x1cc0003 83c480           ADD ESP, -0x80
0x1cc0006 53               PUSH EBX
0x1cc0007 56               PUSH ESI
0x1cc0008 57               PUSH EDI
0x1cc0009 894dd8           MOV [EBP+0xffffffd8], ECX
0x1cc000c 8955dc           MOV [EBP+0xffffffdc], EDX
0x1cc000f 8945e0           MOV [EBP+0xffffffe0], EAX
0x1cc0012 8b5d08           MOV EBX, [EBP+0x8]
0x1cc0015 8b45e0           MOV EAX, [EBP+0xffffffe0]
0x1cc0018 8945c0           MOV [EBP+0xffffffc0], EAX
0x1cc001b 8b45c0           MOV EAX, [EBP+0xffffffc0]
0x1cc001e 8b80b4080000     MOV EAX, [EAX+0x8b4]
0x1cc0024 8945bc           MOV [EBP+0xffffffbc], EAX
0x1cc0027 8b7034           MOV ESI, [EAX+0x34]
0x1cc002a 8b8624030000     MOV EAX, [ESI+0x324]
0x1cc0030 8945e8           MOV [EBP+0xffffffe8], EAX
0x1cc0033 8b4658           MOV EAX, [ESI+0x58]
0x1cc0036 056e030000       ADD EAX, 0x36e
0x1cc003b 8945e4           MOV [EBP+0xffffffe4], EAX
0x1cc003e 64               DB 0x64
0x1cc003f ff               DB 0xff

Process: explorer.exe Pid: 1096 Address: 0x1d00000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01d00000  55 8b ec 83 c4 d0 53 56 57 be 39 05 00 00 8b c6   U.....SVW.9.....
0x01d00010  8b 90 b4 08 00 00 8b 5a 34 8b 83 24 03 00 00 89   .......Z4..$....
0x01d00020  45 e8 8b 83 ec 03 00 00 05 cd 00 00 00 89 45 e4   E.............E.
0x01d00030  64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0   d.5.....E..u..E.

0x1d00000 55               PUSH EBP
0x1d00001 8bec             MOV EBP, ESP
0x1d00003 83c4d0           ADD ESP, -0x30
0x1d00006 53               PUSH EBX
0x1d00007 56               PUSH ESI
0x1d00008 57               PUSH EDI
0x1d00009 be39050000       MOV ESI, 0x539
0x1d0000e 8bc6             MOV EAX, ESI
0x1d00010 8b90b4080000     MOV EDX, [EAX+0x8b4]
0x1d00016 8b5a34           MOV EBX, [EDX+0x34]
0x1d00019 8b8324030000     MOV EAX, [EBX+0x324]
0x1d0001f 8945e8           MOV [EBP+0xffffffe8], EAX
0x1d00022 8b83ec030000     MOV EAX, [EBX+0x3ec]
0x1d00028 05cd000000       ADD EAX, 0xcd
0x1d0002d 8945e4           MOV [EBP+0xffffffe4], EAX
0x1d00030 64ff3500000000   PUSH DWORD [FS:0x0]
0x1d00037 8f45ec           POP DWORD [EBP+0xffffffec]
0x1d0003a ff75e8           PUSH DWORD [EBP+0xffffffe8]
0x1d0003d 8f45f0           POP DWORD [EBP+0xfffffff0]

Process: explorer.exe Pid: 1096 Address: 0x1cf0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01cf0000  55 8b ec 8b 55 10 8b 45 0c 8b 48 08 89 8a b8 00   U...U..E..H.....
0x01cf0010  00 00 8b 48 0c 89 8a c4 00 00 00 8b 40 10 89 82   ...H........@...
0x01cf0020  b4 00 00 00 33 c0 5d c2 10 00 8b c0 55 8b ec 83   ....3.].....U...
0x01cf0030  c4 e4 53 56 57 8b 5d 10 8b 45 08 8b 90 b4 08 00   ..SVW.]..E......

0x1cf0000 55               PUSH EBP
0x1cf0001 8bec             MOV EBP, ESP
0x1cf0003 8b5510           MOV EDX, [EBP+0x10]
0x1cf0006 8b450c           MOV EAX, [EBP+0xc]
0x1cf0009 8b4808           MOV ECX, [EAX+0x8]
0x1cf000c 898ab8000000     MOV [EDX+0xb8], ECX
0x1cf0012 8b480c           MOV ECX, [EAX+0xc]
0x1cf0015 898ac4000000     MOV [EDX+0xc4], ECX
0x1cf001b 8b4010           MOV EAX, [EAX+0x10]
0x1cf001e 8982b4000000     MOV [EDX+0xb4], EAX
0x1cf0024 33c0             XOR EAX, EAX
0x1cf0026 5d               POP EBP
0x1cf0027 c21000           RET 0x10
0x1cf002a 8bc0             MOV EAX, EAX
0x1cf002c 55               PUSH EBP
0x1cf002d 8bec             MOV EBP, ESP
0x1cf002f 83c4e4           ADD ESP, -0x1c
0x1cf0032 53               PUSH EBX
0x1cf0033 56               PUSH ESI
0x1cf0034 57               PUSH EDI
0x1cf0035 8b5d10           MOV EBX, [EBP+0x10]
0x1cf0038 8b4508           MOV EAX, [EBP+0x8]
0x1cf003b 8b               DB 0x8b
0x1cf003c 90               NOP
0x1cf003d b408             MOV AH, 0x8
0x1cf003f 00               DB 0x0

Process: explorer.exe Pid: 1096 Address: 0x1d10000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01d10000  55 8b ec 81 c4 d0 fe ff ff 53 56 57 89 55 e0 8b   U........SVW.U..
0x01d10010  d8 8b f3 8b 86 b4 08 00 00 89 45 d8 8b 78 34 8b   ..........E..x4.
0x01d10020  87 24 03 00 00 89 45 e8 8b 87 e8 03 00 00 05 13   .$....E.........
0x01d10030  01 00 00 89 45 e4 64 ff 35 00 00 00 00 8f 45 ec   ....E.d.5.....E.

0x1d10000 55               PUSH EBP
0x1d10001 8bec             MOV EBP, ESP
0x1d10003 81c4d0feffff     ADD ESP, 0xfffffed0
0x1d10009 53               PUSH EBX
0x1d1000a 56               PUSH ESI
0x1d1000b 57               PUSH EDI
0x1d1000c 8955e0           MOV [EBP+0xffffffe0], EDX
0x1d1000f 8bd8             MOV EBX, EAX
0x1d10011 8bf3             MOV ESI, EBX
0x1d10013 8b86b4080000     MOV EAX, [ESI+0x8b4]
0x1d10019 8945d8           MOV [EBP+0xffffffd8], EAX
0x1d1001c 8b7834           MOV EDI, [EAX+0x34]
0x1d1001f 8b8724030000     MOV EAX, [EDI+0x324]
0x1d10025 8945e8           MOV [EBP+0xffffffe8], EAX
0x1d10028 8b87e8030000     MOV EAX, [EDI+0x3e8]
0x1d1002e 0513010000       ADD EAX, 0x113
0x1d10033 8945e4           MOV [EBP+0xffffffe4], EAX
0x1d10036 64ff3500000000   PUSH DWORD [FS:0x0]
0x1d1003d 8f45ec           POP DWORD [EBP+0xffffffec]

Process: explorer.exe Pid: 1096 Address: 0x1de0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01de0000  00 00 ac 01 08 00 ac 01 02 10 00 00 05 00 c2 01   ................
0x01de0010  01 00 ac 01 01 00 c2 01 00 00 00 00 00 00 00 00   ................
0x01de0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01de0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x1de0000 0000             ADD [EAX], AL
0x1de0002 ac               LODSB
0x1de0003 0108             ADD [EAX], ECX
0x1de0005 00ac0102100000   ADD [ECX+EAX+0x1002], CH
0x1de000c 0500c20101       ADD EAX, 0x101c200
0x1de0011 00ac010100c201   ADD [ECX+EAX+0x1c20001], CH
0x1de0018 0000             ADD [EAX], AL
0x1de001a 0000             ADD [EAX], AL
0x1de001c 0000             ADD [EAX], AL
0x1de001e 0000             ADD [EAX], AL
0x1de0020 0000             ADD [EAX], AL
0x1de0022 0000             ADD [EAX], AL
0x1de0024 0000             ADD [EAX], AL
0x1de0026 0000             ADD [EAX], AL
0x1de0028 0000             ADD [EAX], AL
0x1de002a 0000             ADD [EAX], AL
0x1de002c 0000             ADD [EAX], AL
0x1de002e 0000             ADD [EAX], AL
0x1de0030 0000             ADD [EAX], AL
0x1de0032 0000             ADD [EAX], AL
0x1de0034 0000             ADD [EAX], AL
0x1de0036 0000             ADD [EAX], AL
0x1de0038 0000             ADD [EAX], AL
0x1de003a 0000             ADD [EAX], AL
0x1de003c 0000             ADD [EAX], AL
0x1de003e 0000             ADD [EAX], AL

Resolving the API Functions


If you have a good eye, you'll notice at least one injected segment that doesn't look anything like the others. Specifically, the disassembly of the segment at 0x1310000 does not make sense:

0x1310000 0011             ADD [ECX], DL
0x1310002 42               INC EDX
0x1310003 ab               STOSD
0x1310004 7107             JNO 0x131000d
0x1310006 4a               DEC EDX
0x1310007 ab               STOSD
0x1310008 712b             JNO 0x1310035

Luckily, malfind provides a hex dump preview of the memory as well. What you see is this:

0x01310000  00 11 42 ab 71 07 4a ab 71 2b 3e ab 71 27 4c ab   ..B.q.J.q+>.q'L.
0x01310010  71 6f 67 ab 71 53 2e ab 71 e1 2e ab 71 55 53 ab   qog.qS..q...qUS.
0x01310020  71 e1 9a 80 7c 74 9b 80 7c c7 06 81 7c 6b 23 80   q...|t..|...|k#.
0x01310030  7c 17 6c dd 77 42 78 dd 77 ab 7a dd 77 d7 ea dd   |.l.wBx.w.z.w...

There's an obvious pattern among the data. If its not as obvious to you as it was to me when I saw it, skip the first byte (00) and format the data as 32-bit integers using volshell:

$ python vol.py -f memory.img volshell
Volatile Systems Volatility Framework 2.3_alpha
Current context: process System, pid=4, ppid=0 DTB=0x39000
Welcome to volshell! Current memory image is:
file:///Volumes/Storage/memory/memory.img
To get help, type 'hh()'
>>> cc(pid = 1096)
Current context: process explorer.exe, pid=1096, ppid=1212 DTB=0x8cc000
>>> dd(0x01310000 + 1)
01310001  71ab4211 71ab4a07 71ab3e2b 71ab4c27
01310011  71ab676f 71ab2e53 71ab2ee1 71ab5355
01310021  7c809ae1 7c809b74 7c8106c7 7c80236b
01310031  77dd6c17 77dd7842 77dd7aab 77ddead7
01310041  77de4280 77dde9e4 77de4312 77de5196
01310051  7c831ec5 7c8286d6 7c801a28 7e44f6b4
01310061  7e42c2e8 7e43216b 7c810e17 7e42b3c6
01310071  7c810c1e 7e455721 7e42d226 7c80a864

See it now!? It looks like an array of memory addresses, all landing in the 7XXXXXXX range, which is typically where you find system DLLs on Windows XP (remember this is before ASLR). Even though Poison Ivy leaves no trace of a PE header and thus no IAT, you've just identified the call table used by the malware to find API functions it needs at run time. After dynamically resolving the APIs (via GetProcAddress or manually parsing a DLL's EAT), the addresses are saved into this table.

The next step is to compute the reverse of GetProcAddress - given an address, determine the name of the API function is. This will give you an idea of at least some of the malware's capabilities. Volatility is full of useful plugins from which you can "borrow" code and leverage for malware analysis. So we'll stay in volshell in the context of explorer.exe (note: after the cc command, the self.eproc variable is set to the target process's _EPROCESS object). We enumerate all DLLs in explorer with the get_load_modules() function.

>>> explorer = self.eproc
>>> all_mods = list(explorer.get_load_modules())

Now we call out to the impscan plugin and use its enum_apis() function. This parses the Export Address Table (EAT) of all DLLs and returns a dictionary of API information. The keys to the dictionary are addresses within explorer.exe where the API functions start. The values are tuples of the containing DLL and function name.

>>> import volatility.plugins.malware.impscan as impscan
>>> apis = impscan.ImpScan(self._config).enum_apis(all_mods)

Next we will read all the addresses in the call table starting at 0x1310001 into an array. Looking at the original dd output, the first address should be 0x71ab4211, so you can double check by printing the first element in the array:

>>> addrs = obj.Object("Array", targetType = "address", offset = 0x01310001, vm = explorer.get_process_address_space(), count = 100)

>>> hex(addrs[0])
'0x71ab4211L'

Finally, we can iterate over all addresses in the array and check if the apis dictionary has a key that matches. If so, we print the dictionary's values.

>>> for addr in addrs:
...   if int(addr) in apis:
...     (dll, func) = apis[int(addr)]
...     print hex(addr.obj_offset - 0x01310000), dll.BaseDllName, func
... 
0x1 WS2_32.dll socket
0x5 WS2_32.dll connect
0x9 WS2_32.dll closesocket
0xd WS2_32.dll send
0x11 WS2_32.dll recv
0x15 WS2_32.dll ntohs
0x19 WS2_32.dll inet_addr
0x1d WS2_32.dll gethostbyname
0x21 kernel32.dll VirtualAlloc
0x25 kernel32.dll VirtualFree
0x29 kernel32.dll CreateThread
0x2d kernel32.dll CreateProcessA
0x31 ADVAPI32.dll RegCloseKey
0x35 ADVAPI32.dll RegOpenKeyExA
0x39 ADVAPI32.dll RegQueryValueExA
0x3d ADVAPI32.dll RegSetValueExA
0x41 ADVAPI32.dll RegDeleteKeyA
0x45 ADVAPI32.dll RegCreateKeyExA
0x49 ADVAPI32.dll RegQueryInfoKeyA
0x4d ADVAPI32.dll RegEnumKeyExA
0x51 kernel32.dll DeleteFileA
0x55 kernel32.dll CopyFileA
0x59 kernel32.dll CreateFileA
0x5d USER32.dll GetKeyNameTextA
0x61 USER32.dll GetActiveWindow
0x65 USER32.dll GetWindowTextA
0x69 kernel32.dll WriteFile
0x6d USER32.dll CallNextHookEx
0x71 kernel32.dll SetFilePointer
0x75 USER32.dll ToAscii
0x79 USER32.dll GetKeyboardState
0x7d kernel32.dll GetLocalTime
0x81 kernel32.dll lstrcatA
0x85 kernel32.dll CreateMutexA
0x89 ntdll.dll RtlGetLastWin32Error
0x8d kernel32.dll GetFileTime
0x91 kernel32.dll SetFileTime
0x95 kernel32.dll OpenProcess
0x99 WS2_32.dll select
0x9d kernel32.dll LoadLibraryA
0xa1 kernel32.dll CloseHandle
0xa5 kernel32.dll Sleep
0xa9 ntdll.dll RtlMoveMemory
0xad ntdll.dll RtlZeroMemory
0xb1 kernel32.dll VirtualAllocEx
0xb5 kernel32.dll WriteProcessMemory
0xb9 kernel32.dll CreateToolhelp32Snapshot
0xbd kernel32.dll Process32First
0xc1 kernel32.dll Process32Next
0xc9 kernel32.dll CreateRemoteThread
0xcd kernel32.dll lstrcmpiA

As you can see, Poison Ivy uses APIs for networking (send, recv, gethostbyname, etc), for launching external processes (CreateProcessA), and modifying and querying the registry (for persistence with the Run key). It also includes CallNextHookEx (typically used in conjunction with SetWindowsHookEx which you may remember from MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem), ToAscii, and GetKeyboardState - all likely components of the keylogger; however as we noticed in the original post, that functionality of the RAT was disabled. There are various other clues you can gain from this, such as SetFileTime (timestomping), and VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread for the code injection.

Embedded Strings and Unconditional CALLs

The offsets we printed to the left of the API names are relative to the call table base (0x1310000). These are the values you would see being used in disassembles of the code.  For example, CALL DWORD PTR [EDI + 91] would be a call to SetFileTime. And this is one way you can proceed with reverse engineering the RAT's functionality even though its split across 20+ memory segments in explorer.exe and there is no PE header or IAT. Let's apply this knowledge to one of the memory segments that contains executable instructions:

>>> dis(0x1300000)
0x1300000 55                               PUSH EBP
0x1300001 8bec                             MOV EBP, ESP
0x1300003 81c430faffff                     ADD ESP, 0xfffffa30
0x1300009 8b7508                           MOV ESI, [EBP+0x8]
0x130000c 8d86fb030000                     LEA EAX, [ESI+0x3fb]
0x1300012 50                               PUSH EAX
0x1300013 6a00                             PUSH 0x0
0x1300015 6a00                             PUSH 0x0
0x1300017 ff9685000000                     CALL DWORD [ESI+0x85] ; CreateMutexA
0x130001d 8986c5080000                     MOV [ESI+0x8c5], EAX
0x1300023 ff9689000000                     CALL DWORD [ESI+0x89] ; GetLastError
0x1300029 3db7000000                       CMP EAX, 0xb7         ; ERROR_ALREADY_EXISTS
0x130002e 7504                             JNZ 0x1300034
0x1300030 c9                               LEAVE
0x1300031 c20400                           RET 0x4
0x1300034 56                               PUSH ESI
0x1300035 8d866b090000                     LEA EAX, [ESI+0x96b]
0x130003b 50                               PUSH EAX
0x130003c 8d8645010000                     LEA EAX, [ESI+0x145]
0x1300042 50                               PUSH EAX
0x1300043 ff96fd000000                     CALL DWORD [ESI+0xfd]  
0x1300049 e807000000                       CALL 0x1300055
0x130004e 7773                             JA 0x13000c3
0x1300050 325f33                           XOR BL, [EDI+0x33]
0x1300053 3200                             XOR AL, [EAX]
0x1300055 58                               POP EAX
0x1300056 50                               PUSH EAX
0x1300057 ff969d000000                     CALL DWORD [ESI+0x9d] ; LoadLibraryA
0x130005d 8986c30a0000                     MOV [ESI+0xac3], EAX

Now that we've applied labels to the calls, the purpose of the function in this memory segment is easily understood. It is the function that creates the mutex and then returns if the mutex already existed or not; otherwise it goes on to load the ws2_32 (winsock2) library. Here's what you know based on the above disassembly:
  • The function takes one argument (EBP+0x8). This is moved into ESI which is the register referenced when making the API calls (CALL DWORD [ESI+0x85]). Thus the argument is a pointer to the base address of the memory region that contains the API call table (0x1310000). 
  • When CreateMutexA is called, the third parameter (mutex name) is pushed on the stack from EAX, but before that it came from [ESI+0x3fb]. Now we know the offset of the mutex name inside the memory region. 
  • The return value of CreateMutexA (a HANDLE to the created or opened mutex) is placed into [ESI+0x8c5]. 
  • It calls GetLastError and if that reports ERROR_ALREADY_EXISTS, the function returns. Otherwise it jumps to 0x1300034. See below for what happens next. 
Assuming the mutex did not exist, the code reaches 0x1300049 where there is a CALL 0x1300055. Thus it unconditionally skips over the instructions between 0x130004e and 0x1300055 (shown in red). If instructions are always skipped, why do they need to be there? That is strange, not to mention the instructions do not make much sense. What is the meaning of all this? Well if you consider the context, the first two instructions after the CALL are POP EAX (puts the return address of the CALL into EAX) followed by a PUSH EAX. Thus the return address of the CALL (0x130004e) is being located in a position-independent manner and then pushed back on the stack to be used as the first parameter to LoadLibraryA. We can expect in this case that 0x130004e is actually a pointer to a NULL-terminated ANSI string, the name of the library to load.

>>> db(0x130004e)
0x0130004e  77 73 32 5f 33 32 00 58 50 ff 96 9d 00 00 00 89   ws2_32.XP.......
0x0130005e  86 c3 0a 00 00 e8 3a 00 00 00 e1 60 b4 8e 01 00   ......:....`....

The trick of "hiding" strings by embedding them between executable instructions is not new. Greg Hoglund discussed it in his "Detecting APT Attackers In Memory" post (and obviously Poison Ivy has been doing it for years). In the post, Poison Ivy wasn't identified by name, the term "APT" was dropped about 12 times, and you can tell based on similarities in the code that it was definitely Poison Ivy.

Reverse Engineering the Code

If Hex-Rays Decompiler worked on code fragments in physical memory, that would be awesome...but it doesn't. So we are left with the task of manually reversing code if we want to understand how it looks at a higher level language. The example function we displayed above, with partial structures, can be seen below:

typedef struct _PIVY_CALLS { 
    /* offset 0x000 */ unsigned char zero; // 00
    /* offset 0x001 */ VOID * p_socket; 
    /* offset 0x005 */ VOID * p_connect;
    /* offset 0x009 */ VOID * p_closesocket;
    .....
    /* offset 0x089 */ VOID * p_CreateMutexA;
    /* offset 0x09d */ VOID * p_LoadLibraryA;
} PIVY_CALLS, *PPIVY_CALLS;

// this is the structure at 0x1310000
typedef struct _PIVY_STRUCT { 
    /* offset 0x008 */ PIVY_CALLS PivyCalls; 
    /* offset 0x3fb */ CHAR szMutex[unknown_size];
    /* offset 0x8c5 */ HANDLE hMutex; 
    /* offset 0xac3 */ HMODULE hLibWinsock;
} PIVY_STRUCT, *PPIVY_STRUCT;

VOID Sub_1300000 (PPIVY_STRUCT PivyStruct) // EBP+0x8
{ 
    PivyStruct->hMutex = PivyStruct->PivyCalls.p_CreateMutexA(
                                        NULL, 
                                        FALSE, 
                                        PivyStruct->szMutex);
                                        
    if (GetLastError() == ERROR_ALREADY_EXISTS)
        return;
        
    PivyStruct->hLibWinsock = PivyStruct->PivyCalls.p_LoadLibraryA("ws2_32");
    ......
}

Not bad for a start, right? The Poison Ivy functions are spread across multiple memory segments, strings are interspersed with code, and the API call table is in yet another segment. But its still possible to reverse engineer and figure out what each function does when you put the pieces together.

Automating the Solution

To help automate the task of labeling API calls throughout the different memory segments, pulling out the embedded strings, and things of that nature, we built a new Volatility plugin called pivydasm. We use the distorm3 stream disassembler, just like many other existing plugins. However, we had to handle some special cases. Instead of doing a simple linear scan through the code blocks (since there are anti-disassembling tricks), we had to use additional checks to make sure the results were correct.

Basic usage:

$ python vol.py -f memory.img pivydasm --pid=1096 --output=html --output-file=report.html

Here's a brief description of how the plugin works:
  • It scans for injected code segments, just like malfind
  • It distinguishes between PoisonIvy's functions blocks and the API call table
  • It does an initial linear pass with distorm3 on all functions, applying labels to imported function calls and collecting called addresses that exist within other code fragments. 
  • It does a second pass with the disassembler making sure to start at all addresses that other instructions called. It discards instructions that don't match up, effectively identifying the anti-disassembling tricks and eliminating them from the final disassembly view
The plugin can render output as text (to the terminal) or HTML. I prefer to use the HTML report for this particular plugin, because it uses colors similar to IDA Pro and makes things "feel" more familiar. Here's an example - click to enlarge:


So you can make a few conclusions from the screen shot:
  • The instruction at address 0x0129000c references the mutex name ")!VoqA.I4" using a LEA EAX, [ESI + 0x3fb]. It is passed to CreateMutexA, which itself is accessed as CALL DWORD [ESI + 0x85]. Code which used to just be meaningless offsets and registers now makes perfect sense. 
  • The instruction at address 0x01290043 calls [ESI + 0xfd] which Andreas Schuster named "func_Key_expansion" in this original set of Poison Ivy plugins for Volatility. This would seem to be accurate since the parameters passed to the function include the RAT's secret password "tigers" and a pointer to the Camellia key schedule.
  • The initial pass through the data with a linear scan identified the bytes at 0x0129004e (77 73) as JA 0x12900c3. That does not make sense since there is no comparison before the JA. Thus three instructions are shown in a strike-out font, they're labeled as ANTI-DISASM, and the bytes for those "fake" instructions are interpreted as a string "ws2_32" and displayed in a comment.
In the next screen shot, you can see a much larger set of fake instructions, but the extracted string contains non-ASCII characters like 0xe1 and 0x8e. What's that all about?


If you examine the subroutine immediately following the fake instructions (at 0x012900a2), it is a loop around func_GetProcAddressByCRC32. The first parameter to the function is a handle to the ws2_32.dll library. The second parameter (PUSH DWORD [EDI]) is a pointer that increments by 6 (ADD EDI, 6) each iteration of the loop; until the four bytes pointed to by EDI are all zero. You may notice the last four bytes in the strike-out region are 00 00 00 00. Also, due to the CALL/POP sequence, EDI points to the first byte in the strike-out region at the time the loop begins. So its not an ASCII string in those bytes at all, its a series of checksums!

In the next screen shot, you can see where the command and control communications take place. The func_Send_Receive function is just a wrapper around the ws2_32.send and ws2_32.recv calls. Notice the Cemellia key schedule is referenced before calling the encryption and decryption routines:


In the next screen shot, you can see the registry Run key we noticed in the original forensic analysis. This string is also embedded between executable code blocks. After referencing the string, it calls RegOpenKeyExA, RegSetValueExA, and RegCloseKey.


The final screen shot shows the few functions involved in code injection to other processes. From top to bottom, you see a CALL DWORD [ESI + 0xd1] which goes to 0x01990000 (the function in the middle). At that location, the well-known combination of VirtualAllocEx and WriteProcessMemory allocates memory and transfers data to the remote process. Then CreateRemoteThread is called to execute code at offset 0x0197000 (func_Extra). The function you see in the bottom that calls CreateToolhelp32Snapshot, Process32First, and lstrcmpiA is how the malware finds a process by name (i.e. it maps "explorer.exe" to its process ID).


Visualizing Relationships

Since Volatility can render data in various formats, we added a Graphviz .dot style rendering function to the pivydasm plugin. It can be called like this:

$ python vol.py -f memory.img pivydasm --pid=1096 --output=dot --output-file=graph.dot

You can click (or download) and enlarge the image below. It basically shows the relationship among injected code fragments and how they call each other. To lend some context to the graph, all labels displayed in the HTML disassembly were ported to the graph nodes.


Conclusion

Volatility is more than just a memory forensics framework. Its a malware analysis tool with unparalleled visibility and power. In this post, we took an hour or so and produced a plugin that can do more than certain products that vendors sell for $10,000+. It reconstructs code fragments that the PoisonIvy RAT disperses into more than two dozen small allocations throughout process memory, puts them in context, and allows you to attribute the artifacts we saw in the original forensic analysis to exact code instructions that produced them. Code or it didn't happen? Oh, it definitely happened!

No comments:

Post a Comment