Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg
Рет қаралды 6,773
Күн бұрын
@dassumpfhuhn7225 6 жыл бұрын
Again a great video! I love the kind of short videos where you explain a certain specific technique(s) in detail. Its just good to learn thinking like a maleware author!
@Ivo-- 6 жыл бұрын
Excellent video. Can't make it to RECon but looking forward to your project, and future videos!
@ISquishWorms 6 жыл бұрын
Great content, looking forward to finding out what this project is that you are working on.
@OALABS 6 жыл бұрын
Thanks! It's slow going but we will get there eventually : )
@belialblack3182 6 жыл бұрын
No dislikes? I guess even the malware devs are happy with these videos :D Great work and thanks! :)
@OALABS 6 жыл бұрын
; )
@joeshmoe000 3 жыл бұрын
Don't worry about answering this. I know it's old, but figured I would comment anyway. I find it strange that they are doing that in goot itself because if someone had the skill to unpack it, I would think they'd have the skill to figure this out. PLUS, do you even really need to know what those CRCs are anyway? I would think you could just NOP or jump over the checks without even figuring out the CRCs. I'm just a programmer though so maybe I don't know what I'm talking about. Thanks for the video. I'm learning a lot.
@tiberiusvetus9113 6 жыл бұрын
Great video. Would be interesting to see something on radare2 at some point.
@OALABS 6 жыл бұрын
I don't think we will be covering radare2 as it's not really an efficient tool for the type of reversing that we are doing. In the tutorials we try to demonstrate techniques that we use daily as reverse engineers and radare2 is definitely not something I would use. If you are interested though I have seen a few CTF videos here on KZbin where people are using radare2, the one that stands out the most is from LiveOverflow, his videos are fantastic and I highly recommend them kzbin.info/www/bejne/sJyWe5eDhLaDmZo
@dave5623 6 жыл бұрын
exit_if_false appears to see if there is an environment variable named "tvsjymuyo" using the same CRC32 method. Still working my way though the exit_if_true_1 check. That seems trickier...
@OALABS 6 жыл бұрын
You are definitely headed in the right direction but I think there is a bit more to it ... take a look the strings that are used for the environment variable name and the xor encryption that gootkit is using to hide them gist.github.com/herrcore/e7d35def657aa620efdbc77a477f602a ... then take a look at what is assigned to the variable and the custom CRC32 method you mentioned...
@dave5623 6 жыл бұрын
OK, take 2. It xor decrypts a string, crackmeololo, and grabs the environment variable with that name and the value of it is CRC32 checked against the value of 0x964B360E. I'm not sure if I can take any of the scripts from Lastline or R3mrum can be repurposed easily to crack that hash though. I tried to locate where it creates the environment variable, but looking at xrefs of SetEnvironmentVariableA and SetEnvironmentVariableW only returned other variables, vendor_id, RandomListenPortBase, etc.
@OALABS 6 жыл бұрын
Hey right on!! Thats exactly what I got! Let me know if you brute force that hash I think you could repurpose r3mrum's scripts to do it but you would need a good wordlist or a lot of time to iterate through one letter at a time... Anyway I'm totally stoked that you nailed this, if we had swag we would definitely send you some : )
@dave5623 6 жыл бұрын
Got the hash! Hash matches: IM_1ON --> 964B360E
@OALABS 6 жыл бұрын
Awesome! It's funny, I think there are a few hash collisions here because there is another string that hashes to the same value but it's also fairly meaningless. I'm not sure which one the developer actually intended, or if there is even a third string that we haven't found yet. Either way nice find!
@bperzor1 6 жыл бұрын
Great video, as usual! Although, I did have some problems downloading the unpacked sample (I do have an account). Is it just me? Is it possible to upload it to hybrid as well? Thanks a lot!
@OALABS 6 жыл бұрын
Thanks! It seems the malshare download button is a bit broken. To download the samples you can log into malshare then go to the pull page malshare.com/pull.php and just paste in the hashes from the video description.
@bperzor1 6 жыл бұрын
I tried through the pull page yesterday, and it didn't work. Although, it does work now. Thanks!
@dave5623 6 жыл бұрын
I have a feel for what exit_if_true_1 is doing, but I still don't have the exact details on everything. It does the same xor decryption stuff for ntdll.dll and NtQuerySystemInformation. It will then import ntdll.dll and get the process address for NtQuerySystemInformation. It then gets the process list using NtQuerySystemInformation. Then it walks the process list and for each process that is not the current process it will check if it is running under Wow64 and it will check the process name against some CRC32 hash that I can't determine what the value of is. If it does find a match it will then break out of the process walking loop.
@OALABS 6 жыл бұрын
Heck yeh! It's checking for running processes of analysis tools etc. To speed up the CRC32 hash matching process you could use a wordlist of known processes like this hiddencodes.wordpress.com/2014/09/18/windows-process-name-hashes-list-1/ instead of brute forcing them letter by letter. As always awesome work! Maybe you could turn this into a blog post or something?
@dave5623 6 жыл бұрын
I'm not sure where the hashes are being derived from. Is it in contained in the v1 variable in the exit_if_true_1 function? Can you determine what values are stored in there from a purely static analysis perspective?
@OALABS 6 жыл бұрын
Yes you can pull them statically but now I can't remember how it works ... I'll go back and check the binary again when I have a few minutes and update this comment.
@oeijgkrloejlgira 6 жыл бұрын
Can someone throw me the sample? MalShare won't let me download :( "pending Analysis"?
@OALABS 6 жыл бұрын
To download from MalShare you will need to register for a free account then browse to the Pull Sample page malshare.com/pull.php and enter the hash from the page that we link in the description. Sometimes the site is a bit buggy but it should be working ok now. If it's still giving you trouble just send @silascutler a ping on Twitter.
OALabs
Рет қаралды 14 М.