Malware Journey Day 13
I've been struggling with unpacking process hollowing. The screenshots below will hopefully show some progress.
Process hollowing usually involves two executables. The first starts a legitimate process and then suspends it. The second wipes the legitimate executable from the process's memory and eventually writes the malicious executable into that memory.
So the common API functions are CreateProcessA, VirtualAllocEx and WriteProcessMemory. These are the main functions of concern, though there are plenty more. CreateProcessA on its own can also be a good indication of process hollowing: remember that the creation flag of 4 (CREATE_SUSPENDED) passed to CreateProcessA is what to look out for.
GetThreadContext is also needed; it takes the thread handle that CreateProcessA returned.
Once the process has been unmapped, WriteProcessMemory is used to write the PE header and sections.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
OSIRIS.EXE
Process Doppelgänging is similar to what I described above, but the APIs I will breakpoint on are NtCreateThreadEx, VirtualAlloc, and VirtualProtect. I am just trying to unpack it currently.
When returning from CreateProcessInternalW, I see the executable is suspending wermgr.exe.
Looks like it is an existing process.
Later on in my debugging I notice it is calling NtCreateFile.
The goal is to find the file name through NtCreateFile.
Looks like I found it mapping the data into process memory.
Note the section handle (1cc) and what I am passing into NtCreateFile.
After dumping the 3rd arg from NtCreateFile it appears I have the wermgr code.
The above is the mapped code.
After going through each call to the executable I find this.
Looks like it's creating a file path.
Jumping to the allocated region of memory, I dump the address.
Now I've found a file handle.
I hit an API for CreateFile. It appears from the image below that I'm writing to the handle 0x1c4.
After dumping the 5th arg for CreateFile I find the unpacked exe.
We can tell by looking at the number of section headers.
Again, to confirm, I know this is process doppelgänging since I see the transaction ID.
All transaction functions are being called. And then eventually being closed.
Seems like CreateFileTransactedW is the breakpoint to look out for.
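As an added example (not from the original post), here is detection logic for the two API patterns described on this page: the suspended CreateProcessA / GetThreadContext / VirtualAllocEx / WriteProcessMemory sequence for process hollowing, and the transacted-file sequence for doppelgänging. The trace format, the handle values and the inclusion of NtUnmapViewOfSection and RollbackTransaction as steps are my assumptions, not something the post shows.

```python
# Added example: flag hollowing / doppelganging API sequences in a per-process API trace.
# Trace format "<pid> <api> key=value ..." is constructed for this example.
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit the post says to watch in CreateProcessA

# Constructed sample trace (not real sandbox output); pid 1000 hollows wermgr.exe,
# pid 2000 is a normal process, pid 3000 uses a transacted file.
SAMPLE_TRACE = """
1000 CreateProcessA lpApplicationName=C:\\Windows\\System32\\wermgr.exe dwCreationFlags=0x4
1000 GetThreadContext hThread=0x1c4
1000 NtUnmapViewOfSection hProcess=0x1cc
1000 VirtualAllocEx hProcess=0x1cc flProtect=0x40
1000 WriteProcessMemory hProcess=0x1cc
2000 CreateProcessA lpApplicationName=C:\\Windows\\notepad.exe dwCreationFlags=0x0
2000 WriteProcessMemory hProcess=0x200
3000 CreateTransaction
3000 CreateFileTransactedW lpFileName=C:\\Users\\Public\\payload.tmp
3000 NtCreateSection
3000 RollbackTransaction
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)(?:\s+(.*))?$")
# Ordered steps; NtUnmapViewOfSection and RollbackTransaction are assumed, not from the post.
HOLLOWING_STEPS = ["NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory"]
DOPPEL_STEPS = ["CreateTransaction", "CreateFileTransactedW", "NtCreateSection", "RollbackTransaction"]


def parse_trace(text):
    """Group calls by pid as a list of (api, {arg: value}) in trace order."""
    calls = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, api, args = m.groups()
        kv = dict(p.split("=", 1) for p in (args or "").split() if "=" in p)
        calls[int(pid)].append((api, kv))
    return calls


def in_order(apis, steps):
    """True if every step occurs in apis in the given relative order (subsequence match)."""
    i = 0
    for api in apis:
        if i < len(steps) and api == steps[i]:
            i += 1
    return i == len(steps)


def classify(calls):
    """Return {pid: verdict} using the indicators discussed in the post."""
    verdicts = {}
    for pid, seq in calls.items():
        apis = [a for a, _ in seq]
        suspended = any(a == "CreateProcessA" and int(kv.get("dwCreationFlags", "0"), 0)
                        & CREATE_SUSPENDED for a, kv in seq)
        if suspended and "GetThreadContext" in apis and in_order(apis, HOLLOWING_STEPS):
            verdicts[pid] = "process hollowing"
        elif in_order(apis, DOPPEL_STEPS):
            verdicts[pid] = "process doppelganging"
        else:
            verdicts[pid] = "benign"
    return verdicts
```

A real trace from an API monitor would need only a different LINE_RE; the ordering check is what distinguishes a legitimate suspended launch from a hollowing sequence.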