Malware Journey Day 25
I've seen GetUserNameA used quite a bit in info stealers. Time to code it up from scratch to really understand it and then debug it.
This is what it looks like.
#include <windows.h>
#include <Lmcons.h>   // UNLEN: maximum length of a user name
#include <stdio.h>

int main(void) {
    char lpBuffer[UNLEN + 1];          // receives the NUL-terminated user name
    DWORD size = sizeof(lpBuffer);     // in: buffer size; out: characters written, including the NUL
    if (GetUserNameA(lpBuffer, &size))
        printf("\nUser name: %s", lpBuffer);
    return 0;
}
With this I can get my username. Time to see it in action with x64dbg.
When I continue stepping through, I hit LdrResolveDelayLoadedAPI.
What seems to have happened is that this DLL was loaded at runtime, and since I didn't use LoadLibrary and GetProcAddress myself, the loader resolved the import through this function. Perhaps in future debugging sessions of actual malware, seeing this could be a good tell that the malware author is trying to hide something.
I see this function eventually return GetUserName.
The next function I see called is RtlAllocateHeap. My guess is the OS is making space for printing out my user name. For fun I decided to dump the EAX of RtlAllocateHeap. Note that in the RBX register I can see the space I allocated for the buffer.
Right after the call to GetUserNameExW, I see the dumped memory fill with my username.
After this the heap will be freed automatically due to Visual Studio security protections. The function will be RtlFreeHeap.
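Going back to the GetUserNameA call at the top of the post: the one thing the fixed-size buffer version hides is what the API does when the buffer is too small. It fails, sets ERROR_INSUFFICIENT_BUFFER, and writes the required size (including the terminating NUL) back through the size pointer. The example below is added here and is not part of the original post; it shows the two-call sizing pattern that handles that case, querying the required size first and then allocating exactly that. On Windows it calls the real GetUserNameA; on other platforms a small stand-in (constructed for this example, with a made-up user name) mimics the documented contract so the sizing logic can be exercised offline. The function names query_user_name and required_user_name_size are my own.

```c
/* Added example: GetUserNameA with the two-call sizing pattern.
 * query_user_name() returns a heap-allocated copy of the logon name
 * (caller frees) or NULL on failure. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-in for the Win32 API so the block runs off Windows.
 * It follows the documented contract: a NULL or too-small buffer makes the
 * call fail with ERROR_INSUFFICIENT_BUFFER and report the needed size. */
typedef int BOOL;
typedef unsigned long DWORD;
typedef char *LPSTR;
typedef DWORD *LPDWORD;
#define TRUE 1
#define FALSE 0
#define ERROR_INSUFFICIENT_BUFFER 122
static DWORD g_last_error = 0;
static DWORD GetLastError(void) { return g_last_error; }
static const char *g_fake_user = "analyst";   /* constructed sample value */
static BOOL GetUserNameA(LPSTR lpBuffer, LPDWORD pcbBuffer) {
    DWORD needed = (DWORD)strlen(g_fake_user) + 1;   /* includes the NUL */
    if (lpBuffer == NULL || *pcbBuffer < needed) {
        *pcbBuffer = needed;
        g_last_error = ERROR_INSUFFICIENT_BUFFER;
        return FALSE;
    }
    memcpy(lpBuffer, g_fake_user, needed);
    *pcbBuffer = needed;
    return TRUE;
}
#endif

/* First call with no buffer: the API fails and tells us the size it needs.
 * Returns 0 if the API failed for any other reason. */
DWORD required_user_name_size(void) {
    DWORD size = 0;
    if (GetUserNameA(NULL, &size))
        return 0;   /* unexpected: a NULL buffer should never succeed */
    if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        return 0;
    return size;
}

/* Second call with a buffer of exactly the reported size. */
char *query_user_name(void) {
    DWORD size = required_user_name_size();
    if (size == 0)
        return NULL;
    char *buf = (char *)malloc(size);
    if (buf == NULL)
        return NULL;
    if (!GetUserNameA(buf, &size)) {   /* size is updated to the length written */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void) {
    char *name = query_user_name();
    if (name == NULL) {
        printf("GetUserNameA failed, error %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    printf("User name: %s (%lu bytes incl. NUL)\n", name, (unsigned long)required_user_name_size());
    free(name);
    return 0;
}
```

When you step this under x64dbg you will see GetUserNameA called twice, the first time failing by design; an info stealer that skips the first call and passes a fixed buffer is relying on the name fitting, which is exactly what the original snippet above does.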