Malware Journey Day 26
Continuing on from yesterday, I want to keep debugging, this time running through Windows API functions in IDA.
This time it is CreateProcessW.
First I will run through IDA.
This is the exported start, where my program begins.
Pretty obviously I want to jump to main.
The above picture appears to show security checks for buffer overflows. I'm interested that several pointers are declared at the start of the block.
The below picture is really the interesting part.
From the .rdata section I can see where I declared my ApplicationName, though the above screenshot is in the .text section. This makes sense, since .text is meant for code and .rdata for read-only data. What's also interesting is the offset of 1E0 it is creating on the stack.
After this the program again checks the security cookie, which is just a buffer overflow protection.
In x64dbg the program looks like this:
What's interesting to me is that it calls CreateProcessW twice.
Apart from that, I see that it eventually calls CreateProcessInternalW.
It is at this function that notepad.exe opens up.
It's important for me to recognize that the call to this WinAPI would not be possible without first loading kernel32.dll into the address space. Oddly enough I didn't see any dynamic linking occurring with this function. I was expecting to see a LoadLibrary or GetProcAddress. Unfortunately there wasn't any of this.
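Statically imported APIs are resolved by the Windows loader through the PE import table before the entry point runs, which is why a plain call to CreateProcessW shows no LoadLibrary or GetProcAddress of its own. As an added example (not the post's own code), here is a small PE32+ import-table walker in Python, run over a constructed minimal image whose only import is CreateProcessW from kernel32.dll; on a real x64 binary you would pass its file bytes to parse_imports instead.

```python
import struct

def rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table (VirtualAddress -> PointerToRawData)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x not backed by any section" % rva)

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(pe):
    """Return {dll: [function names]} from the import directory of a PE32+ (x64) file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    assert struct.unpack_from("<H", pe, opt)[0] == 0x20B  # PE32+ only: thunk entries are 8 bytes
    imp_rva, _ = struct.unpack_from("<II", pe, opt + 120) # data directory index 1 = import table
    # section headers: (VirtualAddress, SizeOfRawData, PointerToRawData) of each 40-byte entry
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)[1:] for i in range(nsec)]
    result, desc = {}, rva_to_off(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:                                 # all-zero descriptor terminates the list
            break
        funcs, thunk = [], rva_to_off(sections, oft or ft)  # prefer the ILT, fall back to the IAT
        while (entry := struct.unpack_from("<Q", pe, thunk)[0]) != 0:
            funcs.append("#%d" % (entry & 0xFFFF) if entry >> 63 else cstr(pe, rva_to_off(sections, entry + 2)))  # ordinal or hint+name
            thunk += 8
        result[cstr(pe, rva_to_off(sections, name_rva))] = funcs
        desc += 20
    return result

def build_sample_pe():
    """Constructed minimal PE32+ image (not a real binary) whose only import is kernel32!CreateProcessW."""
    base = 0x200                                          # single section mapped so that RVA == file offset
    dll_rva, fn_rva = base + 0x48, base + 0x48 + 13       # "kernel32.dll\0" is 13 bytes, then hint+name
    thunks = struct.pack("<QQ", fn_rva, 0)                # one named entry, then the terminator
    sec = (struct.pack("<IIIII", base + 0x28, 0, 0, dll_rva, base + 0x38) + b"\0" * 20  # descriptor + null
           + thunks + thunks + b"kernel32.dll\0" + b"\0\0CreateProcessW\0")            # ILT, IAT, names
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", opt, 120, base, 40)           # import directory RVA/size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    shdr = b".rdata\0\0" + struct.pack("<IIII", len(sec), base, len(sec), base) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt) + shdr
    return hdr.ljust(base, b"\0") + sec
```

Calling parse_imports(build_sample_pe()) returns {'kernel32.dll': ['CreateProcessW']}, the same static import IDA lists for the program above.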