Technical Summaries Of Reports&Articles

  1. Cool technical report:

    The interesting stuff:

    1)Cool original way of hooking:
    the malware will open Explorer.exe with NtOpenProcess and
    search for the ntdll.dll from the PEB (FS:[0x30]). The initial goal is to copy explorer.exe’s ntdll.dll to itself,
    and lastly it patches the end of the second section of
    ntdll.dll with its evil code.It also includes ZwClose function with the ‘CALL’ instruction. The malware’s next step is to unmap the original explorer.exe’s ntdll using ntdll!NtUnmapViewOfSection and maps the patched version of ntdll.dll at the same address using ntdll!NtMapViewOfSection and terminates itself with ntdll!NtTerminateProcess.

    2) The malware is a 32bit executable, but has 64bit payload. The 32bit loader is heavily packed and encrypted
    using mutated Yoda packer. The payload calls to the 64bit
    Native Windows API function to bypass usermod hooks.
    The hooking bypass trick is simple, each translation from
    32bit to 64bit will not be detected by hooking what is
    injected to the Windows-on-Windows subsystem. The
    FAR CALL instruction translates the malware operations
    to Native 64bit code, hiding the malicious activity.

    3)The malware verifies that the Windows boot was
    successful and that the OS is not in safe mode by
    querying the GetSystemMetrics(SM_CCLEANBOOT). If
    the function returns false, it will turn off Windows by calling ExitWindowsEx(EWX_REBOOT, 0)

    4)The Gyges malware uses API redirection in order to
    prevent import table rebuilding. The malware API code is
    redirected to an allocated memory region.

    5)It rebuilds the import address table (IAT) when the decryptor finishes its task.

    6)Anti-debugging, using the NtSetInformationThread with ThreadInformationClass to 0x11 (ThreadHideFromDebugger), the thread will be detached from the debugger

    7)Anti-debugging uses the NtQueryInformationProcess Native API with DebugPort parameter


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s