Malware Analysis Patterns (Part 21)
Hooksware pattern originally came from memory dump analysis pattern catalog and is too general for malware analysis pattern catalog. So we decided to factor out 3 separate patterns. The first one is called Patched Code and includes cases such as in-place patching:
0:004> u ntdll!ZwQueryDirectoryFile
ntdll!ZwQueryDirectoryFile:
77814db4 b8da000000 mov eax,0DAh
77814db9 bae8af0500 mov edx,5AFE8h
77814dbe ff12 call dword ptr [edx]
77814dc0 c22c00 ret 2Ch
77814dc3 90 nop
ntdll!NtQueryDirectoryObject:
77814dc4 b8db000000 mov eax,0DBh
77814dc9 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
77814dce ff12 call dword ptr [edx]
and detour patching:
0:004> u wininet!InternetReadFile
wininet!InternetReadFile:
7758654b e98044ac88 jmp 0004a9d0
77586550 83ec24 sub esp,24h
77586553 53 push ebx
77586554 56 push esi
77586555 57 push edi
77586556 33ff xor edi,edi
77586558 393db8116277 cmp dword ptr [wininet!GlobalDataInitialized (776211b8)],edi
7758655e 897df4 mov dword ptr [ebp-0Ch],edi
In case of WinDbg such pattern is usually detected on the crash spot such as from RIP Stack Trace or from !chkimg command output.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -