### Delphi Calling Convention Example Source: https://malwareunicorn.org/workshops/re102 Demonstrates a typical function call sequence in Delphi, illustrating how arguments are passed using registers (eax, ecx, edx) and the stack. This is crucial for understanding function arguments in disassembled code. ```assembly push 3 push 4 mov ecx, 2 mov edx, 1 xor eax, eax call function xor eax,eax retn 10 ``` -------------------------------- ### Persistence: Create .bat file Source: https://malwareunicorn.org/workshops/re102 This snippet shows the content of a .bat file created by the malware to establish persistence. The file uses the 'start' command with the '/d' option to specify the directory, likely to launch another component or script from a specific location. ```batch start /d "C:\Users\victim\AppData\" ``` -------------------------------- ### x86 Assembly Instruction Example (Assembly) Source: https://malwareunicorn.org/workshops/re101 This example demonstrates an x86 assembly instruction that moves a value from a memory address (0xaaaaaaaa) into the ECX register. The corresponding opcode is also provided. ```assembly mov ecx,[0xaaaaaaaa] ``` -------------------------------- ### Loading Resources with Windows API Source: https://malwareunicorn.org/workshops/re102 Demonstrates the standard Windows API calls to load a resource from an executable. This includes obtaining a module handle, finding the resource, loading it into memory, determining its size, and locking the resource to get its address. It's a common pattern for malware to embed and retrieve resources. ```cpp HMODULE hModule = GetModuleHandle(NULL); // get the handle to self (exe) HRSRC hResource = FindResource(hModule, MAKEINTRESOURCE(RESOURCE_ID), RESOURCE_TYPE); HGLOBAL hMemory = LoadResource(hModule, hResource); DWORD dwSize = SizeofResource(hModule, hResource); LPVOID lpAddress = LockResource(hMemory); ``` -------------------------------- ### Verify inetsim Service Status (Bash) Source: https://malwareunicorn.org/workshops/re101 This command checks if the 'inetsim' service is currently running on the Sniffer VM. If it's not running, the subsequent command can be used to start it. ```bash ps -ef | grep inetsim /etc/init.d/inetsim start ``` -------------------------------- ### Link Object File into Executable with GoLink Source: https://malwareunicorn.org/workshops/re102 This command utilizes the GoLink linker to create an executable file from the assembled object file (decrypted_shellcode.obj). The '/ni' flag is used for non-interactive mode, and 'Start' specifies the entry point of the program. ```bash golink /ni /entry Start decrypted_shellcode.obj ``` -------------------------------- ### Define Shellcode Section in Assembly Source: https://malwareunicorn.org/workshops/re102 This assembly code defines a global entry point named 'Start' and creates a section named 'AyyLmao' with read, write, and execute permissions. It then includes the decrypted shellcode binary directly into this section using the 'incbin' directive. ```assembly Global Start SECTION 'AyyLmao' write, execute,read Start: incbin "decrypted_shellcode.bin" ``` -------------------------------- ### Define Shellcode Section in Assembly Source: https://malwareunicorn.org/workshops/re102_0 This assembly code defines a global entry point 'Start' and a section named 'AyyLmao' with read, write, and execute permissions. It then includes the 'decrypted_shellcode.bin' file directly into this section using the 'incbin' directive. ```assembly Global Start SECTION 'AyyLmao' write, execute,read Start: incbin "decrypted_shellcode.bin" ``` -------------------------------- ### Analyze CreateFileA API Call in C and Assembly Source: https://malwareunicorn.org/workshops/re101 This snippet demonstrates the C prototype for the CreateFileA function and its corresponding assembly implementation. It shows how arguments, including file names and creation dispositions, are pushed onto the stack before the API call. Understanding this is key to analyzing file operations performed by malware. ```c HANDLE CreateFileA( LPCSTR lpFileName, // Arg1 DWORD dwDesiredAccess, // Arg2 DWORD dwShareMode, //Arg3 LPSECURITY_ATTRIBUTES lpSecurityAttributes, //Arg4 DWORD dwCreationDisposition, //Arg5 DWORD dwFlagsAndAttributes, //Arg6 HANDLE hTemplateFile //Arg7 ); ``` ```assembly .text:004010B8 push 0 ; Arg7 hTemplateFile .text:004010BA push 80h ; Arg6 .text:004010BF push 2 ; Arg5 .text:004010C1 push 0 ; Arg4 .text:004010C3 push 0 ; Arg3 dwShareMode .text:004010C5 push 40000000h ; Arg2 dwDesiredAccess .text:004010CA push esi ; Arg1 lpFileName .text:004010CB call ds:CreateFileA ``` -------------------------------- ### Check Physical Drive for VM Evasion (IDA Pro) Source: https://malwareunicorn.org/workshops/re102 This snippet describes how to check for VM evasion by attempting to access and read from the physical drive (PhysicalDrive0) using the CreateFile API. It highlights the use of DeviceIoControl to check for specific strings indicative of a virtualized environment. ```assembly loc_402192: ; ... other code ... call dword ptr ds:[esi+98] ; Calls CreateFile for PhysicalDrive0 ; ... other code ... loc_406266: call dword ptr ds:[esi+94] ; Calls DeviceIoControl to check \\.\PhysicalDrive0 for VM strings ``` -------------------------------- ### HTTP Request with InternetReadFile in Assembly Source: https://malwareunicorn.org/workshops/re101 This assembly code illustrates the arguments being pushed onto the stack before calling the InternetReadFile function. It shows the buffer pointer (edi) and other parameters required for reading data from an HTTP request. ```assembly .text:00401104 push eax ; lpdwNumberOfBytesRead .text:00401105 push 0FEh ; dwNumberOfBytesToRead .text:0040110A push edi ; lpBuffer .text:0040110B push esi ; hFile .text:0040110C mov [ebp+dwNumberOfBytesRead], 0 .text:00401116 call ebx ; InternetReadFile ``` -------------------------------- ### Pseudo-code for Stack Initialization Loop Source: https://malwareunicorn.org/workshops/re102 This pseudo-code represents a loop that initializes a buffer on the stack with values from 0 to 255. This is a common step in cryptographic algorithms like RC4's key-scheduling algorithm. ```pseudo int ebx = 0; int length = 256 // 0x100 While (ebx < 256) { push(ebx) ebx++ } ``` -------------------------------- ### Check Physical Drive Access using DeviceIoControl (IDA Pro) Source: https://malwareunicorn.org/workshops/re102_0 This snippet describes how to analyze a malware sample in IDA Pro to detect VM evasion techniques. It focuses on the `DeviceIoControl` API call used to check for specific strings on the \\.\PhysicalDrive0, indicating a virtualized environment. ```assembly 0040218D call dword ptr ds:[esi+98] ; CreateFile for PhysicalDrive0 00406266 call dword ptr ds:[esi+94] ; DeviceIoControl on \\.\PhysicalDrive0 ``` -------------------------------- ### Stack Operations for Key Storage in Assembly Source: https://malwareunicorn.org/workshops/re102 This section illustrates the assembly output showing chunks of data being pushed onto the stack. This is part of the key scheduling algorithm where parts of the key are saved in preparation for further processing. ```assembly 00183BCC 3669C7AF 00183BD0 CBD60266 00183BD4 0C33A849 00183BD8 973AD4C1 00183BDC C868B780 00183BE0 820B3D00 00183BE4 2C9BED2C 00183BE8 F94D125D ``` -------------------------------- ### Accessing PEB and Kernel32 Base Address via Assembly Source: https://malwareunicorn.org/workshops/re102 This assembly code snippet demonstrates how to access the Process Environment Block (PEB) and subsequently retrieve the base address of the Kernel32 library. It utilizes the FS segment register to get the PEB address, then navigates through PEB_LDR_DATA to find the Kernel32 module. This is a common shellcode tactic to obtain handles to loaded Windows libraries. ```assembly mov eax, 30h mov eax, fs:[eax] ; Get the address of PEB mov eax, [eax+0Ch] ; Get the address of PEB_LDR_DATA mov eax, [eax+0Ch] ; InLoadOrderModuleList mov eax, [eax] ; get the next entry mov eax, [eax+18h] ; get Kernel32 ``` -------------------------------- ### Buffer Manipulation and Function Call in Assembly Source: https://malwareunicorn.org/workshops/re101 This assembly snippet demonstrates how a buffer is prepared and passed as an argument to a function (sub_401000). It also shows a comparison of the buffer's content against a specific byte value (6Ch). ```assembly .text:00401169 lea edi, [ebp-104h] .text:0040116F mov byte ptr [ebp-104h], 0 .text:00401176 call sub_401000 .text:0040117B cmp byte ptr [ebp-104h], 6Ch ``` -------------------------------- ### Mount Shared Folder in Sniffer VM (Bash) Source: https://malwareunicorn.org/workshops/re101 This command mounts a shared folder named 'sniffershare' from the host machine into the Sniffer VM's filesystem. It creates a directory '~/host' and mounts the shared folder there with appropriate user and group permissions. ```bash mkdir ~/host sudo mount -t vboxsf -o uid=$UID,gid=$(id -g) sniffershare ~/host ``` -------------------------------- ### Persistence: Create .vbs script Source: https://malwareunicorn.org/workshops/re102 This snippet displays the content of a .vbs script used for persistence. It utilizes the 'WScript.Shell' object to run a .bat file in a hidden window (0), ensuring the execution is not visible to the user. The script points to a .bat file located in the AppData\Roaming directory. ```vbscript Set WshShell = CreateObject("WScript.Shell") WshShell.Run chr(34) & "C:\Users\victim\AppData\Roaming\.bat" & Chr(34), 0 Set WshShell = Nothing ``` -------------------------------- ### Saving Key and Sizes in IDA Pro Assembly Source: https://malwareunicorn.org/workshops/re102 This snippet shows assembly instructions in IDA Pro that move the key and its size, along with the shellcode size, into base pointer offsets on the stack. These are crucial for subsequent cryptographic operations. ```assembly 45b5cb: mov [ebp-0xc], ecx ; Key 45b5ce: mov [ebp-0x8], edx ; Size of Key 45b5d1: mov [ebp-0x4], eax ; Size of Shellcode ``` -------------------------------- ### RC4 Key Schedule and PRGA Implementation in Python Source: https://malwareunicorn.org/workshops/re102 This Python script implements the RC4 key scheduling and pseudo-random generation algorithm. It takes a key file and an encrypted file as input and outputs the decrypted shellcode. The script requires the 'os' and 'sys' modules. ```python import os import sys def key_schedule(key): keylength = len(key) S = range(256) j = 0 for i in range(256): k = ord(key[i % keylength]) j = (j + S[i] + k) % 256 S[i], S[j] = S[j], S[i] # swap return S with open(sys.argv[1], 'rb') as key_file, open(sys.argv[2], 'rb') as encrypted, open("decrypted_shellcode.bin", 'wb') as out: key_size = os.path.getsize(sys.argv[1]) # 0x20 key = key_file.read(key_size) S = key_schedule(key) j = 0 i = 0 shellcode_size = os.path.getsize(sys.argv[2]) # 0x65E4 while (shellcode_size > 0): char = encrypted.read(1) i = (i + 1) % 256 j = (j + S[i]) % 256 # swap S[i], S[j] = S[j], S[i] k = S[(S[i] + S[j]) % 256] shellcode_size -= 1 out.write(chr(ord(char) ^ k)) out.close() key_file.close() encrypted.close() ``` -------------------------------- ### Malware Packer: Create .bat and .vbs Scripts (Windows) Source: https://malwareunicorn.org/workshops/re102_0 This snippet outlines the process by which a custom packer creates a batch (.bat) file and a visual basic script (.vbs) file to execute the unpacked payload. It details the file paths and script contents used to achieve this. ```batch start /d "C:\Users\victim\AppData\" ``` ```vbscript Set WshShell = CreateObject("WScript.Shell") WshShell.Run chr(34) & "C:\Users\victim\AppData\Roaming\.bat" & Chr(34), 0 Set WshShell = Nothing ```