In this post, we are going to talk about code injection. This is mainly about allocating and inserting code into the memory space of a remote process. Some typical API calls are “VirtualAllocEx”, ”WriteProcesMemory”, “CreateProcess”, ”CreateRemoteThread”. These are the APIs that you want to set a breakpoint on.
Before we start, I have to mention that MalwareAnalysisForhedgehogs has already done a good video tutorial for what I am going to talk about. You can check it here.
So open that sample in x64dbg now. And set breakpoints on “VirtualAllocEx”, ”WriteProcesMemory”, “CreateProcess”, ”CreateRemoteThread” using “CTRL+G”. Then press F9 to run it.
This is the first breakpoint at “CreateProcess”. You can see that it’s going to create the rundll32.exe process. And you can see that “00000004” which is the suspended flag in the CreateProcess API. press F9 again and come to here.
This is the breakpoint in “VirtualAllocEx” and you can see that the “rundll32.exe” process has been created.Press F9 again. And it allocate some memory in 6D1F78, you can keep an eye on it.
Yeah. This is the breakpoint at “WriteProcessMemory”. You can see that in the memory of the sample there are some malicious code. Actually the address of the rundll32.exe that the sample going to write the codes are 0x90000. So let’s use HxD to attach to the rundll32.exe and see what it has in that address.
Yeah, that’s it. Nothing in this address in rundll32.exe before the sample call “WriteProcessMemory”. But now let’s come back to the x64dbg and press F9 again.
This is the picture in the x64dbg. And while in the HxD, there is something.
Yeah. That’s it. The malicious code actually written into that memory address in the rundll.exe! Now you can just dump it in the HxD.
When you came back to X64dbg and press F9 you will stop at this “CreateProcess” API which calls cmd to delete the file itself.
Ok, that’s all. You can analyze that file you dumped in the IDA. Actually I tried and don’t know how to start analyze that due to the limitation of my knowledge. But I will keep learning and hoping one day I can succeed in analyzing those things!
Any question, please contact me at firstname.lastname@example.org