This post is part of the series of Practical Malware Analysis Exercises.
This lab is a stealth launcher that uses process replacement (process hollowing) to run a user-mode hooking keylogger. The keylogger writes window titles and keystrokes in plain text to the file practicalmalwareanalysis.log in its working directory.
The launcher hides the keylogging executable by performing process replacement on a fresh svchost.exe instance. First it calls CreateProcess with the CREATE_SUSPENDED flag, so svchost.exe is created but its main thread never gets to run. It then unmaps the original svchost image from the suspended process, allocates new memory in it, writes the keylogger code there, sets the suspended thread's context so that execution will begin in the new code, and resumes the thread. From that point the keylogger runs under the svchost.exe process name.
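That sequence of calls is a detectable pattern in its own right. As an added example that is not part of the original post, here is a small matcher that flags a process which starts a child with CREATE_SUSPENDED and then, in order, calls WriteProcessMemory, SetThreadContext and ResumeThread against it. The trace layout (dicts with pid, api, target and flags) and the sample events are constructed for this example, not the output of any particular monitor, and treating NtUnmapViewOfSection and VirtualAllocEx as recorded-but-optional evidence is the example's own design choice.

```python
"""Added example, not code from the original post: spot the process-replacement
call sequence in an API-call trace. The trace format (dicts with pid, api,
target, flags) and the sample events are constructed assumptions for this
example, not the output of any particular API monitor or sandbox."""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit that keeps the new process's thread parked

# Steps that must appear, in this order, against the suspended child before we
# call it process replacement. NtUnmapViewOfSection and VirtualAllocEx are
# recorded when seen but not required: a design choice so that a variant which
# overwrites the existing image instead of unmapping it is still flagged.
REQUIRED_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")
OPTIONAL_STEPS = ("NtUnmapViewOfSection", "VirtualAllocEx")


def find_process_replacement(trace):
    """Return [(launcher_pid, target_pid, steps_seen)] for each process that was
    created suspended by a caller that then wrote to it, set its thread context
    and resumed it. Events on a child by anyone but its creator are ignored."""
    suspended = {}  # target pid -> state of the creator's activity against it
    hits = []
    for ev in trace:
        api, pid, target = ev["api"], ev["pid"], ev.get("target")
        if api == "CreateProcess" and ev.get("flags", 0) & CREATE_SUSPENDED:
            suspended[target] = {"creator": pid, "seen": [], "next": 0}
            continue
        state = suspended.get(target)
        if state is None or state["creator"] != pid:
            continue
        if api in OPTIONAL_STEPS:
            state["seen"].append(api)
        elif api == REQUIRED_STEPS[state["next"]]:
            state["seen"].append(api)
            state["next"] += 1
            if state["next"] == len(REQUIRED_STEPS):
                hits.append((pid, target, tuple(state["seen"])))
                del suspended[target]  # the thread is running now; stop tracking
    return hits


# Constructed sample trace: pid 1234 is the launcher, pid 5678 its suspended
# svchost.exe. pid 4000 creates a suspended child and simply resumes it (what a
# debugger or installer might do) and must not be flagged.
SAMPLE_TRACE = [
    {"pid": 1234, "api": "CreateProcess", "target": 5678, "flags": CREATE_SUSPENDED},
    {"pid": 4000, "api": "CreateProcess", "target": 4100, "flags": CREATE_SUSPENDED},
    {"pid": 1234, "api": "NtUnmapViewOfSection", "target": 5678},
    {"pid": 1234, "api": "VirtualAllocEx", "target": 5678},
    {"pid": 4000, "api": "ResumeThread", "target": 4100},
    {"pid": 1234, "api": "WriteProcessMemory", "target": 5678},
    {"pid": 1234, "api": "SetThreadContext", "target": 5678},
    {"pid": 1234, "api": "ResumeThread", "target": 5678},
]

if __name__ == "__main__":
    for launcher, target, steps in find_process_replacement(SAMPLE_TRACE):
        print("pid %d replaced the image of suspended child %d via %s"
              % (launcher, target, " -> ".join(steps)))
```

Requiring the writer, context-setter and resumer to be the creating process keeps a legitimate debugger that attaches to someone else's suspended child from matching; the only sample event that should produce a hit is the launcher's own sequence against pid 5678.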
The launcher executable has a resource named LOCALIZATION. The keylogger executable is stored in that resource and is later loaded into dynamically allocated memory.
The entire payload (the keylogger PE executable) is hidden in the resource section and XOR encoded with the single-byte key 41h (ASCII 'A').
The XOR decoding routine is called from 401425. Before the call, the code compares the first two bytes of the resource to MZ, the signature of a PE executable; only if they are not MZ is the decoding routine invoked with the key 41h.
The resource was extracted to a binary file with Resource Hacker. A short Python script was used to decode the bytes and save the result to a file:

# XOR every byte of the extracted resource with 41h ('A') to recover the keylogger PE
res_file = "Lab12-02_resource"
decode_file = "Lab12-02_decoded.exe"
xor_byte = 0x41

with open(res_file, "rb") as f:
    data = bytearray(f.read())
for i in range(len(data)):
    data[i] ^= xor_byte
with open(decode_file, "wb") as f:
    f.write(data)
The entire payload, strings included, is XOR encoded with 'A' as the key, so none of the keylogger's strings are visible in the launcher until the resource is decoded. The decoding routine itself is at 401000.
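As an added example (not the post's own script), here is a decoder that mirrors the launcher's check at 401425 and its decoding routine at 401000: it leaves the resource alone if it already starts with MZ, otherwise recovers the single-byte key from the expected MZ signature instead of hard-coding 41h, decodes, and refuses to hand back anything that does not parse as a PE. The sample input is a constructed minimal DOS header plus PE signature rather than the lab's resource; the file names in the trailing comment are the ones used above.

```python
"""Added example, not the original post's script: decode a single-byte-XOR
encoded PE resource the way the launcher's check does, but recover the key
from the expected MZ header instead of hard-coding 41h, and verify the result
is a PE before treating it as the payload."""
import struct

PE_OFFSET_FIELD = 0x3C  # e_lfanew: offset of the "PE\0\0" signature, stored in the DOS header


def recover_xor_key(blob: bytes) -> int:
    """Recover a single-byte XOR key assuming the plaintext starts with 'MZ'."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold an MZ signature")
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        raise ValueError("first two bytes are not a single-byte XOR of 'MZ'")
    return key


def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR every byte with the key; the routine at 401000 does the same job."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(blob: bytes) -> bool:
    """Check the MZ signature and that e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < PE_OFFSET_FIELD + 4 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, PE_OFFSET_FIELD)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_resource(blob: bytes) -> bytes:
    """Mirror the launcher: if the resource already starts with MZ use it as is,
    otherwise recover the key and decode. Then insist on a valid PE header so a
    wrong key or a multi-byte key cannot yield garbage silently."""
    if blob[:2] == b"MZ":
        decoded = blob
    else:
        decoded = xor_decode(blob, recover_xor_key(blob))
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE image; wrong key or not a single-byte XOR")
    return decoded


def build_fake_pe() -> bytes:
    """Constructed sample input: a minimal DOS header whose e_lfanew points at a
    'PE\\0\\0' signature followed by Machine = IMAGE_FILE_MACHINE_I386 (0x14c).
    Not a runnable executable; only the fields this example checks exist."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, PE_OFFSET_FIELD, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01"


if __name__ == "__main__":
    plain = build_fake_pe()
    encoded = xor_decode(plain, 0x41)  # the lab's key, 41h ('A'); 'MZ' becomes 0C 1B on disk
    decoded = decode_resource(encoded)
    print("recovered key: 0x%02x, PE header valid: %s"
          % (recover_xor_key(encoded), decoded == plain))
    # Against the real extracted resource:
    # with open("Lab12-02_resource", "rb") as f:
    #     payload = decode_resource(f.read())
    # with open("Lab12-02_decoded.exe", "wb") as f:
    #     f.write(payload)
```

The key recovery is the practical check: 0x4D ('M') XOR 0x41 gives 0x0C, so a resource whose first bytes are 0C 1B tells you the key before you read a single instruction of the decoding routine, and the e_lfanew check catches the case where the first two bytes match by coincidence but the rest is not a PE.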