I am debugging malware that injects into Notepad.exe using the following approach:

CreateProcess(notepad.exe , create_suspend)  
GetThreadContext  
VirtualProtectEx  
WriteProcessMemory(address=1000000, Size:10200)  
WriteProcessMemory(address=7FFD8008, Size:4)  
SetThreadContext  
ResumeThread

  1. There is no PID to attach Notepad.exe to a debugger before it is resumed.
  2. After resuming, the thread runs so fast that I can't attach OllyDbg in time.
  3. I dumped the memory it wrote to Notepad.exe and saved it as a PE, but it runs with an error.

So how do I debug malware-injected code? Thanks!!

2 Answers

  1. You should modify the first byte of the injected code to 'int 3' (opcode CC) before invoking WriteProcessMemory.
  2. OD can't attach to a process that hasn't started its main thread; use WinDbg instead.
  3. Invoke ResumeThread after WinDbg is attached to the subprocess.
  4. Press F5 to let the main thread run.
  5. The main thread will stop when it sees 'int 3'; now you should change the byte back to its original value, for example: eb addr_to_change 55. PS: opcode 55 means 'push ebp', which is the most common instruction executed at the beginning of a function.
  6. Now press F10 to start single-step debugging.
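As an added example (not part of either answer), the bookkeeping for steps 1 and 5 in Python: it saves the byte that gets overwritten with int 3 so the later WinDbg restore uses the real value instead of assuming push ebp, and it checks that a reported breakpoint address is the patched entry. The injected buffer and entry offset are constructed; the base 0x1000000 is the WriteProcessMemory target from the question.

```python
# Added example: bookkeeping for "patch the entry byte with int 3, attach,
# then restore". The injected image and its entry offset are constructed;
# INJECT_BASE is the WriteProcessMemory address from the question.

INT3 = 0xCC      # single-byte breakpoint opcode
PUSH_EBP = 0x55  # the byte the answer assumes sits at the entry

# Constructed stand-in for the buffer the malware writes: push ebp / mov ebp,esp / sub esp,10
INJECTED_IMAGE = bytes.fromhex("558bec83ec10")
INJECT_BASE = 0x1000000
ENTRY_OFFSET = 0  # offset of the first instruction within the buffer


def patch_entry(image: bytes, entry_off: int) -> tuple:
    """Replace the entry byte with int 3; return (patched copy, original byte)
    so the restore never has to guess what was there."""
    if not 0 <= entry_off < len(image):
        raise ValueError("entry offset outside the injected image")
    original = image[entry_off]
    patched = bytearray(image)
    patched[entry_off] = INT3
    return bytes(patched), original


def restore_command(base: int, entry_off: int, original: int) -> str:
    """WinDbg 'eb' command that writes the saved byte back at the entry address."""
    return f"eb {base + entry_off:x} {original:02x}"


def is_entry_breakpoint(exception_addr: int, base: int, entry_off: int) -> bool:
    """True when the reported int 3 address is our patched entry rather than
    some other breakpoint raised by the debuggee or the debugger."""
    return exception_addr == base + entry_off


def entry_byte_matches_assumption(original: int) -> bool:
    """Whether restoring 55 blindly, as the answer suggests, would be correct."""
    return original == PUSH_EBP


if __name__ == "__main__":
    patched, saved = patch_entry(INJECTED_IMAGE, ENTRY_OFFSET)
    print("buffer to write:", patched.hex())
    print("on the int 3 hit, run:", restore_command(INJECT_BASE, ENTRY_OFFSET, saved))
    if not entry_byte_matches_assumption(saved):
        print("entry byte is not push ebp; do not restore 55")
```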

After CreateProcess returns, the process should already exist and you should be able to attach to it. Another approach is to skip the ResumeThread call and attach at that point.
