PMA - CH 11-1

Looking at the executable in PEStudio we see a resource section and function calls to LoadResource, FindResource, and LockResource. Which clearly holds another executable

Looking at main it calls GetModuleHandleA to itself and passes the handle to the function load_rsrc_write_to_dll

Within load_rsrc_write_to_dll which is used to obtain the resource and a pointer to the resource (calling FindResource, LoadResource, LockResource, SizeOfResource). It then calls VirtualAlloc to allocate memory and stores the resource in the allocated memory.

The function then calls fopen and passes in "wb" for writing bytes and passes in the file name msgina.dll. It will write the resource allocated in memory to msgina.dll.

Back in main the file calls GetModuleFileName which returns the path to the file name then calls strrchr and passes in a "\" this will return the file name like so: (\\Lab11-01.exe)

Then uses repne scasb and rep movsb to replace the FILENAME with msgina.dll

Then it calls registry_create and creates a registry key with the name GinaDLL and sets the value to the DLL to be executed upon login for persistence. (As I was executing this on Windows 7 it failed but if run on Windows XP it should work)

Next, we will need to analyze MSGINA.dll. GINA is a legitimate DLL used for Winlogon. However, GINA.dll no longer works properly on Windows Vista and I did not have an XP system set up at the time so I will be walking through the static analysis of GINA.dll

Looking through the exported functions all but three exports call sub10001000 -- which calls GetProcAddress and then calls _wsprintfA to write a formatted string to buffer.

The three exported functions that do not call sub10001000 are:

WlxLoggedOutSAS

DLLUnregister -- un-registers DLL

DLLRegister -- registers DLL

WlxLoggedOutSAS -- Looking at MSDN this function when it receives a secure attention sequence (SAS) event while no user is logged on.

After which it will take the SID of the user logged in and pass it to a string formatting sequence.

The final function calls _wfopen on msutil32.sys, this is the file that the formatted data will be written to. It also writes the time and date using calls to _wstrtime and _wstrdate.

The executable drops msgina32.dll to disk and creates persistence using the registry. Within msgina32.dll it exports WlxLoggedOutSAS which is used to capture the login information of the user and writes the output to a file "msutil.sys" which is stored in the System directory.

Michael Sikorski and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Kindle Locations 7302-7311). No Starch Press.