This is a continuation of my previous posts on reverse engineering malware. Therefore, I strongly recommend that you go through posts one, two, and three before moving forward with this one.
If you recall, in the last post we used disassembling and debugging techniques on the specimen and successfully identified the correct IRC login password.
But is there a way to simply modify or bypass this whole password protection mechanism in the bot? If the authentication process can be controlled, that'd be awesome. So here it is; this post will show you just that.
Objective: To modify the malware executable so we can control the authentication process.
How: Via Patching the executable.
Patching, in the RE universe, refers to making modifications to a compiled specimen executable that change the flow of program execution.
In our slackbot.exe specimen, we will get around the password authentication by patching the JNZ instruction.
We will load the unpacked malware exe in IDA and work on the !@login command block, since !@login is a privileged command, i.e. it requires authentication. You can locate !@login in the code by pressing Alt-T and searching for it.
Here's what the program flow looks like for the !@login block:
As you see, the top block [ Block 1 ] checks whether the user-entered command is '!@login'. If it is, program flow moves to the left, middle block [ Block 2 ]. If it is not, it moves to the bottom-right block [ Block 3 ]. We are interested in Block 2. Note that the last instruction in this code block is ---> jnz short loc_40210D
If you've read this post, you will understand that Block 2 is where password authentication takes place. If the password entered by the user in the IRC channel does not match the actual bot password, program execution jumps to memory location 40210D.
Here's the text view of the same routine:
The JNZ instruction is at memory location 4020C3. If the strings do not match, the program takes the JNZ route. If the strings do match, 'pass accepted' is pushed onto the stack and program execution continues; the user can then execute any privileged command.
Our first attempt will be to somehow bypass this JNZ jump at 4020C3. The easiest way to do this is to remove the instruction and replace it with NOPs [ \x90 in hex, i.e. 144 in decimal ]. NOP stands for No Operation: it tells the CPU to do nothing and move on. When assembling the change in OllyDbg, keep the 'Fill with NOPs' check box ticked. It is the default, and it pads the full length of the replaced instruction with \x90.
No JNZ --> no jump --> 'pass accepted' --> privileged access.
Open the unpacked executable in OllyDbg and press the 'Play' button.
Next, find address 4020C3 in memory: press Ctrl+G, type 4020C3 and click OK. This locates the JNZ instruction for us.
Now press the spacebar. A box will pop up; enter "NOP" here.
After this, simply click 'Assemble' to write the change into the loaded executable.
You will now see that '90' instructions have been written at addresses 4020C3 and 4020C4 (jnz short is a two-byte instruction, so both bytes are replaced). And that's it: we have a modified bot exe which doesn't care what password we enter.
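To make the byte-level effect of that patch concrete, here is an added example (my own code, not from the original post or from the slackbot.exe sample). The code bytes are constructed to mirror the layout the post describes: a `jnz short loc_40210D` at virtual address 4020C3, followed by the push of 'pass accepted' (the string's address is a placeholder). The example decodes the jump, confirms that its target really is 40210D, replaces it with NOPs sized to the instruction's full length, and records exactly which bytes changed. It goes slightly beyond the post by also handling the six-byte near form of JNZ (0F 85 rel32), the case where replacing only two bytes would leave stray operand bytes behind and corrupt the instruction stream.

```python
"""Byte-level view of NOP-patching a JNZ (added example, constructed bytes)."""
from typing import List, Tuple

NOP = 0x90  # x86 'nop' opcode

# Constructed code buffer, assumed to start at VA 0x4020C0.
# 0x4020C0: 90          nop                (filler, constructed)
# 0x4020C1: 85 C0       test eax, eax      (filler, constructed)
# 0x4020C3: 75 48       jnz short 0x40210D (0x4020C5 + 0x48 = 0x40210D)
# 0x4020C5: 68 ?? ?? ?? ??  push offset "pass accepted" (placeholder address)
CODE_BASE_VA = 0x4020C0
CODE = bytes([
    0x90, 0x85, 0xC0,
    0x75, 0x48,
    0x68, 0x00, 0x00, 0x00, 0x00,
])


def decode_jnz(code: bytes, va: int, base_va: int = CODE_BASE_VA) -> Tuple[int, int]:
    """Return (instruction_length, target_va) for the JNZ at virtual address `va`.

    Both encodings are handled: short (75 rel8) and near (0F 85 rel32).
    The jump target is relative to the address of the *next* instruction.
    """
    off = va - base_va
    if off < 0 or off >= len(code):
        raise ValueError(f"VA {va:#x} lies outside the buffer")
    if code[off] == 0x75:
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        length = 2
    elif code[off:off + 2] == b"\x0f\x85":
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        length = 6
    else:
        raise ValueError(f"no JNZ opcode at {va:#x}: {code[off]:#04x}")
    return length, va + length + rel


def nop_out(code: bytes, va: int, base_va: int = CODE_BASE_VA) -> bytes:
    """Return a copy of `code` with the JNZ at `va` replaced by NOPs.

    The number of NOPs equals the instruction's length, which is what
    OllyDbg's 'Fill with NOPs' option does: no operand bytes are left over.
    """
    length, _ = decode_jnz(code, va, base_va)
    off = va - base_va
    return code[:off] + bytes([NOP]) * length + code[off + length:]


def diff_bytes(original: bytes, patched: bytes,
               base_va: int = CODE_BASE_VA) -> List[Tuple[int, int, int]]:
    """List (va, old_byte, new_byte) for every byte that differs.

    Useful for documenting precisely what a patch changed before the
    modified executable is saved and shared with other analysts.
    """
    if len(original) != len(patched):
        raise ValueError("patch changed the code size; instructions would shift")
    return [(base_va + i, o, p)
            for i, (o, p) in enumerate(zip(original, patched)) if o != p]


if __name__ == "__main__":
    length, target = decode_jnz(CODE, 0x4020C3)
    print(f"jnz at 0x4020C3: {length} bytes, target {target:#x}")
    patched = nop_out(CODE, 0x4020C3)
    for va, old, new in diff_bytes(CODE, patched):
        print(f"{va:#x}: {old:#04x} -> {new:#04x}")
```

Running it shows the two changed bytes at 4020C3 and 4020C4, matching what OllyDbg displays after the assemble step. The `diff_bytes` output is also the record you want to keep alongside a patched sample, so that anyone else handling it can tell the analyst's modification apart from the original code.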
Let's test this out in the IRC channel.
Start the IRC server on the analyst's system and connect to the channel #jigyaasa first, so as to get the OP role.
Voila! Even though I entered a wrong password, the bot allowed me in and I can execute privileged commands such as '!@execute'.
You can go ahead and save the modifications to the executable.
To conclude, we learnt how an analyst can leverage OllyDbg to patch the malware specimen, thereby bypassing the inbuilt authentication mechanism and gaining privileged access.
I hope these articles are useful to you. Share your comments and feedback if you liked these or if you have any questions.
I highly recommend that you refer to, and dive deep into, these books to follow on and speed up your learning.
After listening to all of the readers' positive feedback and requests, I have now collated this entire 5-part Malware Analysis series into a short, easy-to-read book. If you have found this series useful and would like to show some love, you can purchase it from here:
This series will still be available for free here on the blog!