
Hinder naïve malware analysts with a change of the code execution path


(image: single-stepping)

These techniques are not complicated, but they can still confuse some beginner malware analysts and/or reverse engineers. Changing the code execution path using SEH (Structured Exception Handling) is common in malware samples; a simple example follows:

(image: SEH)

If the analyst single-steps through it, they lose control of execution.

But there are other ways to get a similar result: many Windows API functions take callbacks, and we can use those callbacks to hinder an analyst.

ReadFileEx/WriteFileEx are the asynchronous counterparts of ReadFile and WriteFile. The interesting part is that they call the lpCompletionRoutine completion routine when the write/read is completed or canceled:

(image: WriteFileEx)

Same here: the analyst loses control.

What about EnumDisplayMonitors?

(image: EnumDisplayMonitors)

Note: the enumeration can be stopped by returning FALSE from the callback.

What about EnumWindowStations, EnumDesktops, EnumDesktopWindows, EnumThreadWindows, EnumWindows, EnumChildWindows, EnumResourceTypes/Ex, EnumResourceNames/Ex, EnumResourceLanguages/Ex, EnumDirTree, EnumThreadWindows, AddSecureMemoryCacheCallback, SetThreadpoolTimer/Ex, SetThreadpoolThreadMinimum, SetThreadpool, StackWalk64/Ex, EnumerateLoadedModulesEx, EnumerateLoadedModules64 and so on? There are many of them; just spend a little time with MSDN.

(image: EnumerateLoadedModules64)