Thursday, 14 July 2011
How to debug MBR Ransomware.
I received several questions about previously posted MBRLock, the idea here to resume all: a tiny tutorial for pwned these lockers.
Firstly get infected (lol) you have two options, browsing a fake porn site and get exe or visit an infected webpage who lead to MBRlock execution.
The xxxvideo.avi.exe file have generally a ~61Kb size and most of time use a VB crypter.
It spawns new copy of process, decrypts data and writes them to new process ImageBaseAddress and then resumes main thread.
A quick way to unpack it is to set breaks on CreateProcess/WriteProcessMemory, but here the unpacking is not really important (We want just the MBR right?)
A fast way is to use HideToolz by Fyyre and enable the reboot protection, then you can infect your machine, HideToolz will block ExitWindowsEx done by the MBRLock.
The MBR is infected... what's now ?
For make a dump personally I know two way: Hiew and HDHacker.
HDHacker is really handy:
Hiew is fastest (and used by most of malware researcher?)
For make a dump with Hiew, load it like this: hiew32 \\.\PhysicalDrive0
Then in hex mode press * for select the infected block and * again for finish,
Then, F2 to save the dump.
Now we have a copy of our infected MBR
To debug it, we will use IDA Pro, but firstly you need the good packages.
- Python 2.6
- MBR package of Elias
Install 'em all, then build your image file with mbr.py
Or just open command prompt, make sure IDA is in the path Set path=%path%;"C:\Program Files\IDA 6" for example and run ida.bat, it will take care of the rest.
Drag 'n' drop your bochsrc file on IDA, and you can start to debug, if everything load properly :þ
For do it fast with these lame lockers:
As a tutorial, special hello and thanks to: Fyyre, EP_X0FF, Corkami, Hex-Rays guys.