In this article I will show how to extract an executable file that is embedded inside a memory dump. In our scenario there is a dump file of svchost.exe that looks suspicious. We will load the dump in WinDbg and go through its output; after gathering that information we will use radare2 to pull the binary out of the dump, and finally we will examine the extracted binary in IDA Pro.
Why am I using the Radare tool?
The main idea is to get the executable file out of the dump. When I tried with WinDbg, there was a problem related to the SDK (even with the latest version) and some missing DLL files. There were also some plugins that needed to be installed. I had problems with SOS.dll, mscorwks.dll, clr.dll and psscor4.dll regarding integration and installation. When I fixed one of them, another one would not work. Honestly, it was real chaos for me.
When I tried to find something related to this, I got tired of looking at the same things. Then I remembered that I had tried the Radare tool a while ago, so I decided to use it 🙂
1- Virtualization: VirtualBox or another hypervisor
2- Operating System: Windows 7 x86/x64
3- Software: radare2, WinDbg, IDA Pro
The most important item to get right here is WinDbg. I have published a series of articles on Windows kernel exploitation that covers WinDbg installation and setting the symbol path, so you can check that if needed.
Let's start the analysis with WinDbg
First, we open WinDbg and load the dump file (File > Open Crash Dump).
If the symbol files load without problems, WinDbg prompts you to run !analyze -v for a detailed analysis, so we begin with that command.
The analysis output includes the stack trace of the dump, i.e. the call chain of the thread at the moment the dump was taken, which tells us which modules were executing at that point. Here we see wow64cpu and ntdll on the stack, which also tells us this is a 32-bit process running under WoW64 on 64-bit Windows.
In addition to the stack information there is a FOLLOWUP_IP entry. It shows the disassembly at the address the analysis engine blames for the failure, i.e. the instruction that ran just before the error check.
The accompanying MODULE_NAME / FOLLOWUP_NAME fields name the module thought to be responsible for the error. In our dump, however, the interesting finding is not a faulty module but a malicious executable hidden inside the legitimate svchost.exe process; that is why the dump was taken in the first place.
After obtaining this information from the dump, we use the lm command to list all loaded modules (lm v adds details such as the image path and timestamp of each module).
With the !address command we get a map of the memory regions of the target process (or of the whole machine for a kernel dump). These regions are the blocks we are interested in. The Type column says what backs a region and the State column says whether it is in use:
MEM_IMAGE: the region is mapped from an image file (EXE/DLL). Its physical storage may be shared with other processes, because a shared DLL is loaded into memory once and mapped into every process that uses it.
MEM_PRIVATE: the region is private to this process and not shared (heaps, stacks and buffers obtained with VirtualAlloc).
MEM_COMMIT: the region is committed, i.e. backed by physical storage (RAM or pagefile), and can be read or written according to its page protection.
MEM_FREE: the region is not in use.
The combination to look for when hunting injected code is a committed MEM_PRIVATE region with an executable protection: code that runs from memory which is not backed by any file on disk.
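To make that distinction concrete, here is an added example (written for this page, not part of the original article or of WinDbg) that parses a !address table and flags the regions an analyst looks at first: committed MEM_PRIVATE regions with an executable protection, and MEM_IMAGE regions that have become writable and executable (in-place patching of loaded code). The sample rows are constructed to mirror the shape of !address output; the addresses, handles and paths in them are made up, and the regex also accepts the 64-bit 0`00010000 address form.

```python
import re

# Constructed sample in the shape of WinDbg's user-mode !address table
# (BaseAddress, EndAddress+1, RegionSize, Type, State, Protect, Usage, details).
# These rows are made up for this example; they are not from the article's dump.
SAMPLE_ADDRESS_OUTPUT = r"""
        BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
        --------------------------------------------------------------------------------------------------------------
+        00000000         00010000           00010000                   MEM_FREE    PAGE_NOACCESS                     Free
+        00010000         00020000           00010000       MEM_MAPPED  MEM_COMMIT  PAGE_READWRITE                    Heap       [ID: 1; Handle: 00010000; Type: Segment]
+        00130000         00131000           00001000       MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE | PAGE_GUARD       Stack      [~0; 1234.5678]
+        00400000         00401000           00001000       MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                     Image      [svchost; "C:\Windows\System32\svchost.exe"]
+        00401000         00408000           00007000       MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                 Image      [svchost; "C:\Windows\System32\svchost.exe"]
+        00460000         00480000           00020000       MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READWRITE            <unknown>  [MZ......]
+        77a10000         77b90000           00180000       MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READWRITE            Image      [ntdll; "C:\Windows\System32\ntdll.dll"]
+        7ffe0000         7ffe1000           00001000       MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                     Other      [User Shared Data]
"""

# One table row. Type is absent on MEM_FREE rows, and Protect may carry
# modifiers such as "PAGE_READWRITE | PAGE_GUARD".
ROW = re.compile(
    r"^\+?\s*(?P<base>[0-9A-Fa-f`]+)\s+(?P<end>[0-9A-Fa-f`]+)\s+(?P<size>[0-9A-Fa-f`]+)\s+"
    r"(?:(?P<type>MEM_(?:IMAGE|MAPPED|PRIVATE))\s+)?"
    r"(?P<state>MEM_(?:COMMIT|RESERVE|FREE))\s+"
    r"(?P<protect>PAGE_[A-Z_]+(?:\s*\|\s*PAGE_[A-Z_]+)*)\s+"
    r"(?P<usage>\S+)(?:\s+(?P<detail>.*?))?\s*$"
)


def _hex(field):
    """Accept both 00010000 and the 64-bit 0`00010000 spelling."""
    return int(field.replace("`", ""), 16)


def parse_address_table(text):
    """Turn !address rows into dicts; header, separator and blank lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        regions.append({
            "base": _hex(m["base"]), "end": _hex(m["end"]), "size": _hex(m["size"]),
            "type": m["type"] or "", "state": m["state"], "protect": m["protect"],
            "usage": m["usage"], "detail": m["detail"] or "",
        })
    return regions


def find_suspicious_regions(regions):
    """Return (region, reason) pairs for regions that commonly hold injected or patched code."""
    flagged = []
    for r in regions:
        if r["state"] != "MEM_COMMIT":
            continue
        executable = "EXECUTE" in r["protect"]
        if r["type"] == "MEM_PRIVATE" and executable:
            # Executable memory with no file behind it: VirtualAlloc + WriteProcessMemory style injection.
            flagged.append((r, "private executable region (not image-backed)"))
        elif r["type"] == "MEM_IMAGE" and executable and "READWRITE" in r["protect"]:
            # Code of a loaded module made writable: inline hooks or in-place patching.
            flagged.append((r, "image region is writable and executable"))
    return flagged


def region_containing(regions, address):
    """Map an address (e.g. one picked from a hexdump) back to its !address region."""
    for r in regions:
        if r["base"] <= address < r["end"]:
            return r
    return None


if __name__ == "__main__":
    regions = parse_address_table(SAMPLE_ADDRESS_OUTPUT)
    for r, why in find_suspicious_regions(regions):
        print(f"{r['base']:08x}-{r['end']:08x} {r['type']:<11} {r['protect']:<22} {why}")
```

Paste the real !address output into SAMPLE_ADDRESS_OUTPUT (or read it from a file) and the flagged bases are the offsets to inspect next; region_containing answers the reverse question of which region a given address belongs to.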
Next we use the !peb command, which dumps the Process Environment Block: the image path, the command line, the loaded module list and the process environment variables. From the environment variables we learn the operating system and processor architecture, the PowerShell module path (PSModulePath), the computer name, and the user and domain names.
Accessing the binary with radare2
As I mentioned at the beginning of the article, I had difficulty preparing the environment to do this in WinDbg. That is why I used radare2's mdmp module instead.
Obviously, I installed it with brew on the Mac OS host that I use as my main machine, instead of installing it in my Windows environment. We then use the carving method to get the desired result: we simply extract the executable file that is contained in the dump file.
First, open a terminal and change to the directory that holds the dump file, then open the dump with the ‘r2 filename.dmp’ command.
At this point, with the iS ~ exe command (list sections, filtered with ~ for names containing exe), we get the list of executable images in the dump. The reason two identical exe entries appear is that an illegal exe with the same name is running inside the legitimate exe.
As seen above, looking at the hexdump of the two exe entries, the one at offset 0x0046000 is the one worth reviewing.
After that, we write it out to a file with the wtf command (write to file, starting from the current offset). The next step is to review the result in IDA Pro.
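The carving step can also be scripted outside radare2. The following added example (not from the article and not radare2 code) does by hand what iS and wtf did above on a raw dump: scan for MZ headers, validate the PE header behind each one, and write the image out. It goes one step further than a plain wtf of SizeOfImage bytes: a PE lifted from memory has its sections at their virtual addresses, so IDA Pro reads section data from the wrong file offsets unless the image is converted back to disk layout, and memory_to_file_layout performs that remapping. build_mapped_pe and the DUMP blob are constructed test data for this example, not the article's dump.

```python
import struct

E_LFANEW_OFF = 0x3C          # DOS header field that points at the "PE\0\0" signature
COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIII"      # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData


def parse_image(blob, base):
    """Validate a candidate PE at blob[base:] and return its header facts, or None."""
    try:
        (e_lfanew,) = struct.unpack_from("<I", blob, base + E_LFANEW_OFF)
        if not 0x40 <= e_lfanew <= 0x400 or blob[base + e_lfanew:base + e_lfanew + 4] != b"PE\0\0":
            return None
        pe = base + e_lfanew
        machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, blob, pe + 4)
        opt = pe + 24
        (magic,) = struct.unpack_from("<H", blob, opt)
        if magic not in (0x10B, 0x20B):          # PE32 / PE32+; SizeOfImage sits at +56 in both
            return None
        size_of_image, size_of_headers = struct.unpack_from("<II", blob, opt + 56)
        sections = []
        for i in range(nsec):
            name, vsize, va, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, blob, opt + opt_size + i * 40)
            sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                             "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    except struct.error:                         # header runs past the end of the dump
        return None
    return {"offset": base, "machine": machine, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def carve_pe_images(blob):
    """Scan the whole dump for MZ headers and keep the ones that parse as a PE image."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        img = parse_image(blob, pos)
        if img:
            found.append(img)
        pos = blob.find(b"MZ", pos + 2)
    return found


def carve_raw(blob, img):
    """Memory-layout bytes exactly as they sit in the dump (what wtf at the image offset gives)."""
    return blob[img["offset"]:img["offset"] + img["size_of_image"]]


def memory_to_file_layout(blob, img):
    """Rebuild a disk-layout PE: keep the headers, move each section from its RVA to PointerToRawData."""
    base = img["offset"]
    out = bytearray(blob[base:base + img["size_of_headers"]])
    for s in img["sections"]:
        data = blob[base + s["va"]:base + s["va"] + s["raw_size"]]   # SizeOfRawData bytes at the RVA
        end = s["raw_ptr"] + s["raw_size"]
        if len(out) < end:
            out.extend(b"\0" * (end - len(out)))
        out[s["raw_ptr"]:s["raw_ptr"] + len(data)] = data
    return bytes(out)


def build_mapped_pe(text_bytes, data_bytes):
    """Constructed minimal PE32 (two sections) laid out the way the loader maps it in memory."""
    hdr = bytearray(0x400)                                   # SizeOfHeaders
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, E_LFANEW_OFF, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into(COFF_FMT, hdr, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # i386, 2 sections, PE32 optional header
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x400)    # SizeOfImage, SizeOfHeaders
    sec = opt + 0xE0
    struct.pack_into(SECTION_FMT, hdr, sec, b".text", 0x200, 0x1000, 0x200, 0x400)
    struct.pack_into(SECTION_FMT, hdr, sec + 40, b".data", 0x100, 0x2000, 0x200, 0x600)
    image = bytearray(0x3000)
    image[:0x400] = hdr
    image[0x1000:0x1000 + len(text_bytes)] = text_bytes      # .text at its RVA, not its file offset
    image[0x2000:0x2000 + len(data_bytes)] = data_bytes
    return bytes(image)


# Constructed dump for this example: padding, a clean image, padding, a second image, padding.
LEGIT_TEXT, LEGIT_DATA = b"\x55\x8b\xec\x5d\xc3", b"legitimate svchost build"
INJECTED_TEXT, INJECTED_DATA = b"\x90\x90\xcc\xc3", b"injected payload marker"
DUMP = (bytes(0x300) + build_mapped_pe(LEGIT_TEXT, LEGIT_DATA)
        + bytes(0x123) + build_mapped_pe(INJECTED_TEXT, INJECTED_DATA) + bytes(0x50))

if __name__ == "__main__":
    images = carve_pe_images(DUMP)
    for img in images:
        names = ",".join(s["name"] for s in img["sections"])
        print(f"PE at dump offset 0x{img['offset']:x}, SizeOfImage 0x{img['size_of_image']:x}, sections {names}")
    with open("carved.exe", "wb") as f:                      # disk-layout copy ready for IDA Pro
        f.write(memory_to_file_layout(DUMP, images[1]))
```

On a real dump, replace DUMP with the file contents; carve_raw reproduces the raw wtf output for comparison with the radare2 result, while the remapped file is the one to hand to IDA Pro. Imports of the carved image still need fixing separately, since the import address table holds resolved pointers rather than names.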
Binary analysis with IDA Pro
After obtaining the binary file, we load it into IDA Pro. As we begin to examine the resulting graph, the string Remcos Mutex Inj stands out.
With a little more research we find that Remcos is a RAT (remote access trojan).
Then we upload the file to VirusTotal; the result is shown above.
SHA-1 : 12eb3c953d8a7af1e34bc87a6ac59bd70c845bb45