{"id":7499,"date":"2020-11-04T23:28:11","date_gmt":"2020-11-04T23:28:11","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7499"},"modified":"2023-06-03T22:10:38","modified_gmt":"2023-06-03T22:10:38","slug":"memory-buffers-for-initiated","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/11\/04\/memory-buffers-for-initiated\/","title":{"rendered":"Memory buffers for&#8230; initiated"},"content":{"rendered":"\n<p>Early Visual Basic program crackers knew that if you put a breakpoint in the right <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/01\/19\/enter-sandbox-part-24-intercepting-buffers-3-the-punto-h-magic-points\/\">place<\/a>, you can intercept the strings entered into a text\/input box. Once you do that, finding the key verification routine is easy, as it will reference the memory buffer holding the input, and that buffer can be tracked from the moment the data is copied into it.<\/p>\n\n\n\n<p>Around 13 years ago I was asked by an analyst on my team to help him with a WinBatch-compiled malicious sample. At that time there were not many options for analyzing these types of programs and, of course, reading the producer&#8217;s web site one would be discouraged from reverse engineering such executables, as they are &#8216;close to impossible to crack&#8217;. After poking around I realized that the code of the &#8216;compiled&#8217; batch file was actually available in plain text at run-time! It was decrypted and then stored in a memory block on the heap. <\/p>\n\n\n\n<p>I was experimenting a lot with API hooking at that time and this particular experience led me to write a tool that intercepted calls to the RtlFreeHeap function (HeapFree is forwarded to it), dumped the content of the memory block the API was about to release to a file, and only then let the original function run. You see, if you are a coder who was taught to free memory buffers after use, it&#8217;s only natural that you will call these APIs. 
Even when you don&#8217;t really need to, because once the process terminates these memory buffers are released anyway&#8230;<\/p>\n\n\n\n<p>The tool I wrote back in 2008 was essential in handling many samples that were &#8216;scripts hidden by obfuscation more than anything else&#8217; &#8211; it dealt with executables created by perl2exe, WinBatch, many bat2exe converters, and the like. It would literally take seconds to run a suspicious sample through that tool, review the data file it created, and cherry-pick the content that was of interest. <\/p>\n\n\n\n<p>Thanks to that tool I was probably one of the first analysts able to systematically dump the code of many perl2exe samples <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/12\/19\/malware-attacking-pos-systems\/\">targeting POS systems<\/a>, as well as of forensic tools shared by prominent forensic experts; compare, for example, <a href=\"https:\/\/www.dropbox.com\/s\/meidho52ndxq4wx\/wfa4e.zip?file_subpath=%2Fch4%2Frfc.exe\">rfc.exe<\/a> with its <a href=\"https:\/\/github.com\/keydet89\/Tools\/blob\/master\/source\/rfc.pl\">source code<\/a>, where the dump from my tool shows this (raw data + formatted):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"609\" height=\"553\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/11\/rfc1-1.png\" alt=\"\" class=\"wp-image-7502\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/11\/rfc1-1.png 609w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/11\/rfc1-1-300x272.png 300w\" sizes=\"(max-width: 609px) 100vw, 609px\" \/><\/figure>\n\n\n\n<p>Over the next few years I started building a more robust sandbox and added handling for buffers released by many memory functions, including VirtualFree, RtlFreeHeap, GlobalFree\/LocalFree, free, NtFreeVirtualMemory and a few others that I knew were handed buffers worth looking at.<\/p>\n\n\n\n<p>Software analysis has progressed a great deal since then and we have a gamut of 
decompilers, sandboxes, emulators, debuggers, plug-ins and both dynamic and static analysis tools now. It&#8217;s a treat. <\/p>\n\n\n\n<p>Yet.<\/p>\n\n\n\n<p>One thing remains constant &#8211; tricks are here to stay.<\/p>\n\n\n\n<p>If you can cut reversing corners &#8211; you definitely should.<\/p>\n\n\n\n<p>Check the <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/11\/12\/memory-buffers-for-initiated-part-2-friday-edition\/\">second part<\/a> of this series.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Early Visual Basic program crackers knew that if you put a breakpoint in the right place, you can intercept the strings entered into a text\/input box. Once you do that, finding the key verification routine is easy, as it will reference &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/11\/04\/memory-buffers-for-initiated\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[112,44,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7499"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7499"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7499\/revisions"}],"predecessor-version":[{"id":7520,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7499\/revisions\/7520"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
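The technique the post above describes, a hook on the heap-free path (RtlFreeHeap in the 2008 tool, later VirtualFree, GlobalFree/LocalFree, free and friends) that copies a buffer out before the original function releases it, as an added worked example. This is not the author's tool and not code from the page; it is portable C so that it runs anywhere, which means the "hook" is a wrapper pair tracked_malloc/hooked_free standing in for a detour on RtlFreeHeap, and the "protected program" is a constructed stand-in for a script-to-exe converter that XOR-decrypts its script into a heap buffer, interprets it, and frees it. The script text, the key bytes, the example.invalid URL and all function names are constructed for the demo.

```c
/* Added example (not the blog author's tool): a model of "dump the buffer
 * before it is freed". tracked_malloc/hooked_free stand in for a hooked
 * RtlFreeHeap; build_payload/run_protected_script stand in for a
 * script-to-exe converter that decrypts its script into a heap buffer,
 * interprets it and frees it. Script, key and URL are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE    64
#define CAPTURE_MAX 4096

/* live allocations, pointer -> size. A real RtlFreeHeap hook asks the heap
 * manager instead (RtlSizeHeap/HeapSize on the same heap handle). */
static struct { void *p; size_t n; } live[MAX_LIVE];

/* everything the hook saw at free time; a real tool appends this to a file */
static char   capture[CAPTURE_MAX];
static size_t capture_len;

static void capture_append(const void *s, size_t n)
{
    if (n > CAPTURE_MAX - 1 - capture_len) n = CAPTURE_MAX - 1 - capture_len;
    memcpy(capture + capture_len, s, n);
    capture_len += n;
    capture[capture_len] = '\0';
}

void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i].p == NULL) { live[i].p = p; live[i].n = n; return p; }
    free(p);                       /* table full: refuse rather than lose track */
    return NULL;
}

/* The hook. Order matters: dump first, release second. Once the original
 * free has run the block may be coalesced or reused and the data is gone. */
void hooked_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i].p == p) {
            char hdr[48];
            int h = snprintf(hdr, sizeof hdr, "--- free(%zu bytes) ---\n", live[i].n);
            capture_append(hdr, (size_t)h);
            capture_append(p, live[i].n);
            capture_append("\n", 1);
            live[i].p = NULL;
            break;
        }
    }
    free(p);                       /* the original function */
}

/* --- constructed "protected" program ------------------------------------ */
static const char SCRIPT[] =
    "@echo off\r\n"
    "set C2=http://example.invalid/gate.php\r\n"
    "echo %COMPUTERNAME% > %TEMP%\\host.txt\r\n";
static const unsigned char KEY[] = { 0x5A, 0xC3, 0x17, 0x9E };
static unsigned char blob[sizeof SCRIPT - 1];   /* what the binary would carry */

static void xor_buf(unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) b[i] ^= KEY[i % sizeof KEY];
}

/* "packer" step: in a real converter this happens at build time */
static void build_payload(void)
{
    memcpy(blob, SCRIPT, sizeof blob);
    xor_buf(blob, sizeof blob);
}

/* "runtime" step: decrypt to heap, interpret, free. Returns lines interpreted. */
size_t run_protected_script(void)
{
    build_payload();
    size_t n = sizeof blob;
    unsigned char *plain = tracked_malloc(n);
    if (!plain) return 0;
    memcpy(plain, blob, n);
    xor_buf(plain, n);             /* script is now plain text on the heap */
    size_t lines = 0;              /* stand-in for the interpreter */
    for (size_t i = 0; i < n; i++) if (plain[i] == '\n') lines++;
    hooked_free(plain);            /* tidy coder frees it; the hook dumps it */
    return lines;
}

/* --- analyst side: search the dump ------------------------------------- */
size_t capture_size(void) { return capture_len; }

int capture_contains(const char *needle)   /* 1 if the bytes occur in the dump */
{
    size_t m = strlen(needle);
    if (m == 0 || m > capture_len) return 0;
    for (size_t i = 0; i + m <= capture_len; i++)
        if (memcmp(capture + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    size_t lines = run_protected_script();
    printf("interpreted %zu line(s); hook captured %zu byte(s):\n", lines, capture_len);
    fwrite(capture, 1, capture_len, stdout);
    return 0;
}
```

On Windows the same capture logic sits behind an inline detour on ntdll!RtlFreeHeap (or a dynamic-instrumentation hook on it), the block length comes from RtlSizeHeap/HeapSize on the same heap handle and pointer, and the dump is written before the original function is called; after it returns the block may already be reused. The dump is searched with a byte comparison rather than strstr so that buffers containing NUL bytes do not cut the search short.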