If you're running malware under the IDA debugger and get an error such as
8A1EE: The instruction at 0x8A1EE referenced memory at 0x0. The memory could not be written -> 0000000000000000 (exc.code c0000006, tid 2268)
Per the OALabs YouTube video
https://www.youtube.com/watch?v=ScBB-Hi7NxQ
this may be caused by the debugger holding a handle to the malware sample while the malware wants its own exclusive handle to the same file.
The sample's CreateFileA call fails because the debugger already has the file open and the sample asked for no sharing, the sample does not handle the failure, and it errors out further on.
To remediate, one potential fix is to try the following:
- Start the sample in the IDA debugger with a breakpoint at its entry point, so it stops immediately
- In the debugger "Modules" window, find "ntdll.dll", locate the "NtCreateFile" function and set a breakpoint on it
- Continue; the debugger will eventually break on NtCreateFile
- Then "Continue until Return" repeatedly until you are back in the malware's own code
- In my case it was a call to "kernel32.dll" "CreateFileA" that led to this NtCreateFile call
- Look at the parameters of "CreateFileA": the 3rd parameter (dwShareMode) was 0, which means no sharing, i.e. an exclusive open
- Look at the return value of CreateFileA: it was FFFFFFFF, which is INVALID_HANDLE_VALUE, and that failed open is what causes the error
- So add a breakpoint on this CreateFileA call
- Kill the debugged process
- Re-launch the program until it hits your new breakpoint
- Change that 3rd parameter from 0x0 to 0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE) so the open succeeds even though the debugger still holds a handle
- Now let it run, and notice the return value is no longer FFFFFFFF but a valid file handle; you've gotten past the error caused by the exclusive handle!
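The manual patch above has to be redone on every run, so here is an IDAPython helper that automates it. This is an added example, not code from the post or from the OALabs video: it assumes a 32-bit stdcall target (as in the post's CreateFileA call) and that your breakpoint sits either on the malware's `call ds:CreateFileA` instruction (the default) or on the first instruction of CreateFileA itself. The `idaapi`/`idc` imports are guarded so the pure helpers can be exercised outside IDA; the breakpoint address passed to `install()` is whatever you found in your sample.

```python
"""IDAPython helper: rewrite CreateFileA's dwShareMode to 0x7 at a breakpoint.

Added example, not the post's or OALabs' code.  Assumes a 32-bit stdcall
target and a breakpoint on the malware's `call ds:CreateFileA` (at_callsite=True)
or on CreateFileA's entry (at_callsite=False).
"""
import struct

try:
    import idaapi
    import idc
except ImportError:            # not running inside IDA: only the pure helpers work
    idaapi = idc = None

FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4
SHARE_ALL = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE   # 0x7


def arg_slot(esp, index, at_callsite):
    """Stack address of 32-bit stdcall argument `index` (0-based).

    At the call instruction ESP points at the first argument; once inside the
    callee the pushed return address sits at ESP, so every argument is 4 higher.
    """
    return esp + 4 * index + (0 if at_callsite else 4)


def patched_share_mode(dword_bytes):
    """Return (old, new) dwShareMode values; `new` has all FILE_SHARE_* bits set."""
    (old,) = struct.unpack("<I", dword_bytes)
    return old, old | SHARE_ALL


_Base = idaapi.DBG_Hooks if idaapi else object


class ShareModeFixer(_Base):
    """Patches dwShareMode (3rd CreateFileA parameter) every time `bpt_ea` hits."""
    SHARE_MODE_INDEX = 2

    def __init__(self, bpt_ea, at_callsite=True):
        super().__init__()
        self.bpt_ea = bpt_ea
        self.at_callsite = at_callsite

    def dbg_bpt(self, tid, ea):
        if ea != self.bpt_ea:
            return 0
        esp = idc.get_reg_value("ESP")
        slot = arg_slot(esp, self.SHARE_MODE_INDEX, self.at_callsite)
        raw = idc.read_dbg_memory(slot, 4)
        if not raw:
            print("could not read dwShareMode at %#x" % slot)
            return 0
        old, new = patched_share_mode(raw)
        idc.write_dbg_memory(slot, struct.pack("<I", new))
        print("tid %d: dwShareMode at %#x patched %#x -> %#x" % (tid, slot, old, new))
        return 0   # as in the SDK sample: 0 = never show the breakpoint warning dialog


def install(bpt_ea, at_callsite=True):
    """Set the breakpoint and hook the debugger; run this from the IDA console."""
    idc.add_bpt(bpt_ea)
    fixer = ShareModeFixer(bpt_ea, at_callsite)
    fixer.hook()
    return fixer
```

Usage from the IDA console is `fixer = install(0x4011F0)` with the (hypothetical) address of the `call ds:CreateFileA` instruction substituted; leave the process suspended at the entry point, run it, and each time the breakpoint fires the argument is rewritten before you press Continue. The write only changes the argument in memory for the current run, which is why the hook re-applies it; if you want the change to survive across runs, patch the `push` that sets dwShareMode in the binary instead.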
Monday, November 12, 2018
Tuesday, October 30, 2018
\\\\.\\PhysicalDrive0 and CreateFileA , MBR overwriting
If you see malware performing this action in Windows assembly (seven pushes, right to left, feeding CreateFileA's seven parameters)
push ...             ; hTemplateFile
push ...             ; dwFlagsAndAttributes
push ...             ; dwCreationDisposition
push ...             ; lpSecurityAttributes
push ...             ; dwShareMode
push ...             ; dwDesiredAccess
push offset FileName ; lpFileName = "\\\\.\\PhysicalDrive0"
call ds:CreateFileA
it may be trying to open physical disk 0 (the whole drive, not just the C: volume that normally lives on it) as one large raw file and write to it, which can be catastrophic. Opening \\.\PhysicalDrive0 for writing needs administrator privileges, so this pattern usually shows up in samples that already run elevated.
For example, if you see this followed by this code (five pushes for WriteFile's five parameters)
push 0               ; lpOverlapped = NULL: synchronous write at the current file pointer
push ...             ; lpNumberOfBytesWritten
push ...             ; nNumberOfBytesToWrite
push ...             ; lpBuffer
push ...             ; hFile (the handle CreateFileA returned)
call ds:WriteFile
then with lpOverlapped NULL and no SetFilePointer call between the open and the write, the file pointer of the fresh handle is still at offset 0, so the write lands on the first sector of the disk: it is trying to overwrite your MBR (master boot record).
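Mapping pushes to parameters by hand is error prone, so here is a small Python script that does it for an IDA-style listing and reports where a WriteFile after a raw-disk open will land. This is an added example, not code from the post or the video; the listing it parses is constructed to mirror the snippet above, and the rule that "raw open, no seek, NULL lpOverlapped means sector 0" is a heuristic about how such wipers usually look (it also handles the seek and OVERLAPPED cases, which the post does not cover).

```python
"""Spot CreateFileA("\\\\.\\PhysicalDrive0") followed by WriteFile in an
IDA-style listing and say where the write lands.

Added example for this post, not code from the post or the video.  The listing
below is constructed; the heuristic that a WriteFile after a raw-disk open with
no seek in between hits sector 0 is an assumption about typical wipers.
"""
import re

# stdcall pushes arguments right to left: the push nearest the call is the
# first parameter and the earliest push is the last one.
API_PARAMS = {
    "CreateFileA": ["lpFileName", "dwDesiredAccess", "dwShareMode",
                    "lpSecurityAttributes", "dwCreationDisposition",
                    "dwFlagsAndAttributes", "hTemplateFile"],
    "WriteFile": ["hFile", "lpBuffer", "nNumberOfBytesToWrite",
                  "lpNumberOfBytesWritten", "lpOverlapped"],
    "SetFilePointer": ["hFile", "lDistanceToMove", "lpDistanceToMoveHigh",
                       "dwMoveMethod"],
    "SetFilePointerEx": ["hFile", "liDistanceToMove", "lpNewFilePointer",
                         "dwMoveMethod"],
}

PUSH_RE = re.compile(r"^\s*push\s+(.+?)\s*(?:;\s*(.*))?$")
CALL_RE = re.compile(r"^\s*call\s+(?:ds:)?(\w+)\s*$")
# Matches the device path as IDA prints it ("\\\\.\\PhysicalDrive0") and raw.
RAW_DISK_RE = re.compile(r"\\+\.\\+PhysicalDrive(\d+)", re.IGNORECASE)

# Constructed listing in the shape shown in the post (not from a real sample).
SAMPLE_LINES = [
    "push    0               ; hTemplateFile",
    "push    80h             ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL",
    "push    3               ; dwCreationDisposition = OPEN_EXISTING",
    "push    0               ; lpSecurityAttributes",
    "push    3               ; dwShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE",
    "push    0C0000000h      ; dwDesiredAccess = GENERIC_READ|GENERIC_WRITE",
    r'push    offset FileName ; "\\\\.\\PhysicalDrive0"',
    "call    ds:CreateFileA",
    "mov     esi, eax        ; raw disk handle",
    "push    0               ; lpOverlapped = NULL",
    "push    offset NumberOfBytesWritten",
    "push    200h            ; nNumberOfBytesToWrite = one 512-byte sector",
    "push    offset Buffer   ; lpBuffer",
    "push    esi             ; hFile",
    "call    ds:WriteFile",
]
SAMPLE_LISTING = "\n".join(SAMPLE_LINES)


def parse_calls(listing):
    """Yield (api, {param: (operand, comment)}) for each call to a known API."""
    pushes = []
    for line in listing.splitlines():
        m = PUSH_RE.match(line)
        if m:
            pushes.append((m.group(1), m.group(2) or ""))
            continue
        m = CALL_RE.match(line)
        if not m:
            continue                      # other instructions do not touch the args
        params = API_PARAMS.get(m.group(1))
        if params:
            args = pushes[-len(params):]  # the last N pushes feed this call
            yield m.group(1), dict(zip(params, reversed(args)))
        pushes = []                       # a call consumes its arguments


def find_raw_disk_writes(listing):
    """Report WriteFile calls that follow a \\.\PhysicalDriveN open.

    Heuristic: the handle from the raw open is assumed to be the one passed to
    the following WriteFile (operands such as "..." hide the real register).
    """
    findings = []
    disk = None      # PhysicalDriveN once a raw open has been seen
    seeked = False   # SetFilePointer(Ex) between the open and the write?
    for api, args in parse_calls(listing):
        if api == "CreateFileA":
            m = RAW_DISK_RE.search(" ".join(args.get("lpFileName", ("", ""))))
            if m:
                disk, seeked = "PhysicalDrive" + m.group(1), False
        elif api.startswith("SetFilePointer") and disk:
            seeked = True
        elif api == "WriteFile" and disk:
            overlapped = args.get("lpOverlapped", ("", ""))[0].strip()
            if seeked:
                kind = "seek_then_write"      # offset set explicitly; read the seek
            elif overlapped not in ("0", "0h", "NULL"):
                kind = "overlapped_offset"    # offset comes from the OVERLAPPED struct
            else:
                kind = "mbr_overwrite"        # fresh handle, no seek: pointer is at 0
            findings.append({"disk": disk, "kind": kind, "lpOverlapped": overlapped})
    return findings


if __name__ == "__main__":
    for api, args in parse_calls(SAMPLE_LISTING):
        print(api, {k: v[0] for k, v in args.items()})
    print(find_raw_disk_writes(SAMPLE_LISTING))
```

Paste a function's listing from IDA (File, Produce file, or simply copy the text) into `find_raw_disk_writes` and it tells you whether the first `push 0` before WriteFile is really lpOverlapped, and hence whether the write is headed for sector 0. A `seek_then_write` or `overlapped_offset` result means the target sector is elsewhere and you need to read the seek distance or the OVERLAPPED structure before concluding it is the MBR.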
------
FYI, this is just me learning and documenting from the great Malware Hunter and his YouTube video; none of this is my own.
https://www.youtube.com/watch?v=b0WQwCQGjv4
Labels: CreateFileA, MBR, PhysicalDrive0, WriteFile