Our first step will be to find the entry point of the hollowed out process, patch it with 0xCC (int9), set Ollydbg as the just in time debugger, let the malware execute till after it calls ResumeThread. At this point we the malware cause the hollowed process to be opened in Ollydbg. We can then patch the malware with the original bytes and we will be good to go.
In the recommended blog posts it was stated that the entry point will be stored in the EAX register of the CONTEXT structure. If we were to compile CodeReversing's C++ and view the code in IDA we would have the above assembly (left) and the CONTEXT structure (right). Since we know EAX will contain the address we need to find that address in the CONTEXT structure of the memory of the malware. We know that the malware will use SetThreadContext to set the register of EAX so we can set a breakpoint on it before it's called.
BOOL WINAPI SetThreadContext( _In_ HANDLE hThread, _In_ const CONTEXT *lpContext );
Process Hacker. Once we have it running we will locate the hollowed out process running under the malware. Right Click, Properties and the locate the memory section of the hollowed out process.
We will then need to patch the memory with 'cc' aka INT3 (remember the original byte) , press "Write" and now the hollowed out process has been patched. We will need to setup our just in time debugger by opening Ollydbg > Options > Just-in-time debugging. Then we will need to step through the code after the SetThreadContext until ResumeThread is called. After it's called the INT3 instruction will be executed and our Just in time debugger will open up Ollydbg. We now can patch the INT3 with the original byte and now continue stepping through the code that was written to the hollow process.
Patching with INT3 can be very useful. I have used it many times when I want to debug a service with ollydbg. Hope this was helpful to anyone who might come across this problem. Cheers.
If the sample uses the CreateRemoteThread and LoadLibrary* technique the following steps can be used.
- Open the sample in a debugger
- Set a breakpoint on OpenProcess and execute till the breakpoint is hit.
- Open a separate instance of the child process that is being injected into.
- Change the process-id (3rd argument for OpenProcess) to the newely created child process.
- Set a bp on LoadLibrary* in the child/dummy process in the debugger.
- Execute to LoadLibrary* is hit.
- Set a breakpoint on the DLLEntryPoint of the dll.
- Start walking through the code.