Dissecting the Dyre Loader: Rsrc Decoding and Injection, by Jason Reaves on December 31, 2015

Looking at the loader statically we can see three resource sections (Figure ??). It first loads the smallest of the three, which is 256 bytes in length; which of the remaining two is loaded next depends on whether the system is 32-bit or 64-bit.

Pseudo-Random filename generation

# Reimplementation of the loader's filename generator. Each character comes
# from two rounds of the MSVC rand() LCG (x = x * 0x343FD + 0x269EC3), with
# the state XORed with QueryPerformanceCounter before each round; 15
# characters are produced and the first round's output selects the case.
from ctypes import byref, c_int64

try:
    from ctypes import windll                  # Windows only

    def perf_counter():
        val = c_int64()
        windll.Kernel32.QueryPerformanceCounter(byref(val))
        return val.value
except ImportError:                            # non-Windows fallback, added here
    import time

    def perf_counter():
        return time.perf_counter_ns()


def generate_filename(length=15):
    temp = 0
    resp = ""
    for i in range(length):
        for j in range(2):
            perf = perf_counter()
            temp ^= perf >> 32
            temp ^= perf & 0xFFFFFFFF
            temp *= 0x343FD
            temp = temp & 0xFFFFFFFF
            temp = temp + 0x269EC3
            temp2 = temp
            # operator was garbled in the extraction; '*' matches the LCG step above
            temp = (temp * 0x343FD) & 0xFFFFFFFF
            temp2 >>= 16
            temp += 0x269EC3
            if j == 0:
                # low bit of the first round's output picks lower/upper case
                if temp2 % 2 == 1:
                    even = True
                else:
                    even = False

        temp = temp & 0xFFFF0000
        temp = temp | temp2
        remain = temp % 25
        if even:
            remain += 0x61        # 'a'
        else:
            remain += 0x41        # 'A'

        resp += chr(remain)
    return resp


print(generate_filename())


Depending on the outcome of that check the loader loads one of the two remaining resource sections. After loading the proper resource the loader finds the process to inject into: if the loader is running from APPDATA it injects into explorer.exe; if it is running from the Windows directory it injects into svchost.exe.

[Figure: Mutex]

[Figure: Resources Sections]

[Figure 12. Large Resource]

[Figure: Resource Section Decode POC]

The loader performs the injection by creating a handle to an empty file mapping object with CreateFileMappingW and obtaining its base address with MapViewOfFile. The encoded data (Figure ??) is copied into this memory section, and the loader then maps the section into the remote process using ZwMapViewOfSection. Next an APC is queued to the target process's main thread; the thread id is obtained using NtQuerySystemInformation.
The loader calls NtQuerySystemInformation with the SystemProcessInformation class, which returns a large linked list of SYSTEM_PROCESS_INFORMATION structures. It walks this list comparing process ids to find its target. If the matching entry reports a thread count <= 0 the loader keeps enumerating; if the thread count is > 0 it jumps 0xDC bytes into the structure, which lands 4 bytes into the CLIENT_ID structure of the SYSTEM_THREAD_INFORMATION entry that sits at the bottom of the relevant SYSTEM_PROCESS_INFORMATION structure. The loader checks that ThreadState is 5 (Waiting) and then reads the thread id from CLIENT_ID.
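As an added example (my code, not the loader's and not from the original paper), here is the list walk described above in Python over a constructed SystemProcessInformation buffer. The offsets are the public 32-bit layouts of SYSTEM_PROCESS_INFORMATION (0xB8 bytes, UniqueProcessId at 0x44) and SYSTEM_THREAD_INFORMATION (0x40 bytes each); the paper gives the loader's own jump as 0xDC. Unlike the loader, which looks at the first thread entry, this version scans every thread of the matching process for state 5 (Waiting). The buffer contents and the function names are constructed for the example.

```python
# Walk a SystemProcessInformation buffer: match on pid, skip entries with no
# threads, then return the id of a thread in state 5 (Waiting) as the APC target.
# Offsets are the public x86 layouts; the buffer below is constructed, not real.
import struct

PROC_SIZE = 0xB8            # sizeof(SYSTEM_PROCESS_INFORMATION), x86
OFF_NEXT_ENTRY = 0x00       # ULONG NextEntryOffset
OFF_NUM_THREADS = 0x04      # ULONG NumberOfThreads
OFF_UNIQUE_PID = 0x44       # HANDLE UniqueProcessId (x86)
THREAD_SIZE = 0x40          # sizeof(SYSTEM_THREAD_INFORMATION), x86
OFF_THREAD_TID = 0x20       # ClientId.UniqueThread inside the thread entry
OFF_THREAD_STATE = 0x30     # ThreadState inside the thread entry
STATE_WAITING = 5           # KTHREAD_STATE Waiting


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def find_waiting_thread(buf, target_pid):
    """Return the first Waiting thread id of target_pid, or None if absent."""
    off = 0
    while True:
        nthreads = u32(buf, off + OFF_NUM_THREADS)
        pid = u32(buf, off + OFF_UNIQUE_PID)
        # Entries for other pids, or with no threads, are skipped; the thread
        # array starts immediately after the fixed-size process header.
        if pid == target_pid and nthreads > 0:
            for i in range(nthreads):
                t = off + PROC_SIZE + i * THREAD_SIZE
                if u32(buf, t + OFF_THREAD_STATE) == STATE_WAITING:
                    return u32(buf, t + OFF_THREAD_TID)
        nxt = u32(buf, off + OFF_NEXT_ENTRY)
        if nxt == 0:            # NextEntryOffset of 0 marks the last entry
            return None
        off += nxt


def make_entry(pid, threads, last=False):
    """Constructed entry: process header followed by (tid, state) thread records."""
    size = PROC_SIZE + THREAD_SIZE * len(threads)
    entry = bytearray(size)
    struct.pack_into("<I", entry, OFF_NEXT_ENTRY, 0 if last else size)
    struct.pack_into("<I", entry, OFF_NUM_THREADS, len(threads))
    struct.pack_into("<I", entry, OFF_UNIQUE_PID, pid)
    for i, (tid, state) in enumerate(threads):
        t = PROC_SIZE + i * THREAD_SIZE
        struct.pack_into("<I", entry, t + OFF_THREAD_TID, tid)
        struct.pack_into("<I", entry, t + OFF_THREAD_STATE, state)
    return bytes(entry)


# Constructed sample list: a zero-thread entry, an explorer-like pid 1234 with
# one running (state 2) and one waiting thread, and an unrelated process.
SAMPLE = (make_entry(4, [])
          + make_entry(1234, [(1300, 2), (1304, STATE_WAITING)])
          + make_entry(2000, [(2100, STATE_WAITING)], last=True))

if __name__ == "__main__":
    print(find_waiting_thread(SAMPLE, 1234))   # 1304
    print(find_waiting_thread(SAMPLE, 9999))   # None
```

On a live system the buffer would come from NtQuerySystemInformation(SystemProcessInformation); the walk is the same, and the 64-bit layouts only change the constants at the top.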

After queueing the APC the loader decodes the injected code. The decoding uses the smaller (256-byte) resource section as a lookup table. The two larger resource sections are the 32-bit and 64-bit encoded injects respectively, which can be proven with a simple proof of concept as in Figure 12. In the previous figure we can see that the decoded inject appears to be a DLL wrapped in shellcode.
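An added proof of concept in the same spirit (my code, not the author's Figure 12 POC): it decodes a resource by indexing the 256-byte resource as a substitution table (assuming decoded_byte = table[encoded_byte]), then scans the output for a DOS header whose e_lfanew points at a valid PE signature and reads the Machine field, which is how you would confirm which of the two large resources is the 32-bit and which the 64-bit inject. The table, the shellcode stub and the minimal PE headers are constructed for the example; only the PE constants are real.

```python
# Decode a resource through a 256-byte lookup table and locate the DLL that the
# surrounding shellcode wraps, reporting its architecture from the PE header.
# The table and the sample "injects" below are constructed, not from a sample.
import random
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def decode_resource(encoded, table):
    """Substitution decode: each encoded byte indexes the 256-byte table."""
    if len(table) != 256:
        raise ValueError("lookup table must be 256 bytes")
    return bytes(table[b] for b in encoded)


def find_embedded_pe(blob):
    """Return (offset, machine) of the first valid PE image in blob, or None."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):                 # full DOS header present?
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            hdr = pos + e_lfanew
            if hdr + 6 <= len(blob) and blob[hdr:hdr + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", blob, hdr + 4)[0]
                return pos, machine
        pos = blob.find(b"MZ", pos + 1)             # stray "MZ" bytes: keep looking
    return None


def classify(encoded, table):
    """Decode and say which inject this is, as the page's POC does."""
    hit = find_embedded_pe(decode_resource(encoded, table))
    if hit is None:
        return "no PE found"
    off, machine = hit
    names = {IMAGE_FILE_MACHINE_I386: "32-bit", IMAGE_FILE_MACHINE_AMD64: "64-bit"}
    return f"{names.get(machine, hex(machine))} DLL at offset {off:#x}"


# --- constructed sample data ---------------------------------------------
def build_fake_inject(machine):
    """A few bytes of shellcode-like prologue followed by a minimal DOS/PE header."""
    stub = b"\xE8\x00\x00\x00\x00\x5B"              # call $+5 / pop ebx
    pe = bytearray(0x40 + 24)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x44, machine)       # IMAGE_FILE_HEADER.Machine
    return stub + bytes(pe)


# A fixed random permutation stands in for the small resource; the encoder
# used to build the test inputs is its inverse.
TABLE = bytes(random.Random(2015).sample(range(256), 256))
INVERSE = bytes(TABLE.index(i) for i in range(256))


def encode_for_test(plain):
    return bytes(INVERSE[b] for b in plain)


ENC32 = encode_for_test(build_fake_inject(IMAGE_FILE_MACHINE_I386))
ENC64 = encode_for_test(build_fake_inject(IMAGE_FILE_MACHINE_AMD64))

if __name__ == "__main__":
    print(classify(ENC32, TABLE))   # 32-bit DLL at offset 0x6
    print(classify(ENC64, TABLE))   # 64-bit DLL at offset 0x6
```

Against a real loader you would feed the two large resources and the 256-byte one straight from the .rsrc section; the Machine check is what separates "looks decoded" from "is the inject the text says it is".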
