Module six inside the packed sample with SHA1 37f6f1f59bf7952fd7182deeb07d4cd0d367dd59
The disassembly output below is part of the blog post "Hancitor packer demystified". If you landed here via Google, you probably want to go to the home page instead.
;-----------------------------------------------------------------------
; my_find_address_of_kernelbase
; Purpose: obtain a module base address by walking the process PEB
;          (fs:30h), i.e. without relying on an import table.
; In:      none
; Out:     eax = DllBase of the SECOND entry of
;          PEB->Ldr->InInitializationOrderModuleList
;          (x86 layouts: PEB.Ldr = +0Ch, PEB_LDR_DATA.InInitializationOrder-
;          ModuleList = +1Ch, LDR_DATA_TABLE_ENTRY.DllBase = +8 from that
;          link). Which DLL sits second depends on the Windows version;
;          the analyst's label names it kernelbase.
; Clobb:   eax, flags. esi is saved and restored.
; Note:    the js at 00242639 is evaluated on the flags left by
;          xor eax,eax (mov does not write flags), so SF=0 and the branch
;          is never taken here; the loc_242647 path is effectively dead.
; Defender note: a raw fs:30h read followed by a lodsd walk of the loader
;          list is a typical packer/loader resolver marker in triage.
;-----------------------------------------------------------------------
debug032:00242630
debug032:00242630 ; =============== S U B R O U T I N E =======================================
debug032:00242630
debug032:00242630
debug032:00242630 my_find_address_of_kernelbase proc near ; CODE XREF: my_module_six_fill_importTable+2A↓p
debug032:00242630 56                   push    esi                     ; esi is used by lodsd below
debug032:00242631 33 C0                xor     eax, eax                ; eax = 0; also leaves SF=0 for the js below
debug032:00242633 64 A1 30 00 00 00    mov     eax, large fs:30h       ; eax = PEB (TEB+30h on x86); flags untouched
debug032:00242639 78 0C                js      short loc_242647        ; never taken: SF is still 0 from the xor
debug032:0024263B 8B 40 0C             mov     eax, [eax+0Ch]          ; eax = PEB->Ldr
debug032:0024263E 8B 70 1C             mov     esi, [eax+1Ch]          ; esi = InInitializationOrderModuleList.Flink (1st entry link)
debug032:00242641 AD                   lodsd                           ; eax = [esi] = Flink of 1st entry -> link of the 2nd entry
debug032:00242642 8B 40 08             mov     eax, [eax+8]            ; eax = 2nd entry DllBase (+18h in the entry, +8 from its +10h link)
debug032:00242645 EB 09                jmp     short loc_242650
debug032:00242647 ; ---------------------------------------------------------------------------
debug032:00242647
debug032:00242647 loc_242647: ; CODE XREF: my_find_address_of_kernelbase+9↑j
;          alternate path, unreachable with the flags as set above (see header)
debug032:00242647 8B 40 34             mov     eax, [eax+34h]
debug032:0024264A 8D 40 7C             lea     eax, [eax+7Ch]
debug032:0024264D 8B 40 3C             mov     eax, [eax+3Ch]
debug032:00242650
debug032:00242650 loc_242650: ; CODE XREF: my_find_address_of_kernelbase+15↑j
debug032:00242650 5E                   pop     esi
debug032:00242651 C3                   retn
debug032:00242651 my_find_address_of_kernelbase endp
debug032:00242651
debug032:00242651 ; ---------------------------------------------------------------------------
;          int3 (0CCh) padding between the two routines
debug032:00242652 CC CC CC CC          dd 0CCCCCCCCh
debug032:00242656 CC CC CC CC          dd 0CCCCCCCCh
debug032:0024265A CC CC CC CC          dd 0CCCCCCCCh
debug032:0024265E CC                   db 0CCh ; Ì
debug032:0024265F CC                   db 0CCh ; Ì
debug032:00242660
;-----------------------------------------------------------------------
; my_module_six_fill_importTable(image_base)  -- bp-based frame, 3Ch of locals
; In:   [ebp+8] = arg_Location_Exe_In_Memory: base of the in-memory PE image
;       whose Import Address Table is to be filled.
; Out:  eax holds whatever the last helper returned; no caller use is
;       visible here, treat it as undefined.
; Steps (offsets are the standard PE32 / IMAGE_IMPORT_DESCRIPTOR layouts):
;   1. NT headers = base + e_lfanew (+3Ch); import directory entry =
;      NT headers + 78h + 8 = DataDirectory[1] (IMAGE_DIRECTORY_ENTRY_IMPORT).
;   2. Resolve "LoadLibraryA", "LoadLibraryExA" and "GetProcAddress" from
;      the module returned by my_find_address_of_kernelbase through
;      sub_242540(module_base, name) -- presumably a hand-rolled export
;      lookup; confirm in sub_242540.
;   3. Walk IMAGE_IMPORT_DESCRIPTORs (14h bytes each: OriginalFirstThunk +0,
;      Name +0Ch, FirstThunk +10h) until Name == 0.
;   4. Per descriptor: LoadLibraryA(name), else LoadLibraryExA(name,0,0);
;      per thunk: GetProcAddress by ordinal (bit 31 set, low 16 bits) or
;      by name (IMAGE_IMPORT_BY_NAME + 2); store the result in the IAT slot.
; Exit conditions that abandon ALL remaining work (jump to loc_2427EA):
;   neither LoadLibrary* resolved, GetProcAddress not resolved, or any
;   LoadLibrary* call returning 0.
; Gaps a reviewer would flag: GetProcAddress results are never checked, so
;   a failed lookup writes 0 into the IAT slot; the per-thunk loop stops
;   on the IAT slot ([FirstThunk]) being 0, not on the ILT entry.
; Defender note: plaintext "LoadLibraryA"/"GetProcAddress" strings handed
;   to an internal resolver, followed by manual IAT writes, are the
;   observable markers of this stage.
;-----------------------------------------------------------------------
debug032:00242660 ; =============== S U B R O U T I N E =======================================
debug032:00242660
debug032:00242660 ; Attributes: bp-based frame
debug032:00242660
debug032:00242660 my_module_six_fill_importTable proc near
debug032:00242660 ; CODE XREF: my_module_six_parent+18↓p
debug032:00242660
debug032:00242660 var_hint_name_table= dword ptr -3Ch              ; VA of current IMAGE_IMPORT_BY_NAME
debug032:00242660 var_RVA_import_directory= dword ptr -38h
debug032:00242660 pointer_RVA_import_directory= dword ptr -34h     ; &DataDirectory[IMPORT].VirtualAddress
debug032:00242660 var_start_pe_header= dword ptr -30h              ; VA of IMAGE_NT_HEADERS
debug032:00242660 var_2C= dword ptr -2Ch                           ; copy of image base
debug032:00242660 var_library_name= dword ptr -28h
debug032:00242660 var_getProcAddr= dword ptr -24h
debug032:00242660 var_LoadLibrary= dword ptr -20h                  ; LoadLibraryExA
debug032:00242660 var_1C= dword ptr -1Ch                           ; LoadLibraryA (left unnamed by the analyst)
debug032:00242660 var_kernelBase= dword ptr -18h
debug032:00242660 var_function_addr= dword ptr -14h
debug032:00242660 var_addr_rva_hint_name_table= dword ptr -10h    ; cursor into the ILT (OriginalFirstThunk array)
debug032:00242660 var_addr_inside_import_address_table= dword ptr -0Ch ; cursor into the IAT (FirstThunk array)
debug032:00242660 var_library_addr= dword ptr -8
debug032:00242660 var_addr_OriginalFirstThunk= dword ptr -4        ; VA of current IMAGE_IMPORT_DESCRIPTOR
debug032:00242660 arg_Location_Exe_In_Memory= dword ptr 8
debug032:00242660
debug032:00242660 55                   push    ebp
debug032:00242661 8B EC                mov     ebp, esp
debug032:00242663 83 EC 3C             sub     esp, 3Ch                ; 15 dword locals
debug032:00242666 8B 45 08             mov     eax, [ebp+arg_Location_Exe_In_Memory]
debug032:00242669 89 45 D4             mov     [ebp+var_2C], eax
debug032:0024266C 8B 4D D4             mov     ecx, [ebp+var_2C]
debug032:0024266F 8B 55 08             mov     edx, [ebp+arg_Location_Exe_In_Memory]
debug032:00242672 03 51 3C             add     edx, [ecx+3Ch]          ; edx = base + e_lfanew = IMAGE_NT_HEADERS
debug032:00242675 89 55 D0             mov     [ebp+var_start_pe_header], edx
debug032:00242678 B8 08 00 00 00       mov     eax, 8                  ; eax = 1 * sizeof(IMAGE_DATA_DIRECTORY)
debug032:0024267D C1 E0 00             shl     eax, 0                  ; no-op; looks like an unoptimised index computation
debug032:00242680 8B 4D D0             mov     ecx, [ebp+var_start_pe_header]
debug032:00242683 8D 54 01 78          lea     edx, [ecx+eax+78h]      ; edx = NT hdr + 80h = &DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] (PE32)
debug032:00242687 89 55 CC             mov     [ebp+pointer_RVA_import_directory], edx
debug032:0024268A E8 A1 FF FF FF       call    my_find_address_of_kernelbase ; eax = module base used for the three lookups below
debug032:0024268F 89 45 E8             mov     [ebp+var_kernelBase], eax
debug032:00242692 68 50 42 24 00       push    offset aLoadlibrarya_1 ; "LoadLibraryA"
debug032:00242697 8B 45 E8             mov     eax, [ebp+var_kernelBase]
debug032:0024269A 50                   push    eax
debug032:0024269B E8 A0 FE FF FF       call    sub_242540              ; sub_242540(module_base, "LoadLibraryA")
debug032:002426A0 83 C4 08             add     esp, 8                  ; cdecl: caller cleans 2 args
debug032:002426A3 89 45 E4             mov     [ebp+var_1C], eax       ; var_1C = LoadLibraryA
debug032:002426A6 68 60 42 24 00       push    offset aLoadlibraryexa ; "LoadLibraryExA"
debug032:002426AB 8B 4D E8             mov     ecx, [ebp+var_kernelBase]
debug032:002426AE 51                   push    ecx
debug032:002426AF E8 8C FE FF FF       call    sub_242540              ; sub_242540(module_base, "LoadLibraryExA")
debug032:002426B4 83 C4 08             add     esp, 8
debug032:002426B7 89 45 E0             mov     [ebp+var_LoadLibrary], eax ; var_LoadLibrary = LoadLibraryExA
debug032:002426BA 68 70 42 24 00       push    offset aGetprocaddress_2 ; "GetProcAddress"
debug032:002426BF 8B 55 E8             mov     edx, [ebp+var_kernelBase]
debug032:002426C2 52                   push    edx
debug032:002426C3 E8 78 FE FF FF       call    sub_242540              ; sub_242540(module_base, "GetProcAddress")
debug032:002426C8 83 C4 08             add     esp, 8
debug032:002426CB 89 45 DC             mov     [ebp+var_getProcAddr], eax
debug032:002426CE 83 7D E4 00          cmp     [ebp+var_1C], 0         ; LoadLibraryA resolved?
debug032:002426D2 75 0B                jnz     short loc_2426DF
debug032:002426D4 83 7D E0 00          cmp     [ebp+var_LoadLibrary], 0 ; ...or at least LoadLibraryExA?
debug032:002426D8 75 05                jnz     short loc_2426DF
debug032:002426DA E9 0B 01 00 00       jmp     loc_2427EA              ; neither -> give up without touching the IAT
debug032:002426DF ; ---------------------------------------------------------------------------
debug032:002426DF
debug032:002426DF loc_2426DF: ; CODE XREF: my_module_six_fill_importTable+72↑j
debug032:002426DF ; my_module_six_fill_importTable+78↑j
debug032:002426DF 83 7D DC 00          cmp     [ebp+var_getProcAddr], 0
debug032:002426E3 75 05                jnz     short loc_2426EA
debug032:002426E5 E9 00 01 00 00       jmp     loc_2427EA              ; no GetProcAddress -> give up
debug032:002426EA ; ---------------------------------------------------------------------------
debug032:002426EA
debug032:002426EA loc_2426EA: ; CODE XREF: my_module_six_fill_importTable+83↑j
debug032:002426EA 8B 45 CC             mov     eax, [ebp+pointer_RVA_import_directory]
debug032:002426ED 8B 08                mov     ecx, [eax]              ; ecx = import directory RVA
debug032:002426EF 89 4D C8             mov     [ebp+var_RVA_import_directory], ecx
debug032:002426F2 8B 55 08             mov     edx, [ebp+arg_Location_Exe_In_Memory]
debug032:002426F5 03 55 C8             add     edx, [ebp+var_RVA_import_directory]
debug032:002426F8 89 55 FC             mov     [ebp+var_addr_OriginalFirstThunk], edx ; edx = VA of first IMAGE_IMPORT_DESCRIPTOR
debug032:002426FB
debug032:002426FB loc_2426FB: ; CODE XREF: my_module_six_fill_importTable+185↓j
;          outer loop: one IMAGE_IMPORT_DESCRIPTOR (one DLL) per iteration
debug032:002426FB 8B 45 FC             mov     eax, [ebp+var_addr_OriginalFirstThunk]
debug032:002426FE 83 78 0C 00          cmp     dword ptr [eax+0Ch], 0  ; descriptor.Name == 0 -> end of the import table
debug032:00242702 0F 84 E2 00 00 00    jz      loc_2427EA
debug032:00242708 8B 4D FC             mov     ecx, [ebp+var_addr_OriginalFirstThunk]
debug032:0024270B 8B 55 08             mov     edx, [ebp+arg_Location_Exe_In_Memory]
debug032:0024270E 03 51 10             add     edx, [ecx+10h] ; FirstThunk
debug032:0024270E                                             ; RVA inside Import Address Table
debug032:00242711 89 55 F4             mov     [ebp+var_addr_inside_import_address_table], edx ; IAT cursor = base + FirstThunk
debug032:00242714 8B 45 FC             mov     eax, [ebp+var_addr_OriginalFirstThunk] ; eax=RVA of the Import Lookup Table (ILT)
debug032:00242717 8B 4D 08             mov     ecx, [ebp+arg_Location_Exe_In_Memory]
debug032:0024271A 03 08                add     ecx, [eax]              ; ILT cursor = base + OriginalFirstThunk
debug032:0024271C 89 4D F0             mov     [ebp+var_addr_rva_hint_name_table], ecx ; ecx contains RVA to hint/name table
debug032:0024271F
debug032:0024271F loc_24271F: ; CODE XREF: my_module_six_fill_importTable+177↓j
;          inner loop: one thunk (one imported function) per iteration
debug032:0024271F 8B 55 F4             mov     edx, [ebp+var_addr_inside_import_address_table]
debug032:00242722 83 3A 00             cmp     dword ptr [edx], 0      ; termination is checked on the IAT slot, not the ILT entry
debug032:00242725 0F 84 B1 00 00 00    jz      loc_2427DC              ; empty slot -> next descriptor
debug032:0024272B 8B 45 F0             mov     eax, [ebp+var_addr_rva_hint_name_table]
debug032:0024272E 8B 4D 08             mov     ecx, [ebp+arg_Location_Exe_In_Memory]
debug032:00242731 03 08                add     ecx, [eax]              ; ecx = VA of IMAGE_IMPORT_BY_NAME (WORD Hint, then name)
debug032:00242733 89 4D C4             mov     [ebp+var_hint_name_table], ecx
debug032:00242736 8B 55 FC             mov     edx, [ebp+var_addr_OriginalFirstThunk]
debug032:00242739 8B 45 08             mov     eax, [ebp+arg_Location_Exe_In_Memory]
debug032:0024273C 03 42 0C             add     eax, [edx+0Ch]          ; eax = VA of descriptor.Name (DLL name string)
debug032:0024273F 89 45 D8             mov     [ebp+var_library_name], eax
debug032:00242742 C7 45 F8 00 00 00 00 mov     [ebp+var_library_addr], 0
debug032:00242749 C7 45 EC 00 00 00 00 mov     [ebp+var_function_addr], 0
debug032:00242750 83 7D E4 00          cmp     [ebp+var_1C], 0         ; prefer LoadLibraryA when available
debug032:00242754 74 0C                jz      short loc_242762
debug032:00242756 8B 4D D8             mov     ecx, [ebp+var_library_name]
debug032:00242759 51                   push    ecx
debug032:0024275A FF 55 E4             call    [ebp+var_1C]            ; LoadLibraryA(dll_name)
debug032:0024275D 89 45 F8             mov     [ebp+var_library_addr], eax
debug032:00242760 EB 14                jmp     short loc_242776
debug032:00242762 ; ---------------------------------------------------------------------------
debug032:00242762
debug032:00242762 loc_242762: ; CODE XREF: my_module_six_fill_importTable+F4↑j
debug032:00242762 83 7D E0 00          cmp     [ebp+var_LoadLibrary], 0
debug032:00242766 74 0E                jz      short loc_242776
debug032:00242768 6A 00                push    0                       ; dwFlags = 0
debug032:0024276A 6A 00                push    0                       ; hFile = NULL
debug032:0024276C 8B 55 D8             mov     edx, [ebp+var_library_name]
debug032:0024276F 52                   push    edx
debug032:00242770 FF 55 E0             call    [ebp+var_LoadLibrary]   ; LoadLibraryExA(dll_name, 0, 0)
debug032:00242773 89 45 F8             mov     [ebp+var_library_addr], eax
debug032:00242776
debug032:00242776 loc_242776: ; CODE XREF: my_module_six_fill_importTable+100↑j
debug032:00242776 ; my_module_six_fill_importTable+106↑j
debug032:00242776 83 7D F8 00          cmp     [ebp+var_library_addr], 0
debug032:0024277A 75 02                jnz     short loc_24277E
debug032:0024277C EB 6C                jmp     short loc_2427EA        ; DLL failed to load -> abandon the WHOLE remaining table
debug032:0024277E ; ---------------------------------------------------------------------------
debug032:0024277E
debug032:0024277E loc_24277E: ; CODE XREF: my_module_six_fill_importTable+11A↑j
debug032:0024277E 8B 45 F0             mov     eax, [ebp+var_addr_rva_hint_name_table]
debug032:00242781 8B 08                mov     ecx, [eax]              ; ecx = ILT entry
debug032:00242783 81 E1 00 00 00 80    and     ecx, 80000000h          ; IMAGE_ORDINAL_FLAG32: import by ordinal?
debug032:00242789 74 17                jz      short loc_2427A2
debug032:0024278B 8B 55 F0             mov     edx, [ebp+var_addr_rva_hint_name_table]
debug032:0024278E 8B 02                mov     eax, [edx]
debug032:00242790 25 FF FF 00 00       and     eax, 0FFFFh             ; ordinal = low 16 bits
debug032:00242795 50                   push    eax
debug032:00242796 8B 4D F8             mov     ecx, [ebp+var_library_addr]
debug032:00242799 51                   push    ecx
debug032:0024279A FF 55 DC             call    [ebp+var_getProcAddr]   ; GetProcAddress(hmod, ordinal) -- result not checked for 0
debug032:0024279D 89 45 EC             mov     [ebp+var_function_addr], eax
debug032:002427A0 EB 11                jmp     short loc_2427B3
debug032:002427A2 ; ---------------------------------------------------------------------------
debug032:002427A2
debug032:002427A2 loc_2427A2: ; CODE XREF: my_module_six_fill_importTable+129↑j
debug032:002427A2 8B 55 C4             mov     edx, [ebp+var_hint_name_table]
debug032:002427A5 83 C2 02             add     edx, 2                  ; skip the WORD Hint -> ASCII name
debug032:002427A8 52                   push    edx ; edx=function name
debug032:002427A9 8B 45 F8             mov     eax, [ebp+var_library_addr]
debug032:002427AC 50                   push    eax
debug032:002427AD FF 55 DC             call    [ebp+var_getProcAddr]   ; GetProcAddress(hmod, name) -- result not checked for 0
debug032:002427B0 89 45 EC             mov     [ebp+var_function_addr], eax
debug032:002427B3
debug032:002427B3 loc_2427B3: ; CODE XREF: my_module_six_fill_importTable+140↑j
debug032:002427B3 8B 4D F4             mov     ecx, [ebp+var_addr_inside_import_address_table]
debug032:002427B6 8B 11                mov     edx, [ecx]              ; edx = current IAT slot contents
debug032:002427B8 3B 55 EC             cmp     edx, [ebp+var_function_addr] ; write only when the slot differs (a 0 from a failed lookup is still written)
debug032:002427BB 74 08                jz      short loc_2427C5
debug032:002427BD 8B 45 F4             mov     eax, [ebp+var_addr_inside_import_address_table]
debug032:002427C0 8B 4D EC             mov     ecx, [ebp+var_function_addr]
debug032:002427C3 89 08                mov     [eax], ecx ; FILL IMPORT TABLE!
debug032:002427C5
debug032:002427C5 loc_2427C5: ; CODE XREF: my_module_six_fill_importTable+15B↑j
debug032:002427C5 8B 55 F4             mov     edx, [ebp+var_addr_inside_import_address_table]
debug032:002427C8 83 C2 04             add     edx, 4                  ; next IAT slot (32-bit thunks)
debug032:002427CB 89 55 F4             mov     [ebp+var_addr_inside_import_address_table], edx
debug032:002427CE 8B 45 F0             mov     eax, [ebp+var_addr_rva_hint_name_table]
debug032:002427D1 83 C0 04             add     eax, 4                  ; next ILT entry, kept in lockstep with the IAT
debug032:002427D4 89 45 F0             mov     [ebp+var_addr_rva_hint_name_table], eax
debug032:002427D7 E9 43 FF FF FF       jmp     loc_24271F
debug032:002427DC ; ---------------------------------------------------------------------------
debug032:002427DC
debug032:002427DC loc_2427DC: ; CODE XREF: my_module_six_fill_importTable+C5↑j
debug032:002427DC 8B 4D FC             mov     ecx, [ebp+var_addr_OriginalFirstThunk]
debug032:002427DF 83 C1 14             add     ecx, 14h                ; sizeof(IMAGE_IMPORT_DESCRIPTOR) -> next DLL
debug032:002427E2 89 4D FC             mov     [ebp+var_addr_OriginalFirstThunk], ecx
debug032:002427E5 E9 11 FF FF FF       jmp     loc_2426FB
debug032:002427EA ; ---------------------------------------------------------------------------
debug032:002427EA
debug032:002427EA loc_2427EA: ; CODE XREF: my_module_six_fill_importTable+7A↑j
debug032:002427EA ; my_module_six_fill_importTable+85↑j ...
;          common exit for both normal completion and every early abort
debug032:002427EA 8B E5                mov     esp, ebp
debug032:002427EC 5D                   pop     ebp
debug032:002427ED C3                   retn
debug032:002427ED my_module_six_fill_importTable endp
debug032:002427ED
debug032:002427ED ; ---------------------------------------------------------------------------