Reverse Engineering — Injection Series Part 3

nosfera0x2
4 min readSep 8, 2023

This is a writeup of the Blue Team Labs Online challenge “Injection Series Part 3”

I’m by no means an expert (far from it) but was able to navigate through the questions using these tools:
cutter
cyberchef
and of course
google

Question 1) How many arguments does the sample take?

Opening up Cutter and navigating to the main function shows us this:

We can see that the main function takes in one argument of type int32_t.

Answer) 1

Question 2) Again, what is the size of the shellcode?

In order for the shellcode to be used in the program, what really matters is going to be the concept of ‘size’ in memory. The function that is being used to allocate a space in memory to store the shellcode is VirtualAlloc.

We can reference the Microsoft Docs to learn more about VirtualAlloc and it’s arguments https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc

LPVOID VirtualAlloc(
[in, optional] LPVOID lpAddress,
[in] SIZE_T dwSize,
[in] DWORD flAllocationType,
[in] DWORD flProtect
);

The second argument passed to VirtualAlloc will be the a doubleword value for ‘size’ — in this case it is 0x120.

We can convert it from hex to decimal, which comes out to 288.

Answer) 288

Question 3) In VirtualAlloc what does the flAllocationType value represents?

Fortunately, the previous question has the graphics needed to solve this question.
Using the Microsoft docs, flAllocationType is the third argument passed to the VirtualAlloc API — in this case it was a value of 0x1000.

Back to the Microsoft Docs…

Answer) MEM_COMMIT

Question 4) What is the argument required by the sample to run the shellcode?

In the edx register, a variable “message” is being stored. It is used in comparisons farther down the program.

Question 4) “message”

Question 5) What is the payload in Metasploit that would have been used to generate the shellcode?

I went to google for this one. I searched for metasploit payload “message” and came across this site:
https://www.infosecmatter.com/metasploit-module-library/?mm=payload/windows/messagebox

Answer) windows/messagebox

Question 6) What is the API used to create a wait object?

Answer) CreateThreadpoolWait

Question 7) What is the library function used to copy shellcode between memory blocks?

Answer) memmove

Question 8) What argument to the sample invokes powershell process?

After all the shellcode business is sorted, “killall” is then stored in the eax register.

It’s easier to understand from the ‘graph’ view. There is a branching condition that shows at the top str.killall being moved into eax, and that makes the following instructions possible.

Answer) killall

Question 9) After decoding the powershell, list the log names as in the order in the script

Farther down the main function, we can see an encoded powershell command execution. We can decode that in cyberchef.

Answer) Application, Windows Powershell, Security, System

After doing our reversing we can deduce what this ‘malware’ does.
1. If run with ‘message’ as an argument, it will pop a messagebox on the machine. It uses the metasploit payloads/windows/messagebox functionality to do this
2. If run with ‘killall’ as an argument, it will delete critical logs to cover its tracks.

Thanks for tuning in!

--

--