Closed KillerInstinct closed 8 years ago
With exceptions turned on, here are my debug logs (copy them out since I'm using code blocks):
```
2015-12-30 06:11:05,321 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2088 EIP: WININET.DLL+2ec1a SEH: WININET.DLL+ae687 774bec1a, Fault Address: 000003e8, Esp: 0012fc20, Exception Code: c0000005, cuckoomon.dll+601d cuckoomon.dll+601d SAMCLI.DLL+6e49 WININET.DLL+ae687 cuckoomon.dll+e04e WININET.DLL+177d3 ntdll.dll+12844 WININET.DLL+17a0f SHELL32.dll+b7bf8c WININET.DLL+117ba ntdll.dll+52d88 kernel32.dll+4ccfc KERNELBASE.dll+76a4 KERNELBASE.dll+76ba kernel32.dll+4ccfc KERNELBASE.dll+19f85 KERNELBASE.dll+76ba cuckoomon.dll+211a0 cuckoomon.dll+cf56 cuckoomon.dll+4469c cuckoomon.dll+4492c cuckoomon.dll+44925 cuckoomon.dll+448fc cuckoomon.dll+44654 cuckoomon.dll+4466c cuckoomon.dll+44660 ibd3.jpg.exe+f020 cuckoomon.dll+43370 ibd3.jpg.exe+37ac ibd3.jpg.exe+19e2 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+1153 kernel32.dll+4ee6c ntdll.dll+63ab3 SHELL32.dll+b7bd9c ntdll.dll+1e15d ntdll.dll+63a86 ibd3.jpg.exe+1000 ibd3.jpg.exe+1000, Bytes at EIP: 8b 33 89 75 9c c7 45 fc fe ff ff ff 85 c9 0f 85
2015-12-30 06:11:05,321 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2088 EIP: cuckoomon.dll+e080 SEH: ntdll.dll+1e15d 7372e080, Fault Address: 000003e8, Esp: 0012fd28, Exception Code: c0000005, WININET.DLL+177d3 ntdll.dll+12844 WININET.DLL+17a0f SHELL32.dll+b7bf8c WININET.DLL+117ba ntdll.dll+52d88 kernel32.dll+4ccfc KERNELBASE.dll+76a4 KERNELBASE.dll+76ba kernel32.dll+4ccfc KERNELBASE.dll+19f85 KERNELBASE.dll+76ba cuckoomon.dll+211a0 cuckoomon.dll+cf56 cuckoomon.dll+4469c cuckoomon.dll+4492c cuckoomon.dll+44925 cuckoomon.dll+448fc cuckoomon.dll+44654 cuckoomon.dll+4466c cuckoomon.dll+44660 ibd3.jpg.exe+f020 cuckoomon.dll+43370 ibd3.jpg.exe+37ac ibd3.jpg.exe+19e2 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+1153 kernel32.dll+4ee6c ntdll.dll+63ab3 SHELL32.dll+b7bd9c ntdll.dll+1e15d ntdll.dll+63a86 ibd3.jpg.exe+1000 ibd3.jpg.exe+1000, Bytes at EIP: ff 37 8b 45 08 68 d8 33 76 73 53 68 04 47 76 73
2015-12-30 06:11:05,322 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2088 EIP: cuckoomon.dll+e080 SEH: kernel32.dll+aa122 7372e080, Fault Address: 000003e8, Esp: 0012fd28, Exception Code: c0000005, WININET.DLL+177d3 ntdll.dll+12844 WININET.DLL+17a0f SHELL32.dll+b7bf8c WININET.DLL+117ba ntdll.dll+52d88 kernel32.dll+4ccfc KERNELBASE.dll+76a4 KERNELBASE.dll+76ba kernel32.dll+4ccfc KERNELBASE.dll+19f85 KERNELBASE.dll+76ba cuckoomon.dll+211a0 cuckoomon.dll+cf56 cuckoomon.dll+4469c cuckoomon.dll+4492c cuckoomon.dll+44925 cuckoomon.dll+448fc cuckoomon.dll+44654 cuckoomon.dll+4466c cuckoomon.dll+44660 ibd3.jpg.exe+f020 cuckoomon.dll+43370 ibd3.jpg.exe+37ac ibd3.jpg.exe+19e2 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+1153 kernel32.dll+4ee6c ntdll.dll+63ab3 SHELL32.dll+b7bd9c kernel32.dll+60781 kernel32.dll+60781 ntdll.dll+1e15d ntdll.dll+63a86 ibd3.jpg.exe+1000 ibd3.jpg.exe+1000, Bytes at EIP: ff 37 8b 45 08 68 d8 33 76 73 53 68 04 47 76 73
```
In this case, it says my exception offset is 0xe080. (For some reason my binary is also now about 30k larger when I compile it myself with exceptions turned on, and 28k larger when just regularly compiling.) This puts us in our InternetSetOptionA hook.
Here's the disassembly for that region:
```
.text:0000E030 ; =============== S U B R O U T I N E =======================================
.text:0000E030
.text:0000E030 ; Attributes: bp-based frame
.text:0000E030
.text:0000E030 ; int __stdcall New_InternetSetOptionA(void *hInternet, unsigned int dwOption, void *lpBuffer, unsigned int dwBufferLength)
.text:0000E030 _New_InternetSetOptionA@16 proc near ; DATA XREF: .data:0004D124o
.text:0000E030
.text:0000E030 hInternet = dword ptr 8
.text:0000E030 dwOption = dword ptr 0Ch
.text:0000E030 lpBuffer = dword ptr 10h
.text:0000E030 dwBufferLength = dword ptr 14h
.text:0000E030
.text:0000E030 push ebp
.text:0000E031 mov ebp, esp
.text:0000E033 and esp, 0FFFFFFF8h
.text:0000E036 push ecx
.text:0000E037 push ebx
.text:0000E038 mov ebx, [ebp+dwOption]
.text:0000E03B push esi
.text:0000E03C push edi
.text:0000E03D push [ebp+dwBufferLength]
.text:0000E040 mov edi, [ebp+lpBuffer]
.text:0000E043 push edi
.text:0000E044 push ebx
.text:0000E045 push [ebp+hInternet]
.text:0000E048 call _Old_InternetSetOptionA
.text:0000E04E mov esi, eax
.text:0000E050 test edi, edi
.text:0000E052 jz loc_E131
.text:0000E058 mov eax, [ebp+dwBufferLength]
.text:0000E05B cmp eax, 4
.text:0000E05E jnz short loc_E0C7
.text:0000E060 cmp dword_52B00, 0
.text:0000E067 jnz short loc_E080
.text:0000E069 push offset _g_log_index ; lpAddend
.text:0000E06E call ds:__imp__InterlockedIncrement@4 ; InterlockedIncrement(x)
.text:0000E074 push eax ; Value
.text:0000E075 push offset dword_52B00 ; Target
.text:0000E07A call ds:__imp__InterlockedExchange@8 ; InterlockedExchange(x,x)
.text:0000E080
.text:0000E080 loc_E080: ; CODE XREF: New_InternetSetOptionA(x,x,x,x)+37j
.text:0000E080 push dword ptr [edi]
.text:0000E082 mov eax, [ebp+hInternet]
.text:0000E085 push offset aBuffer ; "Buffer"
.text:0000E08A push ebx
.text:0000E08B push offset aOption ; "Option"
.text:0000E090 push eax
.text:0000E091 push offset aInternethandle ; "InternetHandle"
.text:0000E096 xor eax, eax
.text:0000E098 test esi, esi
.text:0000E09A push offset aPhh ; "phh"
.text:0000E09F push esi ; return_value
.text:0000E0A0 setnz al
.text:0000E0A3 push eax ; is_success
.text:0000E0A4 mov eax, dword_52B00
.text:0000E0A9 push offset aInternetsetopt ; "InternetSetOptionA"
.text:0000E0AE push offset aNetwork ; "network"
.text:0000E0B3 push eax ; index
.text:0000E0B4 call _loq
.text:0000E0B9 add esp, 30h
.text:0000E0BC mov eax, esi
.text:0000E0BE pop edi
.text:0000E0BF pop esi
.text:0000E0C0 pop ebx
.text:0000E0C1 mov esp, ebp
.text:0000E0C3 pop ebp
.text:0000E0C4 retn 10h
```
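Resolving the EIP in these netlog lines to a hook by hand is tedious, so here is a small parser (added for this write-up, not part of the issue or of cuckoomon) that extracts the fields of the monitor's "Exception Caught!" message and maps a cuckoomon.dll EIP onto a hook range taken from the listing above. The sample log is constructed from the lines in the issue with shortened stacks, and the hook's end offset (0xE131, from the `jz loc_E131` reference) is an assumption.

```python
import re
from typing import Optional

# Constructed sample modelled on the netlog lines quoted in the issue (stacks shortened).
SAMPLE_LOG = """\
2015-12-30 06:11:05,321 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2088 EIP: cuckoomon.dll+e080 SEH: ntdll.dll+1e15d 7372e080, Fault Address: 000003e8, Esp: 0012fd28, Exception Code: c0000005, WININET.DLL+177d3 ntdll.dll+12844 cuckoomon.dll+211a0 ibd3.jpg.exe+f020 ibd3.jpg.exe+1000, Bytes at EIP: ff 37 8b 45 08 68 d8 33 76 73 53 68 04 47 76 73
2015-12-30 06:11:05,321 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2088 EIP: WININET.DLL+2ec1a SEH: WININET.DLL+ae687 774bec1a, Fault Address: 000003e8, Esp: 0012fc20, Exception Code: c0000005, cuckoomon.dll+601d SAMCLI.DLL+6e49 ibd3.jpg.exe+1000, Bytes at EIP: 8b 33 89 75 9c c7 45 fc fe ff ff ff 85 c9 0f 85
2015-12-30 06:11:06,000 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: unrelated message
"""

# cuckoomon.dll hook ranges from the IDA listing; the end offset is an assumption (listing jumps to loc_E131).
HOOKS = {"New_InternetSetOptionA": (0xE030, 0xE131)}

LINE_RE = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) EIP: (?P<eip>\S+) SEH: (?P<seh>\S+) "
    r"[0-9a-f]+, Fault Address: (?P<fault>[0-9a-f]+), Esp: [0-9a-f]+, "
    r"Exception Code: (?P<code>[0-9a-f]+), (?P<frames>.*?), "
    r"Bytes at EIP: (?P<bytes>[0-9a-f ]+)$"
)

def parse_frame(text: str) -> tuple:
    """'cuckoomon.dll+e080' -> ('cuckoomon.dll', 0xe080)."""
    module, _, off = text.rpartition("+")
    return module, int(off, 16)

def parse_exception_line(line: str) -> Optional[dict]:
    """Structured record for a monitor 'Exception Caught!' line, None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m["pid"]), "eip": parse_frame(m["eip"]), "seh": parse_frame(m["seh"]),
        "code": int(m["code"], 16), "fault_address": int(m["fault"], 16),
        "frames": [parse_frame(f) for f in m["frames"].split()],
        "bytes_at_eip": bytes.fromhex(m["bytes"].replace(" ", "")),
    }

def hook_for(module: str, offset: int) -> Optional[str]:
    """Name the hook whose range holds the offset when the faulting module is the monitor itself."""
    if module.lower() != "cuckoomon.dll":
        return None
    return next((n for n, (lo, hi) in HOOKS.items() if lo <= offset < hi), None)

def triage(log_text: str) -> list:
    """(pid, 'module+offset', hook or None) for every exception line, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_exception_line(line)
        if rec:
            mod, off = rec["eip"]
            out.append((rec["pid"], f"{mod}+{off:x}", hook_for(mod, off)))
    return out
```

A fault whose EIP lands in cuckoomon.dll rather than the sample is the monitor's own bug, which is the case this issue reports; the first sample line maps straight to New_InternetSetOptionA.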
Should be fixed now, thanks!
-Brad
Sample SHA1: e54c43312f800c2d9d6d54223af97d6af5387622