Wednesday, August 3, 2011

Reversing Stuxnet: 2 (Breaking into Mrxnet.sys)


This is how to break into Mrxnet.sys to perform dynamic analysis on Stuxnet:
1) Start WinDbg and hit Ctrl+K to attach to the kernel of the target VM.
2) Start the VM with Stuxnet installed on it.
3) Break in manually (Ctrl+Break) as soon as possible in the boot sequence.
4) "sxe ld:mrxnet". It is not a very well known fact that an exception is thrown when a driver is loaded (probably to make debugging easier) and then caught, so there is no unhandled exception. This command makes the debugger break when that exception is thrown during the loading of the mrxnet module.
5) "g". This continues execution of the VM until the above exception is thrown.
6) "!dh mrxnet". This lists the PE header information of the mrxnet module, including the address of the entry point. The output is below (notice the value of "address of entry point"):

kd> !dh mrxnet

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
       6 number of sections
4B5DAD1C time date stamp Mon Jan 25 09:39:24 2010

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     102 characteristics
            Executable
            32 bit word machine

OPTIONAL HEADER VALUES
     10B magic #
    8.00 linker version
    1B00 size of code
     A00 size of initialized data
       0 size of uninitialized data
    2005 address of entry point
     480 base of code
         ----- new -----
00010000 image base
      80 section alignment
      80 file alignment
       1 subsystem (Native)
    6.00 operating system version
    6.00 image version
    5.00 subsystem version
    2980 size of image
     480 size of headers
    8352 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
       0  DLL characteristics
       0 [       0] address [size] of Export Directory
    2044 [      28] address [size] of Import Directory
    2380 [     3F8] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
    2980 [    1A78] address [size] of Security Directory
    2780 [     154] address [size] of Base Relocation Directory
    1C70 [      1C] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
    1D38 [      40] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
    1C00 [      70] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory


SECTION HEADER #1
   .text name
    1736 virtual size
     480 virtual address
    1780 size of raw data
     480 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
68000020 flags
         Code
         Not Paged
         (no align specified)
         Execute Read

SECTION HEADER #2
  .rdata name
     2B4 virtual size
    1C00 virtual address
     300 size of raw data
    1C00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
48000040 flags
         Initialized Data
         Not Paged
         (no align specified)
         Read Only


Debug Directories(1)
                Type       Size     Address  Pointer
                cv           44        1d80     1d80            Format: RSDS, guid, 1, b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

SECTION HEADER #3
   .data name
      A0 virtual size
    1F00 virtual address
     100 size of raw data
    1F00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C8000040 flags
         Initialized Data
         Not Paged
         (no align specified)
         Read Write

SECTION HEADER #4
    INIT name
     302 virtual size
    2000 virtual address
     380 size of raw data
    2000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E2000020 flags
         Code
         Discardable
         (no align specified)
         Execute Read Write

SECTION HEADER #5
   .rsrc name
     3F8 virtual size
    2380 virtual address
     400 size of raw data
    2380 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         (no align specified)
         Read Only

SECTION HEADER #6
  .reloc name
     1B8 virtual size
    2780 virtual address
     200 size of raw data
    2780 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         (no align specified)
         Read Only


7) Once the exception from step 4 is thrown, set a breakpoint on the entry point of the mrxnet module with "bp mrxnet+2005". This sets a software breakpoint 0x2005 bytes past the base of the mrxnet module; as seen in step 6, the "address of entry point" of mrxnet.sys is 0x2005.
8) "g".
9) The VM should now stop at the entry point of the mrxnet module:

Screenshot of a debugger broken in mrxnet.sys

This is the disassembly of DriverEntry in mrxnet.sys as shown in IDA. Notice that it is the same as the disassembly in the WinDbg screenshot above.
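The "!dh" output above is nothing more than the PE headers of the driver read out of kernel memory, and the breakpoint in step 7 is just image base plus the AddressOfEntryPoint field. As an added example (not code from the original post), the Python below reads the same fields from a PE32 file on disk: machine type, entry point RVA, image base, the section table, and the CodeView "RSDS" debug record that carries the PDB path, then forms the module-relative "bp <module>+<entry>" expression. It also reports which section holds the entry point and whether that section is discardable, which the !dh output shows for INIT. So that it runs offline, the script builds a constructed minimal image in memory; the section layout, the zero GUID and the PDB path "b:\example\src\sample.pdb" in that image are made up for the example, while 0x2005 and 0x10000 are the values from the output above. Only PE32 (32-bit) images are handled.

```python
import struct

IMAGE_DEBUG_TYPE_CODEVIEW = 2     # IMAGE_DEBUG_DIRECTORY.Type for CodeView/RSDS records
IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index of the debug entry among the data directories
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000


def build_sample_pe():
    """Constructed minimal PE32 driver image (not a real file). Only the fields the
    parser reads are populated: entry point RVA 0x2005 and image base 0x10000 as in
    the !dh output, two sections, and one CodeView debug entry with a made-up PDB
    path and an all-zero GUID."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, 0xE0-byte optional header, characteristics 0x102
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                         # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2005)                   # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x10000)                  # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, 28)
    # Section table entries: (name, VirtualAddress, PointerToRawData, Characteristics)
    layout = [(b".rdata", 0x1000, 0x200, 0x48000040), (b"INIT", 0x2000, 0x400, 0xE2000020)]
    for i, (name, va, raw, chars) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + 40 * i,
                         name, 0x200, va, 0x200, raw, 0, 0, 0, 0, chars)
    # IMAGE_DEBUG_DIRECTORY at RVA 0x1000 (file 0x200) pointing at an RSDS record at RVA 0x1040 (file 0x240)
    struct.pack_into("<IIHHIIII", img, 0x200, 0, 0, 0, 0,
                     IMAGE_DEBUG_TYPE_CODEVIEW, 0x40, 0x1040, 0x240)
    pdb = b"b:\\example\\src\\sample.pdb\0"                        # constructed placeholder path
    img[0x240:0x244] = b"RSDS"                                      # signature; GUID bytes stay zero
    struct.pack_into("<I", img, 0x254, 1)                           # age
    img[0x258:0x258 + len(pdb)] = pdb
    return bytes(img)


def section_for_rva(rva, sections):
    """Return the section header whose virtual range contains the RVA, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["virtual_size"], s["raw_size"]):
            return s
    return None


def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset through the section table. The identity
    mapping seen in the !dh output (virtual address == file pointer) is not assumed."""
    s = section_for_rva(rva, sections)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    return rva - s["va"] + s["raw_ptr"]


def parse_pe(data):
    """Return the !dh-style facts needed for step 7: entry point, image base,
    section table and the PDB path from the CodeView debug record (if present)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "va": f[2], "raw_size": f[3],
                         "raw_ptr": f[4], "flags": f[9]})
    pdb_path = None
    if ndirs > IMAGE_DIRECTORY_ENTRY_DEBUG:
        dbg_rva, dbg_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
        if dbg_size:
            base = rva_to_offset(dbg_rva, sections)
            for off in range(base, base + dbg_size, 28):            # one IMAGE_DEBUG_DIRECTORY per 28 bytes
                dtype, _, _, raw_ptr = struct.unpack_from("<IIII", data, off + 12)
                # PointerToRawData is the on-disk location; a memory image would use AddressOfRawData instead
                if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and data[raw_ptr:raw_ptr + 4] == b"RSDS":
                    end = data.index(b"\0", raw_ptr + 24)           # skip signature(4) + GUID(16) + age(4)
                    pdb_path = data[raw_ptr + 24:end].decode("latin-1")
    entry_sec = section_for_rva(entry_rva, sections)
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "entry_va": image_base + entry_rva, "sections": sections, "pdb_path": pdb_path,
            "entry_section": entry_sec["name"] if entry_sec else None,
            "entry_in_code": bool(entry_sec and entry_sec["flags"] & IMAGE_SCN_CNT_CODE),
            "entry_discardable": bool(entry_sec and entry_sec["flags"] & IMAGE_SCN_MEM_DISCARDABLE)}


def windbg_breakpoint(info, module):
    """Form the module-relative breakpoint used in step 7, e.g. 'bp mrxnet+2005'."""
    return f"bp {module}+{info['entry_rva']:x}"


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for k, v in info.items():
        if k != "sections":
            print(f"{k:18} {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:18} {v}")
    print(windbg_breakpoint(info, "mrxnet"))
```

Pointing parse_pe at a real driver file instead of the constructed image gives the same fields !dh prints, so the breakpoint expression can be prepared before the module is ever loaded. Note that the entry point sits in a discardable section: the breakpoint in step 7 works because it is hit before the kernel frees INIT.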

4 comments:

  1. Also notice the string "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb". This was probably accidentally left in by the programmers. It is the path to the debug file containing the symbols for this executable. It gives insight into what the programmers might have called this project. Project Myrtus maybe?

  2. Nice, where can I find Stuxnet to do the same reversing?

    1. http://www.offensivecomputing.net/
      Here you go..
      This site is called OpenMalware, a database of live malware samples for CRE people.

  3. Hi thanks for reading. Can you send me your email address or tell me your twitter handle? We can discuss more.
