Question x32 dbg not showing strings

[barbarian1992]

Hi Everyone,

I am not an expert malware reverse engineering.

I have been struggling with one sample.

Opening it in ghidra shows me many usefull strings like "psexec", "mega login" (may be for data exfiltration)
But when i load the sample in x32dbg and try to search for strings (all modules) i cannot see the strings i saw in ghidra. (may be they are being dynamically generated)

My plan was to put a break point on them and try to analyze the stack and maybe figure our what it is doing.

Can anyone help me on how to find the strings??

 

[struppigel]

If you are able to find the code location where those strings are used in Ghidra, you can use those addresses to find the same code in x32dbg. Look at the memory map in x32dbg to determine the base address of the image, then rebase the image in Ghidra and the addresses should match in both.
Alternatively disable ASLR before you execute the sample in x32dbg.

It will be easier to help you if you share the sample.

 

[barbarian1992]

If you are able to find the code location where those strings are used in Ghidra, you can use those addresses to find the same code in x32dbg. Look at the memory map in x32dbg to determine the base address of the image, then rebase the image in Ghidra and the addresses should match in both.
Alternatively disable ASLR before you execute the sample in x32dbg.

It will be easier to help you if you share the sample.

Hi
Thanks for the reply
sure i will try it sure i will share the sample

 

[barbarian1992]

so in x32 dbg you can see we have no "mega"

 

[barbarian1992]

so in x32 dbg you can see we have no "mega"

but in ghidra we can see the string

 

[harlan4096]

@struppigel: please check the approval queue, direct links to malware are not allowed in forum

 

[struppigel]

I got the file, thanks. Sorry, I was not precise with my instructions regarding the sample sharing.

This file is a .NET library, which you can see if you put it into Detect it Easy.
x32dbg is not the right tool for debugging managed .NET applications.
Use DnSpy instead: Release v6.1.8 · dnSpy/dnSpy

There you also find the code with MEGA references. E.g. in csharp_streamer.CommandMEGA:

 

[barbarian1992]

Hi @struppigel
thanks for the reply
you are absolutely , i can see everything in dnspy
any reason why .net should not be analyzed in ghidra
i mean eventually everything boils down to assembly right??
sorry if the question is stupid
i am from pentest/source review back ground, so malware analysis is new to me

 

[barbarian1992]

one more thing
(may be i should open another topic for it because its not realted to strings)
when i execute the malware, it create a tcp connection to an ip ( i can see it in tcp view)
I wanted to find what Api it is using for that
i used Api monitor and its not showing me anything
i decided to use use frida-trace ( frida-trace -i "*http*" sample.exe)
it did not hook any function . I tried "tcp" but still nothing
any suggestion regarding that


basically i want to see what .net part of the code is responsible of making that connection, put a breakpoint on it and view the parameter
thanks for the help
highly appreciated

 

[barbarian1992]

Hi
So i figured out that one can view call stack in dnspy and locate the socket function called and but a break point on it

 

[struppigel]

Hi @struppigel
thanks for the reply
you are absolutely , i can see everything in dnspy
any reason why .net should not be analyzed in ghidra
i mean eventually everything boils down to assembly right??
sorry if the question is stupid
i am from pentest/source review back ground, so malware analysis is new to me

.NET is compiled to an intermediate language (IL), not machine code. x32dbg is not able to decompile or disassemble IL. It will show you initialization code of the .NET runtime instead but that is not what you want to analyse.
Ghidra might have capabilities to show IL assembly, I am not sure about that, I only know that IDA Pro can do that. But in that case you would have to tell it to do so.

 

[Trident]

@struppigel , is that a RAT that makes use of the mega.co.nz api client?

 

[struppigel]

I did not spend enough time to form a final verdict.

 

[barbarian1992]

.NET is compiled to an intermediate language (IL), not machine code. x32dbg is not able to decompile or disassemble IL. It will show you initialization code of the .NET runtime instead but that is not what you want to analyse.
Ghidra might have capabilities to show IL assembly, I am not sure about that, I only know that IDA Pro can do that. But in that case you would have to tell it to do so.

Thanks for the detailed reply
much appreciated
you are awesome