Question x32 dbg not showing strings

Please provide comments and solutions that are helpful to the author of this topic.

barbarian1992

New Member
Thread author
Jun 21, 2023
8
Hi Everyone,

I am not an expert malware reverse engineering.

I have been struggling with one sample.

Opening it in ghidra shows me many usefull strings like "psexec", "mega login" (may be for data exfiltration)
But when i load the sample in x32dbg and try to search for strings (all modules) i cannot see the strings i saw in ghidra. (may be they are being dynamically generated)

My plan was to put a break point on them and try to analyze the stack and maybe figure our what it is doing.

Can anyone help me on how to find the strings??
 
  • Like
Reactions: Nevi and upnorth

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
If you are able to find the code location where those strings are used in Ghidra, you can use those addresses to find the same code in x32dbg. Look at the memory map in x32dbg to determine the base address of the image, then rebase the image in Ghidra and the addresses should match in both.
Alternatively disable ASLR before you execute the sample in x32dbg.

It will be easier to help you if you share the sample.
 

barbarian1992

New Member
Thread author
Jun 21, 2023
8
If you are able to find the code location where those strings are used in Ghidra, you can use those addresses to find the same code in x32dbg. Look at the memory map in x32dbg to determine the base address of the image, then rebase the image in Ghidra and the addresses should match in both.
Alternatively disable ASLR before you execute the sample in x32dbg.

It will be easier to help you if you share the sample.
Hi
Thanks for the reply
sure i will try it sure i will share the sample
 

barbarian1992

New Member
Thread author
Jun 21, 2023
8
so in x32 dbg you can see we have no "mega"
 

Attachments

  • image_2023-06-21_193339249.png
    image_2023-06-21_193339249.png
    79.7 KB · Views: 188

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
I got the file, thanks. Sorry, I was not precise with my instructions regarding the sample sharing.

This file is a .NET library, which you can see if you put it into Detect it Easy.
x32dbg is not the right tool for debugging managed .NET applications.
Use DnSpy instead: Release v6.1.8 · dnSpy/dnSpy

There you also find the code with MEGA references. E.g. in csharp_streamer.CommandMEGA:

mega.png
 

barbarian1992

New Member
Thread author
Jun 21, 2023
8
Hi @struppigel
thanks for the reply
you are absolutely , i can see everything in dnspy :)
any reason why .net should not be analyzed in ghidra
i mean eventually everything boils down to assembly right??
sorry if the question is stupid
i am from pentest/source review back ground, so malware analysis is new to me:geek:
 
  • +Reputation
Reactions: kylprq

barbarian1992

New Member
Thread author
Jun 21, 2023
8
one more thing
(may be i should open another topic for it because its not realted to strings)
when i execute the malware, it create a tcp connection to an ip ( i can see it in tcp view)
I wanted to find what Api it is using for that
i used Api monitor and its not showing me anything
i decided to use use frida-trace ( frida-trace -i "*http*" sample.exe)
it did not hook any function . I tried "tcp" but still nothing
any suggestion regarding that


basically i want to see what .net part of the code is responsible of making that connection, put a breakpoint on it and view the parameter
thanks for the help
highly appreciated :)
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Hi @struppigel
thanks for the reply
you are absolutely , i can see everything in dnspy :)
any reason why .net should not be analyzed in ghidra
i mean eventually everything boils down to assembly right??
sorry if the question is stupid
i am from pentest/source review back ground, so malware analysis is new to me:geek:

.NET is compiled to an intermediate language (IL), not machine code. x32dbg is not able to decompile or disassemble IL. It will show you initialization code of the .NET runtime instead but that is not what you want to analyse.
Ghidra might have capabilities to show IL assembly, I am not sure about that, I only know that IDA Pro can do that. But in that case you would have to tell it to do so.
 

barbarian1992

New Member
Thread author
Jun 21, 2023
8
.NET is compiled to an intermediate language (IL), not machine code. x32dbg is not able to decompile or disassemble IL. It will show you initialization code of the .NET runtime instead but that is not what you want to analyse.
Ghidra might have capabilities to show IL assembly, I am not sure about that, I only know that IDA Pro can do that. But in that case you would have to tell it to do so.
Thanks for the detailed reply
much appreciated :)
you are awesome
 
  • Like
Reactions: struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top