Analysis of “Heaven’s Gate” part 2

Overview

Required points

Getting process handle

Figure 1. Process tree
Figure 2. Search “OpenProcess” by text search
Figure 3. Search result of “OpenProcess” text search
Figure 4. Move EIP and set arguments
Figure 5. Result of OpenProcess

Getting thread handle

Figure 6. Properties of “svchost.exe(3656)”
Figure 7. Move EIP and set arguments
Figure 8. Result of OpenThread

Reference of malicious code

Figure 9. Move EIP and set arguments
Figure 10. Result of VirtualAlloc
Figure 11. Menu for loading a binary file
Figure 12. Select the file to load
Figure 13. Parameters for loading the file
Figure 14. Loaded data

Accurate execution of 64-bit code and attaching to the code of the injected svchost.exe

Figure 15. Set EIP to starting position
Figure 16. Calling NtAllocateVirtualMemory API
Figure 17. Calling NtWriteVirtualMemory API
Figure 18. Calling NtWriteVirtualMemory API (2)
Figure 19. Calling ResumeThread
Figure 20. Menu for attaching to a process
Figure 21. Select the process to attach
Figure 22. Set a breakpoint to stop the malware process
Figure 23. Process stopped at the breakpoint

Conclusion
