 Hello, in this video I want to show you how to use the immunity debugger and jump to it to analyze the shell code that I extracted from the handset or Maldoc. So here on this machine I have the immunity debugger running, process explorer and also command line and they are all three running as elevated administrator. And here in the demo folder I have created a file that contains the 32-bit shell code followed by the encoded payload that is found in the document. So I'm going to use the jump to it utility to execute shell code in a process. So first you give it the file that contains the shell code, this file here. And this file, remember, not only the shell code but it also contains the payload. I need it to give the address where it needs to start, 1f9, hexadecimal and then when I launch it I don't want to run immediately the shell code I want it to pass so that I can attach the debugger and single step through it to do a dynamic analysis. So let's start this, and as you can see here jump to it was launched and here it is waiting. So I can now go to the immunity debugger and attach to the process, let me find it, here it is, jump to it, so attach. And now I run and I pass. And now when you pass, you pass in an endless loop, a jump short onto itself. This is the endless loop that is executed because of the pass argument that we gave it to it, the command line. And here in next instruction called edi, there the shell code will be executed. So I'm going to change the origin here and now we are going to single step through it like this. And now we are single stepping through the shell code. Now I'm not going to single step through all the shell code because here in the beginning it sets up the environment and looks up all the libraries and functions that it needs from the API. So I'm not going to show you that, but I'm going to show you some other interesting parts and I have some break points for that. So let me set those break points. So this is the first break point and I will really run to that first break point here. And now here you have a call to the function, the kernel 32 function, expand environment string. And the string that needs to be expanded is %10%, so the temp environment variable which represents a temporary folder and then 12345.exe. So let's run this. And this will look up the value and create a full part to that 12345.exe in the temporary folder. Now I'm showing you this because this is present in the shell code, but this value is later on never used in the shell code. So it's maybe something that remains from another version, but this here is not used in this shell code after this calculation. Now the next break point here and let's run. So the word document has the embedded payload which is an exe file which is encoded and embedded into the word document. The shell code has to find that embedded payload and it will do an egg hunt for this. And this is here this set of assembly instructions that will do this egg hunt. Here you have a call to isBot read pointer to locate memory segments that can be read and here it will actually look for the shell code, no not for the shell code for the egg hunt, for the payload doing an egg hunt and the egg hunt here, the keys that it has to find is starfall. So this here, those extra decimal characters here, they represent the string starfall. So I'm going to set also break points on this, break point here and a break point here and now I'm going to start to run. Okay I'm going to remove this break point because we know it is looping through the different memory segments to find readable memory. Okay we are past here now and I can show you here if I do a follow dump here, sorry one more. Let's run again, here you can see star and fall, those are the instructions, the operands to the instructions so this is looking for string starfall in memory. So let's remove this first break point now, this one here, okay and let's run, this running, okay nice past. Okay so it found somewhere in memory star and now it is checking if it finds fall, so let's work through this and the jump is not taken so it didn't actually find fall so let's continue to run and here now second time let's go look into the memory, okay here you can see starfall then a couple of bytes and then you can see here characters. This is actually the embedded payload which has been found by the shellcode, okay. So it has found the payload and now it will copy, it will allocate memory and it will copy that payload to the memory so that it can be decoded. So let me go to the next break point, so this one here, okay and let's start again, okay and now here so the payload has been copied into memory so that it can be decoded and that is what is going to happen here in this loop. So let's single step, okay here let's follow this in the dump, okay and here we have the payload and you will see when I single step to it that these characters here will be decoded. So first value 3 is added and then XOR with F is made and this character has now changed and this is done for every character in the payload, okay you can here see slowly the text that is changing and this is done in a loop and we can run till here so let me set the break point, this will do the complete decoding, okay so it has now been decoded and this is actually base 64 and this function here that will be called will do the base 64 decoding. So here we have base 64, let's execute this function and now you have the decoded payload and you can see here it starts with mz and here you can see this program cannot be run from those so this is actually an executable a PE file. So let's set the last break point because now we have the decoded payload into memory so what will happen next is a process replacement by the shellcode. So first a test is done to see if we are actually in a 32-bit process on a 64-bit machine but this is not the case here so in that case we are going to launch explorer.exe so an expand environment string for explorer.exe and then the next thing that happens here is create process to create that explorer.exe process in a suspended state and we can check this here in process explorer we have jumped to it and then if we step over the system called create process the explorer process is created here you have it and it is grayed out it means that it is suspended see suspended so explorer.exe has been started and next the shellcode will do the process replacement to replace the code of explorer.exe by the payload that has been decoded into memory so we get the thread context because we need to change the entry point then unmap view of section to unmap the code at this address which is the other the code of explorer and next a virtual lock of memory at that address where we want to write our payload code and then write process memory of the PE file header of the decoded payload that is in memory and then next the different sections of the PE file so this is the first called write process memory for the first section and you can see we loop here another call for the second section looping a third call for the third section of the PE file and then the last section the fourth section here write it to memory and the jump is not taken now so here now the shellcode has replaced the explorer.exe code by the payload and the payload has been decoded into memory and next a set thread context is called to set the new entry point and then next a resume thread is called and this will start the explorer.exe process so you can see here a fuel dll's loaded but if we do a resume thread like this the process starts to run different dll's all necessary sorry dll's here are loaded and now the payload is running inside the explorer.exe process and the shellcode here actually just returns it is finished