Hi, I'm new to this, so sorry for the stupid questions.
I'm analysing a piece of malware that is using a few anti debugging techniques.
The main tool that I'm currently using is IDA pro.
I'm at the point where the malware has created the explorer.exe.
So here are the steps that the malware is currently taking.
1. It's creating the explorer.exe process using CreateProcessInternalW
2. Next it creates a section using NTCreateSection.
3. Then it maps the section to itself using NTMapViewOfSection.
4. Then it copies itself into that new section using memcopy.
5. Then it does another mapviewofsection, but this time it maps it to the Eplorer.exe process.
6. Then it does some decryption into Explorer.exe section (I haven't confimed this yet).
7. Creates a thread using NTCreateThreadEx for the Explorer.exe process
8. Does some preprocessing then it resumes the thread using NtResumeThread.
I have a couple of questions.
How do you debug and/or trace the explorer.exe process when it does the NtResumeThread?
Every time I try it gives me a memory could not be written error.
What exactly does NTResumeThread do?
Looking at the stack before the call, it looks like it's resuming the thread that it created earlier.
I'm confused with the process vs a thread. The process is suspended when the thread is created in that process. When you resume the thread, does that actually start the process?
Is there some special reason why it's doing mapviewofsection twice?