/*
 * Decompiler output: allocate a 0x14-byte block, fill it in, create an event
 * and a thread that is handed the block, and return the block (0 on failure).
 *
 * Block contents as written below, viewed as five 32-bit slots:
 *   dword[0]  passed to createthread as its last argument
 *             (presumably the thread-id out-parameter; confirm)
 *   dword[1]  value returned by createthread
 *   dword[2]  value returned by createeventa
 *   dword[3]  a2
 *   dword[4]  a3
 *
 * NOTE(review): in this variant a1 arrives in eax (__userpurge ... <eax>) and
 * is only copied into v12; a4 is never referenced. The thread start routine
 * is v16, a [bp+0h] slot that this function never assigns. It reads like a
 * stack argument the decompiler failed to recover, so the prototype shown
 * here should not be trusted without checking the disassembly.
 */
HGLOBAL __userpurge Global_alloc_Then_Create_Thread<eax>(int a1<eax>, int a2, int a3, int a4) {
  hglobal v4;     // eax@1
  hglobal v5;     // esi@1
  handle v6;      // eax@2
  handle v7;      // eax@4
  char v9;        // [sp-28h] [bp-2ch]@1
  hglobal v10;    // [sp-20h] [bp-24h]@1
  char *v11;      // [sp-1ch] [bp-20h]@1
  int v12;        // [sp-10h] [bp-14h]@1
  int (*v13)[66]; // [sp-ch] [bp-10h]@1
  int v14;        // [sp-8h] [bp-ch]@1
  signed int v15; // [sp-4h] [bp-8h]@1

  dword (__stdcall *v16)(lpvoid); // [sp+4h] [bp+0h]@4

  // v15, v13, v12, v11, v10 and v14 are written but never read in this
  // listing. They look like a stack-frame set-up (possibly an exception
  // handler record) rather than program logic. TODO confirm.
  v15 = -1;
  v13 = off_9b8cbd;
  v12 = a1;
  v11 = &v9;
  v10 = 0;
  v14 = 0;
  // Request 0x14 (20) bytes; v5 keeps the pointer for the rest of the function.
  v4 = call_global_alloc(0x14u);
  v5 = v4;
  v10 = v4;
  if ( v4 ) {
    // Clear all five slots, then store the two caller-supplied values.
    *(_dword *)v4 = 0;
    *((_dword *)v4 + 1) = 0;
    *((_dword *)v4 + 2) = 0;
    *((_dword *)v4 + 3) = 0;
    *((_dword *)v4 + 4) = 0;
    *((_dword *)v4 + 3) = a2;
    *((_dword *)v4 + 4) = a3;
    // Event created with all-zero arguments; its handle goes into dword[2].
    v6 = createeventa(0, 0, 0, 0);
    *((_dword *)v5 + 2) = v6;
    // Both 0 and -1 are treated as failure; nothing to close yet, so jump
    // straight to the free.
    if ( !v6 || v6 == (handle)-1 )
      goto label_7;
    // The block itself is the thread parameter and also the last argument.
    // NOTE(review): the flags argument is 0 and dword[1] is stored only after
    // the call returns, so if this is Win32 CreateThread the new thread may
    // run before its own handle is in the block. Verify what v16 reads.
    v7 = createthread(0, 0, v16, v5, 0, (lpdword)v5);
    *((_dword *)v5 + 1) = v7;
    if ( !v7 || v7 == (handle)-1 ) {
      // Thread creation failed: release the event, then fall into the
      // shared cleanup that frees the block and returns 0.
      closehandle(*((handle *)v5 + 2));
label_7:
      call_globalfree(v5);
      v5 = 0;
      v10 = 0;
      return v5;
    }
  }
  // Success returns the block; a failed allocation returns the 0 held in v5.
  return v5;
}
 
// 9abf08: could not find valid save-restore pair for ebx
// 9b8cbd: using guessed type int (*off_9b8cbd)[66];

/*
 * Same routine with a three-argument __CDECL prototype: allocate a 0x14-byte
 * block, fill it in, create an event and a thread running a1 with the block
 * as its parameter, and return the block (0 on any failure).
 *
 * Block contents as written below, viewed as five 32-bit slots:
 *   dword[0]  passed to createthread as its last argument
 *             (presumably the thread-id out-parameter; confirm)
 *   dword[1]  value returned by createthread
 *   dword[2]  value returned by createeventa
 *   dword[3]  a2
 *   dword[4]  a3
 *
 * NOTE(review): the listing has no return type before __CDECL, and v8 is
 * assigned without a declaration. Both look like leftovers from hand-editing
 * the decompiler output, so treat this as pseudocode, not compilable C.
 */
__CDECL Global_alloc_Then_Create_Thread(dword (__stdcall *a1)(lpvoid), int a2, int a3) {
  hglobal v3;   // eax@1
  hglobal v4;   // esi@1
  handle v5;   // eax@2
  handle v6;   // eax@4

  // v8 is never declared or read in this listing.
  v8 = 0;
  // Request 0x14 (20) bytes; v4 keeps the pointer for the rest of the function.
  v3 = call_global_alloc(0x14u);
  v4 = v3;
  if ( v3 ) {
    // Clear all five slots, then store the two caller-supplied values.
    *(_dword *)v3 = 0;
    *((_dword *)v3 + 1) = 0;
    *((_dword *)v3 + 2) = 0;
    *((_dword *)v3 + 3) = 0;
    *((_dword *)v3 + 4) = 0;
    *((_dword *)v3 + 3) = a2;
    *((_dword *)v3 + 4) = a3;
    // Event created with all-zero arguments; its handle goes into dword[2].
    v5 = createeventa(0, 0, 0, 0);
    *((_dword *)v4 + 2) = v5;
    // Both 0 and -1 are treated as failure; nothing to close yet, so jump
    // straight to the free.
    if ( !v5 || v5 == (handle)-1 )
      goto label_7;
    // a1 is the start routine; the block is both the thread parameter and
    // the last argument.
    // NOTE(review): the flags argument is 0 and dword[1] is stored only after
    // the call returns, so if this is Win32 CreateThread the new thread may
    // run before its own handle is in the block. Verify what a1 reads.
    v6 = createthread(0, 0, a1, v4, 0, (lpdword)v4);
    *((_dword *)v4 + 1) = v6;
    if ( !v6 || v6 == (handle)-1 ) {
      // Thread creation failed: release the event, then fall into the
      // shared cleanup that frees the block.
      closehandle(*((handle *)v4 + 2));
label_7:
      call_globalfree(v4);
      return 0;
    }
  }
  // Success returns the block; a failed allocation returns the 0 held in v4.
  return v4;
}
 
SOURCE LISTING 1:  Obfuscation Example


 







Acknowledgements

  This material is based upon work supported through the U.S. Army Research Office under the Cyber-TA Research Grant No. W911NF-06-1-0316 and by the National Science Foundation, Grant No. CNS-07-16612. The views expressed in this document are those of the authors and do not necessarily represent the official position of the sponsors.