There are several articles on internet about unpacking Packed Executables. Most demonstrate the ESP trick. This trick may not work in most packers. These days most malwares use custom packers which are created using some toolkit. You can find lot of malwares of such type like Zbot, SpyeEye, Cycbot.
How PE Packers work
PE Packers compress the PE sections or some other data using some compression algorithms like LZMA ,LZSS,APLIB etc. So to before the running the actual malicious code the packer would
1)Decompress the compressed code:
To do this usually it allocates some space using VirtualAlloc(),ZwAllocateVirtualMemory().Then it will decompress the data to the allocated memory.
2)Fixes the imports:
The imports are fixed so the malware can use the imported API’s . To resolve the import addresses it will use the API’ GetProcAddress() .
3)Jump to OEP:
Finally jumps to the OEP where the the actual malware code begins. Many malwares use multilevel packers.
How to Unpack:
We can set breakpoint on VirtualAlloc() first then after the breakpoint is hit we can remove the breakpoint on VirtualAlloc() and set breakpoint GetProcAddress().
We see that GetProcAddress() would be called repetedly in the loop. This loop is used to resolve all the API’s in the dll. We bypass the loop after that continue debugging.
After few lines of codes we will reach the OEP.
DEMO:
I have taken a sample of SpyEye for the demo.
I had set breakpoint on VirtualAlloc()
Then I set breakpoint on GetProcAddress() and break at the following
We see that getProcAddress is called in loop. We bypass the loop and little below u can see a jump seems like jump to OEP.
I follow the jump
This is another layer of packer .
The trick applies to most packers. May not work in case packers combined with protectors like asprotect.
Feel free to comment
iirc setting a breakpoint on ZwAllocateVirtualMemory can make things a bit more simpler. second packing uses ZwAllocateVirtualMemory rather than VirtualProtect
ReplyDeleteIt would be nice to have u on board in our team
ReplyDeleteThanks Regards
K5H
www.x-factor.in
This post is really nice and informative. The explanation given is really comprehensive and informative..
ReplyDeletePackers and Movers Sithalapakkam
Thanks for your post. Can I get the sample please ?
ReplyDelete