Many tricks can be devised to unpack malware. This trick is applicable to
malware that overwrites its own image header while unpacking.
sample used:
sha1:320fe97d257b99edb4089daea01fce31a13eabaa850ccae9e8b7e59342cb31c7
md5:dca9106dc8556f9a15d7e18b4fad5d44
This is an Armadillo packer. Let's check the PE header of the packed file. You can use tools like CFF Explorer, Hiew and many others.
Fig: PE header - entry point 0x1D16
Now load the file in Ollydbg.
Place a breakpoint on ExitProcess()
Press F9 to execute. Allow the sample to execute until it hits ExitProcess so that it unpacks. You can check the memory strings in Process Explorer to see
if the sample has unpacked; you would see a difference from the static strings.
Fig: memory string in process Explorer
Now dump the header from memory. I have used Process Hacker for the purpose; other tools can also be used.
Fig: Process Hacker dump header from memory
Now look at the entry point in the dumped header.
Fig: dumped header EP - 0x4C00
The image base of the process when loaded in Olly is 0x400000.
Restart OllyDbg and set a hardware breakpoint on execute at 0x404C00 (image base + RVA of EP in the unpacked header: 0x400000 + 0x4C00).
Fig: ollydbg set hardware breakpoint on expected OEP
Now press F9 to execute.
Bam! You land at the actual OEP. You can see meaningful code at that point.
Fig: OllyDbg breaks at OEP
Now you can dump the unpacked file and analyse it. OllyDumpEx is one of the best options for dumping; you need not fix imports if you use it.
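The arithmetic above (expected OEP = image base + AddressOfEntryPoint from the dumped header) is easy to get wrong by hand, so here is an added example, not part of the original post, that reads both values straight out of a PE header blob such as the one Process Hacker dumps. The header bytes it works on are constructed inline with the post's values (packed EP 0x1D16, dumped EP 0x4C00, image base 0x400000); the function names and the sample builder are my own. It also handles PE32+ headers, where ImageBase is 8 bytes at a different offset, and lets you pass the base actually observed in the debugger in case the loader relocated the image.

```python
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_minimal_pe(image_base, entry_point_rva, pe32plus=False):
    """Constructed sample data for this example: a bare MZ/PE header with
    only the fields the parser reads filled in. Not a loadable file."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew -> PE signature

    opt_size = 240 if pe32plus else 224
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)

    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point_rva)  # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)   # ImageBase (8 bytes)
    else:
        struct.pack_into("<I", opt, 28, image_base)   # ImageBase (4 bytes)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


def parse_entry_point(header):
    """Return (ImageBase, AddressOfEntryPoint) from a PE header blob.
    Raises ValueError on anything that is not a plausible PE header."""
    if header[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    if header[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", header, opt)[0]
    ep_rva = struct.unpack_from("<I", header, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", header, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", header, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    return image_base, ep_rva


def expected_oep_va(dumped_header, runtime_image_base=None):
    """Virtual address to put the hardware breakpoint on. If the debugger
    shows the image loaded at a different base than the header says
    (relocation), pass that base as runtime_image_base."""
    image_base, ep_rva = parse_entry_point(dumped_header)
    base = image_base if runtime_image_base is None else runtime_image_base
    return base + ep_rva


def header_was_rewritten(packed_header, dumped_header):
    """True when the entry point in the in-memory header differs from the one
    on disk, i.e. the packer overwrote its image header while unpacking."""
    return parse_entry_point(packed_header)[1] != parse_entry_point(dumped_header)[1]


if __name__ == "__main__":
    packed = build_minimal_pe(0x400000, 0x1D16)   # header as seen on disk
    dumped = build_minimal_pe(0x400000, 0x4C00)   # header as dumped from memory
    print("header rewritten:", header_was_rewritten(packed, dumped))
    print("set hardware bp on execute at 0x%X" % expected_oep_va(dumped))
```

Running it reproduces the post's numbers: the entry point changed from 0x1D16 to 0x4C00 and the breakpoint address comes out as 0x404C00. The comparison function is the quick check for whether this trick applies at all: if the dumped header still carries the packed entry point, the packer did not rewrite it and a different approach is needed.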
Hope this helps .
nice post abhijit!

how to get a malware sample?!

This was an old sample I got from the wild. You can try the same on packers from tuts4you or get samples from malwr.