Friday, March 3, 2017

Unpacking Malware in minutes

Many tricks can be devised to unpack malware. This trick applies to malware that overwrites its own image header while unpacking.
Sample used:
sha1:320fe97d257b99edb4089daea01fce31a13eabaa850ccae9e8b7e59342cb31c7
md5:dca9106dc8556f9a15d7e18b4fad5d44
The sample is packed with the Armadillo packer. Let's check the PE header of the packed file. You can use tools like CFF Explorer, Hiew and many others.

Fig: PE header, entry point 0x1D16

Now load the file in OllyDbg.
Place a breakpoint on ExitProcess().
Press F9 to execute. Allow the sample to run until it hits ExitProcess so that it unpacks. You can check the memory strings in Process Explorer to see if the sample has unpacked. You would see a difference in static

Fig: memory strings in Process Explorer

Now dump the header from memory. I have used Process Hacker for the purpose. Other tools can also be used.

Fig: Process Hacker, dumping the header from memory

Now look at the entry point in the dumped header.

Fig: dumped header, EP 0x4C00

The image base of the process when loaded in OllyDbg is 0x400000.
Restart OllyDbg and set a hardware breakpoint on execution at 0x404C00 (image base + RVA of the EP in the unpacked header: 0x400000 + 0x4C00).

Fig: OllyDbg, setting a hardware breakpoint on the expected OEP

Now press F9 to execute.
Bam! You land at the actual OEP. You can see meaningful code at this point.

Fig: OllyDbg breaks at the OEP

Now you can dump the unpacked file and analyse it. OllyDumpEx is one of the best options to unpack. You need not fix imports if you do that.
Hope this helps.
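The header comparison and breakpoint arithmetic from the steps above, as an added example that is not part of the original post. The function names are hypothetical, and the two headers built by `make_header` are constructed stand-ins that carry only the entry-point and image-base values shown in the figures.

```python
import struct

def parse_pe_header(data: bytes) -> dict:
    """Return AddressOfEntryPoint and ImageBase from raw PE header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip signature and IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:               # PE32: 4-byte ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:             # PE32+: 8-byte ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"entry_rva": entry_rva, "image_base": image_base}

def expected_oep(disk_hdr: bytes, mem_hdr: bytes, loaded_base=None):
    """VA for the hardware breakpoint, or None if the EP was not rewritten."""
    disk, mem = parse_pe_header(disk_hdr), parse_pe_header(mem_hdr)
    if disk["entry_rva"] == mem["entry_rva"]:
        return None                  # header unchanged: this trick does not apply
    base = loaded_base if loaded_base is not None else mem["image_base"]
    return base + mem["entry_rva"]

def make_header(entry_rva, image_base=0x400000):
    """Constructed minimal PE32 header (sample data, not the real file)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    return bytes(hdr)

if __name__ == "__main__":
    packed = make_header(0x1D16)     # EP seen in the on-disk header
    dumped = make_header(0x4C00)     # EP seen in the header dumped from memory
    print(hex(expected_oep(packed, dumped, loaded_base=0x400000)))
```

Pass the base address the debugger reports as `loaded_base`, since a relocated image will not sit at the ImageBase stored in the header.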

3 comments:

  1. This was an old sample I got from the wild. You can try the same on packers from tuts4you or get samples from malwr
