
Friday, March 3, 2017

Unpacking Malware in minutes

Many tricks can be devised to unpack malware. This trick applies to malware that overwrites its own image header while unpacking.
sample used:
This sample is packed with the Armadillo packer. Let's check the PE header of the packed file. You can use tools like CFF Explorer, Hiew and many others.

Fig: PE header, entry point 0x1D16

Now load the file in OllyDbg.
Place a breakpoint on ExitProcess().
Press F9 to execute. Allow the sample to run until it hits ExitProcess so that it unpacks. You can check the memory strings in Process Explorer to see
whether the sample has unpacked. You would see a difference in static

Fig: memory strings in Process Explorer

Now dump the header from memory. I have used Process Hacker for this purpose; other tools can also be used.

Fig: Process Hacker, dump header from memory

Now look at the entry point in the dumped header.

Fig: dumped header EP 0x4C00

The image base of the process when loaded in Olly is 0x400000.
Restart OllyDbg and set a hardware breakpoint on execute at 0x404C00 (image base + RVA of the EP in the unpacked header: 0x400000 + 0x4C00).
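The header comparison and address arithmetic above can be scripted. The following is an added example, not code from the original post: it reads AddressOfEntryPoint and ImageBase from a raw PE header (the on-disk file and the header dumped from memory), flags that the packer rewrote the entry point, and computes the VA for the hardware breakpoint from the base observed in the debugger. The headers below are constructed minimal PE32 headers for offline testing, not the real sample; the function names are my own.

```python
import struct
from typing import Optional

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def parse_pe_header(data: bytes) -> dict:
    """Read e_lfanew, AddressOfEntryPoint and ImageBase from a raw PE header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE\0\0 and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return {"entry_rva": entry_rva, "image_base": image_base}

def expected_oep(disk_header: bytes, dumped_header: bytes,
                 loaded_base: Optional[int] = None) -> dict:
    """Compare the packed EP with the EP in the dumped header and give the breakpoint VA.
    loaded_base is the base seen in the debugger; it may differ from the header's ImageBase
    if the image was relocated, so prefer the observed value when you have it."""
    disk, dumped = parse_pe_header(disk_header), parse_pe_header(dumped_header)
    base = loaded_base if loaded_base is not None else dumped["image_base"]
    return {
        "disk_ep": disk["entry_rva"],
        "dumped_ep": dumped["entry_rva"],
        "header_rewritten": disk["entry_rva"] != dumped["entry_rva"],
        "breakpoint_va": base + dumped["entry_rva"],
    }

def make_header(entry_rva: int, image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 header (test data, not a real binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional hdr
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 0, 0, 0, 0, 0, entry_rva, 0, 0, image_base)
    return dos + b"PE\0\0" + coff + opt + bytes(224 - len(opt))

if __name__ == "__main__":
    r = expected_oep(make_header(0x1D16), make_header(0x4C00), loaded_base=0x400000)
    print(f"packed EP 0x{r['disk_ep']:X}, dumped EP 0x{r['dumped_ep']:X}, "
          f"set HW breakpoint at 0x{r['breakpoint_va']:X}")
```

Feed it the real file and the header dumped by Process Hacker with `open(path, "rb").read()` in place of the constructed headers.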

Fig: OllyDbg, set hardware breakpoint on expected OEP

Now press F9 to execute.
Bam! You land at the actual OEP. You can see meaningful code at that point.

Fig: OllyDbg breaks at OEP

Now you can dump the unpacked file and analyse it. OllyDumpEx is one of the best options for dumping; you need not fix imports if you do that.
Hope this helps.