Recognizing Packed Malware and its Unpacking Approaches-Part 2
In Part 1 of this article series, we had a look at the ways to recognize packed executables and various ways to automate the unpacking process. In this article, we will look at the manual process of unpacking a packed malware specimen.
In the last article, we have seen how the malware specimen was packed with UPX, and we used UPX utility to unpack itself. But image if we have a custom packer for which there is no direct unpacker available. In those, we need to adopt the manual approach to reach the Original Code for further analysis.
Become a certified reverse engineer!
We know that when the program runs, its available in original code in memory so if we dump the memory of a packed running process then we can have what is called an unpacked specimen. We can use tools like Scylla, Import Fixer, etc. to dump the memory of a running process.
Below is a snapshot of Scylla where we must attach the active malware-specimen to it first to extract its memory contents. It should be running process. If we try to attach the process in the paused state and try to load IAT, then it cannot find any IAT at mentioned OEP. The Same error can be seen in red below in the screenshot. So, make sure the specimen is running in the debugger. Also, note that the OEP mentioned below need not be the actual OEP and we need to find the real value (More on this later)
After we run the process in a controlled environment, we can see the below success message "IAT found" w.r.t to OEP.
Once we have the IAT build up, we can click on Get Imports to get all the imports information that this specimen make calls to. We can see here that of them are in green, so we can just click on dump to dump a copy of this
However, there are few challenges to running dumped specimen
- The newly dumped process might have invalid or corrupted IAT. With tools like Scylla, we can auto-build the IAT.
- Even after fixing the IAT, the specimen might not be runnable because the Original Entry Point might not be pointing to the right address. Wait, Original Entry Point(OEP), what's that? There is an Entry Point mentioned in the PE header of a specimen which specifies the first instruction that should be executed. Since we are examining the packed malware specimen, the Entry Point will specify the unpacker code which should be first executed to unpack the program. OEP instead points to original code address.
To reach the OEP and dump the process from there, we will load the program into OllyDbg. Before loading makes sure to clear ASLR flag for specimen (For more detail on how to fix ASLR, see Part 1 of this article series). After that load the program into OllyDbg. While examining a UPX packed specimen lookout for a jump instruction followed by a lot of zeroes. Sometimes we must adopt a single step approach to finding out when the OEP starts but sometimes there are hints that we can use to see the call to OEP directly
- If the specimen is packed with UPX, then lookout for JMP instruction followed by lot of zeroes instructions
- Lookout for CALL EAX instruction since many packers stores the value of OEP into the EAX register.
- Lookout for stack pushes and clean because normally those will be cleaned before code gets transferred to OEP.
-
We could also face situations in which malicious author used TLS to execute the code before the OEP. In these cases, we need to make sure that we recognize these TLS callback functions and see the exact context of that TLS callback function. For example, it is possible that the TLS function might include techniques like process hollowing which could take our analysis to a different process(that have been hollowed) to see the contents of the new code that have been inserted.
Below is a screenshot of our specimen loaded into OllyDbg. Since we know that this specimen is UPX packed, so we need to look out for JMP before zeroes instructions.
This jmp instruction will indicate the end of the unpacking code. For controlled analysis set a breakpoint there. Any guesses what this address if? Yes, it is OEP.
Now since we know this can be the actual OEP, we can dump the contents using OllyDBG dump utility. Below is a screenshot for the same. We need to click on "Get EIP as OEP" to replace the Entry Point value.
After that click, Dump and OllyDbg will ask you for the confirmation with all the changes mentioned.
Now still we need to fix the IAT and import tables, so open Scylla and attach the malware specimen to it again. Replace the OEP value with what we have discovered above. Then click on "Get Imports."
Once all the Imports are resolved, click on Fix Dump and point to the process we dumped from OllyDbg. A new process will be created with SCY name appended to the dumped process. This new process is now runnable, and we can now perform static, dynamic and code analysis on it.
So in this article, we have seen that how we have used Scylla and OllyDBG to find OEP, fix IAT and imports to create a running unpacked process.
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Recognizing Packed Malware and its Unpacking Approaches-Part 2
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis