Recognizing Packed Malware and its Unpacking Approaches-Part 2
In Part 1 of this article series, we had a look at the ways to recognize packed executables and various ways to automate the unpacking process. In this article, we will look at the manual process of unpacking a packed malware specimen.
In the last article, we have seen how the malware specimen was packed with UPX, and we used UPX utility to unpack itself. But image if we have a custom packer for which there is no direct unpacker available. In those, we need to adopt the manual approach to reach the Original Code for further analysis.
Become a certified reverse engineer!
We know that when the program runs, its available in original code in memory so if we dump the memory of a packed running process then we can have what is called an unpacked specimen. We can use tools like Scylla, Import Fixer, etc. to dump the memory of a running process.
Below is a snapshot of Scylla where we must attach the active malware-specimen to it first to extract its memory contents. It should be running process. If we try to attach the process in the paused state and try to load IAT, then it cannot find any IAT at mentioned OEP. The Same error can be seen in red below in the screenshot. So, make sure the specimen is running in the debugger. Also, note that the OEP mentioned below need not be the actual OEP and we need to find the real value (More on this later)
After we run the process in a controlled environment, we can see the below success message "IAT found" w.r.t to OEP.
Once we have the IAT build up, we can click on Get Imports to get all the imports information that this specimen make calls to. We can see here that of them are in green, so we can just click on dump to dump a copy of this
However, there are few challenges to running dumped specimen
- The newly dumped process might have invalid or corrupted IAT. With tools like Scylla, we can auto-build the IAT.
- Even after fixing the IAT, the specimen might not be runnable because the Original Entry Point might not be pointing to the right address. Wait, Original Entry Point(OEP), what's that? There is an Entry Point mentioned in the PE header of a specimen which specifies the first instruction that should be executed. Since we are examining the packed malware specimen, the Entry Point will specify the unpacker code which should be first executed to unpack the program. OEP instead points to original code address.
To reach the OEP and dump the process from there, we will load the program into OllyDbg. Before loading makes sure to clear ASLR flag for specimen (For more detail on how to fix ASLR, see Part 1 of this article series). After that load the program into OllyDbg. While examining a UPX packed specimen lookout for a jump instruction followed by a lot of zeroes. Sometimes we must adopt a single step approach to finding out when the OEP starts but sometimes there are hints that we can use to see the call to OEP directly
- If the specimen is packed with UPX, then lookout for JMP instruction followed by lot of zeroes instructions
- Lookout for CALL EAX instruction since many packers stores the value of OEP into the EAX register.
- Lookout for stack pushes and clean because normally those will be cleaned before code gets transferred to OEP.
We could also face situations in which malicious author used TLS to execute the code before the OEP. In these cases, we need to make sure that we recognize these TLS callback functions and see the exact context of that TLS callback function. For example, it is possible that the TLS function might include techniques like process hollowing which could take our analysis to a different process(that have been hollowed) to see the contents of the new code that have been inserted.
Below is a screenshot of our specimen loaded into OllyDbg. Since we know that this specimen is UPX packed, so we need to look out for JMP before zeroes instructions.
This jmp instruction will indicate the end of the unpacking code. For controlled analysis set a breakpoint there. Any guesses what this address if? Yes, it is OEP.
Now since we know this can be the actual OEP, we can dump the contents using OllyDBG dump utility. Below is a screenshot for the same. We need to click on "Get EIP as OEP" to replace the Entry Point value.
After that click, Dump and OllyDbg will ask you for the confirmation with all the changes mentioned.
Now still we need to fix the IAT and import tables, so open Scylla and attach the malware specimen to it again. Replace the OEP value with what we have discovered above. Then click on "Get Imports."
Once all the Imports are resolved, click on Fix Dump and point to the process we dumped from OllyDbg. A new process will be created with SCY name appended to the dumped process. This new process is now runnable, and we can now perform static, dynamic and code analysis on it.
So in this article, we have seen that how we have used Scylla and OllyDBG to find OEP, fix IAT and imports to create a running unpacked process.