Practical Malware Analysis - Lab 18 =================================== Your goal for the labs in this chapter is simply to unpack the code for further analysis. For each lab, you should try to unpack the code so that other static analysis techniques can be used. While you may be able to find an automated unpacker that will work with some of these labs, automated unpackers won’t help you learn the skills you need when you encounter custom packers. Also, once you master unpacking, you may be able to manually unpack a file in less time than it takes to find, download, and use an automated unpacker. Each lab is a packed version of a lab from a previous chapter. Your task in each case is to unpack the lab and identify the chapter in which it appeared. The files are Lab18-01.exe through Lab18-05.exe. Lab 18-1 -------- Openning it in exeinfo we see it is packed with UPX so we could unpack it with :: UPX -d file.exe .. image:: 1q1.png but i will unpack it manually, Open it in IDA we get this .. image:: 1q2.png It has very few libraries (as it is packed) with one standing out urlmon and since it is using VirtualAlloc we can use it for hardware read breakpoint for the place in memory it will write the malware to .. image:: 1q5.png the urlmon is used in a packed section .. image:: 1q6.png The graph view of the unpacking stub is dreadful, i will look for the tail jumps .. image:: 1q3.png Something interesting a jump for location over 0x8000 away, also before it some weird instructions (like cmp esp,eax), so this is likely our tail jump opening in x32dbg to test it .. image:: 1q4.png The unpacking stub started with pushad, looking at the stack see interesting memory address setting another hardware read breakpoint there (first on the stack click read memory in dump then in dump set the breakpoint) .. image:: 1q7.png We arrive near out suspected tail jump .. image:: 1q9.png and here is the memory dump,(notice at stack there is MZ which is the start of exe file) .. image:: 1q8.png opening scylla plugin in x32dbg then type memory that will be jumped to as our OEP and then click on IAT Autosearch (to autosearch for IAT import address table) .. image:: 1q10.png clicking yes, it was successful .. image:: 1q11.png Then click Get imports then clicking Dump .. image:: 1q12.png we find our malware functional with full imports .. image:: 1q13.png the malware is the same as Lab14-01.exe .. image:: 1q14.png Lab 18-2 -------- Running the malware in peid we see it is packed with FSG 1.0 .. image:: 1q15.png looking at imports .. image:: 1q16.png since i didnt notice a tail jump, i will follow the getprocadress breakpoint technique, setting bp at getprocadress in x32dbg then work backwards to find the OEP (as that function is used for getting addresses of the libraries that will be used), i also set another breakpoint at this pushed memory address .. image:: 2q1.png .. image:: 2q2.png We hit the hardware read breakpoint .. image:: 2q3.png suspecting this maybe our OEP but no it failed to IAT auto search .. image:: 2q4.png Looks like this isn't the memory we want, so keep running till we find our break at getprocadress .. image:: 2q5.png Reading the around code we find some pushed data (with MZ the start of exe file) then calling an address suspecting that may be our OEP .. image:: 2q11.png we find our Lab07-02.exe but with wrong entry point .. image:: 2q12.png Using ollydbg, we can easily just find OEP by section hop trace over, then dump debugged process .. image:: 2q14.png and we get the same exe .. image:: 2q15.png Lab 18-3 -------- In peid it is packed using PECompact .. image:: 3q1.png Imports the libraries i will break GetProcAddress and VirtualAlloc .. image:: 3q2.png opening it in x32dbg, at the start we see pushad .. image:: 3q4.png In the stack, i set bp at 18FF7C at the stack, and 7EFDE000, 76F43368 in memory .. image:: 3q3.png our bp at 18FF7C is hit (with popad) .. image:: 3q11.png Hitting we step over we get this which is likely our OEP (as retn pops what is on stack then jumps to it) .. image:: 3q12.png we can dump it with scylla but Imports failed to get it .. image:: 3q13.png Going over breakpoint GetProcAddress we can get the imports, found also its place in memory .. image:: 3q7.png and we get the Lab09-02.exe .. image:: 3q10.png Lab 18-4 -------- exeinfo shows it is packed with Aspack v2.12 .. image:: 4q2.png imports shows quite important information .. image:: 4q1.png I set bp at GetProcAddress as usual, we get hit before entrypoint .. image:: 4q3.png and here it is preparing imports for the packed malware .. image:: 4q4.png and we can see where it is getting its data from the stack .. image:: 4q6.png Then we hit our entrypoint with pushad .. image:: 4q7.png so i set hardware breakpoint on that unusual memory in the stack when it is popped .. image:: 4q8.png we get a hit .. image:: 4q9.png Stepping over we see our tail jump .. image:: 4q10.png Trying scylla here with the jump address but fail .. image:: 4q11.png Viewing it in memory (we could dump it from here) .. image:: 4q13.png Stepping over the retn so we go to our tail jump then try scylla .. image:: 4q14.png dumped, we see the same exe as Lab09-01.exe .. image:: 4q15.png Lab 18-5 -------- DIE shows it is packed with UPACK .. image:: 5q1.png PStudio shows zero imports .. image:: 5q2.png We hit the entrypoint with a few pushes .. image:: 5q3.png adding hardware breakpoint at those stack addresses (waiting for pop for the unpacking stub to finish) .. image:: 5q4.png .. image:: 5q5.png we hit one of breakpoints .. image:: 5q6.png Stepping over we see Something interesting pushing ebx then calling ebp .. image:: 5q7.png Looking at ebx .. image:: 5q8.png calling scylla on that address .. image:: 5q9.png but we get incomplete exe so returning to x32 for next breakpoint .. image:: 5q10.png calling scylla for that memory address .. image:: 5q11.png it is the same as Lab07-01.exe .. image:: 5q12.png