If you see a process launching a second copy of itself (CreateProcess on its own path, usually with CREATE_SUSPENDED so the child never runs its original code), it's possible process hollowing is occurring.
Use "API Monitor" freeware
set it to watch
- CreateProcess (check for the CREATE_SUSPENDED flag)
- WriteProcessMemory (kernel32) / NtWriteVirtualMemory (ntdll), the calls that copy the payload into the child
- ResumeThread
NtUnmapViewOfSection, VirtualAllocEx and SetThreadContext normally show up in between; seeing the whole sequence confirms the pattern.
Run, find the WriteProcessMemory call whose buffer looks like an EXE (starts with the MZ header). The first write is usually the PE headers, followed by one write per section, all copied from the same decrypted image in the parent's memory.
Set a breakpoint on WriteProcessMemory "before call"
Re-run the sample
Edit Buffer
Find the starting address (the lpBuffer parameter)
Open HxD, use its option to open the memory of a running process and attach to the process that is currently stopped at the breakpoint
Search for and find that starting address
Collapse the buffer view to find the start & end address. Don't guess the end from the surrounding bytes: the PE header tells you the size (last section's PointerToRawData + SizeOfRawData), and the end address is the start plus that size.
Select Block, edit the end address
Copy contents
Paste into a new HxD hex editor window
Save as a new EXE
Now you have the unpacked program!
Caveat: this works because the parent holds the payload in file layout before copying it. If you dump from the child's memory after the writes instead, the sections sit at their virtual addresses and the section headers need their raw offsets and sizes corrected before the file will load. Open the dump in a PE viewer and check the section table before trusting it.
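The end-address step above, as an added example that is not from the original post: a Python script that finds the MZ/PE header in a raw memory dump and computes where the file-layout image ends from its section table, so the block to copy out of HxD (or to write straight to disk) is known exactly. The sample "dump" is constructed inline (a minimal, non-functional PE32 layout between junk bytes), and the function names are my own.

```python
"""Carve a file-layout PE image out of a raw memory dump (added example).

Instead of working out the end of the WriteProcessMemory source buffer by
hand, locate the MZ/PE header and take the on-disk size from the section
table: largest PointerToRawData + SizeOfRawData. The sample dump below is
constructed so the script runs offline.
"""
import struct
import sys

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
COFF_FMT = "<HHIIIHH"                    # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"             # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def pe_raw_size(blob: bytes, off: int):
    """Return the on-disk size of the PE that starts at blob[off],
    or None if the bytes there are not a sane PE header."""
    if blob[off:off + 2] != DOS_MAGIC or off + 0x40 > len(blob):
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != PE_MAGIC:
        return None
    (_machine, n_sections, _ts, _psym, _nsym, opt_size, _chars) = \
        struct.unpack_from(COFF_FMT, blob, pe + 4)
    if not 1 <= n_sections <= 96:        # loader limit; also filters junk
        return None
    sect_tbl = pe + 4 + 20 + opt_size
    end = sect_tbl + n_sections * SECTION_SIZE   # at minimum the headers
    for i in range(n_sections):
        entry = sect_tbl + i * SECTION_SIZE
        if entry + SECTION_SIZE > len(blob):
            return None
        (_name, _vsize, _va, raw_size, raw_ptr, *_rest) = \
            struct.unpack_from(SECTION_FMT, blob, entry)
        if raw_size:                     # .bss-style sections have no raw data
            end = max(end, raw_ptr + raw_size)
    return end


def carve_pes(blob: bytes):
    """Return (start, end) offsets of every file-layout PE found in blob."""
    found, pos = [], 0
    while True:
        pos = blob.find(DOS_MAGIC, pos)
        if pos < 0:
            break
        size = pe_raw_size(blob, pos)
        if size is None:                 # stray "MZ" bytes, keep scanning
            pos += 1
            continue
        end = min(pos + size, len(blob)) # clipped if the dump is truncated
        found.append((pos, end))
        pos = end
    return found


def build_sample_pe() -> bytes:
    """Constructed PE32 layout (not a runnable program) used as test input."""
    dos = DOS_MAGIC + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 magic, rest zero
    sections = (
        struct.pack(SECTION_FMT, b".text\0\0\0", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
        + struct.pack(SECTION_FMT, b".data\0\0\0", 0x80, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    )
    headers = dos + PE_MAGIC + coff + opt + sections
    headers += b"\0" * (0x200 - len(headers))                    # pad headers to 0x200
    return headers + b"\x90" * 0x200 + b"\x41" * 0x200            # .text, .data raw data


SAMPLE_PE = build_sample_pe()
# Constructed "memory dump": junk, a stray "MZ" with no PE header behind it
# (must be skipped), the unpacked image, then more junk.
SAMPLE_DUMP = b"\x00" * 0x123 + b"MZ" + b"\xEE" * 0x20 + SAMPLE_PE + b"\xCC" * 0x77


if __name__ == "__main__":
    # Usage: carve_pe.py <dump.bin> <out_prefix>   (no args: run on SAMPLE_DUMP)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_DUMP
    for n, (s, e) in enumerate(carve_pes(data)):
        print(f"PE #{n}: offset 0x{s:X} .. 0x{e:X} ({e - s} bytes)")
        if len(sys.argv) == 3:
            with open(f"{sys.argv[2]}_{n}.exe", "wb") as out:
                out.write(data[s:e])
```

Run it against a dump of the parent's memory taken while it is stopped at the breakpoint and you get one file per carved image; the size check is the same one a PE viewer would apply, so an image whose computed end runs past the dump was not copied out whole.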