Run the malware under x64dbg.
Set a breakpoint on VirtualAlloc:
BPX VirtualAlloc
Once the breakpoint hits, look in the call stack for the last user-code frame.
Go there and set a breakpoint on the line right after the VirtualAlloc call in user code.
Once that breakpoint hits, look at the EAX value (RAX in a 64-bit process): it is the newly allocated address.
Follow EAX's value in the dump.
Then F8 (step over) one line at a time until you see data appear in the dump.
It could be data (like IP addresses) or it could be a full executable (MZ header).
If it's an executable (MZ header), right-click and choose "Follow in Memory Map".
Then, in the Memory Map, right-click the address and select "Dump Memory to File".
Open the newly dumped EXE in PE-bear.
If the .text section is all 0s:
go to the Section Hdrs tab and change every Raw Addr to match its Virtual Addr;
then go to the Optional Hdr tab and change Image Base to the address shown for that region in the x64dbg Memory Map.
Then open it in pestudio and the EXE should look normal now: unpacked, with URLs, IPs, IOCs, etc.
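The PE-bear edits above (Raw Addr := Virtual Addr, Image Base := the Memory Map address) can be scripted for dumps with many sections. The following is an added example, not code from the original notes or from PE-bear; it also sets each section's raw size to its virtual size, which the notes leave implicit, and builds a constructed, labelled stand-in dump so it runs offline.

```python
import struct

def pe_layout(data):
    """Parse just enough of a PE header to find ImageBase and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no MZ/PE signature)")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: ImageBase is a DWORD at +28
        base_off, base_fmt = opt + 28, "<I"
    elif magic == 0x20B:                      # PE32+: ImageBase is a QWORD at +24
        base_off, base_fmt = opt + 24, "<Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec = opt + struct.unpack_from("<H", data, e_lfanew + 20)[0]   # + SizeOfOptionalHeader
    sections = []
    for i in range(nsec):                     # each IMAGE_SECTION_HEADER is 40 bytes
        h = sec + i * 40
        vsize, vaddr, rsize, raddr = struct.unpack_from("<IIII", data, h + 8)
        sections.append({"off": h, "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "raddr": raddr})
    return {"base_off": base_off, "base_fmt": base_fmt, "sections": sections}

def image_base(data):
    lay = pe_layout(data)
    return struct.unpack_from(lay["base_fmt"], data, lay["base_off"])[0]

def realign_dumped_pe(data, mapped_at):
    """Same edits as the PE-bear steps: Raw Addr := Virtual Addr (and Raw Size := Virtual Size),
    ImageBase := the address the dumped region was mapped at in x64dbg."""
    buf = bytearray(data)
    lay = pe_layout(buf)
    struct.pack_into(lay["base_fmt"], buf, lay["base_off"], mapped_at)
    for s in lay["sections"]:                 # SizeOfRawData at +16, PointerToRawData at +20
        struct.pack_into("<II", buf, s["off"] + 16, s["vsize"], s["vaddr"])
    return bytes(buf)

def build_sample_image():
    """Constructed stand-in for a memory dump (not a real sample): a PE32 with one .text
    section whose code sits at its RVA 0x1000 while the header still says raw offset 0x400."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlign, FileAlign
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    img = bytearray(0x2000); hdr = bytes(dos) + coff + bytes(opt) + text; img[:len(hdr)] = hdr
    img[0x1000:0x1004] = b"\xC3\x90\x90\x90"  # code lives at its RVA, as in a dumped region
    return bytes(img)
```

For a real dump, read the file from "Dump Memory to File", call realign_dumped_pe with the region's start address from the Memory Map, and write the result out before opening it in pestudio.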