Monday, April 26, 2021

Using PE-SIEVE to unpack malware

Just practicing unpacking malware with this sample:

http://dreamofareverseengineer.blogspot.com/2017/03/unpacking-malware-in-minutes.html?m=1

MD5: dca9106dc8556f9a15d7e18b4fad5d44


What worked was using x64dbg.

Set a breakpoint on CreateProcessInternalW.

If I ran a few lines past this I saw a child process spawned (svchost.exe).

Given the context and strings around this call I saw "NtResumeThread" among others.

So I set a breakpoint on NtResumeThread (which appears to be what is about to launch code in the child process svchost.exe).


Then open a new, 2nd instance of x64dbg.

"Attach" to svchost.exe, which really isn't doing much right now.

Go to the threads tab and you'll see 2 of them!

1 of them is in the "suspended" state.


Click into that suspended thread and set a breakpoint on the 1st line of code in there.

Then click "run" in the svchost.exe instance just so it isn't stuck on any breakpoints anymore.


Then return to the original x64dbg and click "detach" to allow it to proceed and start the "svchost.exe" process.

In the x64dbg on svchost you should now hit its breakpoint.

Now you're inside the 2nd stage of the malware, but the malicious code hasn't been unpacked yet, so there are still no good strings.


Set a breakpoint on the "ret 10" instruction at the end of VirtualAlloc (every allocation returns through it).

Run, then check strings. If you see nothing, run again and check strings.

Proceed until you notice the good strings ... (like URLs, etc.)


Then one easy way to get the executable out of memory is to just run

pe-sieve64.exe /pid ??? 

(with ??? replaced by the PID of the svchost.exe process) and it will dump the unpacked executable for you.
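As an added example (not code from the original post), here is a small Python script that turns the call sequence walked through above into a detection check: it scans a constructed API-call trace for a child created with CREATE_SUSPENDED by a parent that later calls NtResumeThread on it, and emits the pe-sieve command for that child PID. The trace format and its field names are assumptions of this example, not any real tool's output.

```python
import re
from typing import Dict, List, Tuple

# CREATE_SUSPENDED bit of dwCreationFlags (documented CreateProcess flag).
CREATE_SUSPENDED = 0x00000004

# Constructed sample trace (not output of any real tool): one line per API call,
# modelled on the sequence the post walks through: CreateProcessInternalW spawns
# a suspended svchost.exe, VirtualAlloc runs, then NtResumeThread wakes the child.
# The second parent spawns notepad.exe without CREATE_SUSPENDED and is benign.
SAMPLE_TRACE = """\
pid=4120 api=CreateProcessInternalW image=C:\\Windows\\System32\\svchost.exe flags=0x4 child=5208
pid=4120 api=VirtualAlloc size=0x19000 protect=0x40
pid=4120 api=NtResumeThread target=5208
pid=7008 api=CreateProcessInternalW image=C:\\Windows\\System32\\notepad.exe flags=0x0 child=7100
pid=7008 api=NtResumeThread target=7100
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' trace line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_hollowing_candidates(trace: str) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, child_pid, image) for every child created with
    CREATE_SUSPENDED whose creator later calls NtResumeThread on it."""
    # child pid -> (parent pid, image path) for children still suspended
    suspended: Dict[int, Tuple[int, str]] = {}
    hits: List[Tuple[int, int, str]] = []
    for raw in trace.splitlines():
        f = parse_line(raw)
        pid = int(f["pid"])
        if f["api"] == "CreateProcessInternalW":
            if int(f["flags"], 16) & CREATE_SUSPENDED:
                suspended[int(f["child"])] = (pid, f["image"])
        elif f["api"] == "NtResumeThread":
            target = int(f["target"])
            if target in suspended and suspended[target][0] == pid:
                parent, image = suspended.pop(target)
                hits.append((parent, target, image))
    return hits


def pe_sieve_commands(hits: List[Tuple[int, int, str]]) -> List[str]:
    """The pe-sieve invocation from the post, one per resumed child PID."""
    return ["pe-sieve64.exe /pid %d" % child for _, child, _ in hits]
```

Only the svchost.exe child is reported; the notepad.exe child was never created suspended, so its NtResumeThread is ignored.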
