Phasip Posted December 7, 2010 (edited)

Hello! I recently started doing some malware reversing, and the second application I met is an app called ohhai.exe. As all the packer identifiers I have run say that it is Visual Basic, I tried to open it with a program that views P-Code; looking through the code I found a function called RunPe, and I found out this is a common way to hide viruses within VB code. The problem is that there does not seem to be much information on how to unpack these. I found two:
http://www.opensc.ws/tutorials-articles/11144-tutorial-unpacking-runpe.html
http://interestingmalware.blogspot.com/2010/07/unpacking-vbinjectvbcryptrunpe.html
which both have easy steps, but I don't seem to be able to follow them.

If I run it and then attach to it, OllyDbg runs at the address 77A50000 + 13BFFE; trying to dump this using OllyDump I get a crashed OllyDbg. If I run it with OllyDbg2 and have the "debug child" option enabled, I get a debugging session with a modified executable that starts at 00401394, but this seems to be a RunPE too. I tried to dump this to disk, but I'm not able to rebuild the exe so it is runnable.

Could anyone point me in the right direction or explain how I should unpack this?

Here is the link to the virus (AFAIK original link): ---EDIT--- See attached file, password: tuts4you
Here's a link to a ThreatExpert report: http://www.threatexpert.com/report.aspx?md5=3e7126c600eb3d73c9b470aa98f2a416

Thanks for your help, Phasip.

dirtypics.zip
Edited December 7, 2010 by Phasip
kao Posted December 7, 2010

Well, the steps outlined in the 2nd of your tutorials should work just fine:
1. Use OllyDbg.
2. Breakpoint on ZwWriteVirtualMemory.
3. When the breakpoint is hit for the first time, dump the entire buffer (0x4A000 bytes).
4. You have a valid exe.

Cheers,
kao.
Phasip (Author) Posted December 7, 2010 (edited)

I am so sorry! I had tried this multiple times in different variations, but I guess I had done something wrong each time. I was just going to try it again to be able to say: I tried that a million times and it doesn't work... Problem is that it works like a charm! Thanks a lot!
Edited December 7, 2010 by Phasip
Jhonjhon_123 Posted January 22, 2012

Hello! How can I get a dump of the newly created process?
Regards
jamesxx Posted October 15, 2012

Breakpoint on SetThreadContext, as it has to set EAX to point to the OEP. Look in the CONTEXT structure: EAX is at offset B0 from the beginning of the CONTEXT structure. Note it down. Now change the first two bytes at the OEP (the EAX value) of the newly created process using any hex editor, and run the process. The newly created process will be trapped in an infinite loop, and now you can easily dump it with any dumping tool, change the first two bytes at the OEP back to the original ones, and you have a fully working PE. Anyway, hooking ZwWriteVirtualMemory is easier.
Aguila Posted October 15, 2012 (edited)

There is some RunPE malware which doesn't use NtWriteVirtualMemory; there are other ways to get the same results. The most reliable hook is still NtResumeThread.
Edited October 15, 2012 by Aguila
icarusdc Posted July 14, 2015

Hi, sorry for bumping this thread. I'm having trouble with unpacking RunPE. I have an UnpackMe created by my friend; he told me to unpack it. I already tried to unpack it with the ScyllaHide plugin and it succeeded, but I want to understand how to unpack it manually. I tried putting a breakpoint at ZwWriteVirtualMemory, but I don't know what next step I should take. Sorry for this newbie question. Here is the unpackme: here
Salam
Aguila Posted July 14, 2015

@icarusdc Like I said, you set a breakpoint on NtResumeThread and dump the newly created process. Look with a good process explorer like http://processhacker.sourceforge.net/
icarusdc Posted July 14, 2015

Hi @Aguila, are NtResumeThread and ResumeThread the same? So I put a software breakpoint at ResumeThread and ran the UnpackMe. It breaks at the breakpoint. I looked at Process Hacker to see the PID and converted it to hex with Calculator. I did a Dump Full of the UnpackMe with PE Tools. At first I was so happy because it created a Dumped.exe with the Delphi project icon, but when I clicked on it, an error message appeared. Is my step to dump the newly created process correct?
Salam
Aguila Posted July 15, 2015

Yes, it is the same. In this case you have to do a raw dump (the exe is unpacked and fully functional in the new process), so you could dump it with Process Hacker: a 1:1 copy from RAM.
icarusdc Posted July 15, 2015

Hi, I found the "create a dump file" option in Process Hacker, but I guess it is wrong because the result is quite strange: the size of the dumped file is 30MB+!