Jump to content
Tuts 4 You

Unpacking RunPe Malware


Phasip

Recommended Posts

Hello!

I recently started doing some malware reversing and the second application I meet is an app called ohhai.exe

As all packer identifiers I have run says that it is Visual Basic I tried to open it with a program that views PCode,

looking trough the code i found a function called RunPe, I found out this is a common way to hide viruses within vb code.

The problem is that there does not seem to be much information on how to unpack these, I found two
/>http://www.opensc.ws/tutorials-articles/11144-tutorial-unpacking-runpe.html
/>http://interestingmalware.blogspot.com/2010/07/unpacking-vbinjectvbcryptrunpe.html

which both have easy steps but I don't seem to be able to follow these.

If I run it and then attach to it ollydbg runs in the address 77A50000 + 13BFFE, trying to dump this using ollydump i get a crashed

ollydbg.

If I run it with ollydbg2 and have the debug child option enabled I get a debugging session with a modified executable that starts at

00401394, but this seems to be a runpe too. I tried to dump this to the disk but I'm not able to rebuild the exe so it is runnable.

Could anyone point me in the right direction or explain how I should unpack this

Here is the link to the virus (AFAIK original link):

---EDIT-- See Attatched File, Password: tuts4you

Here's a link to a ThreatExperts report
/>http://www.threatexpert.com/report.aspx?md5=3e7126c600eb3d73c9b470aa98f2a416

Thanks for your help, Phasip.

dirtypics.zip

Edited by Phasip
Link to comment

Well, steps outlined in 2nd of your tutorials should work just fine:

  • Use OllyDbg
  • Breakpoint on ZwWriteVirtualMemory
  • When breakpoint is hit for first time, dump entire buffer (0x4A000 bytes)
  • You have valid exe

Cheers,

kao.

Link to comment

I am so sorry!

I had tried this multiple times in different variations, but I guess I had done something wrong each time.

I was just going to try it again to be able to say: i tried that a million times and it doesn't work...

Problem is that it works like a charm!

Thanks alot!

Edited by Phasip
Link to comment
  • 1 year later...
  • 8 months later...

BreakPoint on SetThreadContext ... As it have to Set Eax to Point to OEP ...Look in context Structre .. Eax is at B0 offet from begining of context structre ..note it down

Now change first two bytes at OEP (EAX value )of Newly CreateProcess using any hex editor ..and Now RUn the Process.

Newly Created Process Will trapped in Infine Loop ...and now u can eaisly dump it with any dumping tool ,change first two bytes at oep to orginal one's ...and Now u have fully working PE

Anyway Hooking ZwWriteVirtualMemory is more easier .

Link to comment

There is some runpe malware which doesn't use NtWriteVirtualMemory. There is some other way to get the same results. The most reliable hook is still NtResumeThread.

Edited by Aguila
Link to comment
  • 2 years later...

Hi,


 


sorry for bumping this thread. I'm having trouble with unpacking RunPE.


 


I have a UnpackMe created by my friend. He told me to unpack this. I already tried to unpack it with ScylaHide plugin and it succeed. But I want to understand how to unpack it manually. I tried put breakpoint at ZwWriteVirtualMemory but I don't know what next step I should take.


 


sorry for this newbie question.


 


Here is the unpackme : here


 


Salam


Link to comment

Hi @Aguila,


 


Is NtResumeThread and ResumeThread same?


 


So I put a software breakpoint at ResumeThread and run the UnpackMe. It breaks at breakpoint.


 


I look at Process Hacker to see the PID and convert it to hex with Calculator.


 


I Dump Full the UnpackMe with PE Tools. First I was so happy because it created a Dumped.exe with Delphi icon project. But when I clicked on it, the error message appeared.


 


Is my step to dump the newly created process true?


 


Salam


Link to comment

Yes it is the same. In this case you have to do a raw dump... (the exe is unpacked and fully functional in the new process) so you could dump it with Process Hacker. 1:1 copy from RAM.


Link to comment

Hi,


 


I find "create a dump file" option in Process Hacker but I guess it is wrong because the result is quite strange, size of dumped file is 30MB+ !


Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...