Tuts 4 You

Can I post a virus here (VMProtect 2.07 xx)?


aj3423


Hi,

I'm new to tuts4you. I found all the other posts are UnpackMe, and I want to analyze a virus to see what it does, but I don't know how to unpack it. It's packed with VMProtect 2.07.

Could anyone shed some light on this? A tutorial would be great :)

Again, it's a virus, don't run it directly.

The virus deletes itself after running, so the unpacking would be successful if it has disappeared when executed.

Thanks.

virus.rar


If you want to get a high-level overview, put a breakpoint on CreateProcessA and dump the file from memory. Many functions will still be protected by the VMProtect virtual machine, but the strings are in the clear and you'll be able to get an idea of how it's supposed to work. ProcMon should work too.

HalDispatchTable
hal.dll
cmd /c taskkill /f /pid %d && ping 127.0.0.1 -n 5 > nul && del /f /q "%s" > nul
*/tj.aspx
www.asp0202.com
XP-SP%d-%d
2K3-SP%d-%d
VISTA-SP%d-%d
WIN7-SP%d-%d
WIN8-SP%d-%d
a=%s&b=%s&c=%s&d=%d&e=%s&f=%d&g=%c&h=%d
%s?u=%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDPI
FontSize
FontSize
MmGetSystemRoutineAddress
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
ExAllocatePoolWithTag
ExFreePool
sbiedll.dll
%s\drivers\%s.sys
%s.sys
\\.\npkcrypt
%s\%s.sys
%s.sys
\\.\slPWACP
smss.exe
csrss.exe
GET %s HTTP/1.1
Host: %d.%d.%d.%d
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection: Keep-Alive
//./%s
%allusersprofile%\NTUSER.DAT
%SystemRoot%\System32\ntdll.dll

If you want to de-virtualize each and every function, search the board, I think there were tools and tutorials dealing with VMProtect VM.

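Added example, not code from the thread: a small Python triage script for the first pass the reply above describes once the file has been dumped from memory. It pulls ASCII and UTF-16LE strings out of a buffer and sorts them into rough buckets (command lines, registry paths, kernel routine names, HTTP fragments, sandbox checks, device names, domains). The dump bytes are constructed here from the strings listed above, and the bucket regexes are my own heuristics.

```python
import re

# Constructed stand-in for a memory dump: binary filler around the kinds of
# strings the reply lists (ASCII plus one UTF-16LE value). Not the real sample.
SAMPLE_DUMP = (
    b"\x00\x90\x90MZ\x00\x00"
    b'cmd /c taskkill /f /pid %d && ping 127.0.0.1 -n 5 > nul && del /f /q "%s" > nul\x00'
    b"\x01\x02www.asp0202.com\x00\xff\xfe"
    b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontDPI\x00"
    + "FontSize".encode("utf-16-le") + b"\x00\x00"
    b"MmGetSystemRoutineAddress\x00ExAllocatePoolWithTag\x00"
    b"GET %s HTTP/1.1\x00User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)\x00"
    b"\\\\.\\npkcrypt\x00sbiedll.dll\x00ab\x00"
)

# Heuristic buckets (my own), first match wins, so order matters: sbiedll.dll
# (Sandboxie's injected DLL, a common sandbox check) would otherwise look like a domain.
CATEGORIES = [
    ("command", re.compile(r"^(cmd|taskkill|ping|del)\b", re.I)),
    ("registry", re.compile(r"^(SOFTWARE|SYSTEM|HKLM|HKCU)\\", re.I)),
    ("kernel_api", re.compile(r"^(Mm|Ex|Rtl|Zw|Nt|Io|Ke|Ob)[A-Z][A-Za-z]+$")),
    ("http", re.compile(r"^(GET|POST) |^(Host|User-Agent|Accept|Connection):")),
    ("sandbox_check", re.compile(r"^sbiedll\.dll$", re.I)),
    ("device", re.compile(r"^\\\\\.\\")),
    ("domain", re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)),
]

def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Printable runs of at least min_len chars, ASCII and UTF-16LE, in dump order."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # The lookbehind stops a wide match from swallowing the last byte of a
    # preceding ASCII string (the classic "IFontSize" strings artifact).
    wide = re.compile(rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in narrow.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide.finditer(blob)]
    return [s for _, s in sorted(found)]

def classify(s: str) -> str:
    """First matching bucket, or 'other' for strings the heuristics do not cover."""
    return next((name for name, rx in CATEGORIES if rx.search(s)), "other")

def triage(blob: bytes, min_len: int = 6) -> dict[str, list[str]]:
    """Group a dump's strings by bucket for a quick capability overview."""
    report: dict[str, list[str]] = {}
    for s in extract_strings(blob, min_len):
        report.setdefault(classify(s), []).append(s)
    return report

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_DUMP).items():
        print(f"[{bucket}]", *items, sep="\n    ")
```

Run it on a real dump by replacing SAMPLE_DUMP with the file's bytes; the "other" bucket is where new heuristics usually come from.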
