Etor Madiv Posted December 12, 2016

I found a malware sample (1) that is packed using Safengine Shielden v2.3.9.0. I'm not able to debug it because it detects that it is being debugged; after that I tried the ScyllaHide plugin for Olly2, but it is still detected. The packer reads the files KernelBase.dll, kernel32.dll, user32.dll, msvcrt.dll, ... and puts them at random memory locations, replaces some addresses, so it is able to use its own copy of those DLL files instead of the original ones, and makes debugging harder (no symbols will be available to identify system functions). Running the file dynamically, I'm able to identify that it drops a .bat in a randomly created folder in %temp%, and I created a tool (2) to deobfuscate similar .bat files.

How can this sample be unpacked? Is there any useful method to approach this kind of packer?

(1) Malware sample
(2) SimpleBatchDeobfuscator.zip
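The dropped .bat files mentioned above typically hide their real command behind cmd.exe's environment-variable substring expansion (`%VAR:~start,len%`) and chains of `set` assignments. The script below is an added example of how such a deobfuscator can work; it is not the poster's SimpleBatchDeobfuscator, and the batch text and the COMSPEC value it processes are constructed here rather than taken from the sample. It mirrors cmd's behaviour of expanding `%...%` references before a `set` line is executed, so values built from fragments of other variables resolve correctly.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (not the .bat dropped by the sample in the post): the
# final command is rebuilt from pieces of environment variables, the
# %VAR:~start,len% substring trick that simple batch obfuscators rely on.
SAMPLE_BAT = """\
@echo off
set "pi=pingpong"
set ho=localhost
set cmdline=%pi:~0,4% -n 1 %ho%
%COMSPEC:~-7% /c %cmdline%
"""

# Starting environment the analyst supplies (constructed value; on a real
# host you would copy the variables the sample's environment actually had).
BASE_ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}

SUBSTR_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")  # %VAR:~start[,len]%
PLAIN_RE = re.compile(r"%(\w+)%")                         # %VAR%
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"]*)"?\s*$', re.IGNORECASE)


def substring(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe's %VAR:~start,len% rules.

    A negative start counts from the end of the value; a negative len means
    "stop that many characters before the end"; a missing len means "to the end".
    """
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    start = min(start, n)
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:max(end, start)]


def expand(line: str, env: Dict[str, str]) -> str:
    """Single-pass expansion of %VAR:~s,l% and %VAR% references, as cmd does
    for a batch line. Undefined variables expand to the empty string, which is
    batch-file (not interactive) behaviour."""

    def sub_substr(m: "re.Match[str]") -> str:
        value = env.get(m.group(1).upper(), "")
        length = int(m.group(3)) if m.group(3) is not None else None
        return substring(value, int(m.group(2)), length)

    line = SUBSTR_RE.sub(sub_substr, line)
    return PLAIN_RE.sub(lambda m: env.get(m.group(1).upper(), ""), line)


def deobfuscate(script: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Walk the script top to bottom, track `set NAME=VALUE` assignments
    (variable names are case-insensitive in cmd) and return the commands
    that remain once every reference has been resolved. `set /a` arithmetic
    and delayed (!VAR!) expansion are not handled."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    commands: List[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or low.startswith("@echo") or low.startswith("rem ") or line.startswith("::"):
            continue
        line = expand(line, env)          # expansion happens before `set` runs
        m = SET_RE.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)
            continue
        commands.append(line)
    return commands


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE_BAT, BASE_ENV):
        print(cmd)  # prints: cmd.exe /c ping -n 1 localhost
```

Because the loop keeps its own copy of the environment, the script can be pointed at a dropped .bat without executing anything; feeding it the variables recorded from the sandbox run (COMSPEC, TEMP and so on) is what makes the substring arithmetic come out the same as it would on the victim host.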
crystalboy Posted December 12, 2016

@Sound did a walkthrough on manually unpacking version 2.x.x.x, so maybe he is the best one to answer your questions. It is partly in English and partly in Chinese, so you need Google Translate to understand it fully. You can find it attached. Hope it helps.

Manual.Unpacking.Safengine_Shielden-Licensor 2.xx.By.Sound.pdf
BugMan Posted April 9, 2017

If you want to debug it, you need to use the StrongOD plugin.