Tuesday, February 10, 2015

Extracting PE files from memory

I was recently trying to debug some malware that someone gave me. The malware was extracting itself into memory and working from there. It is possible to debug the malware from memory itself, but it's a bit painful, since we have to debug the entire memory each time, let the memory get populated with the malicious code and then try and understand what the code is doing. This is a waste of time - and if we can avoid it, we should.

As it turns out, it's possible to dump contents from memory. This is especially useful if it's a PE file that has been unpacked into memory, because you can dump it and reverse it separately, without all that running of the original malware that unpacked it.

I always knew this was possible, but for many reasons (a laziness to learn being foremost ;)) I never did it. This time, I was determined to figure out how to do it. Turns out it is fairly straightforward. All credit for me learning this goes to this blog: http://www.joestewart.org/morphine-dll/

That blog should be self-explanatory really, but here were my steps.
  • Load the process in Olly and debug it as usual.
  • Once the process has loaded in memory, locate it in the Dump section of Olly.
  • Right-click inside the dump and choose Backup > Save data to file, saving it as an EXE file on disk.
  • Launch a PE editor (I use LordPE). Locate the last section. Add its RawSize and RawOffset together and record the result.
  • Open the file in a hex editor and go to that number (offset). Delete all content after this offset; usually this is all zeros.
    Now go to the start of the file. Delete all content up to the start of the header (4D 5A). Save the file.
  • Open the file in Olly... and there you go: a normal EXE file.
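The two hex-editor cuts above can be scripted. The following Python script is an added example, not code from the original post or from Olly/LordPE: it finds the MZ header in a raw dump, reads the section table, computes the RawOffset + RawSize number from the LordPE step (taken as the maximum over all sections rather than only the last one, which is the general case), and drops the bytes before the header and after that offset. It also covers a case the manual steps skip: a dump of an image that was already mapped has its section data at each section's VirtualAddress, not at PointerToRawData, so the `memory_layout` option rewrites the raw pointer and size of every section to its virtual ones before trimming (the "realign" step that dump plugins offer). The sample dump is constructed inside the script, and the function names are my own.

```python
import struct
import sys

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40


def find_pe_start(blob):
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature, or -1."""
    pos = blob.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(blob) and blob[sig:sig + 4] == PE_SIGNATURE:
                return pos
        pos = blob.find(MZ_MAGIC, pos + 1)
    return -1


def parse_sections(image):
    """Return (section_table_offset, sections) for an image that starts at 'MZ'.

    Each section dict carries the fields the trimming needs:
    VirtualSize (vsize), VirtualAddress (vaddr), SizeOfRawData (rsize), PointerToRawData (rptr).
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    sections = []
    for i in range(num_sections):
        off = table + SECTION_HEADER_SIZE * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append({"name": bytes(image[off:off + 8]).rstrip(b"\0"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr})
    return table, sections


def carve_pe(blob, memory_layout=False):
    """Cut a PE image out of a raw dump: drop bytes before 'MZ' and after the last section's raw data.

    memory_layout=True is for a dump of a mapped image, where section data sits at VirtualAddress:
    the raw pointer/size fields are rewritten to the virtual ones so the trimmed file is consistent.
    """
    start = find_pe_start(blob)
    if start < 0:
        raise ValueError("no MZ/PE header found in dump")
    image = bytearray(blob[start:])  # the "delete everything before 4D 5A" step
    table, sections = parse_sections(image)
    if memory_layout:
        for i, s in enumerate(sections):
            off = table + SECTION_HEADER_SIZE * i
            struct.pack_into("<II", image, off + 16, s["vsize"], s["vaddr"])  # SizeOfRawData, PointerToRawData
            s["rsize"], s["rptr"] = s["vsize"], s["vaddr"]
    # The LordPE number: RawOffset + RawSize, taken over all sections (the last one in a sane file).
    end = max(s["rptr"] + s["rsize"] for s in sections)
    if end > len(image):
        raise ValueError("section table points past the end of the dump")
    return bytes(image[:end])  # the "delete everything after the offset" step


def build_sample_dump(memory_layout=False):
    """Constructed test data: 16 junk bytes, a tiny two-section PE32, then 256 trailing zeros."""
    secs = [  # name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, payload
        (b".text", 0x1000, 0x10, 0x200, 0x200, b"\xC3" * 0x10),
        (b".data", 0x2000, 0x08, 0x400, 0x200, b"DATA\0\0\0\0"),
    ]
    img = bytearray(0x40)
    img[0:2] = MZ_MAGIC
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img += PE_SIGNATURE + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; the rest of the optional header is left zero
    img += opt
    for name, vaddr, vsize, rptr, rsize, _ in secs:  # headers always keep the file-layout values
        img += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    for _, vaddr, vsize, rptr, rsize, payload in secs:  # data placed per file or per memory layout
        off, size = (vaddr, vsize) if memory_layout else (rptr, rsize)
        img.extend(b"\0" * max(0, off + size - len(img)))
        img[off:off + len(payload)] = payload
    junk = b"\x00\x11\x22\x33" * 4
    return junk + bytes(img) + b"\0" * 0x100


if __name__ == "__main__":
    if len(sys.argv) not in (3, 4):
        sys.exit("usage: carve_pe.py <dump.bin> <out.exe> [--memory-layout]")
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    out = carve_pe(data, memory_layout=(len(sys.argv) == 4 and sys.argv[3] == "--memory-layout"))
    with open(sys.argv[2], "wb") as f:
        f.write(out)
    print("wrote %d bytes" % len(out))
```

Run it on the file saved from Olly's dump window; without `--memory-layout` it does exactly the manual cuts, and with it the section headers are realigned first. Note that realigning only fixes the section layout: an unpacked image usually still needs its import table rebuilt before it runs on its own, which this script does not do.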

I tried some plugins like OllyDumpEx but they did not work for me. They probably are fine - just that I mostly made a mistake while using them. I will try some nice plugins soon and update this post when I am done.

Hope this post helps someone easily unpack malware from memory manually. It's fairly easy and you do not need a plugin to do this :)
