This repository has been archived by the owner on May 14, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathREADME.TXT
executable file
·70 lines (52 loc) · 3.09 KB
/
README.TXT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
SIMPLE UNPACKER
PoC Tool by Oleksiuk Dmytro (aka Cr4sh), Esage Lab
http://d-olex.blogspot.com/
mailto:[email protected]
=================================
This tool designed for semi-automation unpacking of malware samples, by the following way:
1) Creates malware process with CreateProcess() and PROCESS_DEBUG flag.
2) Dispatching debug events, and setting breakpoints on some APIs, that calls somewhere in unpacked malware body.
3) When breakpoint occurs -- tool performs dumping of unpacked malware executable image.
Of course, to use it you must know what exactly API calls in unpacked malware body, to set breakpoint (unpacking marker) on them.
USAGE:
> SimpleUnpacker.exe <input_file> --bp <module>!<function>
For setting breakpoints on many functions, you can use multipile --bp keys in command line options.
Unpacked binary will be saved in dumped.exe, you can load it into the IDA Pro, or into yor own process (with LoadLibraryEx() + DONT_RESOLVE_DLL_REFERENCES) for further researching.
Exampe of unpacking SpyEye trojan dropper:
-------------------------------------------------------------------
C:\> SimpleUnpacker.exe dropper.exe --bp kernel32.dll! CreateToolhelp32Snapshot
[+] Breakpoint: kernel32.dll!CreateToolhelp32Snapshot()
[+] Process command line: "dropper.exe"
CREATE_PROCESS: ImageBase=0x00400000, StartAddress=0x00420090
DLL_LOAD: 0x7c900000 "ntdll.dll"
DLL_LOAD: 0x7c800000 "C:\WINDOWS\system32\kernel32.dll"
[+] Breakpoint on kernel32.dll!CreateToolhelp32Snapshot() has been set: 0x7c865b1f
DLL_LOAD: 0x7e410000 "C:\WINDOWS\system32\USER32.dll"
DLL_LOAD: 0x77f10000 "C:\WINDOWS\system32\GDI32.dll"
DLL_LOAD: 0x73000000 "C:\WINDOWS\system32\WINSPOOL.DRV"
DLL_LOAD: 0x77dd0000 "C:\WINDOWS\system32\ADVAPI32.dll"
DLL_LOAD: 0x77e70000 "C:\WINDOWS\system32\RPCRT4.dll"
DLL_LOAD: 0x77fe0000 "C:\WINDOWS\system32\Secur32.dll"
DLL_LOAD: 0x77c10000 "C:\WINDOWS\system32\msvcrt.dll"
DLL_LOAD: 0x3d930000 "C:\WINDOWS\system32\WININET.dll"
DLL_LOAD: 0x77f60000 "C:\WINDOWS\system32\SHLWAPI.dll"
DLL_LOAD: 0x78130000 "C:\WINDOWS\system32\urlmon.dll"
DLL_LOAD: 0x774e0000 "C:\WINDOWS\system32\ole32.dll"
DLL_LOAD: 0x77120000 "C:\WINDOWS\system32\OLEAUT32.dll"
DLL_LOAD: 0x3dfd0000 "C:\WINDOWS\system32\iertutil.dll"
EXCEPTION_BREAKPOINT at 0x7c90120e
CREATE_THREAD: StartAddress=0x00000000
DLL_LOAD: 0x76390000 "C:\WINDOWS\system32\IMM32.DLL"
DLL_LOAD: 0x773d0000 "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_65
95b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll"
CREATE_THREAD: StartAddress=0x7c8106e9
EXCEPTION_BREAKPOINT at 0x7c865b1f
[+] Breakpoint occurs: kernel32.dll!CreateToolhelp32Snapshot
[+] Dumping image 0x00400000 Size=0x0007d000
Fixing FileAlignment 0x00000200 -> 0x00001000
Fixing section raw address 0x00000400 -> 0x00001000
Fixing section raw address 0x00000400 -> 0x00040000
Fixing section raw address 0x00021600 -> 0x00062000
[+] Image dumped to "dumped.exe"
DONE
-------------------------------------------------------------------