Vulnerability Development mailing list archives
Re: unpacking UPX or PE-packed binaries
From: "Doc" <doc () empius net>
Date: Sat, 8 May 2004 10:02:06 +1000
I personally prefer to use the following stuff:

runas
procdump
idapro

By creating a guest account on the host PC you mitigate any risk of further destructive processes. After studying the many bots available on the internet, they all seem to have a wait process while trying to write to the system32 directory. Using this to our advantage, the executable has already been decompressed by the PE header and is running in memory. Open procdump ( http://www.fortunecity.com/millenium/firemansam/962/html/procdump.html ), select the process, right click on it and dump it to either an unpacked exe or a dmp file. Sometimes procdump gets stuffed up by the address space an application occupies and crashes, so just specify a range and work back until you get a large enough chunk.

Steps:

runas /env /user:limited <virus name.exe>
enter the password for the limited account
load procdump, dump the file
switch over to task manager and terminate the process running as the limited user
open idapro and drag the dump file into it, most times it works fine, just remember to tick the load resources check box
sit back and let it disassemble it.

hope this helped some people

Doc.
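A dump taken from a running process still carries the section headers of the packed file on disk, so a disassembler loading the .dmp may map sections to the wrong offsets. The following is an added example (not from the post or from procdump) of the usual header fix in Python: set each section's raw offset to its virtual address, its raw size to its virtual size, and FileAlignment to SectionAlignment; the sample image it builds is constructed for the demonstration, not a real binary.

```python
import struct

# Leading fields of an IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData (the remaining 16 bytes are left untouched).
SECTION_HDR = "<8sIIII"


def _section_table(buf):
    """Return (offset of first section header, section count, optional header offset)."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    nsec, opt_size = struct.unpack_from("<H12xH", buf, pe + 6)   # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                        # optional header follows the 20-byte COFF header
    return opt + opt_size, nsec, opt


def sections(buf):
    """Parse section headers into (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    start, nsec, _ = _section_table(buf)
    out = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(SECTION_HDR, buf, start + 40 * i)
        out.append((name.rstrip(b"\0").decode(), vsize, vaddr, rsize, rptr))
    return out


def fix_dumped_pe(data):
    """Rewrite a memory dump's headers so file offsets equal in-memory addresses."""
    buf = bytearray(data)
    start, nsec, opt = _section_table(buf)
    sec_align = struct.unpack_from("<I", buf, opt + 32)[0]
    struct.pack_into("<I", buf, opt + 36, sec_align)     # FileAlignment := SectionAlignment
    for i in range(nsec):
        off = start + 40 * i
        name, vsize, vaddr, _, _ = struct.unpack_from(SECTION_HDR, buf, off)
        rsize = min(vsize, max(0, len(buf) - vaddr))     # clamp when the dump was cut short
        struct.pack_into(SECTION_HDR, buf, off, name, vsize, vaddr, rsize, vaddr)
    return bytes(buf)


def build_sample_dump():
    """Constructed sample: a PE32 image laid out as in memory but with on-disk UPX-style headers."""
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 2, 0xE0)           # i386, 2 sections, PE32 optional header
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    sec = opt + 0xE0
    struct.pack_into(SECTION_HDR, img, sec, b"UPX0", 0x1000, 0x1000, 0, 0x400)
    struct.pack_into(SECTION_HDR, img, sec + 40, b"UPX1", 0x1000, 0x2000, 0x600, 0x400)
    return bytes(img)
```

Run `sections()` on the dump before and after `fix_dumped_pe()` to see the raw offsets move onto the virtual addresses; a truncated dump gets a correspondingly shortened last section rather than a header that points past the end of the file.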