Vulnerability Development mailing list archives

Re: unpacking UPX or PE-packed binaries


From: "Doc" <doc () empius net>
Date: Sat, 8 May 2004 10:02:06 +1000

I personally prefer to use the following stuff.

runas
procdump
idapro

By creating a guest account on the host PC you mitigate any risk of further
destructive processes.
After studying the many bots available on the Internet, it seems they all have
a wait process while trying to write to the system32 directory.
Using this to our advantage, the executable has already been decompressed by
the PE header and is running in memory.
Open procdump (
http://www.fortunecity.com/millenium/firemansam/962/html/procdump.html ),
select the process, right-click on it and dump it to either an unpacked exe
or a dmp file. Sometimes procdump gets stuffed up by the address space an
application occupies and crashes, so just specify a range and work back
until you get a large enough chunk.

Steps:

runas /env /user:limited <virus name.exe>
Enter the password for the limited account.
Load procdump, dump the file.
Switch over to Task Manager and terminate the process running as the limited
user.
Open IDA Pro and drag the dump file into it; most times it works fine, just
remember to tick the "load resources" check box.
Sit back and let it disassemble it.

Hope this helped some people.

Doc.

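A raw memory dump taken the way the post describes (the "dmp file" option) is laid out by RVA, but the PE header inside it is still the one from the packed file on disk, whose section table gives file offsets (PointerToRawData/SizeOfRawData) that no longer match where the unpacked bytes actually sit. Before a disassembler will map such a dump correctly the section headers have to be rewritten so that raw offsets equal RVAs. The script below is an added example, not the post's own tooling and not procdump's code: it builds a small constructed PE32 image laid out as a process dump would be, then applies that fix and optionally patches AddressOfEntryPoint to the original entry point found with a debugger (the `entry_point` argument and the sample section layout are assumptions for illustration).

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def _align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _headers(image):
    """Return (optional header offset, section table offset, section count)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    return opt, opt + opt_size, nsections


def sections(image):
    """List (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    _, table, nsections = _headers(image)
    out = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        out.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    return out


def entry_point(image):
    opt, _, _ = _headers(image)
    return struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint


def fix_dumped_pe(image, entry_point=None):
    """Rewrite the section table of a raw process dump so that each section's
    file offset equals its RVA (and FileAlignment equals SectionAlignment),
    so a PE loader or disassembler maps the file exactly as it was in memory.
    entry_point (hypothetical parameter) overrides AddressOfEntryPoint with
    the OEP, since the dumped header still points at the packer's stub."""
    buf = bytearray(image)
    opt, table, nsections = _headers(buf)
    sect_align = struct.unpack_from("<I", buf, opt + 32)[0]   # SectionAlignment
    struct.pack_into("<I", buf, opt + 36, sect_align)         # FileAlignment
    if entry_point is not None:
        struct.pack_into("<I", buf, opt + 16, entry_point)
    for i in range(nsections):
        off = table + i * SECTION_HDR.size
        fields = list(SECTION_HDR.unpack_from(buf, off))
        vsize, va = fields[1], fields[2]
        # Never claim raw bytes beyond the end of the dump (last section).
        fields[3] = min(_align_up(vsize, sect_align), len(buf) - va)  # SizeOfRawData
        fields[4] = va                                                # PointerToRawData
        SECTION_HDR.pack_into(buf, off, *fields)
    return bytes(buf)


def build_sample_dump():
    """Constructed input: a tiny PE32 image laid out by RVA (as in memory,
    SectionAlignment 0x1000) whose header still carries the on-disk section
    table (FileAlignment 0x200, raw offsets 0x400/0x800)."""
    sect_align, file_align, size_of_image = 0x1000, 0x200, 0x3000
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x300, 0x1000, 0x400, 0x400, 0x60000020),
        (b".data", 0x100, 0x2000, 0x200, 0x800, 0xC0000040),
    ]
    e_lfanew, opt_size = 0x40, 0xE0
    image = bytearray(size_of_image)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, coff, 0x14C, len(secs), 0, 0, 0, opt_size, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", image, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1000)      # AEP: the packer stub
    struct.pack_into("<I", image, opt + 28, 0x400000)    # ImageBase
    struct.pack_into("<I", image, opt + 32, sect_align)
    struct.pack_into("<I", image, opt + 36, file_align)
    struct.pack_into("<I", image, opt + 56, size_of_image)
    struct.pack_into("<I", image, opt + 60, 0x400)       # SizeOfHeaders
    table = opt + opt_size
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(secs):
        SECTION_HDR.pack_into(image, table + i * SECTION_HDR.size,
                              name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        image[va:va + vsize] = b"\x90" * vsize           # unpacked bytes sit at the RVA
    return bytes(image)


if __name__ == "__main__":
    dump = build_sample_dump()
    fixed = fix_dumped_pe(dump, entry_point=0x1100)
    for before, after in zip(sections(dump), sections(fixed)):
        print(before, "->", after)
    open("fixed.exe", "wb").write(fixed)
```

The rewritten header only makes the file offsets honest; it does not rebuild the import table, which in an unpacked-in-memory image has already been resolved to absolute addresses, so expect the imports to need separate reconstruction before the disassembly is fully readable.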