Vulnerability Development mailing list archives
RE: unpacking UPX or PE-packed binaries
From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
Date: Mon, 10 May 2004 09:43:17 +0100
The problem with that process is that you're leaving yourself open to self-modifying code. For example, if the UPX stub unpacks the rest of the worm, then the first call is to some self-modifying/polymorphic code, you're at the worm's mercy. You're also dumping a point-in-time image of the exe, not the original code. This is true for *any* app.

To be sure you have the exe in a virgin (bet that triggers spam filters) state, you need to trace the code and stop execution at the OEP (original entry point). Doing this with UPX is trivial, the code pretty much looks like a call followed by a jmp. With other packers/protectors it can get more difficult.

Once you find the OEP, you need to put the code in a loop (softice: a eip; jmp eip). Once you've done that you can dump the process with procdump safely. All that's left then is to fix the IAT (if necessary, just use revirgin or imprec, or if you're bored, do it manually) and change the opcodes at the start of the dumped exe back to push ebp (although you might not want to do that in case you run it by accident). The PE will also need fixing with the RVA of the OEP, because the dumped exe will still have the EP of the UPX'd version in the PE.

If that didn't confuse you....

-Ian
-----Original Message-----
From: Doc [mailto:doc () empius net]
Sent: 08 May 2004 01:02
To: vuln-dev () securityfocus com
Subject: Re: unpacking UPX or PE-packed binaries

I personally prefer to use the following stuff.

runas
procdump
idapro

By creating a guest account on the host pc you mitigate any risk of further destructive processes. After studying the many bots available on the internet they all seem to have a wait process while trying to write to the system32 directory. Using this to our advantage the executable has already been decompressed by the pe header and is running in memory.

Open procdump ( http://www.fortunecity.com/millenium/firemansam/962/html/procdump.html ), select the process, right click on it and dump it to either an unpacked exe or a dmp file. Sometimes procdump gets stuffed up by the address space an application occupies and crashes, so just specify a range and work back until you get a large enough chunk.

steps:
runas /env /user:limited <virus name.exe>
enter the password for the limited account
load procdump, dump the file
switch over to task manager and terminate the process running as the limited user
open idapro and drag the dump file into it, most times it works fine, just remember to tick the load resources check box
sit back and let it disassemble it.

hope this helped some people

Doc.
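The post-dump fix-up Ian describes (restore the bytes that the `a eip; jmp eip` loop overwrote at the OEP, then point the PE header's AddressOfEntryPoint at the OEP's RVA instead of the packer stub) as an added Python example. This is not code from the thread or from any of the tools named in it: the PE image it operates on is constructed in memory, and the image base (0x400000), section layout, OEP (RVA 0x1010) and "original" bytes (`55 8B`, the start of `push ebp; mov ebp,esp`) are assumptions for the demo. The `restore_entry_bytes` switch leaves the loop in place so the file just spins if run by accident, the option Ian mentions.

```python
# Added example, not from the mailing-list thread.  Fixes up a process dump
# after manual unpacking: (1) puts back the two bytes the jmp-self loop
# clobbered at the OEP, (2) rewrites AddressOfEntryPoint to the OEP RVA.
# All addresses and bytes below are assumed values for a constructed image.
import struct

IMAGE_BASE = 0x400000        # assumed load address of the dumped process
STUB_RVA   = 0x2000          # where the packer stub lived (EntryPoint before fix-up)
OEP_RVA    = 0x1010          # original entry point found by tracing (assumed)
JMP_SELF   = b"\xEB\xFE"     # what `a eip; jmp eip` assembles to (jmp short $)
ORIG_BYTES = b"\x55\x8B"     # push ebp / first byte of mov ebp,esp (assumed)


def build_sample_dump() -> bytearray:
    """Constructed PE32 dump: two sections, raw offset == RVA as in a memory dump."""
    img = bytearray(0x2200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98                                                   # optional header
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 16, STUB_RVA)              # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)            # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)        # Section/FileAlignment
    sec = opt + 0xE0                                             # section table
    layout = [(b".text", 0x1000, 0x1000), (b"UPX1", 0x2000, 0x200)]
    for i, (name, va, size) in enumerate(layout):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<8sIIII", img, sec + 40 * i, name, size, va, size, va)
    # Code at the OEP as the debugger left it: loop bytes over the original prologue.
    img[OEP_RVA:OEP_RVA + 3] = JMP_SELF + b"\xEC"
    return img


def _headers(img):
    """Return (optional header offset, [(name, va, size, raw_ptr), ...])."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ has a 64-bit ImageBase at opt+24)")
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", img, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0"), va, max(vsize, rawsize), rawptr))
    return opt, sections


def rva_to_offset(img, rva: int) -> int:
    """Map an RVA to a file offset via the section table (dumps usually have raw == VA)."""
    for _name, va, size, rawptr in _headers(img)[1]:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def entry_point_rva(img) -> int:
    return struct.unpack_from("<I", img, _headers(img)[0] + 16)[0]


def fix_dump(img, oep_va: int, original_bytes: bytes, restore_entry_bytes: bool = True) -> dict:
    """Undo the jmp-self patch and make the PE header point at the real OEP."""
    opt, _ = _headers(img)
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    oep_rva = oep_va - image_base
    off = rva_to_offset(img, oep_rva)
    old_ep = entry_point_rva(img)
    # Sanity check: the OEP should still hold the loop we wrote in the debugger.
    found = bytes(img[off:off + len(JMP_SELF)])
    if found != JMP_SELF:
        raise ValueError(f"expected {JMP_SELF.hex()} at OEP, found {found.hex()}")
    if restore_entry_bytes:
        img[off:off + len(original_bytes)] = original_bytes
    struct.pack_into("<I", img, opt + 16, oep_rva)
    return {"old_entry_rva": old_ep, "new_entry_rva": oep_rva, "file_offset": off}


if __name__ == "__main__":
    image = build_sample_dump()
    print(fix_dump(image, IMAGE_BASE + OEP_RVA, ORIG_BYTES))
```

The IAT repair Ian mentions is deliberately left to ImpREC/ReVirgin: it needs the live process to resolve the thunks, which a header-only fix-up like this cannot do.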