Vulnerability Development mailing list archives

RE: unpacking UPX or PE-packed binaries


From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
Date: Mon, 10 May 2004 09:43:17 +0100

The problem with that process is that you're leaving yourself
open to self-modifying code. For example, if UPX stub unpacks
the rest of the worm, then the first call is to some self-
modifying/polymorphic code, you're at the worm's mercy. You're
also dumping a point-in-time image of the exe, not the
original code. This is true for *any* app.

To be sure you have the exe in a virgin (bet that triggers
spam filters) state, you need to trace the code and stop
execution at the OEP (original entry point). Doing this with
UPX is trivial, the code pretty much looks like a call
followed by a jmp. With other packers/protectors it can get
more difficult. Once you find the OEP, you need to put the
code in a loop (softice: a eip; jmp eip). Once you've done
that you can dump the process with procdump safely. All that's
left then is to fix the IAT (if necessary, just use revirgin
or imprec, or if you're bored, do it manually) and change the
opcodes at the start of the dumped exe back to push ebp
(although you might not want to do that in case you run it
by accident). The PE will also need fixing with the RVA of the
OEP, because the dumped exe will still have the EP of the
UPX'd version in the PE.

If that didn't confuse you....

-Ian
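The last step above, re-pointing the dumped image's entry point at the OEP, comes down to rewriting one field in the PE optional header (AddressOfEntryPoint, at offset 16 of IMAGE_OPTIONAL_HEADER for both PE32 and PE32+). The following is an added example, not code from Ian's post or from procdump, that does that with plain header parsing; it also lists section names, which is a cheap triage check for a UPX-packed sample (stock UPX names its sections UPX0/UPX1). The OEP value itself comes from tracing, as described above; this code only patches the header. The `build_sample_pe` helper builds a constructed, headers-only PE32 skeleton so the example runs offline; it is not a real executable.

```python
import struct

# Field offsets inside IMAGE_OPTIONAL_HEADER (same for PE32 and PE32+)
OPT_MAGIC = 0
OPT_ADDRESS_OF_ENTRY_POINT = 16
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECTION_HEADER_SIZE = 40


def nt_headers_offset(data: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def optional_header_offset(data: bytes) -> int:
    """Optional header follows the 4-byte signature and 20-byte file header."""
    opt = nt_headers_offset(data) + 4 + 20
    magic = struct.unpack_from("<H", data, opt + OPT_MAGIC)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return opt


def get_entry_point(data: bytes) -> int:
    """Read AddressOfEntryPoint (an RVA) from the optional header."""
    opt = optional_header_offset(data)
    return struct.unpack_from("<I", data, opt + OPT_ADDRESS_OF_ENTRY_POINT)[0]


def set_entry_point(data: bytes, oep_rva: int) -> bytes:
    """Return a copy of the image whose AddressOfEntryPoint is oep_rva."""
    buf = bytearray(data)
    opt = optional_header_offset(buf)
    struct.pack_into("<I", buf, opt + OPT_ADDRESS_OF_ENTRY_POINT, oep_rva)
    return bytes(buf)


def section_names(data: bytes) -> list:
    """Names from the section table (NumberOfSections at file header +2)."""
    nt = nt_headers_offset(data)
    num_sections = struct.unpack_from("<H", data, nt + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, nt + 20)[0]
    table = nt + 4 + 20 + size_of_opt
    names = []
    for i in range(num_sections):
        raw = data[table + i * SECTION_HEADER_SIZE:table + i * SECTION_HEADER_SIZE + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Triage heuristic only: stock UPX leaves UPX0/UPX1 section names."""
    return any(name.startswith("UPX") for name in section_names(data))


def fix_dumped_exe(src_path: str, dst_path: str, oep_rva: int) -> None:
    """Patch a procdump-style dump on disk so its EP points at the traced OEP."""
    with open(src_path, "rb") as f:
        data = f.read()
    with open(dst_path, "wb") as f:
        f.write(set_entry_point(data, oep_rva))


def build_sample_pe(entry_rva: int, names: list) -> bytes:
    """Constructed headers-only PE32 skeleton for the demonstration (not runnable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                 # PE32 optional header size
    struct.pack_into("<H", opt, OPT_MAGIC, PE32_MAGIC)
    struct.pack_into("<I", opt, OPT_ADDRESS_OF_ENTRY_POINT, entry_rva)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections


if __name__ == "__main__":
    # Constructed sample: EP still points into the UPX stub (0x1A2B0),
    # traced OEP assumed to be 0x1000.
    packed = build_sample_pe(0x1A2B0, ["UPX0", "UPX1", ".rsrc"])
    print("sections:", section_names(packed), "upx:", looks_upx_packed(packed))
    fixed = set_entry_point(packed, 0x1000)
    print(f"EP before {get_entry_point(packed):#x}, after {get_entry_point(fixed):#x}")
```

The section-name check is only a hint: it is trivial for a packer to rename sections, so treat it as a triage signal, not as proof that a sample is or is not packed. After patching, the import table still needs rebuilding as the post says, and the patched file should be examined in a disassembler rather than executed.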

-----Original Message-----
From: Doc [mailto:doc () empius net]
Sent: 08 May 2004 01:02
To: vuln-dev () securityfocus com
Subject: Re: unpacking UPX or PE-packed binaries


I personally prefer to use the following stuff.

runas
procdump
idapro

By creating a guest account on the host pc you mitigate any risk of further
destructive processes.
After studying the many bots available on the internet they all seem to have
a wait process while trying to write to the system32 directory.
Using this to our advantage the executable has already been decompressed by
the pe header and is running in memory.
Open procdump ( http://www.fortunecity.com/millenium/firemansam/962/html/procdump.html ),
select the process, right click on it and dump it to either an unpacked exe
or a dmp file. Sometimes procdump gets stuffed up by the address space an
application occupies and crashes, so just specify a range and work back
until you get a large enough chunk.

steps:

runas /env /user:limited <virus name.exe>
enter the password for the limited account
load procdump, dump the file
switch over to task manager and terminate the process running as the limited user
open idapro and drag the dump file into it, most times it works fine, just
remember to tick the load resources check box
sit back and let it disassemble it.

hope this helped some people

Doc.



