You already know that the malware developers create packed executables in order to try to thwart the security analyst job and make a lighter file easier to download... If the executable is packed we cannot examine the original program which obstructs us from employing a static analysis to know what the malware does...
In this post we have a malware sample called DEMO.exe which we will work with.
If we open the file with PEiD we can check that it has been compressed with UPX. You already know that it is a common compression...
The majority of times we are able to unpack this type of compression automatically with the UPX program. But this time, we haven't been lucky...
If we want to make a static analysis, first we need to unpack the file. To achieve this purpose, we need to follow the next steps:
- To unpack the original file into memory.
- To resolve all of the imports of the original file.
- To find and transfer execution to the original entry point (OEP).
The key to this technique is to run the packed file until it is decompressed by itself, setting a breakpoint, dumping it and setting the OEP and rebuilding their imports.
The first thing we need to do is to load the executable in OllyDbg. We can see that an advertisement appears telling us what we already know: "...reports that its code section is either compressed, encrypted ,or contains large amount of embedded data..."
Ok, let's go. Just loaded the file we can see the program stop at PUSHAD. Press F7 or click on the button to Step into.
Right click at the ESP value and select Follow in Dump...
... select the first four characters and set a Breakpoint.
Press the play button and wait until the program stops at the breakpoint. Now we can see the tail jump at 00ACD7BD. The tail jump is the last instruction of the uncompressing action and in this type of compression is usually followed by a lot of 0x00 bytes. These 0x00 bytes are filling to ensure that the section is properly byte-aligned. Notice that function jumps to a site which is very far away, 004090E8. Just in that instruction, the original program will start.
We resume the program again and it is stopped at the tail jump. We need to press F7 or click on the Step Into bottom.
Now we are in the OEP. Right-clik on this line and click on Dump debugged process in order to dump the process to a disk.
Notice that the OEP (004090E8) is the same that the last address in the "Modify" field, 90E8 . You can press the "Get EIP as OEP". Untick the "Rebuild import" because the import will be rebuilt using Import REConstructor. It is a good idea to copy the value "90E8" for the future...
Save the dump where you want. I have saved the file as "Dumped.exe". Notice if you want to run the program it will fail because it doesn't have the imports. To fix that, just open Import REConstructor and select the file which is being debugged with OllyDbg. In this case "demo.exe"
The next window will appear.
Just paste the value which was copied before in the OPE section and click on IAT AutoSearch.
Click on the Get Imports first and then click on the Fix Dump buttom.
Just pressed "Fix Dump" select the file which was dumped.
Now, we have two files, the first one which was dumped with OllyDbg and the last one, Dumped_.exe which has the imports rebuilt.
If you look at the strings in OllyDbg you can see the differences. In the picture below you can see on the left the strings detected in the packed file and on the right, you can see the strings of the unpacked file.
With VB Decompiler we could try to decompiler it...