Manual Unpacking of Malware Samples
This article presents information on manual unpacking of protected malicious Windows executables using the OllyDbg debugger. It also covers fully rebuilding the import table so the file can be restored to its original state and executed. Many anti-virus vendors categorize UPX, NsPack, ASPack and many other PE packers as malicious software.
A 'packer' is a compression routine that squeezes an executable file. These programs were created to reduce disk space and make downloads faster. Packing makes the original file difficult to understand and makes it tricky to match the file signature of a compressed file. Packers first compress the PE's internal structures, then create the PE header, export table and import table in new structures and attach a code segment before the OEP, called the STUB; i.e. the compressed executable is shifted into the data section of the newly created file. The original PE header and section headers are no longer directly usable, since the data is compressed and the packer has added its stub function.
Manual Unpacking using Olly
Here we deal with unpacking NsPack-compressed executables using Olly. Extra care should be taken while unpacking malware samples in Olly, i.e. create an isolated host (VMware, Sun VirtualBox or a non-networked system) for all experiments on malware samples.
Before we start unpacking, we need to configure Olly and the environment:
Get the OllyDbg program along with the OllyDump plug-in; this is a very common plug-in and very easy to find. Extract 'OllyDump.dll' (the OllyDump plug-in) into the plug-in directory, for example C:\Olly\Plug-in. When you run Olly and check, it should look similar to the figure below.
Having done this, we load the NsPack-packed sample in Olly. While loading we get an alert similar to this:
Click 'OK' to dump and manually analyze to unpack the sample. Most applications are not packed, and Olly's ability to analyze a sample is limited when it is packed. Again Olly warns us that the application is compressed:
Say 'Yes' to continue. To go through the packed sample we run the program step by step so it decompresses the original; step through it with the 'F8' function key. With each press of F8 we can see the register values change. Watching these values change helps us follow what happens in memory as the program executes.
The register values keep changing as the program is stepped through (F8). In Olly the values at the original load are shown on the left, and the values after subsequent F8 presses on the right.
The ESP register is the 32-bit stack pointer and holds the current position in the stack. Values are pushed below the current address, and ESP points to the current top of the stack.
PUSH subtracts 4 from ESP and copies a 32-bit value to the top of the stack; POP copies the 32-bit value from the top of the stack and adds 4 to ESP. Let's move on to find the Original Entry Point (OEP) and rebuild the unpacked sample. To find the OEP, we trace the stack and dump the executable section. The 'Follow in Dump' function shows a dump of the executable section that we follow to find the OEP.
The highlighted 4-byte value in the dump is at the address held in the ESP register. Using this value we set a hardware breakpoint. A hardware breakpoint lets the program execute up to this point and then stops (interrupts) its execution.
With this breakpoint set, run the executable (F9 function key) until it hits the breakpoint. This leads to a 'JUMP' instruction.
Step over (F8) once more: the unpacker has executed, the code was written to these memory locations, and now the code is readable.
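The reason a hardware breakpoint on the stack slot that ESP points to lands us on the tail jump is that a compressing stub saves register state on the stack at entry and restores it just before jumping to the OEP. The following is an added example, not code from the article: a tiny model of that stub and of a debugger watching one stack address. The instruction list, register contents (0x11, 0x22, 0x33) and stack address are constructed; the 0x4EEC0 value is the OEP the article reads off OllyDump, used here only as a label for the jump target.

```python
# Added example (not from the article): model of the "ESP trick" used to find the
# tail jump of an unpacker stub with a hardware breakpoint on the stack.

# Assumed stub layout (typical of compressing packers; the article does not list the
# stub's instructions): save registers, decompress, restore registers, jump to OEP.
# Register names and the 0x11/0x22/0x33 contents below are constructed sample values.
STUB = [
    ("push", "ebx"),            # save register state on the stack
    ("push", "esi"),
    ("push", "edi"),
    ("mov", ("eax", 0xDEAD)),   # stand-ins for the decompression loop
    ("mov", ("ecx", 0xBEEF)),
    ("pop", "edi"),             # restore state: the first saved dword is read back last
    ("pop", "esi"),
    ("pop", "ebx"),
    ("jmp", 0x4EEC0),           # tail jump to the OEP (value the article reads from OllyDump)
]


def run_with_esp_breakpoint(program, stack_top=0x0012FF80):
    """Execute the stub model with a hardware breakpoint on access to the dword that
    ESP points at right after the first PUSH; report where the debugger stops."""
    esp = stack_top
    stack = {}                                   # address -> 32-bit value
    regs = {"eax": 0, "ecx": 0, "ebx": 0x11, "esi": 0x22, "edi": 0x33}
    watch = None                                 # hardware breakpoint address
    stopped_at = None                            # index of the instruction Olly stops on
    for pc, (op, arg) in enumerate(program):
        if op == "push":
            esp -= 4
            stack[esp] = regs[arg]
            if watch is None:
                # "Follow in Dump" on ESP highlights this dword; the hardware
                # breakpoint (on access) is set on exactly this address.
                watch = esp
        elif op == "pop":
            value = stack.pop(esp)
            if esp == watch and stopped_at is None:
                # The restore reads the watched slot: the breakpoint fires after this
                # instruction, so the debugger stops on the next one.
                stopped_at = pc + 1
            regs[arg] = value
            esp += 4
        elif op == "mov":
            reg, value = arg
            regs[reg] = value
        elif op == "jmp":
            return {
                "stopped_at": stopped_at,
                "next_instruction": program[stopped_at][0] if stopped_at is not None else None,
                "oep": arg,
                "registers_restored": (regs["ebx"], regs["esi"], regs["edi"]) == (0x11, 0x22, 0x33),
                "stack_balanced": esp == stack_top,
            }
    raise RuntimeError("stub did not reach its tail jump")


if __name__ == "__main__":
    print(run_with_esp_breakpoint(STUB))
```

The model stops on instruction 8, the JMP, with the stack back at its starting depth and the saved registers restored, which is the state the article describes when the breakpoint hits and one more F8 lands on the OEP.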
The next step is to dump the process. For this we need the OllyDump plug-in installed.
When the process is dumped:
have a good look at the Sections part: .nsp0, .nsp1, .nsp2.
Unselect the 'Rebuild Import' option; observe that the sections are marked as an NsPack-packed executable with a few obfuscation options. Select 'Dump' and save this file (xxx.exe). Now we use PEiD and RDG Packer Detector to check whether it is still packed:
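The section names seen in OllyDump (.nsp0, .nsp1, .nsp2) and the PEiD check can both be scripted. The following is an added example, not the article's code and not what PEiD does internally (PEiD matches entry-point byte signatures; this uses a simpler heuristic): it walks the PE headers, lists the sections with their entropy, and flags packer section names and an entry point in a high-entropy section. The NsPack names come from the article; the UPX and ASPack names are those packers' default section names; the list is illustrative, not exhaustive. The sample PE is constructed in the block so it runs offline.

```python
import math
import struct
from collections import Counter

# Added example (not from the article). Section names known packers leave behind:
# NsPack names as shown in the article, UPX/ASPack defaults. Illustrative only.
PACKER_SECTION_NAMES = {
    b".nsp0": "NsPack", b".nsp1": "NsPack", b".nsp2": "NsPack",
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table (PE32 or PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                         # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * 40                        # IMAGE_SECTION_HEADER
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    return {"entry_rva": entry_rva, "sections": sections}


def triage(pe: bytes) -> dict:
    """Flag packer section names and an entry point inside a high-entropy section."""
    info = parse_pe(pe)
    ep = info["entry_rva"]
    ep_section = next((s["name"] for s in info["sections"]
                       if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    packers = sorted({PACKER_SECTION_NAMES[s["name"]] for s in info["sections"]
                      if s["name"] in PACKER_SECTION_NAMES})
    high_entropy = [s["name"] for s in info["sections"] if s["entropy"] > 7.0]
    return {"entry_rva": ep, "entry_section": ep_section, "packers": packers,
            "high_entropy_sections": high_entropy,
            "likely_packed": bool(packers) or ep_section in high_entropy}


def build_sample_pe(sections, entry_rva, image_base=0x400000) -> bytes:
    """Constructed minimal PE32 image for testing; sections = [(name, va, vsize, raw)]."""
    size_opt = 0xE0                                          # PE32 optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    headers_end = 0x40 + 4 + len(coff) + size_opt + 40 * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF                # file alignment 0x200
    table, blobs = b"", b""
    for name, va, vsize, raw in sections:
        ptr = raw_ptr + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + blobs)


# Constructed NsPack-like layout: an empty .nsp0 the stub unpacks into, a .nsp1 holding
# the compressed payload and stub (entry point lives here), and a tiny .nsp2.
PACKED_SAMPLE = build_sample_pe([
    (b".nsp0", 0x1000, 0x10000, b""),
    (b".nsp1", 0x11000, 0x400, bytes(range(256)) * 4),      # maximum-entropy filler
    (b".nsp2", 0x12000, 0x100, b"\0" * 0x100),
], entry_rva=0x11010)

if __name__ == "__main__":
    print(triage(PACKED_SAMPLE))
```

Run it on the dump saved from OllyDump by reading the file into `triage`; after a successful unpack the entry point should sit in a low-entropy code section and no packer section name should remain, which is the same thing the PEiD screenshot is meant to confirm.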
Now select the running process in ImpREC and check the OEP:
Here the OEP is not the correct value (000655A4). We get the correct value (4EEC0) from OllyDump:
Copy the OEP from OllyDump into ImpREC and select the 'IAT AutoSearch' option. When ImpREC finds the value it pops up a message:
Click 'OK' and then 'Get Imports'. Observe that all the imports are successfully found.
ImpREC has correctly found these values; now we need to fix the dump. Click 'Fix Dump' and select the dumped executable file to save the repaired, unpacked executable. And finally the executable runs!