This article presents information on manual unpacking of protected malicious Windows executables using the OllyDbg debugger. It also involve in fully rebuild the import table so the file can be restored to its original state and executed. Many anti-virus vendors are categorized UPX, NsPack, ASpack and many other PE packers as malicious software.
UPX, NsPack, ASpack are the most common packers, here I will concentrate more in NSpack 3.7. For this analysis we need good knowledge on few topics: PE file format, Basic on Win32 API and few tools are required like OllyDebug 1.10 , OllyScript Plug-in, OllyDump plug-in, Import ReConstructor.
Packers ???
A 'Packer' is a compression routine that squeezes an executable file. These programs created to reduce disk space and make downloads faster. It makes difficult to understand the original file and make it tricky to match the file signature of a compressed file.
Packers initially send PE internal structures and then it identifies PE header, Export table, and import table in new structures & attaches code segment before OEP, called as STUB .i.e. the compressed executable is shifted to data section of newly created file. PE header & section header is no more useful since data is compressed means packer added the stub function.
Manual Unpacking using Olly
Here we deal about unpacking Nspack compressed executables using Olly. Extra care should be taken while unpacking malware samples in Olly .i.e. creating isolated host (VMware or sun virtualBox or non-networked system) for all these experiments on malware samples. To create a isolated safe environment, you will find lot of supporting documents by GÖÖGLING & very important is to be a good friend of Google.
Before we start unpacking, we need to configure Olly & environment:
Get OllyDbg program along with OllyDump plug-in, this is very common plug & very easy to find. Extract ‘OllyDump.dll’ (OllyDump plug-in) in the plug-in directory, for example: C:\Olly\Plug-in… when you execute Olly & check it should be something similar to below figure.
So having this done we move on to load Nspack in Olly. While loading we get an alert, something similarly to this:
UPX, NsPack, ASpack are the most common packers, here I will concentrate more in NSpack 3.7. For this analysis we need good knowledge on few topics: PE file format, Basic on Win32 API and few tools are required like OllyDebug 1.10 , OllyScript Plug-in, OllyDump plug-in, Import ReConstructor.
Packers ???
A 'Packer' is a compression routine that squeezes an executable file. These programs created to reduce disk space and make downloads faster. It makes difficult to understand the original file and make it tricky to match the file signature of a compressed file.
Packers initially send PE internal structures and then it identifies PE header, Export table, and import table in new structures & attaches code segment before OEP, called as STUB .i.e. the compressed executable is shifted to data section of newly created file. PE header & section header is no more useful since data is compressed means packer added the stub function.
Manual Unpacking using Olly
Here we deal about unpacking Nspack compressed executables using Olly. Extra care should be taken while unpacking malware samples in Olly .i.e. creating isolated host (VMware or sun virtualBox or non-networked system) for all these experiments on malware samples. To create a isolated safe environment, you will find lot of supporting documents by GÖÖGLING & very important is to be a good friend of Google.
Before we start unpacking, we need to configure Olly & environment:
Get OllyDbg program along with OllyDump plug-in, this is very common plug & very easy to find. Extract ‘OllyDump.dll’ (OllyDump plug-in) in the plug-in directory, for example: C:\Olly\Plug-in… when you execute Olly & check it should be something similar to below figure.
 |
| OllyDump Plug-in |
So having this done we move on to load Nspack in Olly. While loading we get an alert, something similarly to this:
 |
| Entry Point Alert
Click ‘OK’ to dump and manually analyze to unpack the sample.
Most of the applications are not packed & Olly’s ability to analysis is
limited even it is packed. Again Olly is warning us, saying that application is
compressed:
 Say ‘Yes’ to continue further. To go through the packed sample we run the program by steps & decompress the original, so go through the program step by step ‘F8’ function key. With subsequent hit of F8 we can see the changes in Registers values. We can watch these value changes help in system memory as the program executes. The registers value keep changing as the program is steeped through, (F8). In Olly these register values keep changing with the original load on the left side, along with the subsequent F8 hits on right side. 
The ESP register is 32 bit stack pointer & it has the
current position in the stack. The values are pushed below the address &
ESP points to the current top of stack.
 PUSH subtracts 4 from the SP & copies 32 bit value on top of stack, POP copies 32 bit value on top of stack, added 4 to SP.
Let’s move on to find
the Original Entry Point (OEP) & rebuild the unpacked sample.
To find OEP, we trace the stack and dump executable section.
The ‘follow in dump’ function provides a dump of executable section to follow
to find OEP.
The highlighted 4 byte value, dump contains the address of
the ESP register.
Using this value we set a hardware breakpoint. Hardware breakpoint let us to go along the execution of the program to this point and then to stop (or interrupt) the execution of the program.
With this breakpoint
set, run the executable (F9 function key) until it hits the breakpoint. It
leads to‘JUMP’ command.
Move further StepOver
(F8) … unpacker executed, the code was
written to these memory locations, now the code readable.
When process is Dumped:
Unselect the ‘Rebuild
Import’ option, observe that sections are marked as Nspack packed executable
with few obfuscation options. Select
‘Dump’ & save this file (xxx.exe).
So now we use PEid &
RDG packet detector to check weather its packed or not:
 
Now we see that file is
no packed any more.
The Sample will not
execute until Import Address Table (IAT) is fixed. ImpRec tool is used to fix IAT.
So include the running
process in ImpRec & check OEP :
Here OEP is not right
value (000655A4). We get correct value (4EEC0) from OllyDump:
 Copy OEP from Ollydump, past in ImpREC & select ‘IAT AutoSearch’ option. When ImpREC finds the value it pops up a massage: 
Click ‘OK’ & ‘Get
Imports’. And Observer all the Imports are
successfully found.
ImpRec has correctly founds
these values, we need to fix the dump. Click on ‘Fix Dump’ & select the
dumped executable file to save repaired & unpacked executable file.
Now the unpacked executable is will
run !!!
|
No comments:
Post a Comment