Malware Unpacking Notes
Table of Contents
- Different types of packers
- Detecting Packed Malware
- Common Packer Functionality
- To fix the mapped executable after unpacking
- Some APIs to focus
Different types of packers
- Free - easiest: UPX, nPack, MEW, PolyCryptor, MPRESS, PE Protector
- Regular: Warzone/Yakuza/Atilla/Spartan Crypter, AspireCrypt, Emotet, Dridex, ISFB, Trickbot
- Commercial - not regular: VMProtect, Themida, Obsidium, Armadillo, ASPack, PELock
Detecting Packed Malware
- Signatures: Use tools like PEiD and YaraScan to detect packers based on rules.
- Strings: A lack of strings can be an indicator.
- Imports: A lack of imports can be an indicator.
- Section names: Packers commonly add extra sections.
- Entropy: High entropy can be an indicator.
- Raw/Virtual sizes: Noticeable differences between the two can be an indicator.
Common Packer Functionality
To fix the mapped executable after unpacking
- Set each section's raw address equal to its virtual address, and its raw size equal to its virtual size. (PE Bear)
- Fix the image base to match the address the executable was mapped at in process memory when dumping out the mapped executable. (System Informer + PE Bear)
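A worked example, added here and not part of the original notes, that applies two of the detection heuristics above (section entropy and raw/virtual size mismatch) and performs the two header fixes from the unpacking section on a dumped image. It parses the PE headers with struct directly; the 7.0-bit entropy threshold and the constructed UPX-style sample binary are assumptions, not values from the notes.

```python
import struct
from collections import Counter
from math import log2

SEC = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...

def _headers(pe):  # -> (optional header offset, section table offset, section count)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)  # NumberOfSections, SizeOfOptionalHeader
    return e_lfanew + 24, e_lfanew + 24 + opt_size, nsec

def entropy(data):  # Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0

def packing_indicators(pe):
    """Two of the heuristics from the notes, applied per section: entropy and raw/virtual size mismatch."""
    _, sec_off, nsec = _headers(pe)
    findings = []
    for i in range(nsec):
        name, vsize, va, rsize, praw = struct.unpack_from(SEC, pe, sec_off + 40 * i)[:5]
        name = name.rstrip(b"\0").decode(errors="replace")
        ent = entropy(pe[praw:praw + rsize])
        if ent > 7.0:  # 7.0 is an assumed threshold, not a value from the notes
            findings.append(f"{name}: high entropy {ent:.2f}")
        if vsize > 2 * max(rsize, 1):  # e.g. raw size 0: the stub fills the section at runtime
            findings.append(f"{name}: virtual size {vsize:#x} >> raw size {rsize:#x}")
    return findings

def fix_dumped_image(dump, image_base):
    """Repair a dumped image: raw offset/size := virtual address/size, ImageBase := address it was dumped from."""
    pe = bytearray(dump)
    opt, sec_off, nsec = _headers(pe)
    for i in range(nsec):
        hdr = list(struct.unpack_from(SEC, pe, sec_off + 40 * i))
        hdr[3], hdr[4] = hdr[1], hdr[2]  # SizeOfRawData = VirtualSize, PointerToRawData = VirtualAddress
        struct.pack_into(SEC, pe, sec_off + 40 * i, *hdr)
    fmt, off = ("<I", 28) if struct.unpack_from("<H", pe, opt)[0] == 0x10B else ("<Q", 24)  # PE32 vs PE32+
    struct.pack_into(fmt, pe, opt + off, image_base)
    return bytes(pe)

def build_sample():
    """Constructed minimal PE32 in a UPX-style layout (not a real binary): empty UPX0, high-entropy UPX1."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = struct.pack("<H26xI", 0x10B, 0x400000).ljust(0xE0, b"\0")  # Magic PE32, ImageBase at +28
    secs = struct.pack(SEC, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)  # raw size 0
    secs += struct.pack(SEC, b"UPX1", 0x400, 0x11000, 0x400, 0x200, 0, 0, 0, 0, 0xE0000040)
    return (dos + coff + opt + secs).ljust(0x200, b"\0") + bytes(range(256)) * 4  # payload at 0x200
```

Running packing_indicators(build_sample()) flags UPX0 for its empty raw data and UPX1 for its 8.0-bit entropy; fix_dumped_image rewrites the section table and ImageBase the same way the PE Bear steps above do by hand.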
Some APIs to focus
- CreateProcessInternalW()
- VirtualAlloc() / VirtualAllocEx()
- VirtualProtect() / ZwProtectVirtualMemory()
- WriteProcessMemory() / NtWriteProcessMemory()
- ResumeThread() / NtResumeThread()
- CryptDecrypt() / RtlDecompressBuffer()
- NtCreateSection() + MapViewOfSection() / ZwMapViewOfSection()
- UnmapViewOfSection() / ZwUnmapViewOfSection()
- NtWriteVirtualMemory()
- NtReadVirtualMemory()