A forum for reverse engineering, OS internals and malware analysis 

 #24515  by EP_X0FF
 Wed Dec 03, 2014 4:52 pm
rever_ser wrote:Excuse me, sir!
Can you guide me on what base knowledge about unpacking I should learn?
Because, as I said, I am a junior in malware analysis. I want to know which kind of practices I should do.
I am very interested in becoming an expert malware unpacker.
Thanks for your attention.
http://www.kernelmode.info/forum/viewto ... ?f=13&t=31
 #24548  by rever_ser
 Mon Dec 08, 2014 12:05 pm
Thanks for replying to me.
I took more time on the Zeus sample and found out this is not packed at all!
I explain more reasons below:

Well.. that file isn't packed at all.. the entrypoint is pretty typical too, from an old compiler

Number  Name    VirtSize  RVA       PhysSize  Offset    Flag
1       .text   00006C7F  00001000  00007000  00001000  60000020
2       .rdata  00001450  00008000  00002000  00008000  40000040
3       .data   00000898  0000A000  00001000  0000A000  C0000040
4       .rsrc   000197E4  0000B000  0001A000  0000B000  40000040

Notice how the virtual size is close to or the same as the physical size (section and file alignment play a part here).
If it was packed, they would be quite different indeed...

Also, the entrypoint is in the first section, which usually indicates it's not packed.

[Entrypoint Section Entropy] : 6.20 (section #0) ".text " | Size : 0x6C7F (27775) byte(s)

The closer to 8 this is, the higher the chance it's packed.. this one's not really that close.

As you said in the previous post, "Set bp on CreateProcess. This crapware uses CreateProcess for cmd.exe to stop certain Windows services. Once you are on the breakpoint, inspect dropper virtual memory for huge RWE region that contain decrypted malware body", but I couldn't access the virtual memory to inspect it!

Thanks in advance
 #24549  by EP_X0FF
 Mon Dec 08, 2014 1:46 pm
Packed data is outside PE in overlay. You didn't read what I told you. I don't know how you access virtual memory of this process. Show screenshot.
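Added example, not code from the thread or from any of its participants: a Python script that parses a PE section table from raw bytes and computes the indicators discussed in #24548 and #24549 (virtual size versus physical size per section, which section holds the entry point, the entropy of that section, and the size and entropy of any overlay appended after the last section's raw data, which the loader never maps). The first constructed image copies the section layout from the table quoted above; its byte contents, the random-byte overlay standing in for an appended payload, the packer-style second image with the made-up section names SEC0/SEC1, and the thresholds (2x size ratio, W+X section flags) are this example's own assumptions, not measurements of the real sample.

```python
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_pe(sections, entry_point, overlay=b""):
    """Assemble a minimal PE32 image in memory (constructed test input only).
    sections: (name, VirtualSize, VirtualAddress, SizeOfRawData,
               PointerToRawData, Characteristics, raw_bytes) tuples."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)   # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIII12xI", n, vs, va, rs, rp, ch)
                     for n, vs, va, rs, rp, ch, _ in sections)
    hdr = bytes(dos) + b"PE\0\0" + coff + opt + table
    end = max([rp + rs for _, _, _, rs, rp, _, _ in sections] + [len(hdr)])
    img = bytearray(end)
    img[:len(hdr)] = hdr
    for _, _, _, rs, rp, _, raw in sections:
        img[rp:rp + rs] = raw[:rs].ljust(rs, b"\0")
    return bytes(img) + overlay


def analyze_pe(data: bytes) -> dict:
    """Parse the section table and compute the packing indicators from the thread."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    secs = []
    for i in range(nsec):
        n, vs, va, rs, rp, ch = struct.unpack_from("<8sIIII12xI", data, opt + opt_size + 40 * i)
        secs.append(dict(name=n.rstrip(b"\0").decode("ascii", "replace"),
                         vsize=vs, va=va, rawsize=rs, rawptr=rp, chars=ch))
    # Entry point in section 0 is the normal compiler layout; packer stubs
    # usually sit in a later section.
    ep_idx = next((i for i, s in enumerate(secs)
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    ep_raw = b""
    if ep_idx is not None:
        s = secs[ep_idx]
        ep_raw = data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    # VirtualSize far above SizeOfRawData (or no raw data at all) is the shape of
    # a section that an unpacking stub fills at run time (2x is this example's threshold).
    inflated = [s["name"] for s in secs if s["rawsize"] == 0 or s["vsize"] > 2 * s["rawsize"]]
    wx = [s["name"] for s in secs
          if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]
    # Overlay: everything after the last section's raw data; never mapped by the loader.
    data_end = max([s["rawptr"] + s["rawsize"] for s in secs] + [0])
    overlay = data[data_end:]
    return dict(sections=[s["name"] for s in secs], ep_section=ep_idx,
                ep_entropy=round(shannon_entropy(ep_raw), 2), inflated=inflated,
                writable_exec=wx, overlay_size=len(overlay),
                overlay_entropy=round(shannon_entropy(overlay), 2))


def sample_unpacked_with_overlay() -> bytes:
    """Section layout copied from the thread's table; contents constructed: .text holds
    a repeating code-like byte pattern, the overlay is random bytes standing in for
    an encrypted payload appended to the file."""
    rng = random.Random(2014)
    text = (b"\x55\x8b\xec\x83\xec\x10\x56\x8b\x75\x08\xe8\x00\x00\x00\x00\x5e\xc9\xc3" * 1600)[:0x7000]
    overlay = bytes(rng.getrandbits(8) for _ in range(0x4000))
    secs = [(b".text", 0x6C7F, 0x1000, 0x7000, 0x1000, 0x60000020, text),
            (b".rdata", 0x1450, 0x8000, 0x2000, 0x8000, 0x40000040, b""),
            (b".data", 0x0898, 0xA000, 0x1000, 0xA000, 0xC0000040, b""),
            (b".rsrc", 0x197E4, 0xB000, 0x1A000, 0xB000, 0x40000040, b"")]
    return build_pe(secs, entry_point=0x1200, overlay=overlay)


def sample_packer_layout() -> bytes:
    """Constructed packer-style image (names SEC0/SEC1 are made up): empty first
    section with a large VirtualSize, entry point in a small high-entropy second section."""
    rng = random.Random(7)
    stub = bytes(rng.getrandbits(8) for _ in range(0x3000))
    secs = [(b"SEC0", 0x20000, 0x1000, 0, 0, 0xE0000080, b""),
            (b"SEC1", 0x3000, 0x21000, 0x3000, 0x1000, 0xE0000040, stub)]
    return build_pe(secs, entry_point=0x21100)


if __name__ == "__main__":
    for label, fn in (("unpacked+overlay", sample_unpacked_with_overlay), ("packer-like", sample_packer_layout)):
        print(label, analyze_pe(fn()))
```

Run it and the first image reports the thread's picture: entry point in section 0, low .text entropy, no inflated sections, but a 16 KiB overlay with entropy near 8, which is where the attention belongs. The second image reports the opposite profile (entry point in section 1, an inflated W+X section, no overlay), so the two cases show which indicator fires for which layout.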
 #24624  by rever_ser
 Tue Dec 16, 2014 8:14 am
As you said in the last post, "This crapware (zeus) uses CreateProcess for cmd.exe to stop certain Windows services".

Could you say which services are stopped by this malware? And why?
 #24628  by EP_X0FF
 Tue Dec 16, 2014 10:18 am
rever_ser wrote:As you said in the last post, "This crapware (zeus) uses CreateProcess for cmd.exe to stop certain Windows services".

Could you say which services are stopped by this malware? And why?
Can you seriously not figure it out yourself?

Image
 #24637  by Foxxy
 Wed Dec 17, 2014 1:54 am
EP_X0FF wrote:
rever_ser wrote:As you said in the last post, "This crapware (zeus) uses CreateProcess for cmd.exe to stop certain Windows services".

Could you say which services are stopped by this malware? And why?
Can you seriously not figure it out yourself?

Image
Unrelated, but what is the font and color scheme you are using? I like it a lot!
 #24639  by EP_X0FF
 Wed Dec 17, 2014 7:48 am
Code:
[Appearance]
CPU scheme=0
CPU Disassembler=1,4,0,0,2
CPU Dump=1,4,1,0,4353,0
CPU Stack=1,7,1,0
CPU Info=1,0,0,0
CPU Registers=1,7,1,0
Patches=1,0,1,0,0
Call stack=1,0,1,0,0
References=1,0,1,0,0
Memory map=1,0,1,0,0
Executable modules=1,0,1,0,0
Log data=1,0,1,0,0
Windows=1,0,1,0,0
Threads=1,0,1,0,0
Run trace=1,0,1,0,0
Breakpoints=1,0,1,0,0
Handles=1,0,1,0,0
Call tree=1,0,1,0,0
Script Log Window=1,0,1,0,0
Script Execution=1,0,1,0,0
Source=1,0,0,0,0
Source files=1,0,1,0,0

[Columns]
CPU Disassembler=54,102,240,1536
CPU Dump=54,288,102
CPU Stack=54,60,1536
Patches=54,30,48,192,192,1536
Call stack=54,54,216,168,54
References=54,240,1536
Memory map=54,54,54,54,72,30,48,48,1536
Executable modules=54,54,54,54,96,1536
Log data=54,1536
Windows=78,192,54,54,54,54,54,54,54,1536
Threads=54,54,66,108,60,54,72,72
Run trace=54,54,54,54,192,1536
Breakpoints=54,54,150,216,1536
Handles=54,90,36,54,18,72,1536
Call tree=192,192,192,192
Script Log Window=54,780
Script Execution=30,410,90,54,600
Source=48,1536
Source files=54,96,1536

[Colours]
Scheme[0]=0,12,8,18,7,8,7,13
Scheme name[0]=Black on white
Scheme[1]=14,12,7,1,3,7,3,13
Scheme name[1]=Yellow on blue
Scheme[2]=1,12,3,11,14,2,7,13
Scheme name[2]=Marine
Scheme[3]=15,12,7,0,8,11,7,13
Scheme name[3]=Mostly black
Scheme[4]=1,15,0,7,8,4,1,15
Scheme name[4]=Scheme 4
Scheme[5]=14,12,7,1,3,7,3,13
Scheme name[5]=Scheme 5
Scheme[6]=1,12,3,11,14,2,7,13
Scheme name[6]=Scheme 6
Scheme[7]=15,14,7,0,8,11,7,13
Scheme name[7]=Scheme 7

[Fonts]
Font[0]=12,8,400,0,0,0,255,2,49,0
Face name[0]=Terminal
Font name[0]=OEM fixed font
Font[1]=9,6,700,0,0,0,255,0,48,4
Face name[1]=Terminal
Font name[1]=Terminal 6
Font[2]=15,8,400,0,0,0,178,2,49,0
Face name[2]=Fixedsys
Font name[2]=System fixed font
Font[3]=14,0,400,0,0,0,1,2,5,0
Face name[3]=Courier New
Font name[3]=Courier (UNICODE)
Font[4]=10,6,400,0,0,0,1,2,5,0
Face name[4]=Lucida Console
Font name[4]=Lucida (UNICODE)
Font[5]=9,6,700,0,0,0,255,0,48,0
Face name[5]=Terminal
Font name[5]=Font 5
Font[6]=15,8,400,0,0,0,178,2,49,0
Face name[6]=Fixedsys
Font name[6]=Font 6
Font[7]=14,0,400,0,0,0,1,2,5,0
Face name[7]=Courier New
Font name[7]=Font 7

[Syntax]
Commands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[0]=No highlighting
Commands[1]=0,4,124,112,9,64,64,13,111,8,12,0,0,0
Operands[1]=1,0,4,13,65,1,112,6,0,0,0,0,0,0
Scheme name[1]=Christmas tree
Commands[2]=1,0,124,112,9,64,80,13,12,1,15,0,0,0
Operands[2]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[2]=Jumps'n'calls
Commands[3]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[3]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[3]=Hilite 3
Commands[4]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[4]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[4]=Hilite 4