Hi!
I'm having a hard time unpacking a malware which is using process hollowing as an injection technique.
The malware spawns a new iexplorer.exe process and then calls WriteProcessMemory twice. The first time a buffer containing a PE file is written to the process. I tried to dump this buffer directly from memory but the result seems to have misaligned sections and won't run (Not a valid Win32 application). The second WriteProcessMemory call patches the PEB of the newly created process. After that the ThreadContext is altered using SetThreadContext.
As a next try I attached my debugger to the newly created iexplorer.exe after the ThreadContext was set but before the process was resumed. I switched the thread and set a breakpoint on EAX, which from my understanding should contain the OEP of the unpacked malware (?). I resumed iexplorer and the BP was hit. After that I tried to dump the process using Scylla but again the result was not a runnable executable. Am I missing something or can I try something else?
Sample: https://www.virustotal.com/#/file/bf600 ... /detection
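Added worked example, not from the post or its author: a small Python helper for the "misaligned sections" symptom described above. A PE read straight out of the target's memory is in its virtual (section-aligned) layout, but its section headers still carry the on-disk PointerToRawData and SizeOfRawData values, so a loader that opens the dump as a file reads every section from the wrong offset. The fixer below rewrites each section's raw pointer to equal its RVA, sets the raw size to the section-aligned VirtualSize (clipped to what the dump actually contains), makes FileAlignment equal to SectionAlignment so the rewritten sizes stay valid, and optionally writes an OEP RVA into AddressOfEntryPoint. Assumptions: the dump starts at the image base that the PEB patch points to, so the OEP RVA is the thread context's EAX minus that base; the header offsets are the standard PE32/PE32+ layout; and build_sample_dump() is a constructed two-section image used only as input (it is not the sample from the post).

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def _align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_headers(data):
    """Read the few PE header fields a dump fixer needs (PE32 and PE32+ share these offsets)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_of_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                              # IMAGE_OPTIONAL_HEADER starts here
    entry_point, = struct.unpack_from("<I", data, opt + 16)
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    return {
        "num_sections": num_sections,
        "opt_offset": opt,
        "section_table": opt + size_of_opt,          # section headers follow the optional header
        "entry_point": entry_point,
        "section_alignment": section_align,
        "file_alignment": file_align,
    }


def fix_memory_dump(dump, oep_rva=None):
    """Rewrite a memory-layout PE so its raw section offsets equal the RVAs.

    Returns (fixed_bytes, [(name, rva, new_raw_ptr, new_raw_size), ...]).
    oep_rva, if given, replaces AddressOfEntryPoint (e.g. EAX from the context minus the base).
    """
    buf = bytearray(dump)
    h = parse_headers(buf)
    sections = []
    for i in range(h["num_sections"]):
        off = h["section_table"] + i * SECTION_HEADER_SIZE
        name, vsize, va = struct.unpack_from("<8sII", buf, off)
        raw_ptr = va                                 # in memory, file offset == RVA
        raw_size = min(_align_up(vsize, h["section_alignment"]), max(len(buf) - va, 0))
        struct.pack_into("<II", buf, off + 16, raw_size, raw_ptr)   # SizeOfRawData, PointerToRawData
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, raw_ptr, raw_size))
    # Raw sizes are now multiples of SectionAlignment; make FileAlignment match so the header stays consistent.
    struct.pack_into("<I", buf, h["opt_offset"] + 36, h["section_alignment"])
    if oep_rva is not None:
        struct.pack_into("<I", buf, h["opt_offset"] + 16, oep_rva)
    return bytes(buf), sections


def sections_match_file_layout(data):
    """True if every section's raw pointer equals its RVA and the raw range lies inside the file."""
    h = parse_headers(data)
    for i in range(h["num_sections"]):
        off = h["section_table"] + i * SECTION_HEADER_SIZE
        _, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_ptr != va or raw_ptr + raw_size > len(data):
            return False
    return True


def build_sample_dump():
    """Constructed input: a minimal PE32 image laid out as it sits in memory (0x3000 bytes)."""
    section_align, file_align = 0x1000, 0x200
    image = bytearray(0x3000)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                      # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, 224-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", image, opt + 28, 0x400000)              # ImageBase (constructed)
    struct.pack_into("<II", image, opt + 32, section_align, file_align)
    struct.pack_into("<I", image, opt + 56, 0x3000)                # SizeOfImage
    struct.pack_into("<I", image, opt + 60, 0x200)                 # SizeOfHeaders
    sect_table = opt + 224
    # Section headers still carry the on-disk raw pointers (0x400, 0x800): this is the misalignment.
    struct.pack_into(SECTION_HEADER_FMT, image, sect_table,
                     b".text", 0x300, 0x1000, 0x400, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HEADER_FMT, image, sect_table + SECTION_HEADER_SIZE,
                     b".data", 0x100, 0x2000, 0x200, 0x800, 0, 0, 0, 0, 0xC0000040)
    image[0x1000:0x1004] = b"\x55\x8B\xEC\xC3"                     # constructed bytes standing in for code
    return bytes(image)


if __name__ == "__main__":
    fixed, secs = fix_memory_dump(build_sample_dump(), oep_rva=0x1040)
    for name, rva, raw_ptr, raw_size in secs:
        print(f"{name:8} RVA=0x{rva:05X} raw=0x{raw_ptr:05X} size=0x{raw_size:05X}")
    print("layout consistent:", sections_match_file_layout(fixed))
```

On a real dump, read the image from the hollowed process starting at the base written into the PEB (the second WriteProcessMemory in the post) for SizeOfImage bytes, pass that buffer to fix_memory_dump() with the OEP RVA, and run sections_match_file_layout() on the result before trying to load it. Imports are not rebuilt here; a dump taken before the hollowed image has been resumed usually still has its original import table, which is the case the post describes.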