Cpu Unpacker
4/20/2021
In our latest TechBlog article we will take a look at how packers work and how to unpack malware without running it. Packers are commonly used by malware authors to hide the contents of a binary.

What is Ldpinch

Ldpinch is an old info-stealer malware which tries to steal credentials for different applications from a victim's PC. The malware runs on Windows systems with 32-bit support and is a regular Portable Executable (PE).

Why unpacking

Like most malware, Ldpinch is packed to make reverse-engineering and manual analysis more difficult. In a packed file, the assembly instructions which describe the behavior of the program are not directly available in the binary on disk. Instead, when the malware is loaded into memory, an unpacker decrypts the encrypted instructions so that the CPU can execute them. If a malware analyst wants to reverse-engineer the malware, they first have to unpack it; otherwise any disassembler will only display meaningless gibberish.

How to unpack Ldpinch

In this section we will see how Ldpinch can be statically unpacked in such a way that all assembly instructions become visible in a disassembler. The SHA256 of the malware sample used is: cc65200e7c748e095f65a8d22ecf8618257cc1b2163e1f9df407a0a47ae17b79

We will use Cutter to reverse-engineer the malware sample. Cutter is a free and open-source disassembler and reverse-engineering tool, based on the radare2 reverse-engineering suite.

First impression

[Figure: Custom entry point and writable CODE section (Image: G DATA)]

After opening the sample in Cutter, two things immediately stand out. First, usually a PE file has the entry point somewhere in the NTDLL, which runs some initialization code. After that, execution is handed over to the entry point of the application itself. In the case of Ldpinch, the entry point is a custom entry point appended right after the CODE section of the PE file. The second unusual property of the binary is that the CODE section has the write attribute. This means that it is possible to overwrite code while the sample is executed. For security reasons, the CODE section is usually read and execute only. These two properties are a strong indicator for a packed malware sample: the malware needs to overwrite the packed code with unpacked code, which is the reason for the writable CODE section, and the unpacker itself needs to be somewhere, so the malware authors simply appended it to the CODE section.

To verify our assumption, we jump to the CODE section by double-clicking on it in the comments window. Right after the jumps, the code for the application should start, but instead there are a lot of assembly instructions which make no sense in this order and even a few invalid instructions. The disassembler tries its best to translate the machine code into human-readable assembly instructions, but in this case the output is either invalid or simply wrong.

[Figure: Invalid and wrongly disassembled instructions (Image: G DATA)]

Our objective is therefore to make the code readable again.
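As an added example (not code from the G DATA article, Cutter or radare2), the following Python script checks a PE file's headers for the two triage indicators discussed above: a section that is both writable and executable, and an entry point that lies inside a writable section. The two PE images it inspects are constructed in the script as test input; the helper names `build_pe32` and `packer_indicators` and the section layout values are assumptions chosen for the example.

```python
import struct

# Section-characteristic bits from the PE/COFF specification.
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_pe32(sections, entry_rva):
    """Constructed, header-only PE32 image used as test input (not a real sample).
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    e_lfanew, opt_size = 0x40, 224                      # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    hdrs = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"),
                                vs, va, 0, 0, 0, 0, 0, 0, fl)
                    for n, va, vs, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

def packer_indicators(data):
    """Report the two header-level signs described above: sections that are
    writable and executable, and an entry point that lies in a writable section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", data, coff + 20 + 16)[0]
    sec_off = coff + 20 + opt_size
    wx, entry_section, entry_writable = [], None, False
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_HDR, data, sec_off + 40 * i)
        name, vsize, va, flags = fields[0].rstrip(b"\0").decode(), fields[1], fields[2], fields[9]
        if flags & SCN_EXECUTE and flags & SCN_WRITE:
            wx.append(name)
        if va <= entry_rva < va + vsize:            # entry point falls in this section
            entry_section, entry_writable = name, bool(flags & SCN_WRITE)
    return {"wx_sections": wx, "entry_section": entry_section,
            "entry_in_writable_section": entry_writable}

# Constructed layouts: one mimicking the Ldpinch observations (writable CODE section,
# entry point at its far end) and one with a conventional read/execute CODE section.
RX, RW = SCN_READ | SCN_EXECUTE, SCN_READ | SCN_WRITE
PACKED_LIKE = build_pe32([("CODE", 0x1000, 0x3000, RX | SCN_WRITE), ("DATA", 0x4000, 0x1000, RW)], 0x3F00)
CLEAN = build_pe32([("CODE", 0x1000, 0x3000, RX), ("DATA", 0x4000, 0x1000, RW)], 0x1000)
```

To triage a real file, pass its bytes to `packer_indicators`; a non-empty `wx_sections` list or `entry_in_writable_section` being true is the same signal the article reads off the Cutter section view.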