Today we look at how to generically unpack ransomware utilizing memory and hardware breakpoints on specific WinAPI functions as well as key memory locations.
Video Walkthrough
Notes
While analyzing this particular ransomware we see indicators that it is packed with UPX; on closer inspection, however, the UPX section names in the PE turn out to be false indicators, which leads us to unpack the file generically using memory breakpoints on VirtualProtect and VirtualAlloc.
These breakpoints let us observe most generic memory operations and inspect the resulting memory regions. We can then place hardware breakpoints on those regions to pinpoint the key deobfuscation routines, which often lead us to the unpacked file or to position-independent shellcode.
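To make the memory-breakpoint approach concrete, here is an added example (not code from the video or the original post) that runs the analyst's reasoning over a breakpoint log. The log format, the `find_dump_candidates` function and the sample lines are all constructed for this example; the Windows protection constants are the real PAGE_* values. A region that was allocated without execute rights and later re-protected to executable, or allocated executable outright, is reported as a candidate to dump and to watch with a hardware breakpoint.

```python
import re

# Real Windows memory-protection constants (winnt.h); any of the high nibble bits means executable.
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Constructed sample of a breakpoint log on VirtualAlloc / VirtualProtect (assumed format:
# one call per line, arguments as hex, return value after "->"). Not a real capture.
SAMPLE_TRACE = """\
VirtualAlloc   addr=0x00000000 size=0x00008000 type=0x3000 protect=0x04 -> ret=0x02A30000
VirtualAlloc   addr=0x00000000 size=0x00001000 type=0x3000 protect=0x04 -> ret=0x02A40000
VirtualProtect addr=0x02A30000 size=0x00008000 newprotect=0x40 -> ret=0x1
VirtualProtect addr=0x00401000 size=0x00002000 newprotect=0x20 -> ret=0x1
"""

LINE_RE = re.compile(
    r"^(?P<api>VirtualAlloc|VirtualProtect)\s+addr=(?P<addr>0x[0-9A-Fa-f]+)\s+size=(?P<size>0x[0-9A-Fa-f]+)"
    r".*?\b(?:new)?protect=(?P<prot>0x[0-9A-Fa-f]+)\s*->\s*ret=(?P<ret>0x[0-9A-Fa-f]+)")


def parse_trace(trace):
    """Turn the log text into dicts with integer fields; lines that do not match are skipped."""
    calls = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append({"api": m["api"], "addr": int(m["addr"], 16), "size": int(m["size"], 16),
                          "prot": int(m["prot"], 16), "ret": int(m["ret"], 16)})
    return calls


def find_dump_candidates(trace):
    """Replay the allocation/protection history and return regions worth dumping.

    Tracked allocations come from VirtualAlloc return values. A VirtualProtect that grants
    execute rights on a tracked non-executable allocation is the classic 'write then execute'
    unpacking pattern; the same change on an address we never saw allocated usually means the
    packer unpacked in place over an existing image section. Either way the base address is
    where a hardware breakpoint (write or execute) would catch the deobfuscation routine.
    """
    allocations = {}   # base -> {"size": n, "prot": p}
    candidates = []
    for call in parse_trace(trace):
        if call["api"] == "VirtualAlloc" and call["ret"] != 0:
            allocations[call["ret"]] = {"size": call["size"], "prot": call["prot"]}
            if call["prot"] & EXEC_MASK:
                candidates.append({"base": call["ret"], "size": call["size"],
                                   "reason": "allocated executable"})
        elif call["api"] == "VirtualProtect" and call["prot"] & EXEC_MASK:
            owner = next((b for b, a in allocations.items()
                          if b <= call["addr"] < b + a["size"]), None)
            if owner is not None and not allocations[owner]["prot"] & EXEC_MASK:
                allocations[owner]["prot"] = call["prot"]
                candidates.append({"base": owner, "size": allocations[owner]["size"],
                                   "reason": "allocation made executable"})
            elif owner is None:
                candidates.append({"base": call["addr"], "size": call["size"],
                                   "reason": "existing region made executable"})
    return candidates


if __name__ == "__main__":
    for c in find_dump_candidates(SAMPLE_TRACE):
        print(f"dump candidate base={c['base']:#010x} size={c['size']:#x} ({c['reason']})")
```

In a debugger session the same information comes from the breakpoint hits themselves (the allocation size and protection on entry, the returned base on return); the script only shows which combinations of those values are worth a closer look.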
A General Approach To Deal With Packers
Identify the packer
The first step in reverse engineering a packed binary is to identify the packer that was used. Common techniques include:
- Check the file header: Many packers add their own signature (e.g., UPX adds "UPX!").
- Packer identification tools: Use specialized tools such as PEiD or Detect It Easy (DiE).
- Debugger analysis: If the packer is not immediately identifiable, analyze the entry point in a debugger like x64dbg to find characteristic features of its stub.
Analyze the packer
Once identified, you must analyze the packer's behavior. Key elements to look for include:
- Decompression routine: The code used to decompress the binary into memory.
- Anti-debugging measures: Strategies used to prevent analysis, which must be bypassed.
- Dumping the binary: Set breakpoints on the decompression routine and dump the unpacked code from memory once it has been fully expanded.
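The following added example (written for these notes, not code from the video or from any tool it mentions) covers two of the steps above: identifying the packer from the PE headers, including the case from the walkthrough where UPX section names are a false indicator, and repairing a memory dump so that its section table matches the in-memory layout. The PE parsing uses the documented IMAGE_SECTION_HEADER layout; the heuristic that genuine UPX output has a `UPX!` pack-header magic and an empty UPX0 destination section is my assumption about typical UPX layout, and the function names, verdict strings and sample PE images are all constructed here.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SEC_FMT = "<8sIIIIIIHHI"
SEC_SIZE = struct.calcsize(SEC_FMT)
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
UPX_NAMES = {"UPX0", "UPX1", "UPX2"}


def section_table_offset(pe):
    """Return (file offset of the first section header, number of sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    return coff + 20 + size_of_optional, num_sections


def parse_sections(pe):
    first, count = section_table_offset(pe)
    out = []
    for i in range(count):
        f = struct.unpack_from(SEC_FMT, pe, first + i * SEC_SIZE)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                    "va": f[2], "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return out


def classify_packing(pe):
    """Step 1: weigh the UPX indicators against each other. UPX names without the UPX
    layout (assumed here: 'UPX!' magic in the header area plus an empty UPX0 section that
    receives the decompressed image) are treated as a false indicator."""
    secs = parse_sections(pe)
    first, count = section_table_offset(pe)
    header_area = pe[: first + count * SEC_SIZE + 0x100]
    upx_names = [s["name"] for s in secs if s["name"] in UPX_NAMES]
    upx_magic = b"UPX!" in header_area
    empty_destination = any(s["rawsize"] == 0 and s["vsize"] > 0 for s in secs)
    wx = [s["name"] for s in secs if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if upx_names and upx_magic and empty_destination:
        verdict = "upx"
    elif upx_names:
        verdict = "upx-names-only: false indicator, unpack generically"
    elif empty_destination or wx:
        verdict = "unknown packer: unpack generically"
    else:
        verdict = "no packer indicators"
    return {"upx_names": upx_names, "upx_magic": upx_magic, "empty_destination": empty_destination,
            "wx_sections": wx, "verdict": verdict}


def realign_dump(dump):
    """Dumping step: a region dumped from memory has sections at their VirtualAddress while
    the headers still hold file offsets. Set PointerToRawData := VirtualAddress and
    SizeOfRawData := VirtualSize so tools that map by file offset load the dump correctly."""
    fixed = bytearray(dump)
    first, count = section_table_offset(dump)
    for i in range(count):
        off = first + i * SEC_SIZE
        f = list(struct.unpack_from(SEC_FMT, fixed, off))
        f[3], f[4] = f[1], f[2]
        struct.pack_into(SEC_FMT, fixed, off, *f)
    return bytes(fixed)


def build_pe(specs, image_layout=False):
    """Constructed sample builder (not a real malware file): minimal PE32 from
    (name, vsize, va, data, characteristics) tuples. image_layout=True places data at
    each VirtualAddress, mimicking a memory dump whose headers still carry file offsets."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))          # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    hdr += opt
    raw_ptr, body = 0x400, bytearray()
    for name, vsize, va, data, chars in specs:
        rawsize = (len(data) + 0x1FF) & ~0x1FF
        hdr += struct.pack(SEC_FMT, name.ljust(8, b"\0"), vsize, va, rawsize,
                           raw_ptr if rawsize else 0, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        raw_ptr += rawsize
    if not image_layout:
        return bytes(hdr.ljust(0x400, b"\0") + body)
    image = bytearray(max(va + vsize for _, vsize, va, _, _ in specs))
    image[: len(hdr)] = hdr
    for _, _, va, data, _ in specs:
        image[va: va + len(data)] = data
    return bytes(image)


RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
# Constructed "fake UPX" sample: UPX section names, no UPX! magic, no empty destination
# section, and the stub in a writable+executable section.
FAKE_UPX_SPECS = [(b"UPX0", 0x1000, 0x1000, b"\x90" * 64, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                  (b"UPX1", 0x1000, 0x2000, bytes(range(256)) * 4, RWX),
                  (b".rsrc", 0x200, 0x3000, b"R" * 32, IMAGE_SCN_MEM_READ)]
FAKE_UPX_FILE = build_pe(FAKE_UPX_SPECS)
MEMORY_DUMP = build_pe(FAKE_UPX_SPECS, image_layout=True)

if __name__ == "__main__":
    print(classify_packing(FAKE_UPX_FILE))
    for s in parse_sections(realign_dump(MEMORY_DUMP)):
        print(s["name"], hex(s["rawptr"]), hex(s["rawsize"]))
```

Run on a real sample, `classify_packing` is the quick triage before reaching for the UPX tool, and `realign_dump` is the fix applied to a region dumped at the breakpoints before handing it to a disassembler.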
Analyze the unpacked binary
Once the packed binary has been dumped from memory, you can analyze the unpacked binary itself. This involves disassembling the binary to understand its structure, debugging to observe behavior, or running it in a sandbox to observe final effects.
Depending on the purpose, it may be necessary to patch the binary to remove any remaining anti-tampering measures added by the packer. This requires a deep understanding of the binary's structure and functionality.
Conclusion
Manually unpacking a binary is a technical process that requires significant expertise in reverse engineering and debugging. However, with the right tools and strategies, it is possible to bypass these protections and gain a deeper understanding of the malware's core functionality.
