Open Analysis Live! In this tutorial we show how to unpack a Themida 2.x 64-bit PE file.... kind of : ) Instead of attacking the Themida protection directly, we demonstrate how a bad architecture decision, using process injection (RunPE), made it easy to dump the unpacked PE. This video is a re-post of a video we made last week. In this video we use a sample that we built ourselves to mimic a common malware technique for demonstration purposes.
The demo code is from the great demo repository maintained by @hasherezade: https://github.com/hasherezade/demos. We built the sample using CMake and the Visual Studio Express 2015 x64 compiler.
More information about the commercial packer Themida and WinLicense can be found on the Oreans website here: https://www.oreans.com/themida.php
The x64dbg debugger with Scylla can be downloaded here: https://x64dbg.com/#start
PE-bear is one of our favorite PE manipulation tools (also from @hasherezade). It is no longer supported, but you can still download a copy here: https://hshrzd.wordpress.com/pe-bear/
DIE (Detect It Easy) can be downloaded here: http://ntinfo.biz/index.html
Feedback, questions, and suggestions are always welcome : )
As always, check out our tools, tutorials, and more content over at http://www.openanalysis.net
Thank you so much for sharing this with us. I didn't understand some parts, but it's okay.
I really wanna get into the world of malware analysis and reverse engineering in general, but unfortunately I don't know where to start. Would you kindly help me with some book recommendations, advice, or a place where I can start? Anything will be appreciated.
Hey for sure! I think I've posted a response to this sort of question before but it's worth repeating. So technical books aren't really my go-to for learning new skills, I find them to be a good reference but in terms of actually learning new RE skills I personally prefer videos or blog posts with lots of instructional photos (just a personal preference). Probably the best guides I have seen for getting started are Hasherezade's post here https://hshrzd.wordpress.com/how-to-start/ and Todd's list of resources here: https://malwareanalysisforums.com/topic/7/malware-analysis-resources-noobs-read-first. I also really like the Dr. Fu tutorial series (a bit dated but it covers the basics very well) http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html. This should get you started : )
Thanks so much! This is what I always had in mind, and I'm glad someone had actually figured out such approach
Question, is it ever realistically possible to dump the process memory, and then manually cherry-pick the original EXE and then restore the appropriate header, VA+RVA, OEP and so on, manually by hand?
First, let me say: thanks for the videos! Your quick editing style actually makes this one of the most, dare I say, PACKED packer-related resources I've found online.
That said, there's a piece of software I had already reversed in the past that was "protected" via Thinstall (VM ThinApp 2.X). I knew it had created a second process, so I wanted to revisit it and try your method here, just out of curiosity/learning.
Interestingly, all steps worked fine (including dumping out the second process, locating its entry point, etc). Executing it didn't work, however, and popping it into x32dbg shows me that it's doing direct, hard-coded comparisons against memory regions that aren't in bounds. That is to say: if .text is 0x00401000 and has a size of 0x65000, the maximum address is 0x00465FFF; the next (protected) region begins at 0x004F0000; meanwhile, hard-coded memory addresses reference, for example:
cmp dword ptr ds:[0x0047628C], esi
As you can see, 0x0047628C is out of bounds (> 0x00465FFF, < 0x004F0000), and so I'm getting a C5 EXCEPTION_ACCESS_VIOLATION.
Are you familiar with this issue in post-dumped processes? Is this a scenario where I can just increase the "Size of Code" segment in PE-bear, or do you have experience that indicates I'm barking up a wrong tree?
I see! I hadn't realized that the goal was static analysis in IDA! I thought the method was not working for me because I was trying to perform dynamic analysis on the new PE. Whoops :)
In my particular case, I cannot attach x32dbg to the secondary (created) process while it is running. If I try, I immediately get a "[Terminated] Debugger stopped!" red message in the bottom-left corner of the debugger. This happens regardless of whether I attempt to attach to the process with the already-opened x32dbg or whether I attempt to connect to it with a secondary x32dbg; it also happens whether I attempt to connect to it IMMEDIATELY after "NtCreateUserProcess" is called by kernel32 or whether I wait for the "NtResumeThread" to happen first. I'm unsure why it happens, and it's what stops me from being able to perform dynamic analysis on the inner packed file directly.
I hate to ask, but do you have links for those videos where you mentioned reconstructing injected code? I've seen several for dumping it, but none yet for reconstructing it! In fact, I hadn't even realized that there'd be so much involved with reconstructing code before, but I suppose it makes sense that I'd need to find and frankenstein together all of the old sections.
Interesting! So usually when we are unpacking software it is with the goal of being able to load it in IDA and start reverse engineering it statically. Because of this we rarely take the time to fix up the unpacked PE to the point where it can actually be run as a stand-alone exe. In this tutorial we didn't cover fixing the IAT or direct memory dumping (without Scylla) because it was just supposed to be a simple example. I can however suggest three things to check that might help in your case:
1) Instead of using Scylla to dump the second process PE, attach to it with a debugger and dump each PE section to a file on disk (you may notice that these sections are much larger and include the references you are missing). Combine these sections with a hex editor to make one large PE "blob". Don't exit the process, just keep it paused with the debugger attached as you will need it for the next few steps.
2) Load the PE blob in PE-bear and update the PE base address to match the start address of the first section you dumped (address of the MZ in memory). Also in PE-bear edit the section table so that the raw section addresses and sizes are the same as the virtual ones. Save this fixed PE to disk.
3) Check the IAT and make sure the imports have been properly defined. If they haven't, you can use Scylla to fix them. Attach Scylla to the running process and change the OEP to the one from your dumped file. Then use the auto-locate to find the IAT. Then use the fix-dump feature in Scylla to add the IAT to your fixed PE file.
These steps have been covered in some of our other videos where we discuss different ways to dump and reconstruct injected code.
If this still doesn't give you a working PE file you may have run into a case where the injected code isn't a full PE and you may have to build the PE by hand, or the injected code is still packed in some way. These are both more advanced topics that we may cover in future videos.
Glad you enjoyed the tutorial : )
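Steps 1 and 2 of the reply above (and the out-of-bounds reference problem raised earlier in the thread) can be reproduced in a small script. This is an added example, not OALabs' or hasherezade's code: it constructs a minimal PE32+ "memory dump" (sections laid out at their VirtualAddress but with the on-disk section table still in place), rewrites the section table so raw offsets and sizes equal the virtual ones, sets ImageBase to the address the MZ header was dumped from, and then checks whether a given absolute address actually lands inside a dumped section. The image base, section layout and addresses are constructed values chosen for the demonstration.

```python
"""Realign a PE dumped from memory so its section table describes the dump.

Added example, not code from the video or the thread. A process-memory dump
is laid out by VirtualAddress, but its section table still carries the on-disk
PointerToRawData/SizeOfRawData values, so any tool reading the file by raw
offset looks in the wrong place. The fix mirrors the PE-bear steps in the
reply above: raw := virtual, ImageBase := address of the MZ in memory.
"""
import struct

SECTION_FMT = "<8sIIIIIIHHI"           # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def _headers(blob):
    """Return (nsections, optional_header_offset, optional_header_size, is_pe32plus)."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header at offset 0")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt_off = coff + 20
    magic = struct.unpack_from("<H", blob, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return nsections, opt_off, opt_size, magic == 0x20B


def sections(blob):
    """Parse the section table into dicts: name, va, vsize, raw, rawsize."""
    n, opt_off, opt_size, _ = _headers(blob)
    out = []
    for i in range(n):
        off = opt_off + opt_size + i * SECTION_SIZE
        name, vsize, va, rawsize, raw, *_ = struct.unpack_from(SECTION_FMT, blob, off)
        out.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                    "raw": raw, "rawsize": rawsize})
    return out


def image_base_of(blob):
    """ImageBase: u64 at +24 of the optional header (PE32+) or u32 at +28 (PE32)."""
    _, opt_off, _, plus = _headers(blob)
    return struct.unpack_from("<Q" if plus else "<I", blob, opt_off + (24 if plus else 28))[0]


def realign_memory_dump(blob, image_base):
    """Copy of `blob` with PointerToRawData := VirtualAddress,
    SizeOfRawData := VirtualSize and ImageBase := `image_base`."""
    buf = bytearray(blob)
    n, opt_off, opt_size, plus = _headers(buf)
    # SectionAlignment (+32) and FileAlignment (+36) sit at the same offsets in
    # PE32 and PE32+. Raw offsets now equal section-aligned VAs, so making
    # FileAlignment match SectionAlignment keeps the header self-consistent.
    sec_align = struct.unpack_from("<I", buf, opt_off + 32)[0]
    struct.pack_into("<I", buf, opt_off + 36, sec_align)
    if plus:
        struct.pack_into("<Q", buf, opt_off + 24, image_base)
    else:
        struct.pack_into("<I", buf, opt_off + 28, image_base)
    for i in range(n):
        off = opt_off + opt_size + i * SECTION_SIZE
        f = list(struct.unpack_from(SECTION_FMT, buf, off))
        f[3] = f[1]            # SizeOfRawData    := VirtualSize
        f[4] = f[2]            # PointerToRawData := VirtualAddress
        struct.pack_into(SECTION_FMT, buf, off, *f)
    return bytes(buf)


def section_for_address(blob, image_base, addr):
    """Name of the section containing absolute address `addr`, or None when the
    address falls outside every dumped section (the situation in the thread:
    the dump lacks memory the code hard-codes references to)."""
    rva = addr - image_base
    for s in sections(blob):
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def build_sample_dump():
    """Constructed test data (not a real binary): a PE32+ image as it would sit
    in memory, with the on-disk section table untouched by the loader."""
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x1800, 0x1000, 0x1800, 0x400),
        (b".data", 0x500, 0x3000, 0x600, 0x1C00),
    ]
    image_size, opt_size = 0x4000, 240          # 240 = PE32+ optional header
    img = bytearray(image_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, len(secs), 0, 0, 0, opt_size, 0x22)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                  # Magic: PE32+
    struct.pack_into("<I", img, opt + 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<Q", img, opt + 24, 0x140000000)       # ImageBase as linked
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)    # Section/FileAlignment
    struct.pack_into("<II", img, opt + 56, image_size, 0x400)  # SizeOfImage/Headers
    for i, (name, vs, va, rs, raw) in enumerate(secs):
        struct.pack_into(SECTION_FMT, img, opt + opt_size + i * SECTION_SIZE,
                         name, vs, va, rs, raw, 0, 0, 0, 0, 0x60000020)
        img[va:va + vs] = b"\xCC" * vs           # stand-in section contents
    return bytes(img)


if __name__ == "__main__":
    base = 0x7FF6A0000000                         # constructed: where MZ was dumped from
    fixed = realign_memory_dump(build_sample_dump(), base)
    for s in sections(fixed):
        print(s)
    print(section_for_address(fixed, base, base + 0x3100))   # inside .data
    print(section_for_address(fixed, base, base + 0x2900))   # gap between sections
```

`section_for_address` returning None for an address the code dereferences is the signal that the dump is incomplete rather than mis-aligned: the memory exists in the live process but was never written to the blob, so the cure is dumping the missing region (or the whole image range) rather than enlarging SizeOfCode.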
New to unpacking, does this work on all process injection or just process hollowing? And which API call could we breakpoint on to check if this will work, if you don't mind? Thank you in advance. Really good lesson.
Yes this will work for any scenario where unprotected code is injected into another process. If the code that is injected is not protected then you can dump it. You can check out some of our other videos on different injection techniques to see which APIs to set breakpoints on, it varies depending on the scenario : )
Nice video bro, I am gonna have to try this 100%. What about encrypted rar/zips, any exploits or public bugs? I don't think brute force will cut it with what I want to crack. I will add that it's not private software, it's a rar of malware which I wish to study.
I'm assuming you are talking about a self-extracting rar in which case it runs just like a normal PE file so these techniques might work... if the rar runs and it creates a sub-process then you may be in luck. We are attacking the fact that this is doing injection into a second process not the actual protection of the PE so the same technique will work with any protection that uses the same injection techniques. Good luck!
If it's unpacking Themida I think you are out of luck : )
Feel free to contact us though, we are always happy to answer questions and help analyze malware. As usual you will find our contact info on the website http://www.openanalysis.net/#contact
10:24 - I'm analyzing a target which is protected by Themida, it's a DLL module, and that is being injected into an unprotected process, will the same technique work? I could also just check it for myself, but better get feedback from the pros before I get my hands dirty and maybe try it and fail cuz I'm doing something wrong :D
It depends on how the DLL was protected... if the developers made the mistake of injecting their code outside of the Themida protector then this technique may work but the fact that they protected the DLL itself suggests that they used Themida correctly and this probably won't work. The best way to find out is to just give it a try : )
hi, thanks for the video!
I have some questions. The first one is: since Scylla and x32dbg are targeting the same process, how come the header dumped by the first one is different from the one seen in the second one?
The second question is about PE-Bear: for the same purpose I usually use CFF Explorer and it's perfect with both native and .NET, so do you advise PE-Bear over CFF, and why?
Thanks in advance
OALabs so if the reason of the difference is caused by scylla "trying to do some fancy stuff" I think that it's because of "get EIP as OEP", I'm not sure of this and didn't check it, it's just a guess because we have this option in OllyDump.
Hey that's a great question about the header difference, I actually don't know what caused it! Scylla does try to do some fancy stuff once in a while and I'm not familiar enough with the tool to actually know what's going on under the hood. My guess is that it tried to automatically re-calculate the OEP but I really don't know... since Scylla is OSS I'm going to add this to my rainy day reading list, and I'll follow up once I figure it out : ) In the meantime if anyone else has any suggestions leave a comment, I'm super curious! As for CFF vs. PE-Bear there is no advantage of PE-Bear over CFF, in fact CFF is more powerful in many ways, and I definitely take advantage of its built-in UPX extractor when I need to. It just comes down to personal preference, I like the layout of PE-Bear better, it feels easier to navigate. It's funny, they are almost identical and yet a bit of colour and some rearranged buttons makes all the difference... Sadly PE-Bear isn't in development anymore : ((
Look at the diagram at 2:00: the brown round rectangle represents Themida. Now let's represent VMProtect, and since you say that it has more protections, just replace the brown with a more aggressive color and add spikes. We still see that the protection remains only in the injector while the injected code is left without protection.
Hmm there could be a lot of things going on... Scylla chokes on lots of stuff but the most common thing to check for is to make sure that if the process is running with elevated privileges you run Scylla with elevated privileges. Also check to make sure that Scylla is not trying to read a PE file that is protected or write to a directory that is protected... If that doesn't help then there is probably some more troubleshooting required : (
Whoa nice! I knew about ScyllaHide but not about TitanHide. I'll definitely check it out. I'm not as well versed with the kernel level cloaking in general, certainly something I want to learn more about. Thanks!
Thanks for the great videos always. I got a request: Can you guys do a video about decrypting and decoding encrypted data inside of malware/binaries? For example, often we see some resource or data in memory which has been encrypted or encoded and we have to find the data first, then figure out the algorithm and/or locate the place in memory where the data is exposed etc.... This can be tricky. Thank you.
That's a great idea. I think the next sample that we will use to demonstrate some analysis techniques is the emotet one that you submitted to our last video. I think it has some data that will allow us to demonstrate this technique. If not, we will definitely find a sample that does.