Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

Welcome to Packers Part 4. In this module, we'll demonstrate an example to unpack a malware code. We'll use UPX Packed Regshot and take a look at the strings, before and after the packing. We'll also explain how to manually unpack UPX, dump the process, and reconstruct the Import Address Table (IAT).

Video Transcription

00:04
And now we're going to Ah, do, ah, unpacking demonstration where I'll use u P x two packed red shop. Ah, tool that we demoed earlier because it's a simple execute herbal. Uh, we're gonna look at the strings as we have before, before and after packing
00:22
and show how we can unpack with the U. P X toole itself.
00:27
And then, uh, that's quite unique.
00:30
With most packers. They don't offer unpacking
00:35
tool built in. Some reverse engineers may make their own unpack. Er are unpacking scripts to help, and every once in a while, someone in academia or some someone and
00:48
and the industry will say they have a universal unpack, er, but it's it's usually not what they say it is
00:55
or they're being very misleading or they're just being very general because
01:00
there are some
01:02
more advanced packers out there that that is really not possible, and I will talk about that in a little bit. But for now I will show you how to manually unpack
01:12
U P x and um,
01:15
and this technique will work with many other packers and ah,
01:21
and then we can
01:22
just dump the process and then reconstruct an important
01:26
uh,
01:26
data structure called the I e t. The import address table. And that is very useful because we can actually see what executed Bols.
01:38
Uh, what the dependencies are for the execute herbal.
01:42
So here of reverted the VM back to its, uh, ready to be infected state. Um,
01:53
and I will just drag over a few tools we're gonna use.
01:57
The first is on Lee debug 1.1, because if we open an excusable, it's packed with U P X with all the 2.0, it will automatically unpack it for us. And that kind of defeats the point of doing it manually so we can figure out exactly what's going on.
02:15
Another one is important, constructor, which I will demonstrate here in a bit to help us rebuild the i E t u P x 391 This one I demonstrated earlier and p i d
02:31
drank. He's over here.
02:36
As I mentioned before, we're gonna take Greg shot, copied over the desktop and execute just to make sure it works. It does.
02:44
Now, we're going to, uh, run p I d on it to see if we get any detections.
03:00
Nothing found and Sometimes we have to Ah, do more deep scan to see if it finds anything
03:07
it hasn't.
03:09
So now we can go ahead and pack. Ah,
03:15
wreck shot. Here. Copy this over to the desktop
03:19
type in CMGI that only works with 1 to 7
03:23
to control our CMD on CD to the desktop and then do you p x e x e
03:31
and do you read shot
03:36
file? Because you didn't actually do it?
03:40
Look,
03:47
Greg shot x 86.
03:51
Ah, that's trying to go after the shortcut.
03:58
So we compressed it. Ah,
04:00
by 60%. That's quite impressive. We can run again just to show that it does work. And if we look at the strings for, um
04:10
the original
04:17
and the strings after it's been packed,
04:20
you can see there's a lot of stuff beforehand
04:26
and next to nothing
04:29
after,
04:36
yeah,
04:40
strings in both. But there's more in the unpacked version
04:44
in the non impact version so we can drag Ric shot again
04:47
overto p i. D. And immediately detects that, uh, it is u P x. There are other indicators, such as the section names are all renamed U P x zero u P x one et cetera, And ah,
05:03
p I, d
05:05
uh, okay,
05:08
p i d ah can actually allow for ah, a lot more customization and its signature detection like user DVD dot t x t
05:20
can be modified, and you can put in ah, name of Packer
05:26
and, um,
05:28
give it a signature of a series of bites it should look for and that is youthful. And if you just Google around online, people have made huge databases of signatures for packers, and I suggest that you grab one of those. I've seen Sands put out one. I took
05:46
30 seconds to download it, and
05:48
I found that they messed up something coding and it didn't really work. I'm sure I could figure out, but I saw that other people have released other large databases as well. And, uh, I haven't ever
06:01
had ah, problem with PG and E, but I'm sure more signatures can't hurt.
06:08
There's a lot of false positives out there. Sometimes I found, um, but,
06:13
uh, it was helps to just give ah 32nd scan
06:16
for something.
06:17
So
06:19
if we knew something was packed with u P X, we can simply run u P X.
06:27
We can simply run u P x dash d
06:31
and give it the name of the executed ble, and it will do its best. Unpack it itself, and we can see that this ex Kyul works again, and D p x is just unpacked it. And that works pretty well a lot of the times
06:48
because the bad guys just wanna pack it tough. You skip the strings or just changed the hash or or whatever else.
06:55
Um, so sometimes that does work. But I think there was a vulnerability in the er
07:03
unpacking portion of U P X. And so if people ran ups u p x dash d on ah on the specially crafted execute herbal, it would actually in turn remotely execute code on. So if someone wasn't running this in a V M, they would be infected. So be careful and I like to keep
07:23
all the tools inside. The V M is
07:25
best. It's possible. Um,
07:28
and sometimes a minor change,
07:30
uh, would make it
07:32
so that u p x could not just automatically unpack it like the section names. Um,
07:43
see if we have a P E Explorer.
07:46
Not really.
07:48
Uh, I usually have one installed But
07:51
if we look at the section names, um
07:57
see if we have ah, binary template. Uh, we do not,
08:01
but I can look pretty easily here and see the section names not taxed our data.
08:09
If we do
08:11
u p x
08:13
just repack it.
08:16
Surprise Didn't complain that the vowels altered.
08:20
So here Ah, it's packed And the section names have been changed to u P x zero u p x one, uh
08:28
dot resource. So if we were to change this section, name it, it doesn't actually matter Thio
08:35
Or just you know u P x X
08:39
and save it and tried to unpack it
08:43
Ah,
08:48
it would do its best, and sometimes it would work. But if we
09:05
changes again
09:09
and save it
09:11
and then, uh,
09:15
not packed by u p X,
09:16
I think we corrupted it. Uh, let's
09:22
delete it and start again. Ah, right. Shot.
09:28
Plus it over here.
09:31
64 but 60 x 86.
09:39
Okay,
09:41
the packet will look at this section names which are
09:48
change one of the section names. Save it.
09:52
It's so runs just fine. Let's see a few PX still recognizes it when we try to unpack it. No,
10:00
So just by simply a team
10:03
a small bit of the file you PX can no longer
10:07
uh,
10:07
just unpack it by itself because it uses some of those indicators to unpack it properly because it knows it's It's the Packer that built
10:16
Executed. Well, so unpacking, uh, automatically won't always work.
10:24
And we can see here that we still got that signature. Um,
10:28
we can do a deep scan,
10:31
hard core scan, and it's showing the wrong version for that, uh,
10:37
Packer was showing the wrong version for U. P X and we're actually using a different version on. Maybe if we downloaded, um,
10:48
a new database file.
10:50
It would catch that,
10:52
but maybe not. So
10:56
someone even might have taken the source code.
10:58
I mean that it doesn't help that p i. D is no longer developed. You can get off the Internet, but it's It's no longer maintained. So if there's a bug, there's a bug. You can't fix it. But, um,
11:11
if
11:13
if someone has a bad signature out there or whatever someone took Gup X source code on DDE
11:22
modified it more than we have to unpack it manually.
11:26
If we want to get at the decrypted strings and other resources in the file. So here I've taken an original,
11:33
you know, Old Onley debug 1.1
11:39
saying, Ah, a newer version of the deal. L, uh
11:45
course when the system director did leave the old library. Yes, I want to use the news library.
11:50
So I'm gonna add a plug in to help us. Um,
11:58
it looks like the plug ins or just dropped in here, and the plug in is all the dump.
12:03
I'll tell you about why this is gonna be useful later.
12:07
Restart, Ali.
12:11
Drag
12:13
wreck shot into us.
12:13
It says,
12:16
Hey, look, it has a high amount of entropy. Ah, it's probably packed. Are you sure you want to continue? Because it knows that there might be some funkiness going on.
12:24
We can't even execute it, and it'll still work. But there is a process being executed.
12:28
Bye, Onley debug.
12:31
So the first thing is really important.
12:35
Is this push 80 instruction on? Let me see if I can
12:39
make Thea appearance a bit more friendly.
12:45
Terminal six.
12:54
Okay,
12:56
so push a d is ah, instruction that pushes all the registers onto the stack. And that's unusual because compilers don't usually admit this instructions a bit slow, but it's frequently used by packers because it easily saves kind of the environment
13:16
on so they can do a pop a t at the end of whatever they're doing, whatever. Witchcraft.
13:22
And, uh,
13:24
they can ensure that the same options were there for the regular program, as as they were there for the Packer
13:31
or the unpacking stub that's got to be on the program. So we know that the Richard problems going to use whatever is pushed onto the stack. So we're gonna do, ah, step over. So we're gonna let all these values get pushed onto the stack right down here,
13:48
and, uh,
13:50
we're just gonna let it unpack the whole excusable. So E S P is
13:56
the extended stack pointer and is pointing at the top of the stack. So that's where all these values just got pushed onto the stack. I'm gonna say, following dump
14:07
experiments
14:09
and we can see over here, uh,
14:13
you know, these are the values that are over here. There have been pushed onto the dump or push on to the stack, and I'm gonna just put a hardware break point right on access D word. So that's 32 bits a k four bites. And I'm just going to hit, run and let the whole on Packer unpack the original code
14:33
and we can see that it accesses the values that pushed on
14:39
right here. Does a pop 80 and, uh,
14:43
put everything back in its registers. I can see here that's gonna do it jump. And that's probably gonna be the jump into the original code.
14:52
So I'm gonna say, Okay, let's start walking through this. But there's this little loop here, and the only way to get out of it
15:00
is for this condition to allow this jump, not toe happen. So I know this is gonna happen eventually I'm gonna hit a break point, have to for soft breakpoint don't care if it's hard or soft. Just got hit, Play the hard point hit again
15:15
But I'm just gonna play again and it's now reached this break point gonna remove it by pressing F too.
15:20
And I know this is gonna jump into the original code.
15:24
So I'm gonna say, uh, follow into.
15:30
And here is the original code that's now been unpacked. That's fantastic. Now I can scan for strings and do all this other stuff, but I really kind of want it back into a file form. Or it can just transfer to somebody or do some more stack analysis off Ida.
15:46
So I'm gonna dump the program. I'm gonna dump
15:50
what? I haven't member right here into a file.
15:52
And I can do that with that Ali dump program at Plug in that I mentioned earlier. So I'm gonna say, dumped dumped depot process
16:06
and
16:07
I'm going to get theirs are section A that we edited. I'm gonna get yapias o e p. Now, this means that I'm gonna say this current area that is about to be executed right now that is the original entry point, the O e p.
16:27
I'm gonna copy that value to control C. And this is important because the file on disk that's packed says that the beginning entry point
16:41
is actually in the Packer stuff. The thing that does the unpacking, the decrypting and we don't want that to be true anymore. We want theory, journal unpacked code to just begin executing.
16:55
And this is Kevin old plug in Ali, Dump on. That's okay. And it tries to rebuild the import table for us, and that could be a little tricky. And I've used Method one and Method to, and they've always kind of work for me, unless it was a
17:12
unless it wasn't a really simple program.
17:15
So in general, I turn this off and let another program help me out with that.
17:21
So I'm gonna dump this two disc, and I usually say,
17:26
you know, whatever it is,
17:27
can you score
17:30
unpacked? Save it?
17:34
This is still executing the memory, even though the window hasn't popped up for
17:40
nothing else has been initialized is just unpacked the code, and I'm going to use my import reconstruct er program. Now, what this does
17:52
is, uh oh, Before I launch into that, I just want to say that there are other dumping programs that we can use. And so this plug in for Ali, there's like, Lord P E. A program that we have here
18:07
I introduced early on,
18:08
um,
18:11
Aiken demoted real quick.
18:18
More. I'm I can select which thing which process running. I want, uh, right here.
18:27
And I can say,
18:29
uh, dump
18:32
and
18:33
full down partial dump. You know that it's a it's a dumper. So it has a lot more options to it, and we'll even help you rebuild things and the p E. But for simplicity sick, uh,
18:45
I'm not gonna be showing that off. And there's even a new, newer Ali Plugin dumper. But the old one works just fine
18:53
for a lot of my purposes. So and that one's called on Lee debug P e
19:00
dumper
19:00
R p e dumper. Yeah, So here I'm moving on to the next phase, which is rebuilding. Ah, the import address table.
19:12
And there's there's a lot of options to this. And then I suggest that you take a look at him. But for right now, I'm just going to rebuild this excusable as fast I can, because currently will not work. If we double clicked on it,
19:26
it would say, Hey, the windows loader says, I can't find which dependencies this excusable needs and then tries to execute the code. And the code doesn't quite work, but it's already been loaded up in the memory and still currently running, even though it's been halted by debunker. Uh,
19:45
and we can use important constructor
19:48
just to look at our process in memory and find the, uh,
19:53
proper import address table because the Packer has already done this work for us. We don't need to do it again. We could just take a look at what it's done.
20:02
So I'm gonna go here to the Opie and pace that value in that I had earlier
20:07
and say OK, I want you to make this the original entry point I want when this file is executed. I wanted to jump straight to the unpacked code, skipped the whole unpacking stub that U P X added in.
20:19
Now I'm gonna hit find her the I 80 auto search. I'm saying Break into this process and look through its memory and find what looks to be a n'importe address table
20:33
and says It's found one.
20:36
It looks about right, but hit and get imports. And we do. And there are several deal owes loaded. We're just like Okay, that looks good. Ah, that looks about what ah, this program would probably use and a good method to verify that is show invalid
20:53
as they go through that and look to see which ones are not real, that are messed up or something. And then you can get an idea for where exactly the import address table really is. And if you wanted to, you could with Ali find that import address table.
21:14
Um,
21:15
all you have to do would be to find the inner module calls, which were you showed beforehand and find a table.
21:23
Um,
21:25
where?
21:26
I'm sure if we look through the memory enough, we would find a new easy table where it would show. This is, you know,
21:37
the
21:38
let's find a way to get filed time function and the find clothes function in the fine next file
21:47
a function on so on and so forth.
21:49
So, like I said, we could find the the import address table manually in Ali, and there's playing tutorials out there to find it efficiently.
21:57
Unfortunately, the man who made this, um,
22:03
match t ah
22:06
made some clever algorithms to find it for us. So now we have what looks to be the i e t. And we have the deal l dependencies that are
22:15
that we need to make a functioning p excusable. So here, I'm going to say fix the dump. And so the guy who made this was pretty smart, and he was saying, Okay,
22:27
you know, they've probably already have a dump of the file and here with my program, I can repair it. Aiken, build the eye a tea table toe. How what it looks like on memory,
22:40
and so we can select the unpacked
22:41
Ah,
22:42
nonfunctioning
22:45
executed well that we have here.
22:47
And
22:48
boom, it creates another execute ble copies. Everything over
22:52
Addison underscored to the end of that file and inserts and i a t that looks just like this one that looks like the one that found in memory.
23:00
So if we execute this one now,
23:03
it completely bypasses the unpacking coach straight to
23:08
the unpacked code.
23:11
And that's how you, uh,
23:14
manually,
23:15
uh,
23:15
pack a file or not Pack a file, but unpack a file
23:22
if you don't have the luxury of using u p x dash D. So the same technique of using
23:27
the push 80 and pop 80 instructions as indicators for when to,
23:37
uh,
23:37
follow Ah, jump into the original entry point, dump the code and then,
23:42
ah, use import reconstruction program like, uh,
23:48
import we constructor.
23:51
This will work with a lot of packers out there, such as S Pack and a few other common ones. And there are many tutorials on their tux. For you is a great website for finding tutorials on reverse engineering packers. And there's a lot of automated scripts that people have made for Ali to
24:10
help you
24:11
fine certain data structures or help you just unpack things. In fact,
24:17
when I go around
24:18
a few minutes ago, I found someone made a unpack er for Ali, and it did almost exactly what we did here, which was Find the push 80 instruction and find the poppy instruction.
24:30
You know, Chris plus place a breakpoint, dump it and then reconstructed with the import actress table.
24:37
So but it's good to know what's going on underneath the hood.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Instructor Profile Image
Sean Pierce
Instructor