Unpacking Malware Using IDA Pro Extensions


Unpacking malicious software using IDA Pro extensions

A paper by Dennis Elser

In almost all cases of today's malicious software, executable packers or crypters are used in order to obfuscate code and data. In some cases unpackers and dumpers are available. In very few cases do they actually work on packed malware executables, due to modifications of internal structures such as the PE header. In the following example an unknown binary is loaded into IDA Pro [1]. The code at the entry point of the executable looks like this:

Fig. 1

A segment named 'UPX1', an invalid import address table and an empty list of strings are indicators of a packed file. UPX [2], however, cannot unpack the file because internal structures have been modified. This technique is often used by malware authors to make unpacking and reverse engineering harder.

The first step is to obtain a readable representation of the packed executable. A good and quick way to achieve this is to run the executable and dump the previously packed segment(s) once they have been unpacked. Preferably, the dump should be made right after the executable has been completely unpacked in memory. This is often the case after the original entry point (OEP) has been reached. Finding the OEP isn't always trivial and can be a time-consuming process, because you need to single-step through the code. Using the IDA Pro SDK, a plugin named EPF [3] (Entry Point Finder) has been created, aimed at automating the process of finding the original entry point.

An isolated environment (a virtual machine, for example) is used to carefully run the executable in IDA Pro's debugger.

Fig. 2

Figure 2 shows the extended instruction pointer (EIP) pointing to a 'pusha' mnemonic. This statement is used as the first instruction to 'back up' the content of all standard registers. Many executable compressors use a 'popa' instruction at the end of their code to restore the previously saved state. This behavior can be exploited by the EPF plugin: the plugin offers an option to let the IDA Pro debugger trace code until a specific mnemonic is reached.

Fig. 3

After the EPF plugin has been started and configured, the process can be resumed (be careful: don't run malware on your host system!). After a few seconds, the process is paused and EPF is turned off. The following message appears:

Fig. 4

The code at EIP points to a 'popa' mnemonic followed by a jump and the end of the 'start' procedure.

Fig. 5

Single-stepping over the jump leads to the following message box:

Fig. 6

Choosing 'Yes' creates an instruction at EIP and IDA Pro begins to analyze the control flow.

Fig. 7

EIP now points to a segment labeled 'UPX0'. This is very likely the original entry point. It is reasonable to make a dump of the segment now. The DumpSeg [4] plugin can list and dump all available segments.

Fig. 8

The dumped segment can then be reloaded and analyzed by IDA Pro.
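The trace-until-mnemonic search and the segment dump described above, as an added Python example that is not the EPF or DumpSeg plugins' own code: the debugger is replaced by a constructed linear trace of (EIP, mnemonic) pairs, and the IDA 7 IDAPython calls named in the comment are an assumption for a live session.

```python
from typing import Callable, Dict, Optional, Tuple

MAX_STEPS = 2_000_000   # cap so a stub that never executes 'popa' cannot trace forever
Segments = Dict[str, Tuple[int, int, bytes]]   # name -> (start, end, contents)

def find_oep(step: Callable[[], int], mnem_at: Callable[[int], str],
             target: str = "popa", max_steps: int = MAX_STEPS) -> Optional[int]:
    """step() single-steps and returns the new EIP; mnem_at(ea) gives the mnemonic at ea.
    Trace until `target` is reached, execute it, step over the jump that follows it
    (Fig. 5/6) and return the landing address (OEP candidate); None if max_steps runs out."""
    for _ in range(max_steps):
        eip = step()
        if mnem_at(eip).lower() != target:
            continue
        eip = step()                        # execute popa; now on the jump
        if mnem_at(eip).lower().startswith("j"):
            eip = step()                    # execute the jump; lands at the OEP
        return eip
    return None

def dump_segment(segments: Segments, eip: int) -> Optional[Tuple[str, int, bytes]]:
    """DumpSeg-style lookup: the segment containing eip as (name, start, bytes)."""
    for name, (start, end, data) in segments.items():
        if start <= eip < end:
            return name, start, data
    return None

# In a live IDA 7 session (API names assumed) step would be: idaapi.step_into();
# idaapi.wait_for_next_event(idaapi.WFNE_SUSP, -1); return idc.get_reg_value("EIP"),
# and mnem_at would be idc.print_insn_mnem. Below, a constructed stand-in instead.
class FakeDebugger:
    """Linear trace of (eip, mnemonic); steps park on the final instruction."""
    def __init__(self, trace): self.trace, self.i = trace, 0
    def step(self):
        self.i = min(self.i + 1, len(self.trace) - 1)
        return self.trace[self.i][0]
    def mnem(self, ea): return dict(self.trace)[ea]

# Constructed UPX-style layout: the stub in UPX1 restores registers and jumps into UPX0.
SEGMENTS: Segments = {"UPX0": (0x401000, 0x407000, b"\x55\x8b\xec"),
                      "UPX1": (0x407000, 0x40A000, b"\x60")}
TRACE = [(0x409F00, "pusha"), (0x409F01, "mov"), (0x409F40, "lodsb"),
         (0x409FE0, "popa"), (0x409FE1, "jmp"), (0x4011C0, "push")]

def demo(trace=TRACE, segments=SEGMENTS):
    """Fake trace end to end -> (OEP candidate, name of the segment to dump)."""
    dbg = FakeDebugger(trace)
    oep = find_oep(dbg.step, dbg.mnem)
    seg = dump_segment(segments, oep) if oep is not None else None
    return oep, (seg[0] if seg else None)
```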

References
1.) IDA Pro, DataRescue (http://www.datarescue.com/idabase)
2.) UPX, Markus F.X.J. Oberhumer & Laszlo Molnar
3.) EPF, Dennis Elser (http://www.backtrace.de)
4.) DumpSeg, Dennis Elser (http://www.backtrace.de)
