Generically Unpacking Ransomware With Memory Breakpoints

malware analysis ransomware
Today we look at how to generically unpack ransomware utilizing memory and hardware breakpoints on specific WinAPI functions as well as key memory locations.
Filename
None
MD5
None
Sample
None
Video

Notes:

While analyzing this particular ransomware we see indicators of it being packed by UPX, however, upon closer inspection the .UPX sections of the PE are false indicators which leads us to generically unpack the file using memory breakpoints on VirtualProtect and VirtualAlloc. These allow us to see most generic memory operations and inspect the resulting memory space. We can also utilize hardware breakpoints on these memory locations to pinpoint key deobfuscation routines which often lead to unpacked files or position independent shellcode.

A General Approach To Deal With Packers

Identify the packer

The first step in reverse engineering a packed binary is to identify the packer that was used to pack the binary. There are several tools and techniques that can be used to do this, including:
  • Check the file header: Many packers add their own signature to the file header of the packed binary, which can be used to identify the packer. For example, UPX adds the signature "UPX!" to the file header.
  • Use a packer identification tool: There are several tools available, such as PEiD or DiE, that can be used to identify the packer used to pack the binary.
  • Analyze the binary using a debugger: If the packer is not immediately identifiable, it may be necessary to analyze the binary using a debugger such as OllyDbg or Immunity Debugger to identify the packer's signature or other identifying features.

Analyze the packer

Once the packer has been identified, the next step is to analyze the packer itself. This may involve analyzing the packer's code or configuration files, or executing the packer and observing its behavior. Some key things to look for when analyzing the packer include:
  • The packer's decompression routine: This is the code that the packer uses to decompress the packed binary. It's important to understand how this routine works, as it will be necessary to replicate it in order to manually unpack the binary.
  • Anti-debugging or anti-tampering measures: Some packers may include measures to prevent the packed binary from being analyzed or modified, such as anti-debugging or anti-tampering measures. It's important to understand these measures and develop strategies to bypass them.
  • Dump the packed binary
  • Once the packer has been analyzed, the next step is to dump the packed binary from memory. This can be done using a debugger such as OllyDbg or Immunity Debugger. The process typically involves setting breakpoints on the packer's decompression routine, running the packed binary, and then dumping the unpacked binary from memory.

Analyze the unpacked binary

Once the packed binary has been dumped from memory, the next step is to analyze the unpacked binary itself. This may involve disassembling the binary to understand its structure and functionality, debugging the binary to observe its behavior, or running the binary in a sandbox or virtual environment to observe its effects.

Patch the binary

Depending on the purpose of the unpacking, it may be necessary to patch the binary in order to remove any anti-debugging or anti-tampering measures that were added by the packer. This can be a complex process that requires a deep understanding of the binary's structure and functionality, as well as the packer's behavior and techniques.

Conclusion

Overall, reverse engineering and manually unpacking a binary that has been packed by a packer is a complex and technical process that requires a significant amount of expertise and experience in reverse engineering and debugging. However, with the right tools, techniques, and strategies, it's possible to successfully unpack a packed binary and gain a deeper understanding of its structure and functionality.