Caught this in my honeypot and wanted to analyze it and C&C functionality. All packer detectors are picking it up as PeLock. I wanted to try unpack it manually and I'm having some difficulty.

Anti-debugging techniques are blocking my path obviously and SEHs are used. There also seems to be a number of hardware breakpoints that I can simply F9 past. I can get to a point where a number of commands are decrypted and a few layers in I see some C&C text. Tracing mostly involves F9ing until exception and passing the exception to Olly with SHIFT+F9.

However, I have been stumped by Olly throwing an unable to process exception error related to a ring0 SYSENTER call. Any assistance on manually unpacking or pointers related to this, would be much appreciated. From research, a ring0 debugger that can handle the call seems to be the way to go, but I would rather bypass this with Olly.

ATTENTION MALWARE ATTACHTED !!!!!
PASSWORD: infected

Hello,

http://www.pelock.com/products/pelock



A friend of mine wrote an article and made an unpacker for PELock but it's all in french..
Maybe if nobody helps you much it could at least point you to the right direction.
hXXp://fat.next-touch.com/data/patte-pelu.html

hiho's to FAT

Hey Silk,

Thanks for that. Yep there seems to be a lot going on and the images that he provides look vaguely familiar! I will see how others respond before proceeding with unpackers etc. I just want to understand how it works, as my unpacking skills are not so ninja.. Merci

I have met the same situation with you ,even the debug conditions,debuged bot are the same. last night,I resolved it .
I got a odbscript which been writed by loveboom for PElock 1.0x ,that's not enough,
I added two line to the ***.vmx ,please reference t-13168.html
to resolve the bot don't work in vmware,then the script work .
I got the result I want. If you have some problems ,welcome to chat with me ,I'm a newbie in this field.
my email :cyndy.li2009@gmail.com