
Unpacking Dynamically Allocated Code


disavowed
October 29th, 2012, 12:35
Cute idea of hooking VirtualAlloc to unpack into a new section: http://blog.crowdstrike.com/2012/10/unpacking-dynamically-allocated-code.html

OHPen
October 30th, 2012, 03:24
Hey,

cute is the right word ;D

IIRC, we are talking here about one single allocation... not directly rocket science, right?

In my opinion it is the light version of "Writing a virtual memory manager for target memory redirection", done for many protections like SecuROM, Themida, etc.

Nevertheless, nicely wrapped into a story, hehe!

Regards,
OHPen

Kayaker
October 30th, 2012, 17:35
It is a good example, easy to understand. What is "cute" however is the unrelated packer mentioned in passing, MEW. It seems to use the bytes in the 2nd, non-ascii, section name somewhere in its decryption. If you change the section name, at offset 0x12C, the packed program will crash. Can be traced with a break-on-access of the PE Header section.

Not too many self-respecting malware authors would bother with a trick like that, but as the documentation says, it was coded by a 17-year-old kid for fun. Cute.
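The non-ASCII section name Kayaker describes is also a useful static indicator for analysts: a legitimate linker emits printable section names, so a header whose section name bytes are binary garbage is worth a second look before running anything. The following script is an added example (not code from the thread or from the CrowdStrike post) that walks the PE section table, computes where each section name lives from e_lfanew and SizeOfOptionalHeader rather than assuming the 0x12C offset mentioned above, and flags names containing non-printable bytes. The PE image it parses is constructed inline with a hypothetical garbage name, so it runs offline; the layout constants are the standard PE32 ones.

```python
import struct

# Standard PE layout constants (not assumptions): COFF header is 20 bytes after
# the 4-byte "PE\0\0" signature, each section header is 40 bytes, the name is
# the first 8 bytes of a section header.
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
SECTION_NAME_SIZE = 8


def build_sample_pe(section_names):
    """Construct a minimal PE32 image in memory.

    Constructed test data: only the fields a section-table walker needs are
    filled in; the image is not loadable and contains no code.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    size_opt = 0xE0                                       # PE32 optional header size
    # Machine(i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    sections = b""
    for i, name in enumerate(section_names):
        name8 = name[:SECTION_NAME_SIZE].ljust(SECTION_NAME_SIZE, b"\x00")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (CODE|EXECUTE|READ)
        sections += name8 + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
            0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sections


def parse_sections(data):
    """Return one dict per section header: index, file offset of the header,
    raw 8-byte name, null-stripped name and whether the name is printable."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 4 + COFF_HEADER_SIZE + size_opt   # start of section table
    out = []
    for i in range(num_sections):
        off = first + SECTION_HEADER_SIZE * i
        raw = data[off:off + SECTION_NAME_SIZE]
        if len(raw) != SECTION_NAME_SIZE:
            raise ValueError("truncated section table")
        name = raw.rstrip(b"\x00")
        printable = len(name) > 0 and all(0x20 <= b < 0x7F for b in name)
        out.append({"index": i, "offset": off, "raw": raw,
                    "name": name, "printable": printable})
    return out


def suspicious_sections(data):
    """Sections whose name bytes are not printable ASCII: a packer indicator,
    and for MEW-style packers possibly input to the decryption routine."""
    return [s for s in parse_sections(data) if not s["printable"]]


if __name__ == "__main__":
    # Hypothetical garbage name standing in for the non-ASCII one in the thread.
    sample = build_sample_pe([b".text", b"\x01\x82\x9f\xc4"])
    for s in parse_sections(sample):
        flag = "" if s["printable"] else "  <-- non-printable name, do not patch blindly"
        print(f"section {s['index']} at file offset 0x{s['offset']:X}: {s['raw']!r}{flag}")
```

Running it against a real sample instead of the constructed image only requires replacing `sample` with the file's bytes; the reported file offset is where a break-on-access watch on the header should be placed to confirm that the packer reads those bytes.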

deroko
November 2nd, 2012, 03:53
We used that stuff with a custom memory manager. But just a quick question, as my memory is a little bit hazy: since when does ASProtect use virtual memory to unpack and execute unpacked code? Unless it's talking about a few bytes stolen from the OEP.

btw, do you have a sample?