Cute idea of hooking VirtualAlloc to unpack into a new section: http://blog.crowdstrike.com/2012/10/unpacking-dynamically-allocated-code.html
OHPen
October 30th, 2012, 03:24
Hey,
cute is the right word ;D
IIRC, we are talking here about one single allocation... not directly rocket science, right?
In my opinion it is the light version of "Writing a virtual memory manager for target memory redirection", done for many protections like SecuROM, Themida, etc.
Nevertheless, nicely wrapped into a story, hehe!
Regards,
OHPen
Kayaker
October 30th, 2012, 17:35
It is a good example, easy to understand. What is "cute" however is the unrelated packer mentioned in passing, MEW. It seems to use the bytes in the 2nd (non-ASCII) section name somewhere in its decryption. If you change the section name, at offset 0x12C, the packed program will crash. This can be traced with a break-on-access of the PE header section.
Not too many self-respecting malware authors would bother with a trick like that, but as the documentation says, it was coded by a 17-year-old kid for fun. Cute.
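As an added illustration of the MEW detail above (this is example code, not from the thread or the linked blog): a small PE section-header walker that computes where each section name lives from e_lfanew and SizeOfOptionalHeader, rather than hard-coding 0x12C, and flags names containing non-printable bytes, which is the first thing an analyst would want to see before touching those bytes. The sample image is constructed inline (headers only, no section data) and its second section name is an assumed stand-in for MEW's.

```python
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER


def parse_section_headers(pe: bytes):
    """Return [(name_bytes, file_offset_of_header)] for every section header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    first = coff + 20 + opt_size                          # section table start
    headers = []
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        headers.append((pe[off:off + 8], off))             # Name is the first 8 bytes
    return headers


def non_ascii_name_sections(pe: bytes):
    """Sections whose name holds bytes outside printable ASCII (NUL padding ignored)."""
    return [(name, off) for name, off in parse_section_headers(pe)
            if any(b and not 0x20 <= b < 0x7F for b in name)]


def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS stub, PE signature, COFF header, zeroed PE32 optional header, two sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew right after the DOS header
    # Machine=i386, NumberOfSections=2, timestamp/symbols=0, SizeOfOptionalHeader=0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x010F)
    opt = bytes(0xE0)
    sec1 = b".text\0\0\0" + bytes(32)
    sec2 = b"\x12\xa5\xc7\0\0\0\0\0" + bytes(32)          # assumed non-ASCII name, stand-in for MEW's
    return bytes(dos) + b"PE\0\0" + coff + opt + sec1 + sec2


if __name__ == "__main__":
    for name, off in non_ascii_name_sections(build_sample_pe()):
        print(f"non-ASCII section name {name.hex()} at file offset {off:#x}")
```

Run it against a real packed sample by passing the file bytes instead of build_sample_pe(); a break-on-access at the reported offset is the trace Kayaker describes.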
deroko
November 2nd, 2012, 03:53
We used that stuff with a custom memory manager. But just a quick question, as my memory is a little bit hazy: since when does ASProtect use virtual memory to unpack and execute unpacked code? Unless it's talking about a few bytes stolen from the OEP.