Tuesday, May 27, 2014

Unpacking Zeus Malware

1) Zeus ntdll.RtlDecompressBuffer

Unpacking Zeus (amdeu_exe) with Immunity Debugger 1.73

This version of Zeus (amdeu_exe) used ntdll.RtlDecompressBuffer to decompress itself into memory allocated with VirtualAlloc. Below are the steps to unpack the exe manually. The end result was found by setting breakpoints on the VirtualAlloc calls and on the memory addresses they returned: a hardware breakpoint on write was set on each allocated address and the memory was monitored for changes until the unpacked Zeus image appeared there.
(Zeus unpacked)
Here are the instructions to unpack this sample quickly by hand.
2) Load the executable and you should be dropped at address:
7C90120F C3 RETN
3) Press Alt + F9 to execute until user code, which should take you to 00401500. Set a soft breakpoint by pressing F2 at address 00401655.
4) In the command line type !hidedebug All_Debug and press Enter. Do the same for:
!hidedebug All_Process
!hidedebug All_Window

5) Press Play to run the sample to 00401655. Once the soft BP has been hit, press F7 to step into the call, which should bring you to 00401007.
6) Set a soft BP by pressing F2 at address 0040111A, which is the bottom of a loop, and click Play.
7) When 0040111A is hit, press F7 to step into the address. This should bring us to address 0050100.
8) ntdll.RtlDecompressBuffer is our target call, at address 005012E0. Set a software BP at this address. If you get a warning when setting the BP, just press OK or Yes to continue, then select Play.
9) Once our target address has been hit, look in the call stack. The address 011A0000 will be our dump address; it was allocated using VirtualAlloc. Right-click on this address and select "Follow In Dump".
10) Press F8 once and Zeus will decompress into the address 011A0000.
11) Select "m" (the memory map) at the top of the screen and highlight the target address 011A0000. Right-click on the address and select "Dump". Right-click inside the Dump window, select "Backup" and then "Save data to file", append .exe to the name, and you're done for the most part.

12) You can now open the dumped file in IDA. 
13) You can also use CFF Explorer to rebuild the EXE if it has trouble executing. I used the Rebuild PE Header, Bind Import Table and Update Checksum options to rebuild the dumped exe.
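The reason a raw dump like the one saved in step 11 often will not run until step 13 is that in memory each section sits at ImageBase + VirtualAddress, while the section headers still carry the on-disk PointerToRawData/SizeOfRawData. The Python below, added here and not part of the original post, performs that realignment on a constructed two-section PE stand-in (not a real Zeus dump), so the effect of the rebuild can be checked before and after.

```python
import struct

def section_headers(image):
    """Yield (header_offset, name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    nt = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew -> "PE\0\0"
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, opt_size = struct.unpack_from("<H", image, nt + 6)[0], struct.unpack_from("<H", image, nt + 20)[0]
    for i in range(count):
        off = nt + 24 + opt_size + i * 40                    # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        yield (off, name) + struct.unpack_from("<IIII", image, off + 8)

def read_section(image, index):
    """Return the bytes the header of section `index` points at (SizeOfRawData @ PointerToRawData)."""
    _, _, _, _, raw_size, raw_ptr = list(section_headers(image))[index]
    return image[raw_ptr:raw_ptr + raw_size]

def fix_memory_dump(image):
    """In memory every section sits at ImageBase + VirtualAddress, so in a dump its data is at
    file offset == VirtualAddress while the headers still carry the on-disk PointerToRawData and
    SizeOfRawData. Point them at the real data and set FileAlignment = SectionAlignment."""
    fixed = bytearray(image)
    opt = struct.unpack_from("<I", fixed, 0x3C)[0] + 24     # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<I", fixed, opt + 36, struct.unpack_from("<I", fixed, opt + 32)[0])
    for off, _, vsize, vaddr, _, _ in section_headers(fixed):
        struct.pack_into("<II", fixed, off + 16, vsize, vaddr)   # SizeOfRawData, PointerToRawData
    return bytes(fixed)

def build_sample_dump():
    """Constructed stand-in for a debugger dump (not a real Zeus image): two sections already at
    their virtual addresses, headers still describing the on-disk layout (0x400 / 0x600)."""
    img, nt = bytearray(0x3000), 0x80
    img[0:2], img[nt:nt + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, nt)                   # e_lfanew
    struct.pack_into("<HH", img, nt + 4, 0x14C, 2)          # Machine i386, NumberOfSections
    struct.pack_into("<H", img, nt + 20, 0xE0)              # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, nt + 24, 0x10B)             # PE32 magic
    struct.pack_into("<II", img, nt + 56, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    for i, (name, vaddr, raw_ptr) in enumerate([(b".text", 0x1000, 0x400), (b".data", 0x2000, 0x600)]):
        off = nt + 24 + 0xE0 + i * 40
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, 0x200, vaddr, 0x200, raw_ptr)
        img[vaddr:vaddr + 4] = name[1:5]                    # marker bytes where the data really lives
    return bytes(img)
```

The script only realigns section headers; the import table still has to be rebuilt separately, which is what the Bind Import Table step above does.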

2 comments:

  1. Hi,

    Could you please share the sample (packed) file? Thank you so much.

    1. Hi VnSpl0it. If the md5 is public and in the wild I will post the link to it. If not, the methods I describe above should work on Zeus packed malware.

      A lot of steps can be skipped by stepping into the malware, hiding the debugger, setting a BP on the entry and return address of RtlDecompressBuffer and running the sample.

      Once the return address is hit, look at the call stack and note the buffer the decompression will take place in. Press Play again and step over the return. In the address used for decompression you should see the Zeus exe. Hope this helps.