Three and a half ways to unpack malware using Ollydbg

Here I demonstrate three (and a half!) ways to unpack malware. Malware is often packed to evade anti-virus products and to slow down analysis, so it is very useful to know how to dump a sample in its unpacked form.

First I unpack the sample with UPX's own decompress option (upx -d, which is cheating, right!), then I show you the following three manual methods:

1. Eyeballing the tail jump: stepping through the unpacking stub until the jump that leaves the stub and lands in the freshly decompressed code, i.e. the original entry point (OEP)
2. Using a hardware breakpoint on the stack: packers such as UPX save all registers with PUSHAD on entry and restore them with POPAD just before the tail jump, so a hardware breakpoint on the saved stack slot (the "ESP trick") fires right before the OEP is reached
3. Pre-empting the use of GetModuleHandleA: breaking on an API that the unpacked code calls early (here GetModuleHandleA), at which point the original code is already decompressed in memory

Once execution is paused at the OEP we can dump the process from memory, use Scylla to set the entry point and rebuild the import table (the packer strips the original IAT), and then perform more advanced behavioural / static analysis on the unpacked binary.
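Before opening OllyDbg it helps to know what the file's section table already tells you about the packer, because that is what the three manual methods exploit: the stub's entry point sits in a writable, high-entropy section, the decompressed code is written into a section that is empty on disk, and the tail jump lands there. The following Python script is an added example for this post (not the author's code and not tied to the sample analysed here); it builds two minimal PE images in memory, one laid out like a UPX-packed file and one like an ordinary binary, both constructed for the example and not loadable by Windows, parses the section table and reports those indicators. The 7.0 bits/byte entropy threshold and the "two indicators means packed" rule are heuristics assumed for this example.

```python
import hashlib
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE image held in memory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(data)})
        off += 40
    return entry_rva, sections


def packer_triage(pe, entropy_threshold=7.0):
    """Static hints on whether a PE is packed and which section the tail jump will land in."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_sec, oep_candidate = [], None, None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_sec = s
        # Nothing on disk but a large virtual size: the stub decompresses into this
        # region, so the tail jump (and hence the OEP) lands here, below the stub.
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            findings.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes reserved in memory")
            oep_candidate = s["name"]
        if s["name"].startswith("UPX"):
            findings.append(f"{s['name']}: UPX section name")
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    else:
        if entry_sec["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{entry_sec['name']}: entry point in a writable section")
        if entry_sec["entropy"] > entropy_threshold:
            findings.append(f"{entry_sec['name']}: entry section entropy "
                            f"{entry_sec['entropy']:.2f} bits/byte (compressed or encrypted)")
    return {"entry_rva": entry_rva,
            "entry_section": entry_sec["name"] if entry_sec else None,
            "oep_candidate_section": oep_candidate,
            "findings": findings,
            "likely_packed": len(findings) >= 2}  # heuristic assumed for this example


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 file: enough structure for parse_sections, not loadable by Windows."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt_size = 224  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    headers, raw, rawptr = bytearray(), bytearray(), 0x200
    for name, vaddr, vsize, data, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                               len(data), rawptr if data else 0, 0, 0, 0, 0, chars)
        raw += data
        rawptr += len(data)
    image = (dos + b"PE\0\0" + coff + opt + headers).ljust(0x200, b"\0")
    return bytes(image + raw)


def pseudo_random_bytes(n, seed=b"constructed-stub"):
    """Deterministic high-entropy filler standing in for a compressed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed stand-in for a UPX-packed file: UPX0 is empty on disk, UPX1 holds the
# compressed payload plus the decompression stub, and the entry point is inside UPX1.
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0x1000, 0x10000, b"", RWX),
    (b"UPX1", 0x11000, 0x2000, pseudo_random_bytes(0x1800), RWX),
    (b".rsrc", 0x13000, 0x1000, b"\0" * 0x200,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_rva=0x11000 + 0x1500)

# Constructed stand-in for an unpacked binary: read-only code section with low-entropy bytes.
BENIGN_SAMPLE = build_pe([
    (b".text", 0x1000, 0x1000, b"\x55\x8b\xec\x83\xec\x10\xc3\x90" * 0x100,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x1000, b"\0" * 0x400,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_rva=0x1000 + 0x10)
```

Running packer_triage(PACKED_SAMPLE) reports UPX1 as the entry section and UPX0 as the section the tail jump should land in, which is exactly where to expect the OEP when eyeballing the jump or when the stack hardware breakpoint fires; the benign layout produces no findings. To use it on a real file, pass the bytes of the file on disk instead of the constructed images.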

Tools used:
Ollydbg – http://www.ollydbg.de/
Scylla – https://github.com/NtQuery/Scylla
Process Hacker – http://processhacker.sourceforge.net/

MD5 of the sample analysed: 91208451ef36dfda1fa00444abc95808

Hope this is useful 🙂 Feel free to submit your comments and questions and don’t forget to subscribe to my channel and follow me here: https://twitter.com/cybercdh
