Thread: Can't Dump a w32 binary (malware)?

  1. #1 Registered User

    I'm working on MUP'ing a Sality variant that was found at Offensive Computing. I've found myself at the OEP, which was the original module entry point, but after it has been decrypted. However, when I go to use OllyDump to dump this process I get "Unable to read memory of debugged process (00400000..00418fff)", then another message box with "bad DOS signature".

    I've done some Googling and found some articles saying that this happens on packed DLLs (PECompact), but this is an EXE written in VB. I'm pretty sure I'm at the OEP, as there is a push instruction and then a call to ThunRTMain. Can someone point me in the right direction on things I can research to work around this issue? Thank you.

  2. #2 evaluator
    If you can't dump some range of a memory block, then it probably contains some reserved parts.
    Just check that range.

  3. #3 Registered User
    Quote, originally posted by evaluator:
        If you can't dump some range of a memory block, then it probably contains some reserved parts.
        Just check that range.
    I'm going out on a limb here, but VirtualAlloc is an API that protects memory; are there any other ones I should be on the lookout for that can also protect memory blocks?

  4. #4 BanMe
    VirtualAlloc is used to allocate a piece of memory, and yes, you can specify the page protection.
    But VirtualProtect is what you describe; VirtualProtectEx and NtProtectVirtualMemory are the innards. And that's about it for modifying the protections on memory in user mode.

  5. #5 evaluator
    1. Also, VirtualFree can free some pages inside a memory block, thus preventing a dump.
    2. Also, the OS can free RELOC pages after using them (and other sections marked as Discardable).

  6. #6
    Hi,
    before dumping to disk, check the Memory tab of Olly and set every section of the main EXE to full access (right-click on the section > Set Access > Full Access).
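Pulling the thread's advice together as an added example (code written for this page; it is not from any of the posters and not OllyDump's code): walk the image range with VirtualQueryEx to see which pages are not committed, guard or PAGE_NOACCESS (the reserved parts from posts #2 and #5), apply the Full Access fix from post #6 through VirtualProtectEx where it can work, and then dump page by page with unreadable pages zero-filled instead of letting one failed ReadProcessMemory over the whole range abort the dump. The pure-Python functions run anywhere and are exercised here against a constructed fake process whose size matches the 00400000..00418fff range from post #1; the position of the hole in that fake is invented, and the handle, pid and addresses passed to the win32_* helpers are the analyst's own.

```python
"""Page-tolerant image dump: added example, not code from the thread or from OllyDump.
The pure-Python logic runs against a constructed fake process; the win32_* helpers are
Windows-only and assume a handle with PROCESS_QUERY_INFORMATION|VM_READ|VM_OPERATION."""
import struct
import sys

if sys.platform == "win32":  # only the win32_* helpers need these
    import ctypes
    from ctypes import wintypes as wt
    k32 = ctypes.windll.kernel32

PAGE_SIZE = 0x1000
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_NOACCESS, PAGE_GUARD, PAGE_EXECUTE_READWRITE = 0x01, 0x100, 0x40

def unreadable_pages(regions, base, size):
    """regions: (base, size, State, Protect) tuples as VirtualQueryEx reports them.  Returns
    [(page_addr, reason)] for each page of [base, base+size) that makes one big read fail."""
    bad = []
    for rbase, rsize, state, protect in regions:
        lo, hi = max(rbase, base), min(rbase + rsize, base + size)
        if lo >= hi:
            continue
        if state != MEM_COMMIT:
            reason = "not committed (reserved, decommitted by VirtualFree, or freed discardable section)"
        elif protect & PAGE_GUARD:
            reason = "guard page"
        elif (protect & 0xFF) == PAGE_NOACCESS:
            reason = "PAGE_NOACCESS (Set Access > Full Access fixes this one)"
        else:
            continue
        bad.extend((addr, reason) for addr in range(lo, hi, PAGE_SIZE))
    return bad

def dump_tolerant(read_page, base, size):
    """One read per page.  read_page(addr) -> PAGE_SIZE bytes or None; failed pages are
    zero-filled so raw offsets in the dump equal RVAs.  Returns (image, [hole addresses])."""
    out, holes = bytearray(), []
    for addr in range(base, base + size, PAGE_SIZE):
        page = read_page(addr)
        if page is None:
            holes.append(addr)
            page = bytes(PAGE_SIZE)
        out += page
    return bytes(out), holes

def check_pe_signature(image):
    """The two header checks a dumper makes before it will write the file."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return "bad DOS signature"
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 4 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "bad PE signature"
    return "ok"

# Constructed fake process: 0x19000 bytes at 0x400000 (the range in post #1) with two
# decommitted pages at 0x414000; the hole's position is invented for this example.
FAKE_BASE, FAKE_SIZE = 0x400000, 0x19000
FAKE_REGIONS = [(0x400000, 0x14000, MEM_COMMIT, PAGE_EXECUTE_READWRITE),
                (0x414000, 0x02000, MEM_RESERVE, 0),
                (0x416000, 0x03000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)]

def fake_read_page(addr):
    """Stand-in for ReadProcessMemory: fails on anything not committed."""
    for rbase, rsize, state, _ in FAKE_REGIONS:
        if rbase <= addr < rbase + rsize and state == MEM_COMMIT:
            page = bytearray(PAGE_SIZE)
            if addr == FAKE_BASE:  # minimal MZ header pointing at a PE signature
                page[:2] = b"MZ"
                struct.pack_into("<I", page, 0x3C, 0x80)
                page[0x80:0x84] = b"PE\0\0"
            return bytes(page)
    return None

def win32_regions(h, base, size):
    """Windows only: VirtualQueryEx walk, same tuple shape as FAKE_REGIONS."""
    class MBI(ctypes.Structure):
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
    regions, addr, mbi = [], base, MBI()
    while addr < base + size and k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        rbase = mbi.BaseAddress or 0
        regions.append((rbase, mbi.RegionSize, mbi.State, mbi.Protect))
        addr = rbase + mbi.RegionSize
    return regions

def win32_full_access(h, base, size):
    """Windows only: what 'Set Access > Full Access' does.  Returns False on reserved/free
    pages, since VirtualProtectEx only touches committed memory; dump_tolerant covers those."""
    k32.VirtualProtectEx.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.c_size_t, wt.DWORD, wt.LPDWORD]
    old = wt.DWORD()
    return bool(k32.VirtualProtectEx(h, base, size, PAGE_EXECUTE_READWRITE, ctypes.byref(old)))

def win32_read_page(h, addr):
    """Windows only: ReadProcessMemory of one page, None if it is not readable."""
    k32.ReadProcessMemory.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    buf, n = ctypes.create_string_buffer(PAGE_SIZE), ctypes.c_size_t()
    ok = k32.ReadProcessMemory(h, addr, buf, PAGE_SIZE, ctypes.byref(n))
    return buf.raw if ok and n.value == PAGE_SIZE else None
```

On a live target the order is: open the process (OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_OPERATION), run unreadable_pages(win32_regions(h, base, size), base, size) to see why the range fails, call win32_full_access for any PAGE_NOACCESS pages, and then dump_tolerant(lambda a: win32_read_page(h, a), base, size). Pages that are only reserved or already freed cannot be made readable by any protection change, so they come out as zeros; that is harmless for a discarded .reloc section in an EXE running at its preferred base, but if the hole lands in code the dump is incomplete and the pages have to be recovered from an earlier break point. Because the dump keeps the in-memory layout, the PE editor step afterwards is setting each section's raw size and raw offset equal to its virtual size and RVA and pointing the entry point at the OEP.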
