Results 1 to 13 of 13

Thread: Packed Executable but with Missing DLLs

Threaded View

  1. #1
    Registered User
    Join Date
    Apr 2011
    Posts
    78
    Blog Entries
    1

    Packed Executable but with Missing DLLs

    Hi All,
    I am back with another problem . Actually I think I have solved this one but would like to know if there are any good reads about this situation. For me as a relative newbie it was an interesting problem.

    This time I was analyzing an exe which was packed with FSG 2.0 [PEID, RDG, ProtectionID]. I could successfully unpack it after following tutorials on-line. The code after unpacking too seemed unreadable though. After some troubleshooting, I found that the code was encrypted/self modified. The encryption routine ran and rewrote a lot of the code starting from the entry point itself. After this the code seemed to make sense.

    I didn't want to go through this process again; so I dumped the decrypted code and formed a new executable. Reloaded into Olly. Worked fine. Then started stepping through, till I came to a function which I am sure is one to query a registry key; but it was in the form as give below:

    00401BF6 FF15 5E144000 CALL DWORD PTR DS:[40145E]

    Stepping over this call, caused the program to crash with an 'Access violation' error. Similar behavior was found in 2 more APIs.

    So then I thought, this means that the packer (FSG) has destroyed the IAT and I have to reconstruct. However trying to do so using Imprec failed. This means I have to repair the IAT manually. Now here I tried to read many tutorials but am a little stuck. The reason is as follows:

    All the APIs which are related to kernel32.dll seem perfectly fine and Olly can analyze them. It is the other APIs that are causing a problem. Even this I can sort of understand - Maybe the packer messed up everything except Kernel32.dll. This means that I have to repair the IAT for all the other DLLs/APIs only.

    Now the problem is that the API in question RegQueryValueExA belongs to advapi32.dll, which does not even seem to be loaded by this EXE. [Ctrl + E in Olly does not show it]. However 40145E does contain DS:[0040145E]=77DDEAF4 which looks very much like an API address start point. But I cant follow this call... there is nothing at 77DDEAF4.

    So I used this tool called CFF Explorer and added the DLL from my machine into the EXE and repaired the Import Table. Reran the Exec, this time it worked and this is what I could see:

    DS:[0040145E]=77DDEAF4 (advapi32.RegCreateKeyExA)

    Repeating this process for every missing DLL helped me to fully reconstruct this EXE. Now the question is:

    a) Why would malware use this technique? Of dropping DLLs out..its bad for the malware itself..rt? As it can't run?
    b) How would one be able to solve this problem without the usage of a tool like CFF Explorer in a reliable way?

    I read tutorials to use Imprec and finding the start and end of the IAT and I think I understand that part but what about a problem like this. When the DLL itself is missing? How do you solve it manually?

    I have attached lots of screenshots and all 3 files as an attachment. Please have a look there if you don't understand or ping me.

    Thanks
    Arvind
    Attached Files Attached Files
    Reversing articles, primarily from a newbie perspective - http://ardsec.blogspot.com

    Latest article written - http://resources.infosecinstitute.com/author/arvind

Similar Threads

  1. CFF Explorer Missing Many DLLs In VAD.
    By malhuntr in forum The Newbie Forum
    Replies: 1
    Last Post: January 31st, 2014, 12:00
  2. Yoda's Cryptor v 1.2 + UPX Packed Executable
    By DeXTeR.OrBiT in forum The Newbie Forum
    Replies: 2
    Last Post: July 14th, 2012, 14:05
  3. Packed Malware - Double Packed?
    By vect0r in forum Malware Analysis and Unpacking Forum
    Replies: 26
    Last Post: August 7th, 2008, 06:13
  4. How Packed files are Packed
    By naides in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: February 11th, 2004, 23:33
  5. Missing address
    By catalis in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: October 11th, 2001, 09:21

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •