
Thread: Unpacking Dynamically Allocated Code

#1 disavowed (Join Date: Apr 2002, Posts: 1,281)

    Cute idea of hooking VirtualAlloc to unpack into a new section: http://blog.crowdstrike.com/2012/10/unpacking-dynamically-allocated-code.html

#2 OHPen, "Reverse Engineer" (Join Date: Nov 2002, Posts: 399)

    Hey,

    cute is the right word ;D

IIRC, we are talking here about one single allocation... not directly rocket science, right?

In my opinion it is the light version of "Writing a virtual memory manager for target memory redirection", done for many protections like SecuROM, Themida, etc.

    Nevertheless, nicely wrapped into a story, hehe!

    Regards,
    OHPen
- Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments, but then they appear to last ages... -

#3 Kayaker, "Teach, Not Flame" (Join Date: Oct 2000, Posts: 4,048)

It is a good example, easy to understand. What is "cute", however, is the unrelated packer mentioned in passing, MEW. It seems to use the bytes in the 2nd (non-ASCII) section name somewhere in its decryption. If you change the section name, at offset 0x12C, the packed program will crash. It can be traced with a break-on-access on the PE header section.

Not too many self-respecting malwares would bother with a trick like that, but as the documentation says, it was coded by a 17 year old kid for fun. Cute.
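Kayaker's point above, that a packer can key its decryption on the raw bytes of a section name, is something an analyst can check for in a sample before running it. The following is an added example (not code from this thread or from the linked CrowdStrike post): it walks the PE section table, reports the file offset of each section header, and flags names that are not printable ASCII, which are the bytes to watch with a break-on-access in the debugger. The PE skeleton and its second section name are constructed here for the test; the 0x12C offset Kayaker quotes belongs to his MEW sample, not to this constructed image.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER); Name is its first 8 bytes

def parse_section_headers(data: bytes):
    """Walk the PE section table and return one (header_file_offset, name, is_printable)
    tuple per section. Trailing NULs are stripped from the 8-byte Name field."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER starts right after the 4-byte signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, e_lfanew + 4 + 2)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    table = e_lfanew + 4 + 20 + size_opt
    result = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0")
        printable = all(0x20 <= b <= 0x7E for b in name)
        result.append((off, name, printable))
    return result

def suspicious_section_offsets(data: bytes):
    """File offsets of section headers whose Name is not printable ASCII. If a packer
    keys its decryption on those bytes, a break-on-access there shows where it reads them."""
    return [off for off, _name, printable in parse_section_headers(data) if not printable]

def build_sample_pe(section_names):
    """Constructed, non-loadable PE32 skeleton used only as test input: DOS header with
    e_lfanew=0x40, PE signature, file header, zero-filled 0xE0-byte optional header, section table."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8) for n in section_names)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table

if __name__ == "__main__":
    # The second name is a constructed non-ASCII stand-in for the kind of name Kayaker describes
    sample = build_sample_pe([b".text", b"\x8a\x01\xff\x7f"])
    for off, name, printable in parse_section_headers(sample):
        print(f"section header @ 0x{off:X}: {name!r} printable={printable}")
    print("watch offsets:", [hex(o) for o in suspicious_section_offsets(sample)])
```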

#4 deroko

We used that stuff with a custom memory manager. But just a quick question, as my memory is a little bit hazy: since when does ASProtect use virtual memory to unpack and execute unpacked code? Unless it's talking about a few bytes stolen from the OEP.

Btw, do you have a sample?
    Last edited by deroko; November 2nd, 2012 at 07:44. Reason: req for sample
