On this glorious Saturday night we’re going to go over how to unpack the ‘Local-App-Wizard’ packer.
The packer works by creating a suspended process of itself, hollowing it out (allocating the space with memory-mapped files), writing the contents of its unpacked version into the new process with WriteProcessMemory, and then calling ResumeThread to run the unpacked binary. Since no file operations are involved, you can’t just run the app and save the file it copies over. Instead, we have to catch the packed app after it has been unpacked but before it runs.
I don’t really know where this packer comes from, but one can always tell this packer is in use by the identifying string in the packed binary “Local App-Wizard-Generated Applications”.
Next, run the app (F9) and skip over any access violations (Shift+F9). The first breakpoint we hit will be a CreateFile call on “myapp.exe” or some variation of it, since the writers of the packer keep changing the name.
This newly spawned process will hold the contents of the unpacked binary.
And now, most interestingly, is our WriteProcessMemory call. Thanks to bad engineering on the packer writer’s part, all we have to do is follow the address of the buffer passed to the API call in our dump window to get the unpacked binary.
From here, it’s a simple matter of right-clicking the dump and saving its contents to a file. Immunity is nice enough to save it as a binary. The program we saved is complete with section headers, alignment, IAT, and all the other stuff that’s a pain in the ass to restore.
Assuming the newly unpacked program isn’t packed again, we have two choices.
1) Wait for the ResumeThread call and dump the process’s memory for use with Volatility or Process Hacker.
2) Just work with what I have – the unpacked binary.
Maybe one day I’ll write a quick Python script to do all of this for me, but for now, it takes about 30 seconds using Immunity and my script.
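As an added example (not the post’s script and not part of the packer), here is the sanity check a practitioner would run on the buffer saved from the WriteProcessMemory call before trusting it: parse the DOS/NT headers and section table, confirm the import directory is present, look for the “Local App-Wizard-Generated Applications” marker quoted above, and handle the one caveat the post glosses over. Because the packer writes a memory-mapped copy of the image, a dump can have its section data at its virtual addresses while the section table still carries the original file offsets; saving that to disk as-is gives a file the loader reads wrong. `realign_to_memory_layout` rewrites the section table so file offset equals RVA. The sample PE built by `build_sample_pe` is constructed here for demonstration and is not a real program; all function names are this example’s own.

```python
import struct

# Identifying string quoted in the post; the constructed sample below embeds it.
PACKER_MARKER = b"Local App-Wizard-Generated Applications"


def has_packer_marker(buf):
    """True if the App-Wizard identifying string appears anywhere in the buffer."""
    return PACKER_MARKER in buf


def parse_pe(buf):
    """Parse the headers and section table of a PE image; raises ValueError if malformed."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                       # start of the optional header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                        # PE32: 32-bit ImageBase, directories at +96
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:                      # PE32+: 64-bit ImageBase, directories at +112
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    sect_align, file_align = struct.unpack_from("<II", buf, opt + 32)
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    n_dirs = struct.unpack_from("<I", buf, dirs - 4)[0]
    # Data directory entry 1 is the import table (the IAT the post mentions).
    import_rva, import_size = struct.unpack_from("<II", buf, dirs + 8) if n_dirs >= 2 else (0, 0)
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rsize": rsize, "rptr": rptr})
    # In a mapped image every section's file pointer equals its RVA.
    layout = "memory" if sections and all(s["rptr"] == s["va"] for s in sections) else "file"
    return {"machine": machine, "entry": entry, "image_base": image_base,
            "section_align": sect_align, "file_align": file_align,
            "size_of_image": size_of_image, "has_iat": import_rva != 0 and import_size != 0,
            "sections": sections, "layout": layout}


def realign_to_memory_layout(buf):
    """Return a copy whose section table describes a mapped image (file offset == RVA).
    Use it when the dump came from the mapped copy in the hollowed process but the headers
    still carry the original file offsets; the result then loads correctly from disk."""
    out = bytearray(buf)
    e_lfanew = struct.unpack_from("<I", out, 0x3C)[0]
    nsect = struct.unpack_from("<H", out, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", out, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sect_align = struct.unpack_from("<I", out, opt + 32)[0]
    struct.pack_into("<I", out, opt + 36, sect_align)         # FileAlignment := SectionAlignment
    for i in range(nsect):
        sh = opt + opt_size + 40 * i
        vsize, va = struct.unpack_from("<II", out, sh + 8)
        struct.pack_into("<II", out, sh + 16, vsize, va)      # SizeOfRawData, PointerToRawData
    return bytes(out)


def section_bytes(buf, name):
    """Bytes of the named section as the section table locates them in the buffer."""
    for s in parse_pe(buf)["sections"]:
        if s["name"] == name:
            return buf[s["rptr"]:s["rptr"] + s["rsize"]]
    raise KeyError(name)


def build_sample_pe(mapped=False):
    """Constructed PE32 sample (not a real program): one .text section holding the marker.
    mapped=True lays the section out at its RVA, as a dump of the hollowed process would,
    while leaving the stale file offsets in the headers."""
    text = (PACKER_MARKER + b"\xc3").ljust(0x200, b"\0")  # marker, a RET, padding
    e_lfanew, opt_size, n_dirs = 0x40, 224, 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, len(text), 0, 0, 0x1000, 0x1000, 0, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, n_dirs)
    opt += struct.pack("<II", 0, 0) * n_dirs               # empty data directories (no imports)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(0x200, b"\0")
    if mapped:
        return headers.ljust(0x1000, b"\0") + text.ljust(0x1000, b"\0")
    return headers + text


if __name__ == "__main__":
    dump = build_sample_pe(mapped=True)
    print(parse_pe(dump)["layout"], "->", parse_pe(realign_to_memory_layout(dump))["layout"])
```

On a real dump, `parse_pe(open("dump.bin", "rb").read())` should report `has_iat` as true and a sensible section list; if `layout` says `file` but the buffer is as large as `size_of_image` and the section data sits at its RVAs, run the realignment before saving. The sample has no imports, so `has_iat` is false for it by construction.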
You can download the malware here. The password is infected.