Unpacking of new TDL3 dropper
Intro
For my very first blog post, I have decided to bring something hot. The TDL crew came up with a brand new and, certainly, very effective packer (polymorphic crypter is the more precise term in this case) with a detection rate of 0%! I'm going to show you how easily this packer can be unpacked in a few steps.
The build date of the sample used for the demonstration is 4.19.2010.
Finding OEP
When the sample is loaded in Olly, we set a breakpoint on the API VirtualAlloc and run the debugger.

When the breakpoint is hit, we look at the return value, which is 380000h. This one isn't interesting for us, so let's run the application a few more times, until an allocation fails and zero is returned in eax.
Now we are in a part of the code where VirtualAlloc is called many times in a loop. In C the loop could look like this:
    LPVOID ret = NULL;
    /* Try to allocate directly behind the loaded image, one page at a time. */
    for (int i = 0; i < 0x1000; i++) {
        DWORD base = image_base + image_size + i * 0x1000;
        if ((ret = VirtualAlloc((LPVOID)base, /* size, allocation type, protection */ ....)) != NULL)
            break;
    }
    /* Fallback: let the system choose the address. */
    if (!ret) {
        ret = VirtualAlloc(NULL, ....);
    }
Now you may ask, "why such a complex approach to allocate just a piece of memory?"
This code is in fact an anti-reversing trick that makes automatic unpacking of the binary a bit harder.
To get past the loop, we set a breakpoint on the code executed after a successful allocation.
We see that an RWX memory block was allocated at the address 900000h.
The original binary is going to be placed there, so we just set a hardware write breakpoint on the first byte
of the new memory block and run the application. Olly stops at the code responsible for decrypting the
new PE header. So let's wait until the whole header is decrypted by putting a breakpoint at retn 4 and hitting
F9.
Examination of the header will reveal that AddressOfEntryPoint is 230ah.
That information is all we need. With just a little simple math we can calculate the address of the OEP.
The formula is: ImageBase + AddressOfEntryPoint = OEP, where ImageBase is the address at which the decrypted image was placed (the allocated block), so 900000h + 230ah = 90230ah.
We put a hardware breakpoint there and run the application again. When Olly stops at the OEP, we can dump the image with the LordPE dumper.
Fixing PE header and ImportTable
We have successfully dumped the original binary, but unfortunately it's not valid and additional
fixes are necessary to make it fully functional. A very important thing missing from the binary
is the ImportTable. The LordPE PE rebuilder can help us with that problem. With the proper configuration (figure below) the ImportTable will be reconstructed automatically with just one click of the mouse.
Now it's time to fix the ImageBase. We set it to the base address at which the original binary was loaded:
900000h in my case, but that varies from one case to another.

Now only the last thing remains to be done. To get a fully working binary, all incorrect directories
must be removed. To do that, it's enough to fill the Resource, Relocation and IAT directory information with zeros, as the figure below shows.
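The header steps above (read AddressOfEntryPoint, add the address where the decrypted image lives, then set ImageBase and zero the Resource, Relocation and IAT directories in the dump) can be scripted instead of done by hand in LordPE. This is an added example, not code from the original post; the PE header it operates on is constructed in the script and is not taken from the TDL3 sample.

```python
import struct

# Data directory indices in the PE32 optional header that the post zeroes after dumping.
DIR_RESOURCE, DIR_BASERELOC, DIR_IAT = 2, 5, 12
DIR_ENTRY_OFFSET = 96   # first IMAGE_DATA_DIRECTORY inside IMAGE_OPTIONAL_HEADER32
DIR_ENTRY_SIZE = 8      # VirtualAddress (4 bytes) + Size (4 bytes)

def build_sample_header(entry_rva, image_base):
    """Constructed minimal PE32 header (MZ stub, PE signature, file header, optional header)
    with a few non-zero directories; it stands in for a freshly dumped image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow the stub
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)  # i386, 3 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase (stale value in a dump)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    dirs = {1: (0x4000, 0x80), DIR_RESOURCE: (0x5000, 0x200),
            DIR_BASERELOC: (0x6000, 0x100), DIR_IAT: (0x4100, 0x40)}
    for idx, (va, size) in dirs.items():
        struct.pack_into("<II", opt, DIR_ENTRY_OFFSET + idx * DIR_ENTRY_SIZE, va, size)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

def optional_header_offset(image):
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20    # skip the signature and IMAGE_FILE_HEADER

def find_oep(image, loaded_base):
    """OEP = address where the decrypted image was placed + AddressOfEntryPoint."""
    opt = optional_header_offset(image)
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    return loaded_base + struct.unpack_from("<I", image, opt + 16)[0]

def fix_dump(image, loaded_base):
    """Copy of the dump with ImageBase set to the real load address and the Resource,
    Relocation and IAT directories zeroed; import rebuilding is left to LordPE."""
    fixed = bytearray(image)
    opt = optional_header_offset(fixed)
    struct.pack_into("<I", fixed, opt + 28, loaded_base)
    for idx in (DIR_RESOURCE, DIR_BASERELOC, DIR_IAT):
        struct.pack_into("<II", fixed, opt + DIR_ENTRY_OFFSET + idx * DIR_ENTRY_SIZE, 0, 0)
    return bytes(fixed)

def read_image_base(image):
    return struct.unpack_from("<I", image, optional_header_offset(image) + 28)[0]

def read_directory(image, idx):
    opt = optional_header_offset(image)
    return struct.unpack_from("<II", image, opt + DIR_ENTRY_OFFSET + idx * DIR_ENTRY_SIZE)
```

With the values from the post (AddressOfEntryPoint 230ah, block at 900000h) find_oep returns 90230ah, and fix_dump leaves the Import directory untouched while clearing the three listed ones.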

Video demonstration
Conclusion
Today I have demonstrated a simple approach to unpacking new TDL dropper samples. In fact, the approach used is effective against a whole variety of polymorphic crypters used by malware authors. That's pretty much everything for today; I wish you all happy unpacking.