PMA 121: Unpacking with OllyDbg and pestudio (20 pts + 30 extra)
What you need
- A Windows machine, preferably the "Windows 10 with Analysis Tools" VM
Purpose
To examine how EXE files work,
and how the UPX packer modifies them.
Use the "Windows 10 with Analysis Tools" VM
You can use any Windows system, but it's easiest
to use the
"Windows 10 with Analysis Tools" machine from an
earlier project.
Getting PuTTY
We'll use this program as an example
of normal executable to work on.
Download this file, and put it on your desktop:
https://samsclass.info/127/proj/putty.exe
Unblocking the File
Right-click putty.exe and click
Properties. At the bottom,
click Unblock. Click OK.
Check the Hash
Download and install Hashcalc from:
https://www.slavasoft.com/hashcalc/
Verify that the hash
of putty.exe
matches the value shown below.
Launching PuTTY
Double-click putty.exe.
The program opens,
as shown below.
Close the PuTTY Configuration
window.
Compress the File with UPX
Open a Command prompt and execute these
commands, as shown below:
cd Desktop
upx -o puttycomp.exe putty.exe
UPX compresses the file, reducing
its size by about 50%, as shown
below.
Check the Hash
Calculate the hash of puttycomp.exe.
The hash
is different,
as shown below. (Your hash values may be different)
Launching PuTTYcomp
Double-click puttycomp.exe.
The program opens,
just as the original did.
The packed file is smaller on
the disk, but retains the
full functionality of the
original file.
Close the PuTTY Configuration
window.
pestudio
Download pestudio from
https://www.winitor.com/download/
In pestudio, open putty.exe.
Launch a second instance of
pestudio and open puttycomp.exe.
Notice these items, as shown below:
- Make sure that the top line in the left pane is selected
in both windows, as shown below.
- The hash values shown in the right pane are different, because the disk files are different.
- indicators shows the number of suspicious features in each file. These are false positives since this is a harmless program, not malware.
- virustotal shows false possitives too: one engine falsely regards putty itself as malicious, but 11 flag the packed file, apparently regarding the packing itself as suspicious.
Sections in PuTTY
In the pestudio window examining putty.exe,
in the left pane, click sections.
In the right pane, notice these items,
as shown below:
- There are the four typical sections: .text, .rdata, .data, and .rsrc.
- Comparing the "raw-size" (size on disk) and "virtual-size" (size in memory) values, they are almost equal for each section. The difference is that the raw-size is rounded up to the nearest 4K block size.
- Permissions: notice that the .text section is executable and the .data section is writable. The other sections have no permissions. This is the normal situation. No program should ever allow write and execute permissions on the same memory segment, as a basic security principle.
- entry-point: This is where execution starts. It's an address in the .text section, where it should be.
- entropy: The .text section has entropy 6.7, which is typical for assembly code which varies a lot, but is not completely random. The other sections have lower entropy, especially the .data and .rsrc sections which contain large unused sections filled with zeroes, as we will see below.
Sections in PuTTYcomp
In the pestudio window examining puttycomp.exe,
in the left pane, click sections.
In the right pane, notice these items,
as shown below:
- There are only three sections: UPX0, UPX1, and .rsrc. The absence of a .text section is very strange, since that section should have the executable code.
- The UPX0 section has a "raw-size" of zero and a large "virtual-size"--this section does not exist on the disk, and will be dynamically filled when the program runs.
- The permissions are very strange, every section is writable and most of them are also executable. These permissions clearly do not enforce any security barriers.
- entry-point: It's bold and red to indicate that it is suspicious--it's in the UPX1 section, which is not normal at all.
- entropy: The UPX0 section has no data, so no entropy. The UPX1 section has an entry near 8 (total randomness) because this data has been compressed. The .rsrc section has a normal entropy value for data storage.
Imports in PuTTY
In the pestudio window examining putty.exe,
in the left pane, click imports.
In the right pane, scroll through the list,
as shown below,
to get a feeling for the many API calls
used by even a very simple Windows application.
Some of them are blacklisted, and some even have
MITRE techniques listed, showing how they are
used by attackers.
Imports in PuTTYcomp
In the pestudio window examining puttymod.exe,
in the left pane, click imports.
In the right pane,
the list is very short,
as shown below,
because the
unpacker does only one simple job.
Get the Malware Samples
If you don't already have them,
get the malware samples here:
https://practicalmalwareanalysis.com/labs/
Getting OllyDbg
Download Odbg110.zip from
https://www.ollydbg.de/
Unzip it into its own folder,
as shown below.
http://www.openrce.org/downloads/details/108/OllyDump
Unzip the g_ollydump221b.zip file.
Move the OllyDump.dll file into the
same folder as the OllyDbg executable,
as shown below.
Examining PuTTY and PuTTYcomp with OllyDbg
In OllyDbg, open putty.exe.
Launch a second instance of
OllyDbg.
In OllyDbg, open puttycomp.exe.
A "Compressed code?" box pops up.
Click No.
Note these features, as shown below:
- putty.exe shows code starting at address
004550F0 (Your address may be different)
- putty.exe starts with a PUSH 60 command
- puttycomp.exe shows code starting at address
004860E0 (A different address than putty.exe)
- puttycomp.exe starts with a PUSHAD command
Memory Maps
In both OllyDbg windows, click
View, Memory.
Olly shows the memory map.
Find the putty sections.
Note these features,
as shown below.
- Both programs are loaded at a base
address of 400000, which is
a common address for 32-bit Windows
programs.
- putty has the usual .text, .rdata, .data, and .rsrc sections.
- puttymod has only three sections: UPX0, UPX1, and .rsrc.
Dumping Sections
In the OllyDbg windows showing putty,
right-click the .text line and click
Dump.
In the OllyDbg windows showing puttycomp,
right-click the UPX0 line and click
Dump.
As shown below, putty's .text
section contains machine code instructions,
but the UPX0 section is filled with
zeroes.
Notice how large this section is: it goes
from 00401000 to 00448FFF.
In the OllyDbg windows showing putty,
right-click the .data line and click
Dump.
In the OllyDbg windows showing puttycomp,
right-click the UPX1 line and click
Dump.
As shown below, putty's .data
section contains a few values, but
it's mostly zeroes.
The UPX0 section contains compressed
data. Olly has tried to interpret it
as assembly code, but it's nonsense,
as shown below. From the entropy value
we saw earlier, we know this data is
almost totally random.
Viewing the Unpacking Stub
In the OllyDbg window examining
puttycomp.exe,
in the top left pane,
you see code starting with the
PUSHAD instruction/
Scroll down in this pane to see
the unpacking code and find where it ends.
The last instruction is
JMP puttycom.004550F0
as shown below.
This JMP jumps into the UPX0 memory
section, which contained only
zeroes when we dumped it.
The unpacker must put code there
before this JMP, or the program would crash.
Click on the JMP instruction.
Press the F2 key to put a breakpoint
there, as shown below.
Running the Unpacking Code
Press the F9 key to run the program.
The program runs to the breakpoint.
Press the F7 key to
execute one more instruction.
The program proceeds to the
PUSH 60 instruction,
as shown below.
This code contains the instructions
for the real, unpacked,
putty text section.
OllyDbg only disassembles the first
few instructions, because it thinks
this is a data section, but the actual
bytes match the unpacked putty code.
Building an Executable from Memory
We have now unpacked the code,
so it can run in OllyDbg. But to create
an EXE file, we need to
gather the pieces together and
rebuild the PE header, including the
import table which was destroyed
by UPX.
For simple cases, we can use the automated
tool OllyDump to do that.
Using OllyDump
In the OllyDbg window examining
puttycomp.exe,
from the menu bar,
click Plugins,
OllyDump,
"Dump debugged process".
An OllyDump box pops up,
showing the sections of code,
the Entry Point, and the
method it will use to rebuild
the import table,
as shown below.
Check to see that the Start Address
plus the Modify address matches
the address you see in the upper
left pane of OllyDbg. In this case,
it does, because the file loaded
at the expected address of 400000.
Accept the default options and
click the Dump
button.
Save the file as puttydumped.exe.
Examining the Dumped File in pestudio
Open pestudio and examine puttydumped.exe.
The imports section is now largely
restored, although the process is not
perfect,
as shown below--the original putty had
312 imports but OllyDump only restored
277 of them.
PMA 121.2: Entry Point (10 pts)
Examine the sections of puttydumped.exe.
Find its entry-point. That's
the flag,
covered by a green box in the image below.
|
PMA 121.3: Strings (15 pts)
Unpack the Lab18-01.exe sample.
Examine the strings of the unpacked file
and find the URL.
That's
the flag,
covered by a green box in the image below.
|
PMA 121.4: Password (15 pts)
Download and examine this EXE:
upxflag2c1.exe
First run it in a Command Prompt.
It's a password guessing game, as shown below.
Unpack it and examine the strings
to get the flag.
Hint: check the Start Address in OllyDump
|
Sources
The Basics of Packed Malware: Manually Unpacking UPX Executables
Example malware unpacking and analysis: part 1, unpacking
Manual Unpacking Of Upx Packed Executable Using Ollydbg
and Importrec
Triaging suspicious files with pestudio
PeStudio Standard
The Study of Evasion of Packed PE from Static
Detection
MUP With OllyDbg for Really Beginner
How to prevent “upx -d” on an UPX packed executable?
UPX Anti-Unpacking Techniques in IoT Malware
Posted 9-17-2020
Updated 6-13-2021
Memory address explanation corrected 6-24-2021
Minor fix 7-14-21
Extra points enumerated 8-31-2021
FLARE-VM reference removed 9-7-2021
