A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #32223  by DCPNT
 Fri Nov 02, 2018 6:28 pm

im having a hard time unpacking a malware which is using process hollowing as a injection technique.

The malware spawns a new iexplorer.exe process and then calls WriteProcessMemory twice. The first time a buffer containing a PE file is written to the process. I tried to dump this buffer directly from memory but the result seems to have misaligned sections and won't run (Not a valid Win32 application). The second WriteProcessMemory call patches the PEB of the newly created process. After that the ThreadContext is altered using SetThreadContext.

As a next try I attached my debugger to the newly created iexplorer.exe after the ThreadContext was set but before the Process was resumed. I switched the thread and set a breakpoint on EAX which from my understanding should contain the OEP of the unpacked malware(?). I resumed iexplorer and the BP was hit. After that I tried to dump the process using Syclla but again the result was not a runnable executable. Am I missing something or can I try something else?

Sample: https://www.virustotal.com/#/file/bf600 ... /detection