LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
#include <stdio.h>
#include <windows.h>

#include <cstdlib>
#include <iostream>

#include "peconv.h"
// for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
// from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1"
// https://www.youtube.com/watch?v=HfSQlC76_s4
// Signature of the sample's own unpacking routine. The pointer is resolved at
// runtime in main() from the mapped image; it stays null until then.
// Parameters, as used by main(): pointer to the packed blob, its size, a file
// name (presumably where the unpacked data is written — not verified here) and
// a single-character mode flag.
using unpack_func_t = int (__cdecl *)(BYTE* blob, DWORD blob_size, LPCSTR lpFileName, char r_val);
unpack_func_t unpack_func = nullptr;
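// Returns true when [offset, offset + size) lies inside a mapped image of
// v_size bytes. Evaluated in size_t so that offset + size cannot wrap around
// the way a DWORD sum could.
static bool region_in_image(size_t offset, size_t size, size_t v_size)
{
    return offset <= v_size && size <= v_size - offset;
}

/**
 * Maps the sample with libpeconv and then calls the sample's own unpacking
 * routine on the two packed blobs embedded in the image.
 *
 * All offsets below are measured from the base of the mapped image and are
 * specific to sample bd47776c0d1dae57c0c3e5e2832f13870a38d5fd; they come from
 * the analysis referenced at the top of the file.
 *
 * argv[1]: path to the sample on disk.
 * Returns 0 on success (or when no path was given), -1 when the sample cannot
 * be mapped or the hard-coded offsets do not fit the mapped image.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        std::cerr << "Args: <path to the malware>" << std::endl;
        system("pause");
        return 0;
    }

    // Sample-specific locations: the two packed blobs and the unpacking routine.
    constexpr DWORD blob1_offset = 0xC030;
    constexpr DWORD blob1_size = 0x11000;
    constexpr DWORD blob2_offset = 0x1D038;
    constexpr DWORD blob2_size = 0x50000;
    constexpr DWORD unpack_func_offset = 0x4520;

    size_t v_size = 0;
    LPCSTR mal_path = argv[1];
    std::cout << "Reading module from: " << mal_path << std::endl;
    // v_size receives the size of the mapped image; it is needed again to
    // release the buffer.
    BYTE *malware = peconv::load_pe_executable(mal_path, v_size);
    if (!malware) {
        return -1;
    }
    std::cout << "Loaded" << std::endl;

    // Refuse to continue if the hard-coded offsets do not fit the image that
    // was actually mapped (e.g. a different build of the sample was supplied);
    // otherwise the calls below would read or execute outside the buffer.
    // The routine check covers only its first byte — a minimal sanity check.
    if (!region_in_image(unpack_func_offset, 1, v_size)
        || !region_in_image(blob1_offset, blob1_size, v_size)
        || !region_in_image(blob2_offset, blob2_size, v_size)) {
        std::cerr << "Hard-coded offsets do not fit the mapped image (size 0x"
                  << std::hex << v_size << ")" << std::endl;
        peconv::free_pe_buffer(malware, v_size);
        return -1;
    }

    // From this point on the process executes code taken from the sample.
    unpack_func = reinterpret_cast<decltype(unpack_func)>(malware + unpack_func_offset);

    // The 'r' flag and the meaning of the return value are taken from the
    // referenced analysis; the file name is presumably where the routine
    // writes its output (not verified here).
    int res1 = unpack_func(malware + blob1_offset, blob1_size, "blob1_unpack.bin", 'r');
    std::cout << "Unpacked blob1, res:" << res1 << std::endl;
    int res2 = unpack_func(malware + blob2_offset, blob2_size, "blob2_unpack.bin", 'r');
    std::cout << "Unpacked blob2, res:" << res2 << std::endl;

    peconv::free_pe_buffer(malware, v_size);
    return 0;
}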
Compiled version: https://drive.google.com/open?id=1ogRJvhEB_rFV5s9wSYVl7MbAEv6xcgyU
Requires original malware, available here: https://www.hybrid-analysis.com/sample/16540597e03ac70bea055aa72bf83a7dc3276cf6a64cd6cafdb09e05ebcc198b?environmentId=100