LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#include <iostream>

#include "peconv.h"
// for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
// from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1"
// https://www.youtube.com/watch?v=HfSQlC76_s4
// Signature of the sample's own unpacking routine as used by main(): it takes
// a pointer to an embedded blob, the blob's size, and an output file name.
// main() always passes 'r' as the last argument; what it selects is not
// established here -- confirm against the referenced analysis.
using unpack_fn_t = int (__cdecl *)(BYTE* blob, DWORD blob_size, LPCSTR lpFileName, char r_val);

// Resolved by main() from a hard-coded offset once the module is loaded;
// stays nullptr until then.
unpack_fn_t unpack_func = nullptr;
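// Entry point of the unpacker.
//
// Loads the original sample as an executable image via libpeconv, then calls
// the sample's own unpacking routine on the two embedded blobs so that it
// produces "blob1_unpack.bin" and "blob2_unpack.bin". The routine is code from
// the loaded sample and runs inside this process, so the tool is meant for an
// isolated analysis VM only.
//
// argv[1]: path to the original sample.
// Returns 0 on success (or when no path was given), -1 if the module could not
// be loaded or is too small for the hard-coded offsets.
int main(int argc, char *argv[])
{
    if (argc < 2) {
        std::cerr << "Args: <path to the malware>" << std::endl;
        system("pause");
        return 0;
    }

    // Offsets are relative to the loaded image base and are specific to the
    // sample build named in the header comment; a different build will not
    // match and is rejected by the size check below rather than dereferenced.
    const DWORD blob1_offset = 0xC030;
    const DWORD blob1_size = 0x11000;
    const DWORD blob2_offset = 0x1D038;
    const DWORD blob2_size = 0x50000;
    const DWORD unpack_func_offset = 0x4520;

    size_t v_size = 0;
    LPCSTR mal_path = argv[1];
    std::cout << "Reading module from: " << mal_path << std::endl;
    BYTE *malware = peconv::load_pe_executable(mal_path, v_size);
    if (!malware) {
        std::cerr << "Failed to load the module: " << mal_path << std::endl;
        return -1;
    }
    std::cout << "Loaded" << std::endl;

    // Every hard-coded region must lie inside the mapped image; otherwise the
    // calls below would read past the buffer or jump to unmapped memory.
    const auto fits = [v_size](DWORD offset, DWORD size) {
        return static_cast<size_t>(offset) + size <= v_size;
    };
    if (unpack_func_offset >= v_size
        || !fits(blob1_offset, blob1_size)
        || !fits(blob2_offset, blob2_size)) {
        std::cerr << "Loaded image is too small (" << v_size
                  << " bytes) for the expected offsets; wrong sample build?" << std::endl;
        peconv::free_pe_buffer(malware, v_size);
        return -1;
    }

    // Plain pointer arithmetic on the BYTE* base replaces the integer casts;
    // decltype keeps the cast tied to the global's declared signature.
    unpack_func = reinterpret_cast<decltype(unpack_func)>(malware + unpack_func_offset);

    // The routine's return type is int, so keep it signed instead of
    // narrowing it into a DWORD.
    const int res1 = unpack_func(malware + blob1_offset, blob1_size, "blob1_unpack.bin", 'r');
    std::cout << "Unpacked blob1, res:" << res1 << std::endl;

    const int res2 = unpack_func(malware + blob2_offset, blob2_size, "blob2_unpack.bin", 'r');
    std::cout << "Unpacked blob2, res:" << res2 << std::endl;

    peconv::free_pe_buffer(malware, v_size);
    return 0;
}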
Compiled version: https://drive.google.com/open?id=1ogRJvhEB_rFV5s9wSYVl7MbAEv6xcgyU
Requires original malware, available here: https://www.hybrid-analysis.com/sample/16540597e03ac70bea055aa72bf83a7dc3276cf6a64cd6cafdb09e05ebcc198b?environmentId=100