@stamparm
Last active November 9, 2017 02:29
ODbgScript for unpacking Zeus malware (ResumeThread)
// Generic Zeus malware unpacker (ResumeThread)
// by Miroslav Stampar (@stamparm)
// http://about.me/stamparm
//
// Idea: the packed Zeus stub writes the decrypted payload into a memory
// region and only then calls ResumeThread. Breaking on ResumeThread and
// dumping the region that EDI points to yields the unpacked executable.
VAR ResumeThread // address of kernel32!ResumeThread
VAR msg          // text shown to the analyst when finished
VAR xname        // name of the debugged (packed) module, used for the output file name
VAR xloc         // base address of the memory region holding the unpacked payload
VAR xsize        // size of that memory region
GPA "ResumeThread", "kernel32.dll" // Zeus malware uses ResumeThread; resolve its address
MOV ResumeThread, $RESULT
GMI eip, NAME // module name of the currently debugged executable
MOV xname, $RESULT
BP ResumeThread // break when the stub is about to resume the payload thread
EOB label2 // on any breakpoint hit, continue the script at label2
label1:
ERUN // run the debuggee (exceptions are passed to it) until the breakpoint hits
JMP label1
label2:
BC ResumeThread // breakpoint no longer needed
GMEMI edi, MEMORYBASE // EDI holds the memory address of unpacked malware
MOV xloc, $RESULT
GMEMI edi, MEMORYSIZE // size of the region that contains EDI
MOV xsize, $RESULT
DM xloc, xsize, xname + "_unpacked.exe" // dump the whole region as-is (memory layout) to disk
MOV msg, "Unpacked executable has been saved to: '" + xname + "_unpacked.exe'"
MSG msg
RET
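The DM command above writes the region exactly as it sits in memory, so the section headers inside the dump still carry the file offsets the image had on disk, while the section contents now sit at their virtual addresses. A dumped image in that state usually has to be realigned before a PE loader or a disassembler will read it correctly. The following Python is an added example (not part of the gist, and not the author's tooling) that parses the section table of such a dump and rewrites each section's PointerToRawData/SizeOfRawData to VirtualAddress/VirtualSize. It builds a small two-section PE image in memory layout as constructed sample input; the file name `sample_unpacked.exe` in the usage block is a placeholder.

```python
import struct
import sys

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def _section_table(image: bytes):
    """Return (offset of first section header, number of sections)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    return e_lfanew + 24 + size_opt, num_sections


def list_sections(image: bytes):
    """Parse the section table into dicts with the fields the fix-up cares about."""
    off, n = _section_table(image)
    sections = []
    for i in range(n):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(image, off + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return sections


def section_bytes(image: bytes, sec: dict) -> bytes:
    """Bytes a loader would read for this section, according to its header."""
    return image[sec["rawptr"]:sec["rawptr"] + sec["rawsize"]]


def realign_dump(image: bytes) -> bytes:
    """Make file offsets equal in-memory offsets so the dump loads as a normal PE.

    The last section is clamped to what was actually dumped, so a region that
    ends before the section's VirtualSize does not yield an out-of-range header.
    """
    buf = bytearray(image)
    off, n = _section_table(image)
    for i in range(n):
        pos = off + i * SECTION_HDR.size
        fields = list(SECTION_HDR.unpack_from(buf, pos))
        vsize, va = fields[1], fields[2]
        fields[3] = max(0, min(vsize, len(buf) - va))  # SizeOfRawData := VirtualSize (clamped)
        fields[4] = va                                  # PointerToRawData := VirtualAddress
        SECTION_HDR.pack_into(buf, pos, *fields)
    return bytes(buf)


def build_sample_dump() -> bytes:
    """Constructed sample: a 2-section PE32 image in memory layout, not a real binary.

    Headers keep the on-disk raw offsets (0x400, 0x600) while the section
    bodies sit at their virtual addresses (0x1000, 0x2000), which is exactly
    what a raw memory dump of a mapped image looks like.
    """
    e_lfanew, size_opt = 0x40, 0xE0  # 0xE0 = size of the PE32 optional header
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, 2 sections, no symbols, optional header size, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 2, 0, 0, 0, size_opt, 0x102)
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)  # PE32 magic
    sec_off = e_lfanew + 24 + size_opt
    SECTION_HDR.pack_into(img, sec_off, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    SECTION_HDR.pack_into(img, sec_off + 40, b".data", 0x80, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    img[0x1000:0x1100] = b"\xC3" * 0x100  # .text body at its virtual address
    img[0x2000:0x2080] = b"\x41" * 0x80   # .data body at its virtual address
    return bytes(img)


if __name__ == "__main__":
    # Usage: python fixdump.py sample_unpacked.exe  (placeholder name; output gets a _fixed suffix)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_dump()
    for s in list_sections(data):
        print("%-8s va=%#08x vsize=%#08x rawptr=%#08x rawsize=%#08x" % (s["name"], s["va"], s["vsize"], s["rawptr"], s["rawsize"]))
    fixed = realign_dump(data)
    if path:
        open(path + "_fixed", "wb").write(fixed)
```

Before the fix, reading .text through its header returns the zero-filled bytes at file offset 0x400; after realign_dump the same header points at the real section body at 0x1000. Imports are a separate problem: a dump taken at ResumeThread may still need its import table rebuilt, which this script does not attempt.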