@sysopfb
Created May 9, 2019 01:09
Some quick notes on unpacking .NET malware with windbg and sos
Use x86 windbg with 32-bit malware and x64 windbg with 64-bit malware; otherwise you'll get errors when sos tries to load the matching runtime files.
Talos has a write-up to get started with: https://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html
Load up the .NET exe into windbg
sxe ld clr
sxe ld clrjit
g
You'll want to keep going until either clr or mscorwks is loaded, depending on which version of .NET this is.
Once it's loaded in the exe as a module you'll do
.loadby sos clr
or .loadby sos mscorwks
depending on the .NET version.
Then .load pykd
and now you can set breakpoints with
!bpmd
For unpacking I like to breakpoint kernelbase!CreateProcessA and kernelbase!CreateProcessW along with ResumeThread and WriteProcessMemory.
Then you can !bpmd mscorlib.dll System.Reflection.Assembly.Load
This will break on the function commonly used to load an EXE file from a byte array.
Then just dp esp or dp ecx, depending on which version of .NET it is, to see the byte[] being loaded, and .writemem it out if you want.
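As an added example (not part of sysopfb's gist, and not pykd's or sos's own tooling), here is a small pykd-style script that does the "dp ecx / .writemem" step programmatically once the Assembly.Load breakpoint hits. It parses the managed byte[] object that Assembly.Load receives: a MethodTable pointer, a 32-bit element count, and then the raw bytes (on x64 the count is padded so data starts at +16), which is exactly what the dp output on the page is showing. The parsing and the MZ/PE sanity check are pure Python and run offline against a constructed memory image; the pykd calls (pykd.reg, pykd.loadBytes, pykd.ptrSize) and the choice of ecx/rcx as the register holding the first argument are assumptions about the debugger side and only run inside windbg.

```python
import struct

# Managed byte[] object layout (CLR):
#   x86: [MethodTable ptr (4)] [length (4)] [data ...]             data at +8
#   x64: [MethodTable ptr (8)] [length (4)] [pad (4)] [data ...]   data at +16
DATA_OFFSET = {4: 8, 8: 16}


def parse_dotnet_byte_array(read_mem, obj_addr, ptr_size):
    """Return (method_table, length, data) for the managed byte[] at obj_addr.

    read_mem(addr, count) -> bytes is supplied by the caller: pykd inside
    windbg, or a reader over a constructed image when testing offline.
    """
    if ptr_size not in DATA_OFFSET:
        raise ValueError("ptr_size must be 4 (x86) or 8 (x64)")
    header = read_mem(obj_addr, ptr_size + 4)
    mt_fmt = "<I" if ptr_size == 4 else "<Q"
    method_table = struct.unpack(mt_fmt, header[:ptr_size])[0]
    length = struct.unpack("<I", header[ptr_size:ptr_size + 4])[0]
    data = read_mem(obj_addr + DATA_OFFSET[ptr_size], length)
    return method_table, length, data


def looks_like_pe(data):
    """Cheap sanity check before writing the dump: MZ header whose e_lfanew
    points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def make_reader(base, image):
    """Memory reader over a constructed flat image that starts at address base."""
    def read_mem(addr, count):
        off = addr - base
        if off < 0 or off + count > len(image):
            raise ValueError("read outside constructed image")
        return image[off:off + count]
    return read_mem


def build_fake_pe():
    """Constructed stand-in for an unpacked assembly: a DOS stub whose e_lfanew
    points at a PE signature. It is not a real executable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> right after it
    return bytes(dos) + b"PE\0\0" + b"\0" * 20      # 88 bytes total


def build_sample_image(ptr_size, method_table=0x12345678):
    """Constructed memory image of a managed byte[] holding build_fake_pe()."""
    payload = build_fake_pe()
    if ptr_size == 4:
        hdr = struct.pack("<II", method_table, len(payload))
    else:
        hdr = struct.pack("<QII", method_table, len(payload), 0)  # 4 bytes padding
    return hdr + payload


def dump_from_debugger(out_path, obj_addr=None):
    """Run inside windbg at the !bpmd Assembly.Load breakpoint.

    Assumption (not from the gist): the pykd API names below exist as used, and
    the byte[] is in ecx/rcx. If the runtime passes it on the stack instead,
    read the address from dp esp and pass it as obj_addr.
    """
    import pykd  # only available inside windbg with .load pykd
    ptr_size = pykd.ptrSize()
    if obj_addr is None:
        obj_addr = int(pykd.reg("ecx" if ptr_size == 4 else "rcx"))
    read_mem = lambda addr, count: bytes(pykd.loadBytes(addr, count))
    mt, length, data = parse_dotnet_byte_array(read_mem, obj_addr, ptr_size)
    if not looks_like_pe(data):
        raise RuntimeError("byte[] at %#x does not look like a PE; wrong arg?" % obj_addr)
    with open(out_path, "wb") as fh:
        fh.write(data)
    return mt, length


if __name__ == "__main__":
    # Offline demonstration against the constructed image (no debugger needed).
    for ps in (4, 8):
        reader = make_reader(0x1000, build_sample_image(ps))
        mt, n, blob = parse_dotnet_byte_array(reader, 0x1000, ps)
        print("ptr_size=%d mt=%#x length=%d pe=%s" % (ps, mt, n, looks_like_pe(blob)))
```

Inside windbg you would call dump_from_debugger(r"C:\dump\unpacked.bin") from the pykd prompt after the breakpoint fires; the MZ/PE check guards against dumping the wrong register when the runtime version passes the array on the stack rather than in ecx.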