Created May 9, 2019 01:09
Gist: sysopfb/ca3fceaf398053824eb8038ac3bc4b30
Some quick notes on unpacking .NET malware with windbg and sos
Use x86 WinDbg for 32-bit malware and x64 WinDbg for 64-bit malware. SOS has to match the bitness of the target process, otherwise you get errors loading the correct SOS/runtime files.
Talos has a write-up to get started with: https://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html
Load the .NET exe into WinDbg, then break when the runtime modules get loaded:
sxe ld clr
sxe ld clrjit
g
Keep hitting g until either clr (.NET 4.x) or mscorwks (.NET 2.0 to 3.5) is loaded, depending on which version of .NET the sample targets.
Once the runtime DLL shows up as a module in the process, load SOS from it:
.loadby sos clr
or
.loadby sos mscorwks
depending on the .NET version.
Optionally .load pykd if you want to script the session from Python. The managed breakpoint command itself, !bpmd, comes from SOS, so you can use it as soon as SOS is loaded:
!bpmd
For unpacking I like to breakpoint kernelbase!CreateProcessA and kernelbase!CreateProcessW along with ResumeThread and WriteProcessMemory, which catches the usual process-hollowing sequence of a packer that injects the payload into a new process.
Then set a managed breakpoint on the function commonly used to load an EXE straight from a byte array in memory:
!bpmd mscorlib.dll System.Reflection.Assembly.Load
When it hits, the byte[] being loaded is the first argument. On x86 the managed calling convention passes it in ecx, so dp ecx shows the array object: a method table pointer, then the DWORD length, then the raw bytes, so the MZ header starts at offset 8 (on x64 the argument is in rcx and the data starts at offset 0x10). dp esp shows the stack instead, which is where to look if the argument was passed or spilled there; which one you need varies with the .NET version. Once you have the address and length, .writemem writes the bytes out to a file if you want the payload on disk.
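The last step above, carving the payload out of the byte[] object, as an added example that is not part of the gist or of any tool it mentions. It assumes the CLR array object layout described above (method table pointer, 32-bit length, then the elements, so data at +8 on x86 and +0x10 on x64), parses a raw dump taken at the register that holds the first argument, and falls back to scanning for an MZ/PE header when the register did not point at the array header. The dump_from_debugger helper assumes pykd's ptrSize(), reg() and loadBytes() API and only works inside WinDbg; the sample array objects at the bottom are constructed, not taken from a real sample.

```python
"""Carve the PE handed to System.Reflection.Assembly.Load(byte[]) out of a raw
memory dump of the managed byte[] object.  Added example for these notes, not
code from the gist.  Assumes the CLR array layout: MethodTable pointer, 32-bit
length, then the elements (data at +8 on x86, +0x10 on x64 because the length
is padded to pointer size)."""
import struct

DOS_SIG = b"MZ"
NT_SIG = b"PE\0\0"
E_LFANEW_OFF = 0x3C


def array_data_offset(ptr_size):
    """Offset of element 0 inside a CLR array object (8 on x86, 0x10 on x64)."""
    return 2 * ptr_size


def carve_byte_array(mem, ptr_size):
    """mem starts at the byte[] object address; return just the element bytes."""
    off = array_data_offset(ptr_size)
    if len(mem) < off:
        raise ValueError("dump shorter than the array header")
    length = struct.unpack_from("<I", mem, ptr_size)[0]
    if length == 0 or length > len(mem) - off:
        raise ValueError("array length %#x does not fit the dump" % length)
    return mem[off:off + length]


def is_pe(data):
    """Cheap sanity check: MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != DOS_SIG:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    return data[e_lfanew:e_lfanew + 4] == NT_SIG


def find_pe(mem):
    """Offset of the first plausible PE image, or -1.  Fallback for when the
    register did not point at the array header (the dp esp vs dp ecx case)."""
    pos = mem.find(DOS_SIG)
    while pos != -1:
        if is_pe(mem[pos:]):
            return pos
        pos = mem.find(DOS_SIG, pos + 1)
    return -1


def carve(mem, ptr_size):
    """Structured carve first, byte scan as fallback; raises if no PE is found."""
    try:
        data = carve_byte_array(mem, ptr_size)
        if is_pe(data):
            return data
    except ValueError:
        pass
    pos = find_pe(mem)
    if pos < 0:
        raise ValueError("no PE image in dump")
    return mem[pos:]


def dump_from_debugger(out_path, arg_reg=None):
    """Run inside WinDbg with pykd loaded, stopped at the Assembly.Load
    breakpoint.  Assumes pykd's ptrSize()/reg()/loadBytes(); not run offline."""
    import pykd  # only available inside the debugger
    ptr_size = pykd.ptrSize()
    reg = arg_reg or ("rcx" if ptr_size == 8 else "ecx")
    obj = pykd.reg(reg)
    header = bytes(pykd.loadBytes(obj, array_data_offset(ptr_size)))
    length = struct.unpack_from("<I", header, ptr_size)[0]
    data = bytes(pykd.loadBytes(obj + array_data_offset(ptr_size), length))
    if not is_pe(data):
        raise ValueError("%s does not point at a byte[] holding a PE" % reg)
    with open(out_path, "wb") as f:
        f.write(data)
    return len(data)


# --- constructed sample input (not a real malware dump) ---------------------
def build_sample_pe():
    """Minimal MZ/PE stub: DOS header with e_lfanew=0x40, then a PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = DOS_SIG
    struct.pack_into("<I", dos, E_LFANEW_OFF, 0x40)
    return bytes(dos) + NT_SIG + b"\x4c\x01" + b"\0" * 18  # Machine = i386


def wrap_as_clr_array(data, ptr_size, method_table=0x71234560):
    """Lay data out as the CLR would: MT pointer, DWORD length, padding, bytes."""
    fmt = "<Q" if ptr_size == 8 else "<I"
    hdr = struct.pack(fmt, method_table) + struct.pack("<I", len(data))
    hdr += b"\0" * (array_data_offset(ptr_size) - len(hdr))
    return hdr + data


SAMPLE_PE = build_sample_pe()
SAMPLE_X86 = wrap_as_clr_array(SAMPLE_PE, 4)
SAMPLE_X64 = wrap_as_clr_array(SAMPLE_PE, 8)
```

Offline, carve(SAMPLE_X86, 4) and carve(SAMPLE_X64, 8) both return the embedded stub; on a real dump saved with .writemem from the address in ecx/rcx, pass the file contents and the target's pointer size. The fallback scan is what saves you when the register you dumped from was off by a header or held a pointer to a wrapper object rather than the array itself.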