In this second part, we’ll reverse the second unpacking stage of the Cerber sample, and get to the final payload. We’ll be dealing with some binary protections, custom structures, and process injection. Let’s get started !
In this post series, we are going to fully reverse the inner working of a Visual Basic packer, used at least by some Cerber ransomware sample. My whole methodology, meaning each and every step I took, will be documented here. We’ll end up with a complete view of the whole unpacking process before the actual payload is started, and I hope it will help you learn to do this on your own !
A few days back a fellow reddit user asked if a powershell command he found was malicious … I checked, and here is the result ! (spoiler alert : of course if was)
As an introduction to IDA python, we’re going to write a script that turns immediate values function parameters into enum values. It is a very common things to do, and a simple python script can handle it in most cases. So let’s make our lives easier with some python !
In this tutorial, we are going to complete our packer with some very basic obfuscation, as a demonstration of the possibilities we have.
At the end of the last part, I drawed your attention toward the fact that Mingw32 doesn’t produce movable binaries: it cannot create relocation table. You can force it to put the “Dll can move” flag, but without a relocation table, this binary would not work. We are going to change our packer to handle such non movable binaries.
We have everything ready to do the actual packing of an ASLR enabled PE32 file. We’ll turn our loader in an unpacking stub, and use python to create a packed binary.
This is the part 2 of our tutorial to write a PE packer on Windows : handling imports and relocations, to execute an ASLR enabled file.
In this first tutorial part, we are going to write a program that reads a PE file, parse its headers and maps its sections in memory.
This is a tutorial to program a PE packer : we will learn about the PE file format, headers and the inner workings of loading and packing binaries.