Unpacking Malware
Analysis
Packers compress and obfuscate executables to evade detection. Unpacking recovers the original code for analysis.
UPX Unpacking
```bash
# UPX - Most common packer
# Detect UPX
file packed.exe
# Output: PE32 executable, UPX compressed

# Unpack with UPX
upx -d packed.exe -o unpacked.exe

# Manual unpacking (if modified UPX)
# 1. Find OEP (Original Entry Point)
# 2. Set breakpoint at "tail jump" (jmp to OEP)
# 3. Dump memory at OEP
# 4. Fix IAT (Import Address Table)

# Common UPX indicators:
# - Section names: UPX0, UPX1
# - Small .text section, large UPX1 section
# - Entry point in UPX1 section
```

Manual Unpacking Process
```c
// Generic unpacking methodology

// Step 1: Identify packer
// - Check section names
// - High entropy sections
// - Small imports (only LoadLibrary, GetProcAddress)
// - PEiD, Detect It Easy (DIE)

// Step 2: Find OEP (Original Entry Point)
// - Set breakpoints on:
//   - VirtualAlloc / VirtualProtect
//   - After decompression loop
// - Look for tail jump pattern:
//     POPAD
//     JMP OEP

// Step 3: Dump at OEP
// - Use x64dbg Scylla plugin
// - Dump process memory
// - IAT Autosearch -> Get Imports -> Fix Dump

// Step 4: Fix PE header
// - Rebuild imports with Scylla/ImpRec
// - Fix section permissions
// - Verify with PE-bear

// Useful tools:
// - x64dbg + Scylla
// - PE-bear
// - Detect It Easy (DIE)
// - de4dot (.NET unpacker)
```

Breakpoint Strategy
Set a hardware breakpoint on the stack (esp/rsp) right after PUSHAD. When POPAD executes and the breakpoint triggers, you're near the OEP jump.
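As an added example (not part of the original notes, and not code from UPX, Scylla or any other tool named above), the following Python script automates the static side of Step 1 and the tail-jump hint of Step 2: it parses the PE section table with the standard library only, flags UPX0/UPX1 section names, high-entropy raw sections and an entry point that lies inside UPX1, and scans a byte range for the 32-bit POPAD; JMP rel32 pattern to produce breakpoint candidates. The 7.0 bits/byte entropy threshold, the `build_test_pe` helper and the two sample images are assumptions constructed for the demonstration; the small-import-table indicator is not implemented here.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted sections sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Minimal PE parser: (AddressOfEntryPoint, [(name, vaddr, vsize, raw_off, raw_size)])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)  # same offset in PE32 and PE32+
    table = opt + opt_size                   # section table, 40 bytes per entry
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, vsize, roff, rsize))
    return entry_rva, sections


def upx_indicators(pe: bytes) -> dict:
    """Static triage for the indicators listed in the notes: UPX section names,
    high-entropy raw sections, and an entry point that lies inside UPX1."""
    entry_rva, sections = parse_sections(pe)
    entry_section, high_entropy = None, []
    for name, vaddr, vsize, roff, rsize in sections:
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            entry_section = name
        if shannon_entropy(pe[roff:roff + rsize]) > 7.0:   # assumed threshold
            high_entropy.append(name)
    return {
        "upx_section_names": any(s[0].startswith("UPX") for s in sections),
        "entry_section": entry_section,
        "entry_in_upx1": entry_section == "UPX1",
        "high_entropy_sections": high_entropy,
    }


def tail_jump_candidates(code: bytes, base_rva: int = 0):
    """Heuristic for the 32-bit tail-jump pattern: POPAD (0x61) directly followed by
    JMP rel32 (0xE9). Returns [(rva_of_popad, jump_target_rva)]. x64 has no POPAD,
    so this only applies to 32-bit stubs; use the hits to choose breakpoint candidates."""
    hits, pos = [], code.find(b"\x61\xe9")
    while pos != -1 and pos + 6 <= len(code):
        rel, = struct.unpack_from("<i", code, pos + 2)
        target = (base_rva + pos + 6 + rel) & 0xFFFFFFFF   # rel32 is relative to the next instruction
        hits.append((base_rva + pos, target))
        pos = code.find(b"\x61\xe9", pos + 1)
    return hits


def build_test_pe(section_specs, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image (headers + section table + raw data) for the demo.
    Not a real or runnable executable; section_specs = [(name, vaddr, raw_bytes)]."""
    raw_base, hdrs, blobs = 0x400, b"", b""
    for name, vaddr, data in section_specs:
        roff = raw_base + len(blobs) if data else 0
        hdrs += struct.pack("<8sIIII", name, 0x1000, vaddr, len(data), roff) + b"\0" * 16
        blobs += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt = opt.ljust(0xE0, b"\0")                                   # PE32 optional header size
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_base, b"\0") + blobs


# Constructed samples, not real binaries: a UPX-like layout (empty UPX0, dense UPX1,
# entry point in UPX1) next to a plain-looking layout with a low-entropy .text.
PACKED_SAMPLE = build_test_pe([(b"UPX0", 0x1000, b""),
                               (b"UPX1", 0x2000, bytes(range(256)) * 2)], entry_rva=0x2500)
CLEAN_SAMPLE = build_test_pe([(b".text", 0x1000, b"\x90" * 512),
                              (b".data", 0x2000, b"\0" * 64)], entry_rva=0x1010)

if __name__ == "__main__":
    for label, sample in (("packed-like", PACKED_SAMPLE), ("clean-like", CLEAN_SAMPLE)):
        print(label, upx_indicators(sample))
    print(tail_jump_candidates(b"\x90" * 4 + b"\x61\xe9" + struct.pack("<i", 0x100), 0x2000))
```

Run it on a real file with `upx_indicators(open("packed.exe", "rb").read())`; the section-name check is the cheapest UPX tell, while the entropy and entry-point checks still fire when a modified UPX has renamed its sections. `tail_jump_candidates` is meant for the raw bytes of the stub section (pass that section's virtual address as `base_rva`) and will produce false positives on data, so treat its output as breakpoint candidates to confirm in the debugger, not as the OEP.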