March 18, 2019

Malware Analysis and Malware Reversing Trainings

Many tricks can be devised to unpack malware. This trick is applicable to malware that overwrites its image header while unpacking.

Sample used:
sha1: 320fe97d257b99edb4089daea01fce31a13eabaa850ccae9e8b7e59342cb31c7
md5: dca9106dc8556f9a15d7e18b4fad5d44

The sample is packed with the Armadillo packer. Let's check the PE header of the packed file. You can use tools like CFF Explorer, Hiew and many others.

Fig: PE header - entry point 0x1D16

Now load the file in OllyDbg. Place a breakpoint on ExitProcess(). Press F9 to execute. Allow the sample…
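As an added illustration, not code from the original post, here is a small Python parser that reads the entry point from a PE header (the field checked above in CFF Explorer) and reports when the header has been wiped, which is the condition this trick targets. The PE header it builds is constructed for the example and is not the real sample.

```python
import struct

def pe_entry_point(image: bytes):
    """Return (AddressOfEntryPoint, ImageBase) from a PE image, or None if the
    DOS/NT header is missing or overwritten (e.g. wiped by an unpacker stub)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20            # past "PE\0\0" and the COFF file header
    if opt + 32 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                 # PE32: ImageBase is a DWORD at +28
        (entry,) = struct.unpack_from("<I", image, opt + 16)
        (base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:               # PE32+: ImageBase is a QWORD at +24
        (entry,) = struct.unpack_from("<I", image, opt + 16)
        (base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        return None
    return entry, base

def header_intact(dumped: bytes) -> bool:
    """True if a memory dump still carries a parsable PE header."""
    return pe_entry_point(dumped) is not None

def build_pe32_header(entry_rva: int, image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 header (headers only, no sections) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                 # ImageBase
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    packed = build_pe32_header(0x1D16)      # entry point seen in the packed file
    print("on disk:", pe_entry_point(packed))
    wiped = b"\0" * 0x100 + packed[0x100:]  # simulate the stub zeroing the header
    print("after unpack, header intact:", header_intact(wiped))
```

When the dumped header fails this check, the entry point must be taken from the debugger (the OEP reached after the ExitProcess breakpoint) and rebuilt by hand before the dump can be fixed up.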