1 - Analyst Flow to Unpack

1.1 - Setting breakpoints

Using IDA Pro, open the Names subview, choose the relevant module, and search for the functions IDA has loaded. From there, set breakpoints on specific Win32 APIs. Which APIs to break on depends on the unpacking phase you want to catch. Prefer breaking on the ntdll Nt* variants where they are listed alongside a kernel32 wrapper (VirtualAlloc calls NtAllocateVirtualMemory, WriteProcessMemory calls NtWriteVirtualMemory): a packer that calls ntdll directly skips the wrapper, and the Nt* breakpoint still fires.

  1. Decompress or Decrypt
    1. RtlDecompressBuffer
    2. CryptDecrypt
  2. Create or find target location (usually not the best place for a breakpoint, but these calls tell you which phase you are in)
    1. OpenProcess
    2. WinExec
    3. CreateProcess
    4. CreateToolhelp32Snapshot
    5. Process32First
    6. Process32Next
  3. Prepare Location
    1. VirtualAlloc(Ex)
    2. NtAllocateVirtualMemory
    3. VirtualProtect
    4. NtProtectVirtualMemory
    5. NtMapViewOfSection
  4. Write
    1. WriteProcessMemory
    2. NtWriteVirtualMemory
    3. RtlMoveMemory
  5. Prepare Execution
    1. VirtualProtect(Ex)
    2. NtProtectVirtualMemory
    3. SetThreadContext
    4. CreateProcessInternalW
  6. Execute
    1. CreateThreadpoolWait
    2. CreateRemoteThread
    3. RtlCreateUserThread
    4. (Nt)ResumeThread
    5. SetWindowsHookEx
  7. Anti Analysis
    1. IsDebuggerPresent
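
The phase table above can also be applied to an API trace (from a debugger log or a sandbox) to see which phase a sample is in and where the alloc, write, execute chain sits. The script below is an added example and not part of the original notes: it canonicalises API names (strips the module prefix, A/W and Ex suffixes, folds Zw* to Nt*), tags each call with its phase, resolves the VirtualProtect ambiguity by position (before any write it is preparing the location, after a write it is preparing execution, which is why the notes list it under both phases), and reports the first alloc, write, execute chain. The trace is constructed, not captured. The optional set_phase_breakpoints helper only does anything when run inside IDA's Python console; the name forms it tries (VirtualAlloc, VirtualAllocA/W, kernel32_VirtualAlloc, ntdll_Nt...) are an assumption about how IDA names the functions in your session.

```python
"""Tag Windows API calls with their unpacking phase and find injection chains.

Added example, not from the original notes. The phase table follows the
breakpoint list above; SAMPLE_TRACE is constructed, not a real capture.
"""
import re
from collections import OrderedDict

# Phase table from the notes. Names are canonical: no A/W or Ex suffix,
# Zw* folded to Nt*. VirtualProtect/NtProtectVirtualMemory are listed under
# prepare_execution here but are re-assigned by position in annotate_trace.
PHASES = OrderedDict([
    ("decompress_or_decrypt", {"RtlDecompressBuffer", "CryptDecrypt"}),
    ("find_target", {"OpenProcess", "WinExec", "CreateProcess",
                     "CreateToolhelp32Snapshot", "Process32First",
                     "Process32Next"}),
    ("prepare_location", {"VirtualAlloc", "NtAllocateVirtualMemory",
                          "NtMapViewOfSection"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory", "RtlMoveMemory"}),
    ("prepare_execution", {"VirtualProtect", "NtProtectVirtualMemory",
                           "SetThreadContext", "CreateProcessInternal"}),
    ("execute", {"CreateThreadpoolWait", "CreateRemoteThread",
                 "RtlCreateUserThread", "ResumeThread", "NtResumeThread",
                 "SetWindowsHookEx"}),
    ("anti_analysis", {"IsDebuggerPresent"}),
])
ALL_APIS = set().union(*PHASES.values())
PROTECT = {"VirtualProtect", "NtProtectVirtualMemory"}

# Constructed trace in "module!Function" form, RunPE-style ordering.
SAMPLE_TRACE = [
    "kernel32!IsDebuggerPresent",
    "advapi32!CryptDecrypt",
    "kernel32!CreateProcessA",
    "kernel32!VirtualAllocEx",
    "kernel32!WriteProcessMemory",
    "kernel32!VirtualProtectEx",
    "kernel32!SetThreadContext",
    "ntdll!ZwResumeThread",
]


def canonical(api):
    """Normalise 'kernel32!VirtualAllocEx', 'ntdll.dll!ZwX', 'user32_FooW'
    to the table's spelling. Suffixes are only stripped when the stripped
    name is in the table, so SetWindowsHookEx keeps its Ex."""
    name = re.sub(r"^[A-Za-z0-9]+(?:\.dll)?[!._](?=[A-Z])", "", api)
    name = re.sub(r"^Zw", "Nt", name)
    if name not in ALL_APIS:
        name = re.sub(r"[AW]$", "", name)      # CreateProcessA / CreateProcessW
    if name not in ALL_APIS and name.endswith("Ex"):
        name = name[:-2]                        # VirtualAllocEx, CreateRemoteThreadEx
    return name


def phase_of(name):
    """Phase for a canonical API name, or None if it is not in the table."""
    for phase, apis in PHASES.items():
        if name in apis:
            return phase
    return None


def annotate_trace(trace):
    """Return [(raw_call, phase)]; a protect call before any write is
    preparing the location, after a write it is preparing execution."""
    seen_write, out = False, []
    for call in trace:
        name = canonical(call)
        phase = phase_of(name)
        if name in PROTECT:
            phase = "prepare_execution" if seen_write else "prepare_location"
        if phase == "write":
            seen_write = True
        out.append((call, phase))
    return out


def injection_chain(trace):
    """Calls forming the first alloc -> write -> execute sequence, else []."""
    wanted = iter(["prepare_location", "write", "execute"])
    target, hits = next(wanted), []
    for call, phase in annotate_trace(trace):
        if phase == target:
            hits.append(call)
            target = next(wanted, None)
            if target is None:
                return hits
    return []


def set_phase_breakpoints(phases=("prepare_location", "write", "execute")):
    """Inside IDA only: breakpoint every resolvable API in the given phases.
    Name forms tried are an assumption about the debugger's naming. Returns
    the names that resolved; [] when not running under IDA."""
    try:
        import idc, idaapi
    except ImportError:
        return []
    done = []
    for phase in phases:
        for api in sorted(PHASES[phase]):
            for cand in (api, api + "A", api + "W",
                         "kernel32_" + api, "ntdll_" + api):
                ea = idc.get_name_ea_simple(cand)
                if ea != idaapi.BADADDR:
                    idc.add_bpt(ea)
                    done.append(cand)
    return done


if __name__ == "__main__":
    for call, phase in annotate_trace(SAMPLE_TRACE):
        print(f"{call:32s} {phase}")
    print("chain:", injection_chain(SAMPLE_TRACE))
```

Breakpoints on the calls returned by injection_chain are the ones worth keeping: the write breakpoint is where you dump the buffer that WriteProcessMemory or RtlMoveMemory is about to copy, and the execute breakpoint is the last chance before control leaves the packer.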