Jim Kelly
Username: macubergeek
Registered: N/A
Posted on Saturday, May 19, 2007 - 16:20:
I'm new to WinHex and I had a question about use of the RAM editor. Am I correct that one can recover EXE PE files out of RAM using the RAM editor? I do malware analysis (now as a hobby) and frequently run into malware packed with various exotic packers. Gone are the days when everything was packed with UPX ;-) I know you can recover the EXE out of RAM using OllyDbg. Can one also do this using WinHex's RAM editor?
   
Anonymous
Username: anonymous
Registered: N/A
Posted on Saturday, Jun 9, 2007 - 18:02:
Na, the WinHex RAM editor is not the right tool for that. Mostly I use LordPE FX for doing a raw dump of a certain process that is running.

~~~~~~~~~~~~~~~~~ 'Beside' topic ~~~~~~~~~~~~~~~~~~~~~~~~~
To rebuild/recreate the import table and to make the raw dumped EXE runnable, 'Import REConstructor v1.6' is a great tool. However, you need to know the original entry point of the unpacked/dumped EXE, and for that some experience with OllyDebug is really needed. Well, better than nothing; a drop on a hot stone about understanding the import table format: http://t-line.net.ua/antiwpa/src/doc/EXE-%20ImportTable.htm (blank on blank and partly German)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+

For malware analysis OllyDebug is the best.

=== 1. Get it decompressed ===
Usually I load the target into Olly, Ctrl+N, type "GetProcAddress", F2 to set a breakpoint there. Maybe also for "LoadLibraryA". Press F9 to let the target run and stop when it's unpacked/decrypted and wants to load its imports [= get the memory address of the Windows API like kernel32.ExitProcess].

=== 2. Stop / find the Original Entry Point ===
Press Alt+M to open the Memory Map. Set the cursor on, for example, 'malware .text' and press F2 to set a memory breakpoint there. Press F9 to let it run; now it stops right at the first byte that is accessed or executed inside the 'malware .text' section. In the ideal case it doesn't read or write any data inside this section at that point, so it will stop right at the original entry point. If not, check out what happens and renew the memory breakpoint in the Memory Map window. Of course in reality each target has its own 'challenges', so see this only as hints / inspiration for your strategy.

This is also possible to find/stop at the original entry point. I seldom use this, because sometimes a run trace can take some time, but well:
* Debug / Open & Clean Run Trace
* Ctrl+T -> set the EIP range where you assume the unpacked .text section; if you're done
* Press Ctrl+F11 (Trace into) and wait...
Pause if it takes too long, and of course don't forget to click on 'View\Run trace' so you can go back and forward in the code that was executed.

Link to basic RE pack (with Olly, ImpREC, LordPE...): http://t-line.net.ua/peppie/myTools.exe
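The header fix-up that turns a raw process dump into something a loader will accept from disk (the step the post says ImpREC/LordPE help with), as an added example written for this thread and not code from the post, WinHex, LordPE or ImpREC. The sample dump is constructed inline, the OEP value 0x1010 is a hypothetical one you would have read off in the debugger, and import-table rebuilding is deliberately left out:

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HDR_FMT = "<8sIIIIIIHHI"
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)
DOS_E_LFANEW = 0x3C
COFF_SIZE = 20
# PE32 optional-header field offsets, relative to the optional header start
OPT_ENTRY_POINT, OPT_SECTION_ALIGN, OPT_FILE_ALIGN = 16, 32, 36


def _pe_offset(image):
    """Locate the PE signature via e_lfanew; raise on a non-PE buffer."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, DOS_E_LFANEW)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return pe


def _round_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_sections(image):
    """Return the section table as dicts with header offset and raw fields."""
    pe = _pe_offset(image)
    nsec = struct.unpack_from("<H", image, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # SizeOfOptionalHeader
    table = pe + 4 + COFF_SIZE + opt_size
    out = []
    for i in range(nsec):
        off = table + i * SECTION_HDR_SIZE
        f = struct.unpack_from(SECTION_HDR_FMT, image, off)
        out.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                    "va": f[2], "rawsize": f[3], "rawptr": f[4],
                    "offset": off, "fields": f})
    return out


def entry_point(image):
    pe = _pe_offset(image)
    return struct.unpack_from("<I", image, pe + 24 + OPT_ENTRY_POINT)[0]


def section_as_file(image, name):
    """Bytes a loader maps for `name` when `image` is a file on disk:
    SizeOfRawData bytes starting at PointerToRawData."""
    for s in parse_sections(image):
        if s["name"] == name:
            return bytes(image[s["rawptr"]:s["rawptr"] + s["rawsize"]])
    raise KeyError(name)


def realign_dump(dump, oep_rva):
    """Fix a raw memory dump's headers so it loads from disk.

    In the dump, section contents sit at their VirtualAddress, but the section
    table still carries the packed file's on-disk PointerToRawData/SizeOfRawData.
    Make raw offsets equal virtual ones, set FileAlignment to SectionAlignment,
    and point AddressOfEntryPoint at the OEP found in the debugger.
    """
    img = bytearray(dump)
    opt = _pe_offset(img) + 24
    sec_align = struct.unpack_from("<I", img, opt + OPT_SECTION_ALIGN)[0]
    struct.pack_into("<I", img, opt + OPT_FILE_ALIGN, sec_align)
    struct.pack_into("<I", img, opt + OPT_ENTRY_POINT, oep_rva)
    for s in parse_sections(img):
        f = list(s["fields"])
        # clamp so a section never claims bytes past the end of the dump
        f[3] = min(_round_up(s["vsize"], sec_align), len(img) - s["va"])
        f[4] = s["va"]
        struct.pack_into(SECTION_HDR_FMT, img, s["offset"], *f)
    return bytes(img)


def build_sample_dump():
    """Constructed stand-in for a raw process dump (not a real binary):
    headers of a packed PE32 file (FileAlignment 0x200) with the unpacked
    section contents laid out at their virtual addresses, as in memory."""
    sec_align, file_align, size_of_image = 0x1000, 0x200, 0x4000
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, DOS_E_LFANEW, 0x40)
    pe = 0x40
    hdr[pe:pe + 4] = b"PE\0\0"
    # COFF: i386, 2 sections, no symbols, 224-byte optional header, EXE flags
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", hdr, opt + OPT_ENTRY_POINT, 0x2000)  # packer stub EP
    struct.pack_into("<I", hdr, opt + 28, 0x400000)             # ImageBase
    struct.pack_into("<I", hdr, opt + OPT_SECTION_ALIGN, sec_align)
    struct.pack_into("<I", hdr, opt + OPT_FILE_ALIGN, file_align)
    struct.pack_into("<I", hdr, opt + 56, size_of_image)        # SizeOfImage
    struct.pack_into("<I", hdr, opt + 60, 0x400)                # SizeOfHeaders
    table = opt + 224
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    for i, (name, vsize, va, rawsize, rawptr) in enumerate([
            (b".text", 0x1234, 0x1000, 0x1400, 0x400),
            (b".data", 0x0200, 0x3000, 0x0200, 0x1800)]):
        struct.pack_into(SECTION_HDR_FMT, hdr, table + i * SECTION_HDR_SIZE,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    img = bytearray(size_of_image)
    img[:0x400] = hdr
    img[0x1000:0x1000 + 13] = b"UNPACKED-CODE"   # at its VA, as in memory
    img[0x3000:0x3000 + 13] = b"UNPACKED-DATA"
    return bytes(img)
```

Before `realign_dump`, `section_as_file(dump, ".text")` returns the bytes at file offset 0x400, which in a memory dump are just header padding; after it, the same call returns the unpacked code because raw and virtual layout now agree. A rebuilt dump still needs its imports restored (the ImpREC step) before it will run.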
   
Jimmy Weg
Username: jw
Registered: 7-2006
Posted on Monday, Jun 11, 2007 - 3:53:
You may want to check out Harlan Carvey's book, Windows Forensic Analysis, www.syngress.com. It's available in hard copy and eBook formats, and includes a DVD/downloads that contain a variety of Perl scripts/EXEs that apply to memory analysis. Check Chapter 2, whose corresponding applications include a tool to extract the image file for a given process. However, the tools are designed for Win2K.