WEBVTT

00:00.620 --> 00:03.320
Hello and welcome to a new section.

00:03.500 --> 00:12.560
In this new section, we are going to see how to unpack a Trojan, which is protected with a commercial

00:12.560 --> 00:15.230
packer called VMProtect.

00:15.680 --> 00:25.610
So go and download this Trojan VM bin and unzip it and put it in the folder on your desktop called VMProtect

00:25.640 --> 00:26.360
Trojan.

00:26.360 --> 00:38.150
So we are going to first scan it with DIE, so open FLARE, go to the Utilities folder and fire up Detect It

00:38.180 --> 00:40.040
Easy, DIE.

00:43.780 --> 00:46.300
And then use Detect It Easy.

00:46.810 --> 00:50.950
Click on the three dots here to open the Trojan.

00:55.030 --> 00:56.830
Call the bin.

00:56.860 --> 00:58.000
Click on Open.

01:00.920 --> 01:05.720
According to the report, you will see the protector is protected.

01:06.320 --> 01:18.350
And this is written in Delphi, so now we know this Trojan is a Delphi Trojan and protected by a

01:18.350 --> 01:21.230
commercial packer called VMProtect.

01:22.010 --> 01:27.320
So we can now close Detect It Easy and we shall try to unpack it.

01:27.860 --> 01:38.600
So fire up your x64dbg, x32dbg since it's a 32-bit Trojan. Under Options, Preferences, uncheck System

01:38.600 --> 01:48.740
Breakpoint and Callbacks, and you can also go to the tab section, click on Ignore Range and clean

01:48.740 --> 01:52.670
all zeros, eight zeros, and eight F's.

01:52.700 --> 01:57.650
That means you don't want the thing to break when you have an exception.

01:59.060 --> 02:09.920
So now we open the Trojan, go to the folder and here you click on the dropdown, select all files,

02:09.920 --> 02:12.650
and then select the Trojan to open it.

02:13.430 --> 02:18.650
So now you are at the entry point and we are going to put three breakpoints.

02:18.680 --> 02:21.980
The first breakpoint is VirtualAlloc.

02:25.150 --> 02:30.760
Hit enter. The second breakpoint is VirtualProtect.

02:33.670 --> 02:39.130
Hit enter and the third breakpoint is GetProcAddress.

02:40.300 --> 02:46.360
GetProcAddress, which stands for get process address.

02:46.720 --> 02:47.500
Get process.

02:47.500 --> 02:54.130
Address is where the Trojan tries to identify the address where certain libraries are found.

02:54.370 --> 03:01.120
And this is quite commonly used by Trojans when they are trying to call external functions.

03:01.600 --> 03:02.740
So hit enter.

03:03.220 --> 03:09.640
Now go to the breakpoints tab and confirm that all three breakpoints have been set.

03:12.110 --> 03:15.020
Okay, now we can run to the first breakpoint.

03:18.390 --> 03:19.980
And it has hit our VirtualAlloc.

03:20.760 --> 03:30.120
So let's press F8 or you can click on this one to step over, jump to VirtualProtect.

03:31.060 --> 03:32.500
Jump to VirtualProtect.

03:35.280 --> 03:41.070
Now it's pushing the five parameters to the stack and about to call VirtualProtect.

03:41.310 --> 03:45.570
So we go to the stack and examine the second parameter.

03:46.230 --> 03:54.540
So this is the location in memory which it is trying to change the permission for zero one followed

03:54.540 --> 03:55.830
by 4000.

03:56.490 --> 04:00.000
So we can go to memory map and see where it is.

04:00.000 --> 04:06.870
401 followed by four zeros is the executable section, the .text section.

04:08.070 --> 04:13.530
So at the moment it is only executable and readable.

04:13.650 --> 04:15.270
It is not writable.

04:16.300 --> 04:17.490
There is no W.

04:19.330 --> 04:21.940
So come back here and here.

04:21.940 --> 04:23.500
We can now step over.

04:24.590 --> 04:26.950
But if you want to follow this in, you can.

04:26.960 --> 04:28.700
But I don't think it's necessary.

04:29.030 --> 04:35.900
So let's step over, because it is not likely that it is going to unpack it inside and overwrite its

04:35.900 --> 04:36.410
own code.

04:37.400 --> 04:44.330
So let's step over and now we go back to memory map and see there is a W there.

04:45.670 --> 04:47.710
It means it is now changed to writable.

04:49.570 --> 04:57.550
So now we run all the way, F9 or click on this button, and it hits VirtualProtect for the second time

04:58.210 --> 05:00.490
and we continue to step over it.

05:01.630 --> 05:08.200
Jump to VirtualProtect, jump again and push the five parameters to the stack.

05:08.650 --> 05:11.380
And now it is about to call VirtualProtect.

05:11.410 --> 05:14.260
This time at this address.

05:14.440 --> 05:21.130
So it is going to change the permission for this memory region, so we can follow this in dump number

05:21.130 --> 05:21.400
two.

05:21.430 --> 05:23.170
So we select dump number two.

05:23.170 --> 05:26.740
And then right click on this address, follow the DWORD.

05:27.840 --> 05:30.840
Follow the DWORD in current dump, which is dump number two.

05:31.530 --> 05:32.850
So now it is empty.

05:33.120 --> 05:35.490
It hasn't unpacked anything here yet.

05:35.550 --> 05:42.030
So notice the address region is different from the normal region.

05:42.180 --> 05:49.290
The normal region address starts at 004, followed by five zeros.

05:49.470 --> 05:52.690
But this region is 012.

05:52.710 --> 05:55.890
So most likely it is going to unpack in this region.

05:56.400 --> 05:59.700
So we continue to run and see what happens.

05:59.790 --> 06:06.420
Currently, this region 01287 followed by three zeros.

06:06.450 --> 06:09.480
If we look in the memory map, it is over here.

06:09.960 --> 06:13.920
It is currently executable and readable only.

06:13.950 --> 06:15.780
It is not writable.

06:16.260 --> 06:22.830
So when we now step over this and come back and examine the memory map.

06:23.750 --> 06:26.330
It is now writable, as you can see.

06:26.370 --> 06:29.480
W. That means it's going to write something here.

06:29.660 --> 06:31.640
It's going to unpack some code here.

06:32.690 --> 06:34.580
So let's continue to run.

06:35.840 --> 06:37.980
And it hits VirtualProtect again.

06:38.000 --> 06:46.880
The third time. Now we step over, jump to VirtualProtect, jump again, step over, it is pushing the five

06:46.880 --> 06:48.260
parameters to the stack.

06:48.480 --> 06:55.040
Now it's going to call VirtualProtect at this memory address 012F, followed by three zeros.

06:55.520 --> 06:59.030
So 012F is also the same.

07:00.570 --> 07:06.660
region of memory at the 012 range. 012F is over here.

07:07.020 --> 07:09.780
This part here currently is readable only.

07:09.810 --> 07:11.250
It is not writable yet.

07:12.420 --> 07:15.390
So if we step over now and come back.

07:16.270 --> 07:19.240
And now you can see it becomes writable as well.

07:20.560 --> 07:21.880
So we can.

07:23.860 --> 07:31.300
You don't have to follow that one because I've done this before and I know that this previous value

07:31.330 --> 07:37.210
here for VirtualProtect is not the one where it is going to dump.

07:37.210 --> 07:44.980
But anyway, if you want, you can: we put dump three and then here, right click and follow the DWORD

07:44.980 --> 07:45.910
in current dump.

07:46.900 --> 07:49.120
What we are interested in is this one.

07:49.120 --> 07:53.680
Because I've done it before and I know that it's going to unpack the code here.

07:53.980 --> 07:58.000
Here it is also going to unpack something, but not the main code.

07:58.570 --> 07:59.560
This is the one.

08:00.400 --> 08:04.750
So anyway, let's run to the next breakpoint.

08:05.660 --> 08:07.550
And hit that again.

08:07.880 --> 08:08.900
Step over.

08:11.050 --> 08:13.180
Jump to VirtualProtect.

08:13.480 --> 08:18.580
Jump again and let it push the five parameters to the stack.

08:19.270 --> 08:24.670
Now it is going to change the permission bit for 126000.

08:25.440 --> 08:26.970
126000.

08:28.870 --> 08:30.790
So we can follow in here.

08:30.790 --> 08:32.920
Right click, follow the DWORD in dump.

08:34.060 --> 08:39.100
Once you have 6000 and we look at memory map 1 to 5, 6000 is here.

08:39.100 --> 08:43.420
Currently it's readable, but let us step over and see what happens.

08:44.220 --> 08:48.000
So now if you look here, it becomes readable as well.

08:49.680 --> 08:51.510
So let's continue to run.

08:53.810 --> 09:00.980
So it's in the running state now, and finally it has populated something in the dump.

09:01.760 --> 09:07.130
So this part is also being populated now, as you can see here as well.

09:08.300 --> 09:11.420
At this memory address and here as well.

09:11.720 --> 09:14.990
And here you can see Embarcadero string.

09:15.680 --> 09:25.040
That means it's a Delphi section that is going to execute. 126000 is also in the same region

09:25.040 --> 09:28.790
as 128, just further down the address.

09:30.240 --> 09:30.540
Okay.

09:30.540 --> 09:32.280
So now we can continue to run.

09:37.610 --> 09:40.280
Okay, now it's going to call GetProcAddress.

09:40.310 --> 09:43.820
It's hit this breakpoint.

09:43.820 --> 09:50.420
And instead of looking down here, the other alternative is to look for the parameters on the right

09:50.420 --> 09:51.290
hand side here.

09:51.830 --> 09:59.690
So if you want to know more about GetProcAddress, you can go and look it up at the MSDN.

09:59.960 --> 10:08.930
The second parameter is the name of the API that you are looking for and it returns the address where

10:08.930 --> 10:10.100
this API is found.

10:10.730 --> 10:13.040
You can read about it here if you want.

10:13.550 --> 10:18.400
So in this case here, the address that is returned will be in EAX.

10:19.710 --> 10:28.590
But we are not interested in following whatever APIs this malware is trying to find, because we are

10:28.590 --> 10:31.320
just interested in finding where it is dumping.

10:31.560 --> 10:37.320
But the reason why we put a breakpoint on GetProcAddress is we want to know when is the correct time to

10:37.320 --> 10:37.650
dump.

10:37.950 --> 10:44.880
So the correct time to dump is when GetProcAddress is looking for some string which shows that it

10:44.880 --> 10:46.530
has finished dumping.

10:46.860 --> 10:49.810
So that's why we put a breakpoint on GetProcAddress.

10:49.920 --> 10:58.230
So currently, if we look at the second parameter, port address, it is this API that it is trying to get the

10:58.240 --> 11:03.330
address for. We continue to run and we hit GetProcAddress.

11:03.360 --> 11:09.120
This time it's looking for a different API called set value. Run again.

11:10.330 --> 11:14.980
Hit again, this time it is looking for phase three.

11:16.270 --> 11:19.900
We run again and now it hits GetProcAddress.

11:19.900 --> 11:21.580
This time it is EncodePointer.

11:22.730 --> 11:24.970
Run again.

11:24.980 --> 11:27.020
GetProcAddress and EncodePointer.

11:27.700 --> 11:29.030
Run again.

11:29.030 --> 11:31.220
GetProcAddress and EncodePointer.

11:31.880 --> 11:33.710
Run again.

11:34.070 --> 11:35.380
GetProcAddress and EncodePointer.

11:35.390 --> 11:43.880
So keep on clicking F9 or this button and you can see it keeps calling GetProcAddress to get the

11:43.880 --> 11:46.100
API address for these functions.

11:46.250 --> 11:49.400
So probably this is how VMProtect works.

11:49.550 --> 11:54.140
It's trying to do something with the pointer to get the address.

11:55.040 --> 11:56.390
Keep on F9.

11:56.600 --> 11:57.620
F9 again.

11:57.650 --> 12:06.800
This time it's DecodePointer, GetProcAddress for DecodePointer. Click F9 again, still the same, GetProcAddress,

12:06.920 --> 12:07.730
DecodePointer.

12:07.730 --> 12:16.940
So it is trying to decode all the APIs, the function names, function addresses, for running the malware

12:17.210 --> 12:19.790
and to unpack it into memory.

12:20.000 --> 12:26.700
So keep pressing F9 or this button, now EncodePointer again.

12:27.270 --> 12:32.980
So this is how VMProtect seems to be working again.

12:33.000 --> 12:36.720
All right, so now we are moisture protect back on protect.

12:36.900 --> 12:43.780
And now we will continue with the analysis in the next video.

12:43.800 --> 12:45.240
Thank you for watching.
