WEBVTT

00:00.200 --> 00:00.760
Welcome back.

00:00.770 --> 00:08.750
In the previous video, we dumped this dump file using Process Hacker because it was a

00:08.750 --> 00:10.370
self-injecting Trojan.

00:10.940 --> 00:16.250
So we open FLARE now and we are going to use PE-bear to unmap this file.

00:16.790 --> 00:21.140
So let's go to utilities and open PE-bear.

00:28.490 --> 00:33.770
Then we can now drag this into PE-bear.

00:36.950 --> 00:48.110
And then if you take a look at the imports, it is all screwed up because of the section headers,

00:48.110 --> 00:50.330
which is not aligned properly.

00:50.360 --> 00:51.890
It has not been unmapped yet.

00:52.670 --> 00:54.630
So we need to unmap it.

00:54.650 --> 00:55.880
Go to section headers.

00:56.030 --> 01:02.270
First step is to change all the raw address to become the same as the virtual address.

01:02.480 --> 01:04.970
So this first one will become 1000.

01:05.000 --> 01:07.190
This one will become 22,000.

01:07.220 --> 01:10.880
This one will become 20,000 and this one will become 29,000.

01:31.770 --> 01:33.960
Right, once you have done that.

01:34.080 --> 01:40.590
Next thing is to calculate the raw size based on the raw address.

01:40.590 --> 01:46.560
So for the first one it is 22,000 - 1000, which gives us 21,000.

01:48.750 --> 01:52.410
This one is 28,000 - 22,000.

01:52.530 --> 01:55.050
So it is 6000, which is already correct.

01:55.200 --> 01:58.290
This one should be 29,000 - 28,000.

01:58.470 --> 02:00.270
So that gives you 1000.

02:02.160 --> 02:02.460
Okay.

02:02.460 --> 02:03.210
So that's done.

02:04.140 --> 02:13.950
And then now over here for this, if we wanted to, we can fix it so that it fills up the entire block

02:13.950 --> 02:17.820
here so we can change this to 8000, for example.

02:19.140 --> 02:19.680
Not enough.

02:19.680 --> 02:24.300
So maybe 9000 not enough.

02:24.900 --> 02:26.910
So maybe A,

02:29.910 --> 02:32.580
nine, maybe B,

02:35.340 --> 02:40.170
almost. C, yes.

02:40.170 --> 02:40.920
So it's filled up.

02:41.190 --> 02:45.360
So the virtual size, we can leave it; not necessary.

02:45.360 --> 02:48.090
And then now we can go and check the imports.

02:48.090 --> 02:50.910
And we see that imports are now okay.

02:52.080 --> 02:54.180
That means we have correctly unmapped it.

02:54.480 --> 02:57.750
Next thing is to fix the base address.

02:57.750 --> 02:59.580
So that is called rebasing.

02:59.580 --> 03:04.170
So click optional header and look for the image base.

03:05.000 --> 03:11.750
So the image base needs to be the address where we dump this from, which is one followed by seven zeros.

03:12.590 --> 03:13.640
As you recall.

03:13.910 --> 03:16.130
So it's one followed by seven zeros.

03:17.990 --> 03:18.170
Hit.

03:18.170 --> 03:18.620
Enter.

03:19.100 --> 03:20.450
Okay, that's it.

03:22.100 --> 03:30.530
Now we can check the exports, and you can see the name is loaded, the Eldrick, which is the name for

03:30.530 --> 03:34.250
the loader for Dridex, and imports have been fixed.

03:34.280 --> 03:36.230
Okay, so now we can dump this.

03:36.440 --> 03:42.110
Right-click on this name here and save the executable as.

03:42.620 --> 03:51.170
And we can now call it dump unmap and click save.

03:53.290 --> 03:53.460
Okay.

03:53.470 --> 03:54.010
Okay.

03:54.010 --> 03:58.930
And now you can test it by opening it, either

04:02.440 --> 04:09.280
click New and then select the new unmapped region.

04:10.300 --> 04:11.590
The new unmapped one.

04:12.100 --> 04:12.790
Click open.

04:14.200 --> 04:14.500
Click.

04:14.500 --> 04:15.100
Okay.

04:17.350 --> 04:19.380
There is no more error.

04:20.130 --> 04:22.170
That means it has probably been unmapped.

04:22.770 --> 04:27.930
And now you can go ahead and you can see so many functions.

04:29.130 --> 04:30.570
Imports are there as well.

04:34.470 --> 04:35.370
Open Subviews.

04:35.400 --> 04:36.450
Look at strings.

04:38.410 --> 04:41.320
And you also have strings, although it's encrypted.

04:43.150 --> 04:45.310
We have met the objectives of this session.

04:45.310 --> 04:48.190
We have successfully unmapped Dridex.

04:48.730 --> 04:50.620
Thank you for watching.
