Extract Payload from Memory

Hi Guys

Today I am going to share a basic technique that a malware analyst can use to extract a payload or binary from dynamically allocated memory.

As we know, malware sometimes loads its payload or binary dynamically in order to hide its malicious code from EDR or AV detection. It allocates memory at runtime, decrypts or unpacks the payload, and stores it in that memory region. We, as malware analysts, need to extract this in order to understand

I have created a simple application that reads another application's binary and puts it in memory. We will go through the steps to extract the binary it loaded from memory.

#include <windows.h>
#include <stdio.h>
#include <string.h>

int main() {

    static const size_t BufferSize = 48000;

    FILE* ptr1;
    unsigned char buffer2[BufferSize];

    // Read the raw file bytes of the "payload" into a stack buffer.
    ptr1 = fopen("C:\\Temp\\HelloWorld.exe", "rb");
    if (ptr1 == NULL) {
        printf("Cannot open payload file\n");
        return 1;
    }
    const size_t fileSize = fread(buffer2, sizeof(unsigned char), BufferSize, ptr1);
    fclose(ptr1);

    // Allocate a fresh RWX region at runtime; this is the call we break on.
    void *ptr = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (ptr == NULL) {
        printf("VirtualAlloc failed\n");
        return 1;
    }

    // Copy only the bytes actually read; after this the region starts with "MZ".
    memcpy(ptr, buffer2, fileSize);
    printf("Finish");
    VirtualFree(ptr, 0, MEM_RELEASE); //releasing memory

    return 0;
}

Most malware that stages a payload this way calls VirtualAlloc to get space in memory (some call VirtualAllocEx or the underlying NtAllocateVirtualMemory instead, precisely to dodge a breakpoint on VirtualAlloc). So this API call becomes our target during analysis, because its return value is the start address of the new memory region.

So we put a breakpoint on the VirtualAlloc call and let it return; the address of the allocated region is then in EAX (RAX in a 64-bit process).

Before allocation

We can see that EAX does not yet point to the allocated memory.

After allocation

We can see that EAX now points to address 000A0000, the first address of the new region.

Now we can check that the memory around 000A0000 is still empty. You can synchronize the hex view with EAX to show the memory content at that address.

You can also view the memory region using Process Hacker.

Find the address from EAX in Process Hacker's Memory tab and double-click it; it will show you the content of that region.

Now let's continue in the debugger until we reach the memcpy.

If you want to re-read the memory content at that address, press Re-read.

The viewer will then read the memory again starting from that address.

Now we can see that the region is filled with content we have not identified yet. But it starts with MZ, the DOS header signature of a Windows PE executable, followed by the DOS stub text "This program cannot be run in DOS mode".

Extract the Payload

After we have identified the memory location and its content, let's dump it to a binary file. I will use the Process Hacker memory view again to save it.

Change the file name to anything ending in .exe and press Save. Note that the dump covers the whole allocated region, so the saved file is padded with bytes beyond the end of the original binary (VirtualAlloc rounds the 48000-byte request up to whole 4 KB pages).

Now you can do further checks on the binary file, or try to run it if you wish. With a real sample, only ever run it inside an isolated analysis VM.

Or you can look at the details using PE Studio. We can see that the binary file was fully extracted.

OK, that is all the steps. Whenever you see malware that packs its payload or loads it dynamically, the most common practice is to find the memory address by setting a breakpoint on VirtualAlloc, stepping the malware, and checking the content of the surrounding memory until the payload appears. One caveat: this works directly when the malware copies the raw file bytes, as in this example. If it instead maps the payload as an image (sections laid out at their virtual addresses), the section headers in the dump will not match the data offsets and have to be fixed before the dump is usable as a file.
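As an added example (not code from the original post), here is a Python script that does programmatically what the two steps above do by hand: it scans a region dumped from memory for the MZ signature, checks that a real PE header follows it, and cuts the binary out at its true size, computed from the section table, so the padding at the end of the allocated region is dropped. The dump region and the minimal PE inside it are constructed in the script so it runs offline; the names build_fake_pe, pe_raw_size and carve_pe_files are my own. It assumes the payload was copied into memory in raw file layout, as the sample program above does.

```python
import struct

# Magic values and fixed field offsets from the PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
SECTION_HDR = "<8sIIIIIIHHI"                     # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)
FILE_ALIGN = 0x200


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def build_fake_pe(sections):
    """Constructed test input: a minimal PE32 in raw-file layout with the given
    (name, bytes) sections. Valid enough to carve, not a runnable program."""
    e_lfanew = 0x80
    size_of_optional = 0xE0                       # PE32 optional header size
    hdr_end = e_lfanew + 4 + 20 + size_of_optional + SECTION_HDR_SIZE * len(sections)
    size_of_headers = _align(hdr_end, FILE_ALIGN)

    dos = bytearray(0x40)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)   # e_lfanew -> "PE\0\0"
    stub = DOS_STUB_TEXT.ljust(e_lfanew - 0x40, b"\0")

    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 36, FILE_ALIGN)   # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)

    sec_hdrs, bodies, raw_ptr = b"", b"", size_of_headers
    for i, (name, data) in enumerate(sections):
        raw_size = _align(len(data), FILE_ALIGN)
        sec_hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data),
                                0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (bytes(dos) + stub + PE_MAGIC + coff + bytes(opt) + sec_hdrs).ljust(size_of_headers, b"\0")
    return headers + bodies


def pe_raw_size(region, off):
    """If a PE in raw-file layout starts at region[off], return (size, truncated).
    The size is the end of the last section's raw data, i.e. what the file on
    disk occupied; anything after it in the dumped region is allocation slack."""
    if region[off:off + 2] != DOS_MAGIC or len(region) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x400 or region[pe:pe + 4] != PE_MAGIC:
        return None
    opt = pe + 24
    if len(region) < opt + 64:
        return None
    num_sections = struct.unpack_from("<H", region, pe + 6)[0]
    size_of_optional = struct.unpack_from("<H", region, pe + 20)[0]
    magic = struct.unpack_from("<H", region, opt)[0]
    if magic not in (0x10B, 0x20B) or not 1 <= num_sections <= 96:
        return None
    end = struct.unpack_from("<I", region, opt + 60)[0]   # SizeOfHeaders, same offset in PE32/PE32+
    sec = opt + size_of_optional
    for i in range(num_sections):
        hdr = region[sec + i * SECTION_HDR_SIZE: sec + (i + 1) * SECTION_HDR_SIZE]
        if len(hdr) < SECTION_HDR_SIZE:
            return None                            # section table itself is cut off
        _name, _vsize, _vaddr, raw_size, raw_ptr, *_rest = struct.unpack(SECTION_HDR, hdr)
        end = max(end, raw_ptr + raw_size)
    if end < (sec + num_sections * SECTION_HDR_SIZE) - off:
        return None                                # size must at least cover the headers
    return end, off + end > len(region)


def carve_pe_files(region, base=0):
    """Walk every 'MZ' in the region (decoys included), keep the ones with a
    valid PE header behind them, and slice each to its real size."""
    found = []
    pos = region.find(DOS_MAGIC)
    while pos != -1:
        parsed = pe_raw_size(region, pos)
        if parsed is None:
            pos = region.find(DOS_MAGIC, pos + 1)
            continue
        size, truncated = parsed
        data = bytes(region[pos:pos + size])
        found.append({"offset": base + pos, "size": size, "truncated": truncated,
                      "data": data, "has_dos_stub": DOS_STUB_TEXT[:18] in data[:0x200]})
        pos = region.find(DOS_MAGIC, pos + len(data))
    return found


def build_test_region():
    """Constructed stand-in for a Process Hacker dump of the allocated region:
    a decoy 'MZ' with no PE behind it, the fake PE, then the zero slack that
    page rounding leaves at the end of the allocation."""
    fake = build_fake_pe([(b".text", b"\xcc" * 300), (b".data", b"payload bytes here")])
    return b"MZ" + b"\0" * 62 + fake + b"\0" * 2000


if __name__ == "__main__":
    # On a real dump: carve_pe_files(open("region.bin", "rb").read(), base=0xA0000)
    # and write each hit["data"] to a .exe for PE Studio.
    for hit in carve_pe_files(build_test_region(), base=0x000A0000):
        print(f"PE at 0x{hit['offset']:08X}: {hit['size']} bytes, truncated={hit['truncated']}")
```

The carver deliberately re-checks every MZ it meets rather than stopping at the first, because packers often leave a decoy or a second embedded binary in the same region; a truncated result means the dump was cut short and the region should be re-read or the allocation size re-checked.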
