Extract Payload from Memory

Malware Leave a comment

Hi Guys

Today, I am going to share about the basic or simple technique for the malware analyst to extract payload or binary from the dynamic allocated memory.

As we know, malware sometimes uses dynamic loading payload or binary to evade malicious code from EDR or AV detection. It will allocate memory space during runtime and extract the encrypted or packed payload and store it in memory space. We are the malware analyst need to extract this to understand

I have created a simple application that read another application binary and put it in the memory. So We will do some steps to extract the binary it loaded from memory.

#include<windows.h>
#include <stdarg.h>

int main() {

    static const size_t BufferSize = 48000;
    
    FILE* ptr1;
    unsigned char buffer2[BufferSize];

    ptr1 = fopen("C:\\Temp\\HelloWorld.exe", "rb");
    const size_t fileSize = fread(buffer2, sizeof(unsigned char), BufferSize, ptr1);
    void *ptr = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(ptr, buffer2, BufferSize);
    printf("Finish");
    VirtualFree(ptr, 0, MEM_RELEASE); //releasing memory

    return 0;
}

Every malware will use VirtualAlloc to provide space in memory. So this becomes our target API call during our analysis to get the initial memory address space

So we need to put break point on VirtualAlloc call to get the memory address from the eax.

Before allocated

We can see that EAX is still not pointing to any memory address

After Allocated

We can see now that EAX is pointing to an address 000A0000, this is the first memory address

Now we can check the memory space around the 000A0000 is still empty. You can do syncronize with EAX in the hex view to show the memory content

You can also view the memory space using process hacker.

You can find the memory address from the EAX in the process hacker and double click on it then it will show you the content in that memory spaces

Now lets continue the debugger so that we will come into memcpy

if you want to re read the memory content on that address then you need to press re-read

It will result that the application will re-read the memory content start from that memory space

Now we can see that that memory space now are filled with content that we are not sure yet what it is. But we know that it starts with MZ, which is the indication of binary files and followed by This program cannot be run in DOS

Extract the Payload

After identifying the memory location and finding the content, let’s start dumping it into binary file. I will use process explorer to save it.

Change the file name into anyfile *.exe and press save

Now you can do further check of the binary file or you can try to run it if you wish

Or you can look for the details using PE Studio. We can see that the binary file is fully extracted

OK, that is all the steps. So whenever you see a malware that packed their payload or loads it dynamically, the most common practice is finding the memory address by assigning breakpoint at VirtualAlloc and debugging steps the malware and checking the content from surrounded memory address.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s