Hi Friends,
I am creating a very simple tutorial to extract malware from the memory. I made two simple applications where the first one will load the second application binary from a text file which is encoded with based64
Below is the code of the first application that will decode the base64 above into a PE file and load them into memory
#include <stdio.h>
#include <string.h>
#include <Windows.h>
const char b64chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
int b64invs[] = { 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58,
59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5,
6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28,
29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
43, 44, 45, 46, 47, 48, 49, 50, 51 };
size_t b64_decoded_size(const char* in)
{
size_t len;
size_t ret;
size_t i;
if (in == NULL)
return 0;
len = strlen(in);
ret = len / 4 * 3;
for (i = len; i-- > 0; ) {
if (in[i] == '=') {
ret--;
}
else {
break;
}
}
return ret;
}
int b64_isvalidchar(char c)
{
if (c >= '0' && c <= '9')
return 1;
if (c >= 'A' && c <= 'Z')
return 1;
if (c >= 'a' && c <= 'z')
return 1;
if (c == '+' || c == '/' || c == '=')
return 1;
return 0;
}
int b64_decode(const char* in, unsigned char* out, size_t outlen)
{
size_t len;
size_t i;
size_t j;
int v;
if (in == NULL || out == NULL)
return 0;
len = strlen(in);
if (outlen < b64_decoded_size(in) || len % 4 != 0)
return 0;
for (i = 0; i < len; i++) {
if (!b64_isvalidchar(in[i])) {
return 0;
}
}
for (i = 0, j = 0; i < len; i += 4, j += 3) {
v = b64invs[in[i] - 43];
v = (v << 6) | b64invs[in[i + 1] - 43];
v = in[i + 2] == '=' ? v << 6 : (v << 6) | b64invs[in[i + 2] - 43];
v = in[i + 3] == '=' ? v << 6 : (v << 6) | b64invs[in[i + 3] - 43];
out[j] = (v >> 16) & 0xFF;
if (in[i + 2] != '=')
out[j + 1] = (v >> 8) & 0xFF;
if (in[i + 3] != '=')
out[j + 2] = v & 0xFF;
}
return 1;
}
int main()
{
char str1[20];
FILE* fp;
char buff[70317];
fp = fopen("C:\\Temp\\payload.txt", "r");
fscanf(fp, "%s", buff);
fclose(fp);
printf("64Base Payload Loaded\n");
char* out;
size_t out_len;
out_len = b64_decoded_size(buff) + 1;
out = (char*)malloc(out_len);
printf("Decoding ...\n");
b64_decode(buff, (unsigned char*)out, out_len);
printf("Preparinig RWX Memory Space ...\n");
SIZE_T shellSize = sizeof(buff);
LPVOID shellAddress = VirtualAlloc(NULL, out_len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
printf("Ready to Decrypt Payload \n");
scanf("%19s", str1);
WriteProcessMemory(GetCurrentProcess(), shellAddress, out, out_len, NULL);
printf("PE Payload Loaded Pause \n");
scanf("%19s", str1);
}
Running the first application as up untill it is ready to load the payload into the memory
Lets open Process Hacker to find out where the payload will be copied to. The tips is to find the memory region with protection RWX. Lets open process hacker and find the process
Right click on the process and suspend it to prevent the malware to run further. Please note that you should not run the malware in your main operating system.
Double click on the MalWrapper.exe and go to the memory tab and find the memory address with RWX. Why RWX because the memory region must allow the payload to be executed from that memory region.
Before the payload is loaded
We can see that the memory range with the RWX protection is now empty because we stop just right before the payload is copied to the memory space
Press Yes on the application and it will continue to copy the PE to new allocated memory region. After the payload is loaded. We can see that a PE is loaded into the memory
Now, Once the payload is fully copied to the memory space then we can save it or dump it into a file. Click on the save button
Opening the output file in IDA. You can directly load the file that you just saved using IDA.
You need to rebase the IDA hence the starting of the application will be the same with the binary that we just dumpled. From the process hacker, right click on the memory region where the payload is copied into and click on “Copy Base Address”
Once you copied then put as the segment rebase in IDA
below is the code of the application, now we can see the payload is unpacked and we can do static analysis
Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis 
Nice write up. Very clear to understand. Maybe you can do a tutorial on DeathSleep or SleepMask if your up to it. These are for Red Team beacons that periodically encode memory to hide the memory region contents