IDCDumpFix

IDCDumpFix is a quick tool that implements a reverse-engineering shortcut for working with arbitrarily packed PE files.

The premise is that for malcode analysis, you don't really need a cleanly unpacked, runnable image like a software cracker would — you just need a quick reliable way to get a clean, readable disassembly of the packed program.

Procedure

  1. Run your target sample.
  2. Attach Olly (or any debugger) to the running process; by this point it has unpacked itself in memory.
  3. Use LordPE or a similar tool to dump the image from memory.
  4. (Optional) Locate the probable OEP (original entry point) by way of the common startup APIs, and set the entry point in the PE header of the dump file to it.
  5. Disassemble the memory-dump file in IDA.
  6. In Olly: make sure you're in the main exe memory segment, right-click the disasm window, and search for all intermodular calls. Right-click the resulting table and copy the whole table to the clipboard.
  7. Start IDCDumpFix and paste in the call table from Olly. Click Generate IDC to parse it into IDC file format.
  8. Scan through the IDC file and remove any entries where Olly couldn't apply an API name to an address. Save the IDC file and apply it to your IDA database of the memory dump.

You now have a quick-to-produce, readable disasm of your target to search/view as you work in your debugger on the running target.
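The parsing that step 7 performs and the cleanup that step 8 asks for, as an added Python example (this is not IDCDumpFix's own code): it reads a constructed copy of Olly's intermodular-call table, assuming the three-column Address / Disassembly / Destination layout with the raw IAT pointer still visible in the disassembly (which is what the Show Symbolic Addresses note below is about), drops rows where Olly attached no module.API name, names each IAT slot once even when several call sites use it, qualifies a name with its module when two DLLs export the same API, and emits a classic-IDC script using the pre-IDA-7 `MakeDword`/`MakeName` calls. The sample table, the `SAMPLE_TABLE` / `parse_call_table` / `build_iat_names` / `unresolved_slots` / `generate_idc` names, and the collision and unresolved rows are all constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of an OllyDbg "Found intermodular calls" table as it lands
# in the clipboard (assumed layout: Address, Disassembly, Destination columns).
# With "Show Symbolic Addresses" off the disassembly keeps the raw IAT slot
# (DS:[402000]); two rows deliberately carry no destination name, and two
# different DLLs export the same API name to exercise collision handling.
SAMPLE_TABLE = """\
Address    Disassembly                         Destination
00401000   CALL DWORD PTR DS:[402000]          kernel32.GetProcAddress
00401010   CALL DWORD PTR DS:[402004]          kernel32.LoadLibraryA
00401020   CALL DWORD PTR DS:[402000]          kernel32.GetProcAddress
00401030   CALL DWORD PTR DS:[402008]
00401040   CALL DWORD PTR DS:[40200C]          user32.MessageBoxA
00401050   CALL 00401200
00401060   CALL DWORD PTR DS:[402010]          ws2_32.send
00401070   CALL DWORD PTR DS:[402014]          wsock32.send
"""

ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(.*?)\s*$")   # 8-hex-digit call site
SLOT_RE = re.compile(r"DS:\[([0-9A-Fa-f]{1,8})\]")          # IAT pointer in the CALL
DEST_RE = re.compile(r"^([A-Za-z0-9_]+)\.([A-Za-z0-9_@?$]+)$")  # module.API


class CallRow(NamedTuple):
    call_site: int              # address of the CALL instruction
    iat_slot: Optional[int]     # pointer the CALL reads; None for direct calls
    module: Optional[str]       # DLL name Olly resolved; None if unresolved
    api: Optional[str]          # export name Olly resolved; None if unresolved


def parse_call_table(text: str) -> List[CallRow]:
    """Parse the pasted Olly table; the header line and blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        call_site = int(m.group(1), 16)
        rest = m.group(2)
        module = api = None
        disasm = rest
        # The destination, when present, is the last whitespace-separated token
        # and looks like module.API; anything else is part of the disassembly.
        parts = rest.rsplit(None, 1)
        if len(parts) == 2:
            d = DEST_RE.match(parts[1])
            if d:
                disasm, (module, api) = parts[0], d.groups()
        s = SLOT_RE.search(disasm)
        iat_slot = int(s.group(1), 16) if s else None
        rows.append(CallRow(call_site, iat_slot, module, api))
    return rows


def build_iat_names(rows: List[CallRow]) -> Dict[int, str]:
    """Map each resolved IAT slot to one unique IDA name.

    Rows without a module.API destination are the ones step 8 says to remove
    by hand; they are skipped here. A slot reached from several call sites is
    named once, and a name already given to a different slot (same export in
    two DLLs) is qualified with its module so IDA does not reject it.
    """
    names: Dict[int, str] = {}
    taken: Dict[str, int] = {}
    for r in rows:
        if r.iat_slot is None or r.api is None:
            continue
        if r.iat_slot in names:
            continue
        name = r.api
        if taken.get(name, r.iat_slot) != r.iat_slot:
            name = f"{r.module}_{r.api}"
        names[r.iat_slot] = name
        taken[name] = r.iat_slot
    return names


def unresolved_slots(rows: List[CallRow]) -> List[int]:
    """Call sites that read an IAT slot Olly could not name (for manual review)."""
    return [r.call_site for r in rows if r.iat_slot is not None and r.api is None]


def generate_idc(names: Dict[int, str]) -> str:
    """Emit a classic-IDC script (MakeDword/MakeName, the pre-IDA-7 IDC API)."""
    out = ["#include <idc.idc>", "", "static main()", "{"]
    for ea in sorted(names):
        out.append(f"    MakeDword(0x{ea:08X});")
        out.append(f'    MakeName(0x{ea:08X}, "{names[ea]}");')
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_call_table(SAMPLE_TABLE)
    print(generate_idc(build_iat_names(parsed)))
    for site in unresolved_slots(parsed):
        print(f"; review: unresolved intermodular call at {site:08X}")
```

Run it as-is to see the generated script; to use it on a real dump, replace `SAMPLE_TABLE` with the pasted clipboard text and, on IDA 7 or later, swap `MakeDword`/`MakeName` for `create_dword`/`set_name`. The list printed by `unresolved_slots` is exactly the set of entries step 8 tells you to look at before applying the script.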

Limitations

Olly setup: Make sure the debugging option Show Symbolic Addresses is turned off, otherwise the pointer location will not be present in the intermodular call table. (Options → Debugging Options → Disasm → Show Symbolic Addresses.) Also make sure Olly's disasm format is either MASM or IDEAL, not lowercase.