IDCDumpFix is a quick tool that allows you to implement a RE shortcut for quickly working with arbitrarily packed files.
The precept behind this technique is that for malcode analysis, we don’t really need a cleanly unpacked and runnable image such as software crackers do.
What we do need is a quick reliable way to get in and get a clean readable disassembly of the packed program.
Procedure:
- run your target sample
- attach olly to the running process (will be unpacked in memory now)
- use LordPE or similar tool to dump the image from memory
- optional - locate probable oep through common startup apis and
reset ep in pe header of dump file
- disassemble the memory dump file in IDA
- in olly: make sure you are in the main exe memory segment,
right click on the disasm window and search for all
intermodular calls. Right click on this table and copy
whole table to clipboard.
- start up IDCDumpfix and paste in the call table from olly, hit
Generate IDC button to parse it into IDC file format.
- scan through the IDC file and remove any entries where olly could not
apply API name to address. Save IDC file and then apply it
to your IDA database of the memory dump.
Limitations:
- olly cannot always find all intermodular calls this way (IAT redirection etc)
- since we don’t rebuild the dumped image and its not runnable, we cannot make
persistent patchs to alter its behavior (not needed very often for analysis)
- if the application does not stay running long enough to attach the debugger
then you may have to go through a manual process of stepping through
the unpacker in a debugger or use API hooking tricks to stall it for dumping.
- make sure that Olly debugging option "Show Symbolic Addresses" is turned off
otherwise the pointer location will not be present in intermodular call
table. (Options -> Debugging Options -> Disasm -> Show Symbolic Addresses)
Also make sure olly disasm format is either MASM or IDEAL and not lowercase.