    futex
    @futex
    I saw this packer behavior a lot of times in dotnet malware
    the loaded module is the malware unpacked
    (or sometimes it's packed with another packer like ConfuserEx)
    but I want to automate the first stage unpacking
    Layle | Luca
    @ioncodes
    ok
    Simonas G
    @SlowLogicBoy

    Note: It is unsafe to load malware in memory first of all so I assume you are using VM.
    Solutions:

    1. You can use dnSpy's dnDbg library to do what you want, however it is not documented at all, and you will need to figure it out yourself
    2. You can copy unpacking code from the malware .exe and reuse it in your app. <- that's usually my solution.

    Still, both ways are not reusable in other malware, because they are packed differently, so I see no point in writing a tool like this when there is dnSpy

    Layle | Luca
    @ioncodes
    I don't really see the point of automating that step since it won't work with well-protected files. Also it can be hidden very easily. Also what you're doing is not unpacking. You're simply dumping a file. Unpacking it would be if you decrypt the file without dumping it.
    exactly
    that's what I'm saying. I'd do number 2 from @SlowLogicBoy
    But it'd be possible to do it via dnDbg, but I really do not recommend it
    futex
    @futex
    I'm on a VM of course ^^ I reverse a lot of malware :)
    Simonas G
    @SlowLogicBoy
    also since most malware is using ConfuserEx you could use https://github.com/CodeShark-Dev/NoFuserEx, however I don't think it supports unpacking
    futex
    @futex
    ok I will take a look at dnDbg
    Layle | Luca
    @ioncodes
    It won't even mean that it's really automated, because the signature could be different for all modules, and as long as the malware has more than 1 file loaded, user interaction will be needed
    futex
    @futex
    without doc it can be boring ^^
    Layle | Luca
    @ioncodes
    yeah
    Simonas G
    @SlowLogicBoy
    well dnSpy has a debugger plugin which uses dnDbg so that might help
    Layle | Luca
    @ioncodes
    if you don't care about the security you could just get a Process.Modules list
    yeah
    also, you can hide stuff if a debugger is attached
    Simonas G
    @SlowLogicBoy
    also @0xd4d is rewriting some debugging stuff so you could take a look at https://github.com/0xd4d/dnSpy/tree/dbg
    Layle | Luca
    @ioncodes
    I'd personally just unpack it via C# and maybe with the help of dnpatch
    futex
    @futex
    ok thank you
    yeah but how can you do it only with C#?
    Simonas G
    @SlowLogicBoy
    which part?
    futex
    @futex
    how can you break an assembly's execution when it loads a new module
    Layle | Luca
    @ioncodes
    you would need to write a wrapper such as dnDbg
    Andrew Shulgin
    @andrew-shulgin
    Hello! I am trying to get an integer operand value with GetOperand, but I'm getting an error:
    System.NullReferenceException: 'Object reference not set to an instance of an object.'
    on
    return method.Body.Instructions[target.Index].Operand.ToString();.
    I understand that it's because the operand is "optimized" in terms of dnSpy.
    In dnSpy I'd click "Simplify All Instructions" and the value would be revealed.
    How can I do the same thing using dnPatch?
    Thank you for your help!
    Andrew Shulgin
    @andrew-shulgin
    Solved! :smile:
    I've added a GetLdcI4Operand function to dnPatch, it uses GetLdcI4Value of Instruction.
    Pull request coming!
    Andrew Shulgin
    @andrew-shulgin
    Pull request delivered
    Thank you for dnPatch!
    Layle | Luca
    @ioncodes
    Thanks for the PR!
    GaryNg
    @garyng
    Hi!
    May I know how to get the constructor of a class?
    Layle | Luca
    @ioncodes
    its name is always .ctor
    GaryNg
    @garyng
    Ahwwwwww
    Thanks!
    I thought it has the same name as the class name 😅😅
    Layle | Luca
    @ioncodes
    Nope :p
    GaryNg
    @garyng
    Thanks!😁
    Layle | Luca
    @ioncodes
    np :h
    • :)
    Layle | Luca
    @ioncodes
    Holidays started for me so I got time to look into dnpatch again :D
    Layle | Luca
    @ioncodes
    For the people that wanted to use BuildMemberRef: It has been fixed and renamed to BuildCall
    dividereis
    @dividereis
    Thanks, Luca
    Layle | Luca
    @ioncodes
    np :)
    dividereis
    @dividereis
    I'll test it out now
    Layle | Luca
    @ioncodes
    Let me know :D
    dividereis
    @dividereis
    What's that 'cool story' btw? You never said it