7

I'm trying to analyse a piece of malware and after finding the OEP I'm having trouble dumping the process.

Using LordPE (and IDA) I get an error saying "Couldn't grab process memory". I searched for this and resolved it by using the intellidump engine in LordPE. Although this produces an exe, the file doesn't have an icon. I also tried using OllyDump and get the error: "Unable to read memory of debugged process...". I tried to fix this by modifying memory segments in Olly, setting their access to 'full access'; however, I'm still getting the same error.

When I try to use ImpREC on the dump from LordPE, I sometimes get another error with a similar gist.

I'm guessing there's some kind of memory protection going on here but really have no idea what to do next. Any help would be much appreciated.

James

3 Answers

5

Try IczDump -- it works by injecting itself as a DLL into the target process and dumping the target process's memory from within the process itself.

Jason Geffner
4

I'm not sure how much trouble you'd be willing to go through, but I'd suggest taking a full memory dump with something like DumpIt and using Volatility's "procmemdump" command to pull the running process.

3

The lack of an icon is merely due to the unpacked executable not having a correct resource DataDirectory.

Does the dumped executable actually run (under a debugger)?

You might want to try QuickUnpack or Deroko's Dream of every reverser.

Ange
  • It does run, and it definitely looks unpacked (in IDA), however it seems to exit very quickly. Is there any way to fix the icon (just out of curiosity)? – James Apr 17 '13 at 20:05
  • The above may be somewhat unclear. It runs in IDA but will exit before actually doing much. When running the original exe, the malware installs itself etc and starts running. – James Apr 17 '13 at 20:14
  • It's possible that it detects that it's unpacked, then exits. Fixing the icon is a matter of finding the resource DataDirectory (if it's still present in memory) and fixing it in the PE header. – Ange Apr 18 '13 at 09:03
  • hmm, looking at the graph in IDA, it seems that the split between exiting and executing the rest of it comes from a compare of BL. The problem is that ebx is zeroed earlier and I can't see anything that sets it to something other than 0. Could it be set in an interrupt or something? – James Apr 18 '13 at 13:33
  • It looks like on EntryPoint, EBX always points to some valid address like 7EFXX000. So, if the packer was changing that, it's an easy way for the packed code to check if it has been unpacked or not. – Ange Apr 18 '13 at 13:42
  • That's a good idea, EBX is zeroed after the entry point though – James Apr 18 '13 at 14:36
  • In any case, the line is test bl,2 so given that the last byte is always 0 I think I'm missing something else – James Apr 18 '13 at 14:45
  • @James did you solve the BL mystery by now ? – Ange Apr 24 '13 at 10:07
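Ange's point that the missing icon comes from a broken resource DataDirectory can be checked directly in the dump. The following Python is added here as an illustration and is not code from any of the answers: it parses the PE header of a dump (the sample image is constructed, not a real binary), reads the resource entry (DataDirectory index 2), and writes back an RVA/size; the values patched in are placeholders standing in for whatever the analyst locates in memory.

```python
import struct

# Offset of the DataDirectory array inside IMAGE_OPTIONAL_HEADER, keyed by
# the Magic field (PE32 = 0x10B, PE32+ = 0x20B). NumberOfRvaAndSizes sits
# in the 4 bytes just before the array in both layouts.
DATADIR_OFFSET = {0x10B: 96, 0x20B: 112}
RESOURCE_INDEX = 2          # IMAGE_DIRECTORY_ENTRY_RESOURCE

def data_directory(pe: bytes, index: int):
    """Return (file_offset, rva, size) of DataDirectory[index] in a PE image/dump."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in DATADIR_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_rva = struct.unpack_from("<I", pe, opt + DATADIR_OFFSET[magic] - 4)[0]
    if index >= num_rva:
        raise ValueError("directory index beyond NumberOfRvaAndSizes")
    off = opt + DATADIR_OFFSET[magic] + 8 * index
    rva, size = struct.unpack_from("<II", pe, off)
    return off, rva, size

def set_resource_directory(pe: bytes, rva: int, size: int) -> bytes:
    """Return a copy of the image with the resource DataDirectory entry patched."""
    off, _, _ = data_directory(pe, RESOURCE_INDEX)
    buf = bytearray(pe)
    struct.pack_into("<II", buf, off, rva, size)
    return bytes(buf)

def build_sample() -> bytes:
    """Constructed minimal PE32 header (headers only, no sections) whose
    resource DataDirectory entry is zeroed, as in a dump that lost it."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    img = build_sample()
    off, rva, size = data_directory(img, RESOURCE_INDEX)
    print(f"resource dir at file offset {off:#x}: rva={rva:#x} size={size:#x}")
    # Placeholder RVA/size; in practice these come from the .rsrc data still in memory.
    fixed = set_resource_directory(img, 0x3000, 0x400)
    print(data_directory(fixed, RESOURCE_INDEX))
```

On a real dump, replace `build_sample()` with the file contents and pass the RVA and size of the resource tree found in the process memory.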