
Tuesday, February 10, 2015

Extracting PE files from memory

I was recently trying to debug some malware that someone gave me. The malware was extracting itself into memory and working from there. It is possible to debug the malware from memory itself, but it's a bit painful, since we have to run the whole thing each time: let the memory get populated with the malicious code and then try to understand what the code is doing. This is a waste of time, and if we can avoid it, we should.

As it turns out, it's possible to dump contents from memory. This is especially useful if it's a PE file that's unpacked into memory, because you could dump it and reverse it separately, without running the original malware that unpacked it every time.

I always knew this was possible but for many reasons (laziness to learn being foremost ;)) I never did it. This time I was determined to figure out how to do it. It turns out it is fairly straightforward. All credit for me learning this goes to this blog: http://www.joestewart.org/morphine-dll/

That blog should be self-explanatory really, but here were my steps.
  • Load the process in Olly and debug it as usual.
  • Once the process has loaded in memory, locate it in the Dump section of Olly.
  • Right click inside the dump: Backup - Save data to file, and save it as an EXE file on disk.
  • Launch a PE editor (I use LordPE). Locate the last section. Add its RawSize and RawOffset and record the number.
  • Open the file in a hex editor and go to this number (offset). Delete all content after this offset; usually this is all zeros. Now go to the start of the file and delete everything before the start of the header (4D 5A). Save the file.
  • Open the file in Olly... and there you go, a normal EXE file.
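The same trimming can be scripted. This is an added example, not code from the post or from the linked blog: it finds the MZ header whose e_lfanew points at a real PE signature, walks the section table, and cuts the dump at the largest PointerToRawData + SizeOfRawData (it checks every section rather than only the last one, since the last header in the table is not always the section placed highest in the file). All function names are hypothetical and the dump built by build_sample_dump is constructed test input.

```python
import struct

def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]

def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]

def find_pe_header(dump):
    """Offset of the first 'MZ' whose e_lfanew points at a valid PE signature."""
    pos = dump.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(dump):
            pe = pos + _u32(dump, pos + 0x3C)          # e_lfanew
            if pe + 24 <= len(dump) and dump[pe:pe + 4] == b"PE\0\0":
                return pos
        pos = dump.find(b"MZ", pos + 1)
    raise ValueError("no PE header found in dump")

def image_end(dump, mz):
    """Image size: the largest PointerToRawData + SizeOfRawData in the section table."""
    pe = mz + _u32(dump, mz + 0x3C)
    nsec = _u16(dump, pe + 6)                # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(dump, pe + 20)           # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = pe + 24 + opt_size               # first IMAGE_SECTION_HEADER (40 bytes each)
    end = 0
    for i in range(nsec):
        hdr = table + 40 * i                 # +16 SizeOfRawData, +20 PointerToRawData
        end = max(end, _u32(dump, hdr + 20) + _u32(dump, hdr + 16))
    return end

def carve_pe(dump):
    """Return the bytes from the MZ header up to the end of the last section."""
    mz = find_pe_header(dump)
    end = image_end(dump, mz)
    if mz + end > len(dump):
        raise ValueError("section table points past the end of the dump")
    return dump[mz:mz + end]

def build_sample_dump():
    """Constructed input: 20 junk bytes, a minimal two-section PE, then zero padding."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    def sec(name, rva, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, rva, size, ptr) + b"\0" * 16
    sections = sec(b".text", 0x1000, 0x200, 0x200) + sec(b".data", 0x2000, 0x100, 0x400)
    headers = (dos + b"PE\0\0" + file_hdr + b"\0" * 0xE0 + sections).ljust(0x200, b"\0")
    image = headers + b"A" * 0x200 + b"B" * 0x100                   # 0x500 bytes total
    return b"\0" * 16 + b"JUNK" + image + b"\0" * 0x300
```

Because the data was read from memory, sections sit at their VirtualAddress, so the cut is only right when the raw offsets match that layout; otherwise the section headers need fixing up before the file will load.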

I tried some plugins like OllyDumpEx but they did not work for me. They are probably fine; most likely I made a mistake while using them. I will try some nice plugins soon and update this post when I am done.

Hope this post helps someone easily unpack malware from memory manually. It's fairly easy and you do not need a plugin to do this :)

Monday, December 30, 2013

Securely Delete files - Ubuntu

So recently there was a lot of talk at work about keeping our customer data secure. Each of us was fully responsible for the customer data that we had on disk.

I use Ubuntu 12.04 with a ton of Virtual machines. Here's what I ended up doing to do my bit to keep all our customer data safe.

a) Set a BIOS password - If your laptop gets stolen and someone wants to boot off a USB, this makes it harder. Obviously though, they can just take your hard disk out and plug it into another laptop..

b) Full Disk Encryption - Sure, they can plug your disk into another machine. If all your data is encrypted (Ubuntu allows you to encrypt the disk while installing it) and you have a reasonably strong passphrase (greater than 10 characters, with capital letters, small letters, digits and special characters), it's going to be really hard to crack.

c) Do not store any customer data on your laptop - It's hard to do this, but really it's the best way. Let customer data be stored on secure servers inside a server room or datacenter, where it can't be stolen that easily. Some customer data storage though might be unavoidable...

d) Use Truecrypt if you must store Customer data - Whatever data there is on your laptop, encrypt that again using Truecrypt and a strong passphrase. So even if someone cracks your full disk encryption passphrase, all they will find is a Truecrypt file.

e) Securely delete content all the time - Using rm -rf or Shift + Delete is no good, as forensic tools will be able to recover the data. Use the secure-delete suite of tools to delete data securely. I added an alias for my rm command so I never accidentally use plain 'rm' instead of 'srm'.

alias rm='srm -rv'

By default this overwrites each file 38 times before deleting it :D. It's probably overkill, so I'd recommend doing something like srm -rfvl filename (the -l does just 2 passes instead of 38) and doing an rm filename at the end of every project.

f) I also plan to read up on the other tools that the secure-delete suite offers and run those to clean up my RAM (run sdmem -v as root) and fill up all my unused space with random data (run sfill -v MountPoint as root; you can identify your mount points either by running the mount command, or by running df -kh and looking at the Mounted On column). This is needed because I've been deleting insecurely for a long time now. As of now, I also plan to never delete from Nautilus, because adding commands to its context menus using various guides is proving to be an utter pain.

g) I formatted all my flash drives and created a Truecrypt volume on the only flash drive that I plan to use to store customer data. So even if the flash drive gets lost, the data is still reasonably hard to get at.