
Unpacking VMProtect

 ·  ☕ 3 min read  ·  👻 Ahmed Raof

Introduction

Malware is often packed in a way that makes it difficult to understand the code the author wrote. The actors behind it take the time to obfuscate the binary so that nobody can quickly identify what it does and how to stop it. Depending on their skill level, they may use an off-the-shelf packer such as UPX or write their own. In our case the authors used VMProtect but did not configure it properly, which makes the sample comparatively easy to unpack.

My Approach

When it comes to unpacking VMProtect, or most packed malware, there are two methods available.

  • The first uses a sandbox report to find an API the payload calls after it has been unpacked, then sets a breakpoint on that API in a debugger. When the breakpoint hits, the unpacked code is already in memory and can be dumped.
  • The second runs the malware normally, suspends the process with Process Hacker, and attaches a debugger to the suspended process.

First Method Using Sandbox

As I explored the sample on Hybrid Analysis, I noticed that the malware tries to sleep for a long time. So I decided to set a breakpoint on the `Sleep` API call.

 

First, we open the sample in x32dbg and run it until we reach the entry point. From there, we set a breakpoint on `Sleep` and continue until it hits; at that point the unpacked code is in memory and can be dumped. Once we have the dump, we can use VMPImportFixer to resolve the obfuscated API calls that VMProtect leaves in the binary.

The dumped file is larger than the packed sample, and its import directory now lists the resolved APIs.

Second Method

Execute the malware normally, then suspend the process and attach it to x32dbg.

If the sample is an MSVC binary, the entry point will contain boilerplate code (fixed CRT startup code) common to all MSVC binaries. Because this code is common, we can search memory for the default security cookie constant and work back to the original entry point. This lets us set a breakpoint on the entry point and take a cleaner dump of the sample. We cannot use this trick if the binary was not built with MSVC.

 
1️⃣ That is boilerplate code you can find in any MSVC-built binary: the CRT compares the security cookie against its default value. You can compile a 32-bit hello world with Visual Studio and get the same bytes as in the picture. Open the C++ binary in IDA and note the byte sequence 4E E6 40 BB (the little-endian encoding of the default cookie 0xBB40E64E).

 
2️⃣ Go to the .text section, follow in Dump

 
3️⃣ Right click, choose “Find Pattern”, and search for those bytes.


 
4️⃣ Set a hardware breakpoint on the hit. A hardware breakpoint is needed because, when the program is restarted, this memory does not exist yet: it is written by the unpacking stub at runtime, so a software (INT3) breakpoint would simply be overwritten.

 
5️⃣ Finally, rerun the program and it will hit our hardware breakpoint. Check the call stack and we will find the main entry point. Now dump the malware and fix its imports with VMPImportFixer.
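The search in steps 1 to 3 can be done outside the debugger as well. The script below is an added example, not code from the post or from VMPImportFixer: it scans a raw dump of a section (for instance one saved from the x32dbg dump window) for the default MSVC security cookie and tells you which hit is the `cmp eax, imm32` inside the CRT's cookie initialisation, as opposed to the copy of the constant that lives in `.data`. The code hit is the address to put the hardware breakpoint on. The 64-bit default cookie is included as a generalisation of the 32-bit case in the text. The sample bytes and the base addresses `0x401000` and `0x403000` are constructed for the example.

```python
"""Locate MSVC default security-cookie references in a raw section dump."""
import struct

# Default __security_cookie values used by the MSVC CRT before it
# generates a per-process cookie (gs_support.c).
DEFAULT_COOKIE_X86 = 0xBB40E64E
DEFAULT_COOKIE_X64 = 0x00002B992DDFA232


def _immediate_and_prefix(bits):
    """Little-endian cookie bytes plus the opcode that precedes them in code."""
    if bits == 32:
        return struct.pack("<I", DEFAULT_COOKIE_X86), b"\x3d"        # cmp eax, imm32
    if bits == 64:
        return struct.pack("<Q", DEFAULT_COOKIE_X64), b"\x48\xb8"    # mov rax, imm64
    raise ValueError("bits must be 32 or 64")


def pattern_string(bits=32):
    """The byte pattern in the form x32dbg's Find Pattern dialog accepts."""
    imm, _ = _immediate_and_prefix(bits)
    return " ".join(f"{b:02X}" for b in imm)


def find_cookie_refs(data, base=0, bits=32):
    """Return every occurrence of the default cookie in `data`.

    Each hit is a dict with the virtual address ("va"), a "kind" of
    'code' (the immediate of the CRT compare/load, address of the
    instruction start) or 'data' (a raw copy, e.g. the initialised
    __security_cookie variable), and the matched "bytes".
    """
    imm, prefix = _immediate_and_prefix(bits)
    hits = []
    pos = data.find(imm)
    while pos != -1:
        in_code = pos >= len(prefix) and data[pos - len(prefix):pos] == prefix
        start = pos - len(prefix) if in_code else pos
        hits.append({
            "va": base + start,
            "kind": "code" if in_code else "data",
            "bytes": data[start:pos + len(imm)],
        })
        pos = data.find(imm, pos + 1)
    return hits


def breakpoint_candidates(hits):
    """Addresses worth a hardware breakpoint: the code references only."""
    return [h["va"] for h in hits if h["kind"] == "code"]


# Constructed stand-in for a few bytes of an unpacked 32-bit .text section:
# the tail of __security_init_cookie around its default-value compare.
SAMPLE_TEXT_BASE = 0x00401000
SAMPLE_TEXT = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp
    + b"\xa1\x00\x30\x40\x00"        # mov eax, [0x403000]  (made-up cookie address)
    + b"\x3d\x4e\xe6\x40\xbb"        # cmp eax, 0BB40E64Eh   <- the Find Pattern hit
    + b"\x75\x10"                    # jnz short
    + b"\x90" * 8
)

# Constructed stand-in for .data: __security_cookie and its complement.
SAMPLE_DATA_BASE = 0x00403000
SAMPLE_DATA = b"\x00" * 16 + b"\x4e\xe6\x40\xbb" + b"\xb1\x19\xbf\x44"


if __name__ == "__main__":
    print("Find Pattern string:", pattern_string())
    for section, blob, base in (("text", SAMPLE_TEXT, SAMPLE_TEXT_BASE),
                                ("data", SAMPLE_DATA, SAMPLE_DATA_BASE)):
        for hit in find_cookie_refs(blob, base):
            print(f".{section}: {hit['kind']:4} at {hit['va']:#010x} {hit['bytes'].hex(' ')}")
    print("hardware breakpoint on:", [hex(a) for a in breakpoint_candidates(
        find_cookie_refs(SAMPLE_TEXT, SAMPLE_TEXT_BASE))])
```

Point it at the real dump instead of the constructed blobs (`find_cookie_refs(open(path, "rb").read(), base)`), with `base` set to the section's load address shown in x32dbg's memory map, and the `code` hit is where the hardware breakpoint goes in step 4; `data` hits are the initialised cookie variable and are not useful as a breakpoint target.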



Conclusion

In conclusion, unpacking malware can be a challenging task due to the various obfuscation techniques employed by malware authors. However, by employing the appropriate methods, it is possible to reveal the underlying code and understand the functionality of the malware.


Ahmed Raof. AKA 50r4.
WRITTEN BY
Ahmed Raof
📚Learner🤓Nerd🔫reverse engineering👾malware analysis🔒cryptography