DIE and RDG fail to detect Emotet’s custom packer
Dumped Emotet payload
Emotet’s Polymorphic files
Here the PE parsing tool Professional PE Explorer aka Puppy is used to display the DLL exports. Notice how each has a name, ordinal, and relative virtual address (RVA).
Notice the path of rundll32.exe as the main program to load, with the DLL file and ordinal number as its arguments. Make sure you replace these paths with wherever your system32\rundll32.exe and your DLL file are located.
Suspend process on initial DLL Load
In this DLL malware, we see that there are 3 function exports that we can choose to load up.
The file is in working order and runs successfully. We’ve complied with the author’s request in this blog.
Clicking “Show Invalid” takes you here
Notice that there are no obvious clues in the disassembly that this is GetProcAddress. However, the function is small, contains only references to apphelp functions, and is sandwiched between two unrelated thunks in the thunk list, which shows us that this is the GetProcAddress problem.
Note the two modules which have a NO next to them. We have to address these before we reconstruct the IAT.
We take the last 5 digits of the 32-bit address and place them into the OEP box in ImpREc. This is the offset of the OEP.
Make sure to run ImpRec as ADMIN or else your debugged process may not appear in the dropdown. Also make sure you did not close out the process in the debugger.
The code may look like this or it could just be a series of bytes without assembly instructions listed. The final step is shown
The bytes in your program may not be the same but the difference is clear.
Set a hardware breakpoint in the dump
PUSHAD or PUSHAL will be near the top of the disassembly
x64Dbg’s interface is very similar to OllyDbg’s interface.