Unpacking the Local-App-Wizard packer

On this glorious Saturday night we’re going to go over how to unpack the ‘Local-App-Wizard’ packer.

The packer works by creating a suspended copy of its own process (CreateProcess with CREATE_SUSPENDED), hollowing that process out and mapping fresh memory in its place with memory-mapped files, writing the unpacked version of itself into the new process with WriteProcessMemory, and finally calling ResumeThread so the unpacked binary runs. Because the unpacked binary never touches disk, you can’t just run the app and grab the file it drops; there is no such file. Instead, you have to catch the unpacked image in memory after the packer has written it but before the suspended thread is resumed, which in practice means breaking on WriteProcessMemory and ResumeThread and dumping from there.

I don’t really know where this packer comes from, but one can always tell when it is in use by the identifying string in the packed binary: “Local App-Wizard-Generated Applications”.
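The dump-and-rebuild step described above, as an added example that is not code from the gironsec post. It assumes you have a debugger breakpoint on WriteProcessMemory that logs each call as (lpBaseAddress, the nSize bytes at lpBuffer) and that you stop at ResumeThread before the hollowed process runs; the script then replays those writes into one virtual image, patches ImageBase to the address the packer actually used, and moves the sections back from their virtual addresses to their raw file offsets so a disassembler can load the result. It also folds in a check for the identifying string from the paragraph above. The minimal PE32 sample, the host base address 0x10000000 and all function names are constructed for illustration and are not from the packer or the post.

```python
import struct

# The string the post says identifies the packer in the packed binary.
MARKER = b"Local App-Wizard-Generated Applications"


def is_local_app_wizard(data):
    """Cheap triage check for the marker string quoted in the post."""
    return MARKER in data


def pe_header_offset(data):
    """Offset of the 'PE\\0\\0' signature, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe


def parse_pe(data):
    """Read the header fields needed to lay an image out either way."""
    pe = pe_header_offset(data)
    if pe is None:
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                    # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                               # PE32: 32-bit ImageBase
        base_field = (opt + 28, "<I")
    elif magic == 0x20B:                             # PE32+: 64-bit ImageBase
        base_field = (opt + 24, "<Q")
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []  # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, vsize, rptr, rsize))
    return {"image_base": struct.unpack_from(base_field[1], data, base_field[0])[0],
            "base_field": base_field, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def rebuild_image(writes):
    """Replay captured (lpBaseAddress, bytes) writes into one virtual image.
    Returns (base, image); base is where the packer really wrote the headers,
    which need not equal the preferred ImageBase stored in them."""
    hdr_writes = [(a, d) for a, d in writes if pe_header_offset(d) is not None]
    if not hdr_writes:
        raise ValueError("no captured write carries a PE header; dumped too early?")
    base, hdr = min(hdr_writes)                      # lowest MZ/PE write = image base
    info = parse_pe(hdr)
    image = bytearray(info["size_of_image"])
    for addr, data in writes:
        off = addr - base
        if 0 <= off < len(image):
            n = min(len(data), len(image) - off)     # clip writes past the image
            image[off:off + n] = data[:n]
    pos, fmt = info["base_field"]
    struct.pack_into(fmt, image, pos, base)          # make the dump self-consistent
    return base, bytes(image)


def unmap_image(image):
    """Move sections from VirtualAddress back to PointerToRawData (file layout)."""
    info = parse_pe(image)
    hdr_len = info["size_of_headers"]
    out = bytearray(max([hdr_len] + [r + s for _, _, _, r, s in info["sections"]]))
    out[:hdr_len] = image[:hdr_len]
    for _, va, _, rptr, rsize in info["sections"]:
        if va < len(image):
            n = min(rsize, len(image) - va)
            out[rptr:rptr + n] = image[va:va + n]
    return bytes(out)


def build_sample_pe(image_base=0x400000):
    """Constructed minimal PE32 (.text + .data) standing in for the unpacked payload."""
    text = b"\x55\x89\xe5\x31\xc0\x5d\xc3"           # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)               # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes

    def sect(name, vsize, va, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, 0x200, rptr, 0, 0, 0, 0, chars)

    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    body = coff + bytes(opt) + sect(b".text", len(text), 0x1000, 0x200, 0x60000020) \
        + sect(b".data", len(MARKER), 0x2000, 0x400, 0xC0000040)
    hdr[0x44:0x44 + len(body)] = body
    return bytes(hdr) + text.ljust(0x200, b"\0") + MARKER.ljust(0x200, b"\0")


def demo(host_base=0x10000000):
    """Simulate the packer's writes into a hollowed host and recover the file."""
    original = build_sample_pe()
    info = parse_pe(original)
    # Constructed WriteProcessMemory log: headers first, then each section's raw
    # bytes at its virtual address inside the host (what the breakpoint would record).
    writes = [(host_base, original[:info["size_of_headers"]])]
    writes += [(host_base + va, original[rptr:rptr + rsize])
               for _, va, _, rptr, rsize in info["sections"]]
    base, image = rebuild_image(writes)
    return original, unmap_image(image), base
```

Calling demo() returns the constructed payload, the rebuilt file-layout dump and the base the packer wrote to; the dump is byte-identical to the payload except for the ImageBase field, which now reflects where the hollowed host actually held it. The script leaves the import directory alone: if a packer resolves imports itself instead of leaving a proper import table behind, you still need an import reconstructor on top of this.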

Read the full post: http://www.gironsec.com/blog/2014/05/unpacking-the-local-app-wizard-packer/
