
Comments (4)

maddiestone avatar maddiestone commented on July 2, 2024

I could have been more descriptive, but the "sections" mentioned aren't the PE header sections, but the sections processed when unpacking ASProtect. I believe they might be in the IAT table, but I could be misremembering.

from 0days-in-the-wild.

9293746 avatar 9293746 commented on July 2, 2024

(Sample's Sections data for reference, since I didn't realize I could upload pictures: [image])

It seems unlikely that the "sections" would have referred to the IAT, since 1) there's specifically a portion of the headers called "sections" which have page-aligned sizes like the ones mentioned and 2) import addresses are fixed size and thus have no need for a page-sized field in the IAT. (See https://opensecuritytraining.info/LifeOfBinaries_files/2012_LifeOfBinaries2.0.pdf slide 67 and beyond.)

[image]

On the off chance that you meant the RVA/Sizes, e.g. pointing at the IAT section in the OptionalHeader.DataDirectory, I checked that too, and that also doesn't have the specified sizes appearing anywhere.

[image]


9293746 avatar 9293746 commented on July 2, 2024

Out of curiosity I was wondering if ASProtect had some sort of special embedded metadata it used instead of just expecting the executable loader to do its job for it, so I googled how ASProtect works, and came up with this, which shows a .aspack and .adata section within the section headers: https://martinosani.it/2020/02/aspack-manual-unpacking.html (another citation for that expectation here)
The lack of a .aspack or .adata section in the sample makes me suspicious that it's just an issue that the cited sample isn't really ASProtected? Do you think you could re-find the sample you analyzed?

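The two checks 9293746 describes above (listing the section headers and their sizes, and looking at the OptionalHeader.DataDirectory entries) can be reproduced without a PE library. The following is an added example written for this page, not code from the thread or from the 0days-in-the-wild repository: it walks the DOS header, PE signature, COFF header, optional header and section table with `struct`, reports sections whose names match the `.aspack`/`.adata` convention cited for ASPack, returns the IAT directory entry, and searches the headers for a given size value. The PE32 header it parses is constructed inline (three sections, no section bodies) and is not the sample discussed in the thread; the field offsets are the documented PE32/PE32+ layouts from `winnt.h`.

```python
"""Added example (not from the page or the 0days-in-the-wild repo): parse a PE's
section table and DataDirectory with the standard library only, then run the
header checks discussed in the thread.  The header bytes below are constructed."""
import struct
from typing import List, NamedTuple, Tuple

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # winnt.h indices into OptionalHeader.DataDirectory
IMAGE_DIRECTORY_ENTRY_IAT = 12
PACKER_SECTION_NAMES = (".aspack", ".adata")  # section names cited for ASPack-protected binaries


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int


class PEInfo(NamedTuple):
    is_pe32plus: bool
    section_alignment: int
    file_alignment: int
    data_directory: List[Tuple[int, int]]   # (RVA, Size) per directory entry
    sections: List[Section]


def parse_pe(data: bytes) -> PEInfo:
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        nrva_off = opt_off + 92
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase/stack/heap fields push it to +108
        nrva_off = opt_off + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    section_align, file_align = struct.unpack_from("<II", data, opt_off + 32)
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    dirs = [struct.unpack_from("<II", data, nrva_off + 4 + 8 * i) for i in range(nrva)]
    sec_off = opt_off + opt_size   # the section table immediately follows the optional header
    sections = []
    for i in range(nsections):     # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, va, rsize, rptr))
    return PEInfo(magic == 0x20B, section_align, file_align, dirs, sections)


def packer_sections(pe: PEInfo) -> List[str]:
    """Section names matching the .aspack/.adata convention (absence proves nothing by itself)."""
    return [s.name for s in pe.sections if s.name in PACKER_SECTION_NAMES]


def iat_directory(pe: PEInfo) -> Tuple[int, int]:
    """(RVA, Size) of the IAT entry in OptionalHeader.DataDirectory."""
    return pe.data_directory[IMAGE_DIRECTORY_ENTRY_IAT]


def find_size(pe: PEInfo, value: int) -> List[str]:
    """Every header field where a given size value occurs: section sizes or any DataDirectory.Size."""
    hits = [f"{s.name}.VirtualSize" for s in pe.sections if s.virtual_size == value]
    hits += [f"{s.name}.SizeOfRawData" for s in pe.sections if s.raw_size == value]
    hits += [f"DataDirectory[{i}].Size" for i, (_, size) in enumerate(pe.data_directory) if size == value]
    return hits


def build_sample_pe() -> bytes:
    """Constructed PE32 header with a .text/.aspack/.adata layout (hypothetical values, no bodies)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0,                    # Magic, linker version
                      0x1A00, 0x2000, 0,               # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1000, 0x1000, 0x3000,          # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,         # ImageBase, SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,                # OS / image / subsystem versions
                      0, 0x6000, 0x400, 0,             # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8140,                       # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,  # stack/heap reserve and commit
                      0, 16)                           # LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x3000, 0x28)
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (0x3100, 0x40)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)

    def hdr(name, vsize, va, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    secs = (hdr(b".text", 0x1A00, 0x1000, 0x1A00, 0x400, 0x60000020)
            + hdr(b".aspack", 0x2000, 0x3000, 0x2000, 0x1E00, 0xC0000040)
            + hdr(b".adata", 0x1000, 0x5000, 0, 0, 0xC0000040))
    return dos + coff + opt + secs


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe.sections:
        print(f"{s.name:<8} VA={s.virtual_address:#07x} VSize={s.virtual_size:#07x} Raw={s.raw_size:#07x}")
    print("packer sections:", packer_sections(pe))
    print("IAT directory (RVA, Size):", iat_directory(pe))
    print("0x2000 appears in:", find_size(pe, 0x2000))
```

To run it against a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; `find_size(pe, 0x2000)` returning an empty list is the "sizes don't appear anywhere in the headers" result the commenter reports, and `packer_sections(pe)` returning nothing only says the section names are absent, not that no packer is present.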

maddiestone avatar maddiestone commented on July 2, 2024

I've confirmed that the sample (6e1e9fa0334d8f1f5d0e3a160ba65441f0656d1f1c99f8a9f1ae4b1b1bf7d788) is correct for the write-up. If you hook up a debugger to mpengine while scanning the sample, you'll see that after running CAsprotectDLLAndVersion::Unpack within CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects, the sections and sizes are [(0,0), (0,0), (0,2000), (2000,3000)]. Since the values are populated by the Unpack() function, it's probably safe to say there's something custom going on, but I didn't reverse Unpack().

