-
-
Save spnow/65fb75c11fb006057715cb5d0321b600 to your computer and use it in GitHub Desktop.
ODbgScript for unpacking Zeus malware (ResumeThread)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Generic Zeus malware unpacker (ResumeThread) | |
| // by Miroslav Stampar (@stamparm) | |
| // http://about.me/stamparm | |
| VAR ResumeThread | |
| VAR msg | |
| VAR xname | |
| VAR xloc | |
| VAR xsize | |
| GPA "ResumeThread", "kernel32.dll" // Zeus malware uses ResumeThread method | |
| MOV ResumeThread, $RESULT | |
| GMI eip, NAME | |
| MOV xname, $RESULT | |
| BP ResumeThread | |
| EOB label2 | |
| label1: | |
| ERUN | |
| JMP label1 | |
| label2: | |
| BC ResumeThread | |
| GMEMI edi, MEMORYBASE // EDI holds the memory address of unpacked malware | |
| MOV xloc, $RESULT | |
| GMEMI edi, MEMORYSIZE | |
| MOV xsize, $RESULT | |
| DM xloc, xsize, xname + "_unpacked.exe" | |
| MOV msg, "Unpacked executable has been saved to: '" + xname + "_unpacked.exe'" | |
| MSG msg | |
| RET |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment