Last active: November 9, 2017 02:29
ODbgScript for unpacking Zeus malware (ResumeThread)
// Generic Zeus malware unpacker (ResumeThread)
// by Miroslav Stampar (@stamparm)
// http://about.me/stamparm
VAR ResumeThread
VAR msg
VAR xname
VAR xloc
VAR xsize
GPA "ResumeThread", "kernel32.dll" // Zeus malware uses ResumeThread method
MOV ResumeThread, $RESULT // address of kernel32!ResumeThread
GMI eip, NAME // name of the module currently executing, used for the output file name
MOV xname, $RESULT
BP ResumeThread // break when the packer resumes the thread that runs the unpacked image
EOB label2 // when the breakpoint is hit, continue the script at label2
label1:
ERUN
JMP label1 // keep running (passing exceptions to the debuggee) until the breakpoint is hit
label2:
BC ResumeThread // remove the breakpoint
GMEMI edi, MEMORYBASE // EDI holds the memory address of unpacked malware
MOV xloc, $RESULT
GMEMI edi, MEMORYSIZE // size of the memory block that contains the unpacked image
MOV xsize, $RESULT
DM xloc, xsize, xname + "_unpacked.exe" // dump the whole block to disk
MOV msg, "Unpacked executable has been saved to: '" + xname + "_unpacked.exe'"
MSG msg
RET
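The DM line above writes a raw memory block to disk, so the first thing an analyst wants to know is whether that block really starts with a PE image and whether its section table still describes the on-disk layout (raw pointers differing from virtual addresses), in which case static tools will misplace sections until the alignment is fixed. The following Python helper is an added check, not part of the gist; the minimal PE image it builds as sample input is constructed for the test and is not a real sample.

```python
import struct

def check_dump(data: bytes) -> dict:
    """Sanity-check a memory dump such as the <name>_unpacked.exe file written by DM.
    Returns 'valid', the COFF machine type, the section list as (name, VA, raw pointer)
    and 'memory_aligned', True when every raw pointer equals its VA (headers already
    describe the in-memory layout); False means the dump still carries file-layout
    raw pointers and needs its sections realigned before static analysis."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"valid": False, "reason": "no MZ signature"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte PE signature followed by the 20-byte COFF file header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"valid": False, "reason": "no PE signature"}
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = sec_off + i * 40                   # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            return {"valid": False, "reason": "section table truncated"}
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, _rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, rawptr))
    aligned = all(va == rawptr for _, va, rawptr in sections)
    return {"valid": True, "machine": machine, "sections": sections, "memory_aligned": aligned}

def build_sample_dump(memory_aligned: bool) -> bytes:
    """Constructed minimal 32-bit PE header (test input only, not real malware)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = b"\0" * 0xE0                           # optional header contents are not inspected
    secs = b""
    for name, va in ((b".text", 0x1000), (b".data", 0x2000)):
        rawptr = va if memory_aligned else va // 8   # file-aligned dumps use smaller raw offsets
        secs += name.ljust(8, b"\0") + struct.pack("<IIII", 0x200, va, 0x200, rawptr) + b"\0" * 16
    return dos + coff + opt + secs

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(check_dump(f.read()))
```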