I'm analyzing a malware, the malware decrypt a pe file to memory, like this
I use ollydumpex for x64dbg to dump the memory,
then use IDA to analyze, but it like this
this is a dll, it will be injected to other process. so current process will not load it, so how can I to repaire it?
First thing is OEP. On the screenshot I see EntryPoint (+0x28 to the address of PE\x00\x00 signature) as zero. So, first you need to find where this entrypoint is really located.
So, if you check CreateRemoteThread description:
HANDLE CreateRemoteThread( HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId );
You need argument lpStartAddress. This argument can be located in the line
4015C9 lea eax, dword ptr ds:[ebx+edi]
So, your edi value is 0x3CE0000 (which is ImageBase in another process) and ebx value is 0xB159 (this is EntryPoint RVA). In OllyDumpEx you have to write this value to the EntryPoint field.
Recovering import is a long process of analyzing all calls to the libraries and re-creating IMPORT_DIRECTORY and IAT table. You can write a script for that or use any existing. Another option is patching Scylla (which is open-source project) and adding ability to change ImageBase to some specific value (0x3CE0000 in your case).
Tools like ImpREC (Import Reconstructor) and Scylla are not suitable here without patch. The real problem here is that your DLL is not loaded like normal DLL. So, you can't select it with 'Pick DLL' in the ImpREC/Scylla.
But you can make some hack. Create 2 empty project - DLL, and EXE that loads a DLL. In exe load your DLL and after that write infinite loop like this:
#include <stdio.h>
#include <Windows.h>
int main() {
HANDLE hLib = LoadLibraryA("someDll.dll");
DWORD old;
// this will make your DLL writable.
VirtualProtect((DWORD)hLib, 0x3C414, PAGE_EXECUTE_READWRITE, &old);
DWORD pid = GetProcessId(GetCurrentProcess());
char addressBuffer[64];
sprintf(addressBuffer, "ImageBase: %#x\nPID: %#x", (DWORD)hLib, pid);
MessageBoxA(NULL, addressBuffer, "Donor DLL address", MB_OK);
for (;;) Sleep(1000);
return 0;
}
I recommend you to add some big data object to your DLL. This DLL will be a donor for your malware. Just add int bigData[0x3C414]; somewhere outside of functions (functions data will be placed on the stack, but you need a big main module memory). I get 0x3C414 from EBP value as size of malware.
Now run this application and read ImageBase and PID from the messagebox. Then trace to the OpenProcess and replace third argument (dwProcessId) with PID of your application. Then trace to the line like in the screenshot, replace second argument with ImageBase and execute WriteProcessMemory. That's all! You can now restore IAT with ImpREC or Scilla. Just open your process and pick DLL someDll.dll. Type 0xB159 as EntryPoint/OEP and click IAT AutoSearch, then Get Imports and Fix dump. Good luck!
