RunPE is a method used mostly in malware to load a binary file from resources and execute it in memory. This is used to bypass heuristics and make the file harder to analyse. Most RunPEs in the wild work the same way:
- Create a new Process
- Unmap the loaded file from memory to create space for the new one
- Write new file into memory
- GetThreadContext
- Set new entrypoint
- SetThreadContext
- ResumeThread
The easiest way to dump this is to hook the "WriteProcessMemory" API and redirect the buffer to a new file. I used an ExceptionHooklib from OpCodeZ to do this job. Improvements could be hooking "ResumeThread" to prevent the malware thread from being executed, or hooking the native APIs which could be used instead of the "normal" ones.
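As an added example (not the author's DLL or OpCodeZ's hook library), this shows what to do with the buffers once a WriteProcessMemory hook has captured them: a RunPE writes the headers at ImageBase and each section at ImageBase + VirtualAddress, so a dump reassembled from those writes is laid out by RVA and its section headers must be realigned before PE tools will parse it as a file. The write log and the toy PE below are constructed for the demonstration; the hypothetical dump_from_writes() stands in for the point where the hook writes "dump.exe".

```python
import struct

def rebuild_image(writes, image_base):
    """Reassemble the buffers captured from WriteProcessMemory into one
    contiguous image, placing each buffer at its offset from image_base."""
    end = max(addr - image_base + len(buf) for addr, buf in writes)
    image = bytearray(end)
    for addr, buf in writes:
        off = addr - image_base
        if off < 0:
            raise ValueError("write below image base: %#x" % addr)
        image[off:off + len(buf)] = buf
    return image

def realign_sections(image):
    """A raw dump is laid out by RVA, not by file offset. Rewrite each
    section header so PointerToRawData/SizeOfRawData match the virtual
    layout; PE tools can then parse the dump as a normal file."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsec):
        hdr = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        vsize, vaddr = struct.unpack_from("<II", image, hdr + 8)
        struct.pack_into("<II", image, hdr + 16, vsize, vaddr)
    return image

def make_toy_pe():
    """Constructed sample: a minimal PE32 header with one .text section at
    RVA 0x1000 (raw offset 0x400 on disk), padded to SizeOfHeaders 0x400."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = b"\0" * 224  # PE32 optional header, contents irrelevant here
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x400,
                                         0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sec).ljust(0x400, b"\0")

# Constructed log of what a RunPE writes: headers at ImageBase, then the
# section body at ImageBase + VirtualAddress (exactly what the hook sees).
IMAGE_BASE = 0x400000
TEXT_BODY = b"\xC3" * 0x200
WRITES = [(IMAGE_BASE, make_toy_pe()), (IMAGE_BASE + 0x1000, TEXT_BODY)]

def dump_from_writes(writes=WRITES, image_base=IMAGE_BASE):
    return bytes(realign_sections(rebuild_image(writes, image_base)))

if __name__ == "__main__":
    with open("dump.exe", "wb") as f:
        f.write(dump_from_writes())
```

A dump produced this way is for static analysis only; import resolution and relocations the loader would normally apply are not redone here.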
How to use this: Choose your injector (in my case the one which I included from -Alex-) and select "Load+Inject". Then choose your target and select the "AntiMalwareHook.dll". The dumped file appears in the same dir as the target file and is called "dump.exe".
Included in Download:
-Source
-Compiled DLL
-DLL Injector by -Alex-
Original site:
Homepage ~ Zer0Flag