Dumping processes from memory
A packed file's data cannot be seen in plain sight, but if we let it run, everything is expected to be unpacked in its process space. Our aim is to produce a version of the file in its unpacked state. To do that, we need to dump the whole memory and then extract the executable's process image to a file.
Memory dumping with VirtualBox
We will be using Volatility to dump the process from a suspended VirtualBox image. First of all, we need to learn how to dump the memory of a VirtualBox guest:
- Enable VirtualBox's debug menu:
  - For Windows VirtualBox hosts:
    - Enter a new environment variable named VBOX_GUI_DBG_ENABLED and set it to true. This is shown in the following screenshot:
  - For Linux hosts:
    - Edit /etc/environment as the root user.
    - Add a new entry: VBOX_GUI_DBG_ENABLED=true
    - Execute the command: source /etc/environment
    - Restart VirtualBox if it is already open.
- Run the packed executable in the Windows guest. We are going to run upxed.exe from our GitHub page.
- From the VBoxDbg console...
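The extraction step stated in the introduction (pulling the unpacked process image out of a memory dump and writing it to a file) has one catch worth seeing in code: in memory, sections sit at their virtual addresses, while the section headers still carry the on-disk PointerToRawData values, so a PE parser reading the dumped bytes as a file looks in the wrong place. The example below is added here and is neither the book's code nor Volatility's; it builds a constructed minimal PE32 laid out as it would be in process memory and shows the header fix-up (raw offset := virtual address) that makes the dumped image parseable, using the standard IMAGE_SECTION_HEADER layout and offsets.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def section_headers(image):
    """Return (offset, fields) for every section header in a PE image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size  # section table follows the optional header
    return [(first + i * 40, list(struct.unpack_from(SECTION_FMT, image, first + i * 40)))
            for i in range(nsections)]

def read_section(image, name):
    """Read a section the way a file parser does: via PointerToRawData / SizeOfRawData."""
    for _, f in section_headers(image):
        if f[0].rstrip(b"\0") == name:
            return bytes(image[f[4]:f[4] + f[3]])
    raise KeyError(name)

def fix_dumped_image(image):
    """Rewrite each section header of a memory-dumped image so that raw offset and
    raw size equal VirtualAddress and VirtualSize, i.e. the layout the dump really has."""
    out = bytearray(image)
    for off, f in section_headers(out):
        f[3], f[4] = f[1], f[2]  # SizeOfRawData = VirtualSize, PointerToRawData = VirtualAddress
        struct.pack_into(SECTION_FMT, out, off, *f)
    return bytes(out)

def build_memory_image():
    """Constructed sample (not a real binary): a minimal PE32 as mapped in a process,
    two sections at RVA 0x1000 and 0x2000, headers still holding on-disk raw pointers."""
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF header
    struct.pack_into("<H", img, 0x58, 0x10B)                   # PE32 magic
    struct.pack_into("<II", img, 0x58 + 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, 0x58 + 56, 0x3000)             # SizeOfImage
    sec = 0x58 + 0xE0                                          # first section header
    struct.pack_into(SECTION_FMT, img, sec, b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, img, sec + 40, b".data", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    img[0x1000:0x1010] = b"\xc3" + b"\x90" * 15                # .text content at its RVA
    img[0x2000:0x2010] = b"UNPACKED-STRING!"                    # .data content at its RVA
    return bytes(img)
```

Before the fix-up, reading .data through the headers returns zero bytes from the wrong offset; after it, the unpacked content is where the headers say it is.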