Does anyone know of a good tool to unpack files that have a section .attach or ATTACH? It is used in Sinowal/Torpig and Mebroot (that MBR rootkit).
Usually I run the files and dump them. When it's a .sys -> osrloader and RootkitUnhooker is my combination. But here is my problem: the .sys from Mebroot... I didn't manage to load it in osrloader. That's why I'm asking if there is any tool. Or maybe a few tips on how to do it manually? :) TIA