Skip navigation.
Home

.attach packer

|

does anyone know of a good tool to unpack files that have a section .attach or ATTACH? it is used in sinowal/torpig and mebroot(that mbr rootkit).
usually I run the files and dump them. when it's a .sys -> osrloader and RootkitUnhooker is my combination. but here is my problem: the .sys from mebroot.. I didn't manage to load it in osrloader.. that's why I'm asking if there is any tool. or maybe a few tips on how to do it manually? :) TIA

Usually,section names can...

...pretty much be renamed at your wish,
and the pe executable will still execute just fine,
unless the 'protector' of the crap in question above,
does some weird self-checking...
Personally,I'd start with a generic unpacker,
like ap0x's RL!dePacker or alternatively Quick Unpack 2.0...