Stolen bytes, nanomites, PE header erasure, guard page anti-dumping, and the anticipatory unpacking methodology — how to reconstruct a fully functional PE when the packer fights every step of the process.
Sign in to mark this article as read and track your progress.
Standard packers (UPX, ASPack) are defeated by the ESP breakpoint technique. Commercial protectors and custom packers add defences that require more sophisticated approaches. This topic covers the defences themselves and the counter-techniques.
Unpacking defended malware is like picking a bank vault with laser grids, pressure plates, and a guard who changes the combination every hour. You need to know what defences exist before you even approach the door.
Definition: The first few instructions from the OEP are copied into the unpacking stub and executed there. The tail jump jumps past these instructions in the original code, so the dumped file is missing its prologue.
Unpacking stub executes:
PUSH EBP ← stolen from OEP (executed in stub)
MOV EBP, ESP ← stolen from OEP (executed in stub)
SUB ESP, 0x20 ← stolen from OEP (executed in stub)
JMP [actual_OEP+3instructions] ← tail jump skips the stolen bytes
Result after dump:
OEP address:
SUB ESP, 0x20 ← WRONG — first 2 instructions missing
[rest of code]
The dumped file crashes immediately because the function prologue is incomplete.
Bypass:
Definition: Conditional jump instructions in the original code are replaced with INT 3 (0xCC) opcodes. An encrypted lookup table stores the original jump information (opcode, target). At runtime, each INT 3 triggers an exception — the packer''s SEH handler looks up the entry and executes the correct jump.
Original code:
JNZ 0x004012A0 ; normal conditional jump
After nanomite application:
INT 3 ; 0xCC replaces the JNZ
; exception handler looks up: opcode=JNZ, target=0x004012A0
; and transfers control appropriately
A memory dump produces code full of 0xCC bytes instead of conditional jumps — completely unusable without the lookup table.
Bypass:
0xCC with the correct conditional jump instructionThis is time-consuming but systematic. Themida is the primary commercial packer using nanomites.
After unpacking completes, some packers zero the first 0x1000 bytes of the loaded image — destroying the DOS header and PE signature.
; After OEP transfer, packer cleanup code:
lea edi, [image_base] ; start of PE in memory
xor eax, eax
mov ecx, 0x400 ; zero 1024 DWORDs = 4096 bytes
rep stosd ; fill with zeros
Memory dumpers that rely on the PE header to reconstruct the file fail completely.
Bypass:
The packer marks the unpacked memory pages as PAGE_GUARD. Any read access by a memory dumper triggers a STATUS_GUARD_PAGE_VIOLATION exception — handled by the packer to re-encrypt the page before the dumper reads it.
Memory permissions after unpacking:
0x00400000 - 0x00450000: PAGE_EXECUTE_READ | PAGE_GUARD
Bypass:
Rather than reacting to each trick as encountered, anticipate the packer''s behaviour based on its identified family:
Step 1: IDENTIFY
→ Run DIE/PEiD → get packer name and version
Step 2: RESEARCH
→ Search "unpacking [packer] [version] tutorial"
→ Note: stolen bytes? Nanomites? Header erasure? Guard pages?
Step 3: PREPARE
→ Enable ScyllaHide (VMProtect profile)
→ Set _NO_DEBUG_HEAP=1
→ Configure exception passthrough
→ Enable Break on TLS Callback
Step 4: EXECUTE
→ Apply ESP breakpoint technique or VirtualAlloc breakpoint
→ Reach OEP
Step 5: DUMP AND FIX
→ Remove guard pages if present
→ Dump with Scylla before header erasure (if applicable)
→ Restore stolen bytes if needed
→ Fix IAT
Step 6: VALIDATE
→ Open in DIE → should show compiler, not packer
→ Open in PEStudio → entropy < 7.0, full IAT present
→ Run in x64dbg → executes without immediate crash
| Packer | Stolen Bytes | Nanomites | Header Erasure | Guard Pages |
|---|---|---|---|---|
| UPX | No | No | No | No |
| ASPack | Sometimes | No | No | No |
| Themida | Yes | Yes | Yes | Sometimes |
| VMProtect | Yes | Partial | Sometimes | No |
| Custom | Unknown | Unknown | Unknown | Unknown |
For custom packers, apply the methodology iteratively — each defence encountered is diagnosed and bypassed in sequence.
Two advanced techniques that abuse NTFS features to evade AV scanning:
Process Doppelgänging (NTFS transactions):
Process Ghosting (delete-pending state):
Detection: Both techniques are detected by Volatility malfind and pslist/psscan discrepancies. The process exists but its backing file is absent.