Challenge 36: Runtime Unpacking Evasion
Objective
Use a packer that unpacks the payload into a new memory allocation at runtime. The EDR only analyzes the initial PE on disk — it never re-scans process memory after execution starts.
Prerequisites
edr_agent.exe --signatures signatures/malware_hashes.txt --verbose --no-kill
Scanner Behavior
Rule 9 runs once when a new process is detected. It reads the on-disk PE image:
let pe = analyzePeStructure(info.imagePath)
After the process starts running, the EDR never re-examines its memory. The unpacker stub (clean on disk) passes all checks, then decrypts and executes the real payload in memory.
Rules
- Create a stub that loads encrypted payload from its
.datasection - At runtime, allocate new memory, decrypt the payload, and jump to it
- The stub binary must have normal section names and no RWX sections on disk
- Rule 9 and Rule 6 must both not trigger
Hints
Hint 1
UseVirtualAlloc with PAGE_READWRITE, decrypt payload, then VirtualProtect to PAGE_EXECUTE_READ. The on-disk PE never has RWX.
Hint 2
The key insight: the EDR checks files, not memory. After the process is running, it canVirtualAlloc new memory, write anything there, and execute it — the EDR will never know.
MostShittyEDR