Now that we have an executable file from Volatility, running this back in our Windows guest sandbox gives us the following message:
Remember that the packed executable has its own PE header and stub and not that of the original host's. The header, stub and compressed data were directly mapped to the process space. Every API function was dynamically imported. Even with the code and data decompressed, the entry point set in the header is still of the packed executables and not of the original hosts.
Fortunately, x86dbg has a plugin known as Scylla. After reaching the original entry point, which means we are in the unpacked state, we can rebuild the process being debugged into a brand new executable file. The new executable file is already unpacked and can be executed alone.
This still requires us to debug the packed executable until we reach the original entry point (OEP). Once at the OEP, open up Scylla from the plugins' drop-down menu. This should open up the Scylla window, as shown in the following example:
The active process is already set to the upxed.exe process. The OEP is also set to where the instruction pointer is. The next thing to do is click on IAT Autosearch to make Scylla parse the process space and locate the most probable import table. This fills up the VA and Size fields in the IAT info frame with the probable import table location and size. Click on Get Imports to make Scylla scan for the imported library and API functions. This is shown in the following screenshot:
Expand one of the libraries and it will show the API functions it found. Now, under the Dump frame, click on the Dump button. This brings up a dialog that asks where to save the executable file. This simply dumps the executable file's process. We still need to apply the IAT info and imports. Click on Fix Dump and open the dumped executable file. This produces a new file with the _SCY appended to the file name, as shown in the following screenshot:
Running this new executable file should give us the same result as the original host's behavior.
In Volatility, we did not have enough information to reconstruct the executable file. Using x86dbg and Scylla, though requiring us to get past debugging the packer stub, we were able to have a reconstructed executable file.