Malwares will sometimes run shellcode directly in memory . The common method to do that is first use VirtualAlloc to allocate memory with the right permissions . Then the malware will use RtlMoveMemory to write the shellcode to the allocated space . Then it will create thread to pass the control to that location
To extract the shellcode we can use api hooks . Basically set a breakpoint at any of the API call . I will use x64dbg . You can use any other application if you want . Load the executable to x64dbg . Go to symbols . Search for VirtualAlloc . Set a breakpoint and execute till return .
VirtualAlloc will return the address of the allocated memory . It will be in the rax/eax register . This is the address where you will find the shellcode
Set a breakpoint at CreateThread function call . The third argument will be the address of the memory where we copied the shellcode
Follow the address in dump. Well thats where the shell code is
Lets compare the shellcode found in memory with the shellcode in the source . The first three bytes are DA CB BB .
Yes it matches . This method can be used to extract unpacked/decrypted executables in memory .
