Source: OST "Malware Reverse Engineering"
Goal: To study and walk through this tutorial very diligently (and loop over this process to infinity and beyond)

Background:
• Packers were first created at a time when network bandwidth was expensive
• UPX was a cheap way to obscure identifiable strings from Anti-Virus
• As an added bonus, it increased the complexity of analysis

Packing Process:
• Packers progressed to Executable Protectors, which use additional Anti-Analysis tricks
The Unpacking Stub:
• The code and data are decoded
Detecting Packers:
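As an added example that is not part of the course notes or of this post: a small Python script that applies common on-disk packer indicators to a PE image, namely UPX-style section names, a section that is empty on disk but large once mapped (where the stub unpacks into), and section contents with near-random byte entropy (compressed or encrypted payloads). The 7.0 bits-per-byte threshold, the section-name list, and the two constructed sample images are assumptions chosen for illustration, not values from the page.

```python
import math
import random
import struct

# Section names that well-known packers leave behind (UPX is the one the notes mention);
# this list is an assumption for illustration and is not exhaustive.
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".upx"}
HIGH_ENTROPY = 7.0  # assumed threshold: compressed or encrypted data approaches 8 bits/byte


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte over buf (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes):
    """Walk the PE section table: yields (name, raw_offset, raw_size, virtual_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(nsections):
        name, vsize, _vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0"), roff, rsize, vsize


def packer_report(data: bytes) -> list:
    """One dict per section carrying the indicators a triage script would look at."""
    report = []
    for name, roff, rsize, vsize in pe_sections(data):
        ent = shannon_entropy(data[roff:roff + rsize])
        report.append({
            "name": name,
            "entropy": round(ent, 2),
            "raw_size": rsize,
            "virtual_size": vsize,
            "known_packer_name": name in KNOWN_PACKER_SECTIONS,
            "high_entropy": rsize > 0 and ent >= HIGH_ENTROPY,
            # zero bytes on disk but a large mapped size: room for the stub to unpack into
            "empty_but_mapped": rsize == 0 and vsize > 0,
        })
    return report


def looks_packed(report: list) -> bool:
    return any(s["known_packer_name"] or s["high_entropy"] or s["empty_but_mapped"]
               for s in report)


def build_sample(sections) -> bytes:
    """Constructed PE skeleton (DOS stub, COFF header, section table, section data).
    It carries no optional header and is not loadable; it only exercises pe_sections()."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    data_off = pe_off + 4 + 20 + 40 * len(sections)
    headers, payload = b"", b""
    for name, body, vsize in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                               len(body), data_off + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += body
    return dos + b"PE\0\0" + coff + headers + payload


# Constructed samples: an unpacked binary with a repetitive .text, and a UPX-style layout.
PLAIN = build_sample([(b".text", bytes([0x55, 0x8B, 0xEC, 0xC3]) * 64, 256)])
PACKED = build_sample([
    (b"UPX0", b"", 0x8000),                                   # empty on disk, large in memory
    # deterministic pseudo-random bytes stand in for a compressed payload
    (b"UPX1", random.Random(7).getrandbits(8 * 1024).to_bytes(1024, "little"), 0x1000),
])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN), ("packed", PACKED)):
        print(label, "packed?", looks_packed(packer_report(image)))
        for s in packer_report(image):
            print("   ", s)
```

None of these indicators is proof on its own: legitimate installers ship compressed resources, and a protector can rename its sections, so the report is meant as a triage signal that tells you which sections deserve a look in the debugger, not as a verdict.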
Extensions:
• Transformation: Original code is rewritten.
• Bundler: file dropping, with API hooking (to make a multi-file program run as a single file)

Tools:
Automated Unpacking:
Automated unpacking is possible in some cases, but such a procedure has a fixed set of instructions and rules; as a result, it is unlikely to work on every packer. Some heuristics that might be used to detect that an unpacking stub has completed and the original entry point (OEP) has taken over include:
Manual Unpacking:
At times automated unpacking may not succeed, or unpacking may occur in stages interlaced with the software's core code execution. In such cases, you may have to break out your favorite debugger and disassembler.
• Unpacker tail transitions
• Beware of self-modifying code
Dumping Unpacked Code:
Manual unpacking of an executable, as performed in a debugger, leaves the analyst with the original entry point code in memory. Although further analysis could be performed in this state, the ideal case is to create a new file that can be analyzed in a disassembler. IDA Pro has a memory dump feature; although useful, it stores the data in a format that is unusable by other tools. OllyDump is a plug-in available for OllyDbg which can:
Other Tools:
Author: Vitali Kremez
Archives: September 2016