
LabZero

Hello everyone


It's been a long time since I last wrote an article on MA, but I decided to explore some important concepts for analyzing malware.

"Understanding packers and detecting a packed file" is a topic covered by @kram7750 in this thread: http://malwaretips.com/threads/malware-analysis-6-understanding-packers-and-detecting-a-packed-file.42356/

I will talk about unpacking.


Manual unpacking is definitely the most complex thing to learn. Although a malware can sometimes be made much harder to analyze by a packer, it is much easier to explain the theory behind a malware than to explain how a packer works. This is primarily for two reasons. First, unpacking requires knowledge of a wider range of subjects: it is not enough to understand machine code and know how to debug. In addition, the term "packer" is very generic. Packers implement all sorts of anti-reversing techniques, and not even an entire book would suffice to explain them all in detail.

I will try to make myself understood even by those who don't have a clue what a packer is. However, it is useless to deny that you have to put in effort, and not just read this introduction. Make no mistake: even though there are other threads, this article represents the real end of our route. If you understand what follows, you'll learn all the rest without difficulty, and it will update your knowledge base on packers. Here, we consider the article on manual unpacking the culmination of that knowledge. To write this introduction I had little time, guys. It is a very busy period for me. However, this lack of time fits well with the type of article I am writing. Given the amount of knowledge that unpacking requires, I will provide only a general understanding and point you towards other articles for the individual topics.

As mentioned, the term "packer" is very generic, so giving a precise definition is not very meaningful. In other words, it is used for protection. Executables on Windows (there are packers for other platforms too, but not many) are, for example, EXE, DLL and SYS files. Executables on Windows, although they have different extensions, are all Portable Executables. The Portable Executable, or PE for short, is a file format, and 90% of reversing a packer relies on knowing this format. Before speaking of the PE, let me tell you in two words what is generically meant by the term "packer".

The term "packer" means a program that:


Compresses (and, if it encrypts, it is called a "crypter") data, such as the code within an executable.

Adds a piece of code at the end of the executable.

Changes the Entry Point of the executable so that its own code runs on startup.



The code added by the packer, when run, decompresses the data and then jumps to the original executable code, allowing normal execution. Protectors, even if they use a compression algorithm, typically add so much data of their own that the protected executable is much larger than the original.

Surely you have noticed that I introduced the term "Entry Point". An executable format like the PE has to tell the operating system's loader the location within the executable file where the code to run starts. This location is called the entry point, in short: EP. After the packer's code has run, it jumps to the entry point of the original code, which, in reversing terminology, is called the Original Entry Point: OEP. Remember EP and OEP, because they are two fundamental terms.

The information about the location of the entry point is stored in a structure within the PE format, and it is from here that you begin.
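To make the three points above and the EP concept concrete, here is an added example of mine (not code from the original post): it builds two constructed, header-only PE32 images with the standard library, reads AddressOfEntryPoint from the optional header, finds the section that contains it, and applies two common packed-file indicators (EP in the last section, EP section writable). The section names, RVAs and the ".stub" label are made-up test data; the two indicators are heuristics, not a definitive test.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

OPT_HEADER_SIZE = 224  # size of a PE32 optional header


def build_pe(sections, entry_rva):
    """Build a minimal, header-only PE32 image (constructed test data, not a
    real executable): DOS header, PE signature, file header, optional header
    and section table. `sections` is a list of
    (name, virtual_address, virtual_size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                              OPT_HEADER_SIZE, 0x0102)
    # Magic, linker versions, three sizes, then AddressOfEntryPoint at offset 16.
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    opt += b"\x00" * (OPT_HEADER_SIZE - len(opt))
    table = b""
    for name, va, vsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             vsize, va, 0, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\x00\x00" + file_header + opt + table


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) by walking the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i      # IMAGE_SECTION_HEADER entries
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "characteristics": chars})
    return entry_rva, sections


def entry_point_report(data):
    """Locate the EP and apply two common packed-file indicators."""
    entry_rva, sections = parse_pe(data)
    owner = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + s["vsize"]), None)
    in_last = owner is not None and len(sections) > 1 and owner is sections[-1]
    writable = owner is not None and bool(owner["characteristics"] & IMAGE_SCN_MEM_WRITE)
    return {
        "entry_rva": entry_rva,
        "section": owner["name"] if owner else None,
        "in_last_section": in_last,
        "entry_section_writable": writable,
        "suspicious": in_last or writable or owner is None,
    }


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0xC0000040  # initialized data, read, write
CODE_WX = CODE | IMAGE_SCN_MEM_WRITE

# Constructed sample 1: a normal layout, EP inside .text.
ORIGINAL = build_pe([(".text", 0x1000, 0x2000, CODE),
                     (".data", 0x3000, 0x1000, DATA)], entry_rva=0x1400)

# Constructed sample 2: the layout the post describes after packing, an extra
# section appended at the end and the EP moved into it; .text is writable
# because the packer's code must write the unpacked code back into it.
PACKED = build_pe([(".text", 0x1000, 0x2000, CODE_WX),
                   (".data", 0x3000, 0x1000, DATA),
                   (".stub", 0x4000, 0x0800, CODE_WX)], entry_rva=0x4010)

if __name__ == "__main__":
    for label, image in (("original", ORIGINAL), ("packed", PACKED)):
        print(label, entry_point_report(image))
```

On a real file you would read the bytes from disk and pass them to entry_point_report; the point to take away is that the EP the loader uses is just the AddressOfEntryPoint field, and the section that owns it tells you whether you are looking at the program's own code or at something appended later.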

Well, as I said, this is just a brief introduction to the subject, which I will cover in more detail in the next thread.

Regards, Klipsh. :)