Re: unpacking UPX or PE-packed binaries

From: Blue Boar (BlueBoarthievco.com)
Date: Thu Apr 22 2004 - 23:11:18 CDT


Karma wrote:
> Just interested in how AV R&D companies unpack worms with complex UPX and PE
> pack protocols.

The modified UPX packing is a pretty small change usually. Compare one
with a standard UPX header for the same version. There are a variety of
unpackers out there. Take a look at the X86emu work by Chris Eagle for an
interesting direction that unpackers might be taking:
http://ida-x86emu.sourceforge.net/

Worst case, you've always got the option to carefully step through it with
a debugger to the point where it's unpacked. You may have to deal with a
few anti-debugger tricks along the way, and once you've got a few unpacked
segments, you'll probably have to manually put the import table back
together, but it's doable. I like Ollydbg for this kind of thing:
http://home.t-online.de/home/Ollydbg/

Just take care that you're running in a sandbox of some kind, in case you
step too far, or accidentally press the "run" key.

                                                BB
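Blue Boar's first suggestion, comparing a suspect binary's UPX layout with a stock UPX build, as an added example that is not part of the original thread: a small Python PE section-table parser that reports whether the stock UPX fingerprint (UPX0/UPX1 section names plus the "UPX!" marker) is intact or has been altered. The section-layout heuristic, the "stock-upx"/"modified-upx"/"not-upx" labels and the `build_pe` fixture are assumptions of this example, not anything from the post.

```python
import struct

UPX_MAGIC = b"UPX!"               # marker written by stock UPX into its packheader
STOCK_NAMES = [b"UPX0", b"UPX1"]  # section names stock UPX gives a packed PE


def pe_sections(data: bytes):
    """Return (name, virtual_size, raw_size) for every section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0] # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                            # section table start
    out = []
    for i in range(nsec):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0"), vsize, rsize))
    return out


def classify_upx(data: bytes) -> str:
    """Heuristic (assumed): stock UPX keeps its names and marker; a modified UPX keeps
    the layout (empty first section reserving room for the unpacked image, packed
    data in the second) but renames sections or patches out "UPX!"."""
    secs = pe_sections(data)
    names = [s[0] for s in secs]
    has_magic = UPX_MAGIC in data
    layout_ok = (len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > 0 and secs[1][2] > 0)
    if names[:2] == STOCK_NAMES and has_magic:
        return "stock-upx"
    if layout_ok:
        return "modified-upx"
    return "not-upx"


def build_pe(names, rsizes, vsizes, tail=b""):
    """Constructed minimal PE32 image for testing; not a real or runnable binary."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt = b"\0" * 0xE0                                          # zeroed optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, v, 0x1000 * (i + 1), r, 0, 0, 0, 0, 0, 0)
                    for i, (n, v, r) in enumerate(zip(names, vsizes, rsizes)))
    return dos + coff + opt + secs + tail
```

Run `classify_upx` over a real sample and, if it reports "modified-upx", diff the section names and the bytes around where "UPX!" would sit against a file packed with the same UPX version, as the post suggests.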