How to unpack software that used an unknown packer?

I'll try to answer as well as I can, but you are asking for something that is so broad, I'm afraid that I can't answer everything.

Unpacking is the action of removing the protection layers used by malware in order to reach its core payload. When a malware is packed, everything looks scrambled and messy, and you can't really see (from a static point of view) what the payload is doing. Try to see it like an "armor" around the malware, only here to slow down your analysis (and mess with AV products performing static detection). If you find a sample that is packed, you generally don't have any clue on what the malware inside this 'protection' is nor what it's doing, unless you unpack it.

A simple debugger can help you unpack the majority of packers. Sometimes you'll also find automated unpacker scripts for well-known packers (standalone or compatible with your debugger, or even a static unpacker). Sometimes the packer is open-source, and contains unpacking capabilities. You also have some online services that are able to unpack stuff for you (thinking about unpacme). The rule is simple: if the malware is running (meaning that it is able to unpack itself at runtime and execute its core payload), you will always have the ability to trace everything and examine its behavior. What is important is not 'can I do it manually' - the answer will only be 'yes' - but 'how much time can I spend on this?' or 'is the complexity level worth my time?'.

After a bit of experience, you'll find that common packers are designed in the same way, and are using the same techniques. You'll always find a new clever technique from time to time, but the philosophy behind it will stay the same.
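As an added illustration (not part of the answer above), the following Python script shows the statistical side of "everything looks scrambled from a static point of view": a byte-entropy triage heuristic applied to a constructed stand-in for a packed sample, compared with the same image after the stub has run. The payload bytes, the XOR-keystream "packer" and the 7.0 bits/byte threshold are all constructed for the demo, not taken from any real packer.

```python
import math
import random
from collections import Counter

# Constructed stand-in for an unpacked payload image: repetitive,
# code-and-string-like bytes with low entropy (not a real executable).
PAYLOAD = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 8
           + b"Hello from the core payload\x00") * 100

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0
    for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def toy_pack(payload: bytes, seed: int = 1337) -> bytes:
    """Constructed stand-in for a packer's output: the payload XORed with
    a fixed-seed keystream, so the on-disk bytes look scrambled."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(len(payload)))
    return bytes(p ^ k for p, k in zip(payload, key))

def toy_unpack(packed: bytes, seed: int = 1337) -> bytes:
    """What the stub does in memory when the sample runs (XOR inverts itself)."""
    return toy_pack(packed, seed)

def looks_packed(image: bytes, threshold: float = 7.0) -> bool:
    """Triage heuristic: an image whose entropy approaches 8 bits/byte is
    likely compressed or encrypted. 7.0 is a rule of thumb, not a standard."""
    return shannon_entropy(image) > threshold

def triage(static_image: bytes) -> dict:
    """Compare the static (on-disk) view with the image after unpacking."""
    runtime_image = toy_unpack(static_image)
    return {
        "static_entropy": round(shannon_entropy(static_image), 2),
        "static_looks_packed": looks_packed(static_image),
        "runtime_entropy": round(shannon_entropy(runtime_image), 2),
        "runtime_looks_packed": looks_packed(runtime_image),
    }

if __name__ == "__main__":
    for name, value in triage(toy_pack(PAYLOAD)).items():
        print(f"{name}: {value}")
```

Real packers also shrink or strip the import table and leave only a small stub section, so entropy is one signal among several rather than a verdict on its own.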