Some malware creators use custom packers, but commercial and open-source packers are also used. It is possible to automate the evaluation of packed code. The packing tool embeds its stub into the executable during the packing process, so if you can determine the tool used to pack the code, you may be able to use the same tool to extract the original file.

The best (and quickest) way to unpack packed malware is to use a tool. Exeinfo PE is one such tool: it analyzes the code to determine whether it has been packed, and it can often identify the packer used as well. UPX is one commonly used packer that includes an unpacking feature. If the malware was packed using UPX, you can use the tool's command line to unpack the malware code and then analyze it further with a reverse engineering tool. A command line example is given below, based on a file named packed.exe:

Running that command unpacks packed.exe and creates a new file named unpacked.exe. You can then load the unpacked malware file into a debugger such as Ollydbg for further analysis.

There are also manual ways to analyze the malware. One way to begin the malware analysis process is to run the strings command to examine the strings associated with the malware. However, packed code contains no identifiable strings. Also, as stated earlier, the original entry point is concealed in the packed file. Knowing the original entry point is important to any analyst trying to analyze the code, since it is how they will be able to recover the original code. The IAT is used by a running program to reference the functions it needs in order to run properly; in packed files the IAT information is obfuscated, which makes disassembly difficult. This is another challenge for malware analysts. While in Ollydbg, you can manually evaluate the code.
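The triage side of what the text describes, as an added example that is not from the original post: a small Python script that reads a PE image and reports the clues an analyst looks for before unpacking (UPX section names, the size of the import directory that backs the IAT, and a `strings`-style count). The `build_fake_pe` helper and the two sample images are constructed here only so the script runs offline; a real sample would be read from disk instead.

```python
import re
import struct
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names the UPX packer writes

def printable_strings(data: bytes, min_len: int = 4) -> list:
    # Rough equivalent of `strings`: runs of printable ASCII at least min_len long.
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def _pe_header(data: bytes) -> int:
    # Offset of the "PE\0\0" signature; e_lfanew sits at DOS-header offset 0x3C.
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return off

def section_names(data: bytes) -> list:
    # Section table (40-byte entries, 8-byte NUL-padded names) follows the optional header.
    pe = _pe_header(data)
    count, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(count)]

def import_directory_size(data: bytes) -> int:
    # Size of data-directory entry 1 (imports); a packer typically leaves only a tiny stub table.
    pe = _pe_header(data)
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    dirs = pe + 24 + (96 if magic == 0x10B else 112)  # directory array offset: PE32 vs PE32+
    return struct.unpack_from("<II", data, dirs + 8)[1]

def packer_indicators(data: bytes) -> dict:
    # Triage summary of the clues described above, read straight from the image.
    names = section_names(data)
    return {"packer_sections": sorted(n.decode() for n in names if n in UPX_SECTIONS),
            "import_dir_size": import_directory_size(data),
            "string_count": len(printable_strings(data))}

def build_fake_pe(names: list, import_size: int, body: bytes) -> bytes:
    # Constructed minimal PE32 (headers plus a body), only so the demo runs offline.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, 0x2000, import_size)  # import directory RVA, size
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body

# Constructed samples: a UPX-style image with an opaque body, and a plain one whose body holds import names.
PACKED = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], 0x28, bytes((i * 37 + 11) % 256 for i in range(2048)))
UNPACKED = build_fake_pe([b".text", b".rdata", b".data"], 0x1F4,
                         b"kernel32.dll\0CreateFileA\0WriteFile\0" * 32)
```

On the packed sample the only strings recovered are the section names themselves, which is exactly the "no identifiable strings" symptom the text describes; on the unpacked sample the import names reappear and the import directory is no longer a stub.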