Re: unpacking UPX or PE-packed binaries
One of the most important unpacker resource...
Gadi Evron wrote:
> Just interested in how AV R&D companies unpack worms with complex UPX
I myself have not been a reverse engineer for years now, so there are far more
knowledgeable people around who can answer you, but the basic answer
would be - it depends on the packer.
Some are simple scramblers, moving the EP and "jumbling the PE binary"
in layman's terms, so you'd need to find the original EP and follow
things from there. Some use more sophisticated ways such as obfuscation,
anti-debugging code, anti-softice code, etc. That is when things get
Usually there exist unpackers, or such tools are built by the researcher
who is in need.
When one does not exist, in most (uncomplicated) cases, a memory dump
would work fine. There are many online tools to accomplish this.
A third way I can think of right now is the use of an emulator. Usually
full API emulators can be found only in AV labs for limited use. None can
be found for commercial use as far as I know (yet).
When VX-ers pack a sample they just make the AV researcher work a bit
harder. Usually that means 2-4 more seconds of work, so if we follow the
concept of Security by Obscurity, they actually only harm their "cause"
by drawing attention to themselves rather than tackling AV researchers.
In rare cases it takes a bit longer than 4 seconds, and gaining a bit of
time before a signature is out there is all the VX-ers accomplish. That
isn't much and is actually a bad idea, as I hinted above (drawing
attention to the binary).
Lately VX-ers have been using many double and triple-packing techniques.
These don't help them much, but as they learned, about half of the AV
engines out there can't deal with that (or with packed files, in any case,
to begin with).
Which is why in many cases we see an exact duplicate of a sample, only
re-packed with a different packer, declared as a new threat, as some of
the AV engines can't cope with it. Notable exceptions that do deal with
this issue, each to a different level, are: Kaspersky, BitDefender,
DrWeb, McAfee and Norton; among others.
> Been trying to dissect the recent Gaobot variants and getting nowhere
There are 3 to 20 new Agobots coming out every day.. which ones? :)
> my generic UPX-unpacker. Since this is more and more commonly used, I
> thought I would be wise to consult the Lists.
Generic UPX? "upx -d" should work fine. A few reasons why it might not:
it is not a generic UPX-packed file, maybe some tool such as
UPXredir(ect) was used, or maybe the UPX header is broken.. You'll have
to play with it a bit.
Myself, as I already mentioned, I haven't done anything remotely similar
in years and can hardly be called an expert, but I know a couple of guys
who had too much experience in this, such as Nicolas Brulez, Rolf Rolles
and Joe Stewart. Maybe one of them, or someone else, would answer your
question more comprehensively.
For generic UPX I suppose you should have no problem using a memory dump
tool, but again - it all depends on the actual packer used.
On a final note, if I misunderstood you and a sample infected you and
you are just trying to get rid of it.. if you'd like, you can
PGP/GPG/ZIP-passwd the sample to me and I'd get back to you about what
it is and how to get rid of it.
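As an added example, not part of this thread or of UPX itself: a small Python triage that checks whether a PE still has the stock UPX layout (UPX0/UPX1 sections, entry point in UPX1, the "UPX!" marker that `upx -d` looks for), to decide whether "upx -d" is worth trying or whether, as the reply suggests for a broken header, a memory dump is the better route. The sample builder produces a constructed, harmless header-only PE32; the verdict strings and the raw "UPX!" substring check are this example's own simplifications, not UPX's actual validation.

```python
import struct

# Constructed, harmless sample: header-only PE32 with the given section names and
# entry-point RVA, optionally carrying the "UPX!" marker that upx -d checks for.
def make_sample(section_names, entry_rva, upx_magic=True):
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    secs, rva = b"", 0x1000
    for name in section_names:
        raw = 0 if name == "UPX0" else 0x1000  # UPX0 is virtual-only: unpacked code lands there
        secs += struct.pack("<8sIIIIIIHHI", name.encode(), 0x10000, rva, raw, 0x400, 0, 0, 0, 0, 0xE0000040)
        rva += 0x10000
    return dos + b"PE\0\0" + coff + bytes(opt) + secs + (b"UPX!" if upx_magic else b"\0\0\0\0")

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw))
    return entry, sections

def triage_upx(data):
    """Heuristic triage: stock UPX that 'upx -d' can handle, damaged UPX, or something else."""
    entry, sections = parse_pe(data)
    names = [s[0] for s in sections]
    entry_in = next((n for n, va, vs, _ in sections if va <= entry < va + vs), None)
    layout = "UPX0" in names and "UPX1" in names and entry_in == "UPX1"
    magic = b"UPX!" in data  # coarse: real upx -d also validates its l_info/p_info structures
    if layout and magic:
        verdict = "stock UPX: try upx -d"
    elif layout:
        verdict = "UPX layout but marker gone: upx -d will fail, dump from memory"
    else:
        verdict = "not generic UPX: identify the packer first"
    return {"sections": names, "entry_in": entry_in, "upx_magic": magic, "verdict": verdict}
```

A renamed-section file (the UPXredir-style case mentioned in the reply) lands in the third verdict, which is the point: the name heuristic alone does not identify the packer.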