[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: unpacking UPX or PE-packed binaries

One of the most important unpacker resource...



Gadi Evron wrote:

Just interested in how AV R&D companies unpack worms with complex UPX and PE
pack protocols.

Myself I am not a reverse engineer for years now, so there are far more knowledgeable people around who can answer you, but the basic answer would be - depends on the packer.

Some are simple scramblers, moving the EP and "jumbling the PE binary" in layman's terms, so you'd need to find the original EP and follow things from there. Some use more sophisticated ways such as obfuscation, anti-debugging code, anti-softice code, etc. That is when things get tricky.

Usually there exist unpackers, or such tools are built by the researcher who is in need.

When one does not exist, in most (uncomplicated) cases, a memory dump would work fine. There are many online tools to accomplish this.

A third way I can think of right now is the use of an emulator. Usually full API emulators can be found only in AV labs for limited use. Non can be found for commercial use as far as I know (yet).

When VX-ers pack a sample they just make the AV researcher work a bit harder. Usually that means 2-4 more seconds of work, so if we follow the concept of Security by Obscurity, they actually only harm their "cause" by drawing attention to themselves rather than tackle AV researchers.

In rare cases it takes a bit longer then 4 seconds, and gaining a bit of time before a signature is out there is all the VX-ers accomplish. That isn't much and is actually a bad idea as I hinted above (drawing attention to the binary).

Lately VX-ers have been using many double and triple-packing techniques. These don't help them much but as they learned, about half of the AV engines out there can't deal with that (or packed files, in any case,m to begin with).

Which is why in many cases we see an exact duplicate of a sample only re-packed with a different packer, declared as a new threat, as some of the AV engines can't cope with it. Notable exceptions who do deal with this issue, each to a different level are: Kaspersky, BitDefender, DrWeb, Mcafee and Norton; among others.

Been trying to disect the recent Gaobot variants and getting no where with

There are 3 to 20 new Agobots coming out every day.. which ones? :)

my generic UPX-unpacker. Since this is more and more commonly used, I
thought I would be wise to consult the Lists.

Generic UPX? "upx -d" should work fine. A few reasons why it might not is because it is not a generic UPX packed file. Maybe some tool such as UPXredir(ect) was used, or maybe the UPX header is broke.. You'll have to play with it a bit.

Myself, as I already mentioned, I haven't done anything remotely similar in years and can hardly be called an expert, but I know a couple of guys who had too much experience in this, such as Nicolas Brulez, Rolf Rolles and Joe Stewart. Maybe one of them, or someone else, would answer your question more comprehensively.

For generic UPX I suppose you should have no problem using a memory dump tool, but again - it all depends on the actual packer used.

On a final note, if I mis-understood you and a sample infected you and you are just trying to get rid of it.. if you'd like you can PGP/GPG/ZIP-passwd the sample to me and I'd get back to you about what it is and how to get rid of it.

    Gadi Evron.