Use some well-known tools to detect whether your fake-malware-packed.exe file is packed. You won't see detection results this good with malware that uses a custom packer.

WINDOWS
Tip: Drag and drop the malware onto the utility's desktop shortcut.
Does the Detect It Easy tool in Windows detect that the file is packed? If so, what does it report about it? Note: DIE works best without resolution scaling in Windows.
Does the Exeinfo PE tool in Windows detect that the file is packed? If so, what does it report about it?

LINUX
Does the DIEC tool in Linux detect that the file is packed? If so, what does it report about it? (This is the command-line version of Detect It Easy for Linux, so results should be similar to Windows.) Tip: Use command diec fake-malware-packed.exe
Does the TrID tool in Linux detect that the file is packed? If so, what does it report about it? Tip: Use command trid fake-malware-packed.exe
Does the PEPack tool in Linux detect that the file is packed? If so, what does it report about it? Tip: Use command pepack fake-malware-packed.exe
Does the PEScan tool in Linux detect that the file is packed? If so, what does it report about it? Tip: Use command pescan fake-malware-packed.exe

Use the open-source UPX packer to unpack your fake malware. Note that UPX overwrites the original file with its output file! Thus, you should copy fake-malware-packed.exe to fake-malware-unpacked.exe, and then unpack it via upx -d fake-malware-unpacked.exe. (Alternatively, upx -d -o fake-malware-unpacked.exe fake-malware-packed.exe writes the result to a new file and leaves the packed original untouched.) Note that real malware packers will not have convenient command-line extraction capabilities. Also, it is unlikely that you will have access to the same packer program that the malware author used.

Compare and contrast the unpacked and packed files using information obtained from PeStudio and IDA.

PESTUDIO
What is the address of the program entry point, and what code section is it within? (Look under the optional-headers category.)
How many API calls are used? (Imported functions)
How many of those functions does PEStudio flag on its blacklist?
What interesting strings do you see? (Don't list them all for the original file.)
What is the name of each section, its virtual size, its raw size, and its entropy?
From that observation alone, what section of the packed file likely holds the payload?
From that observation alone, where do you think the unpacked payload will go? (Not every packer will have such an obvious location.)

CODE
How many subroutines (functions) exist in the program code? (In IDA, View->Open Subviews->Functions)
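The section-table questions above (name, virtual size, raw size, entropy, and which section contains the entry point) are the same checks a packer detector makes. The following script is an added example written for this page, not code from the lab or from any of the tools it names: a dependency-free PE32/PE32+ section-table parser plus the three heuristics. Both sample executables are constructed inline by build_sample_pe and are not real malware or real UPX output; only the header layout is real, and the UPX0/UPX1 section names, sizes and entry point are assumptions chosen to mimic a UPX-packed file. Imports and strings are left to PEStudio.

```python
"""Packer indicators from a PE section table (added example, not part of the lab)."""
import math
import random
import struct
from collections import Counter

FILE_ALIGN = 0x200
HEADERS_SIZE = 0x400
OPT_HEADER_SIZE = 0xE0                 # PE32 optional header
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding or text, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 or PE32+ file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]      # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + size_opt + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return entry_rva, sections

def packer_indicators(pe: bytes, entropy_threshold: float = 7.0, bloat_ratio: float = 4.0) -> dict:
    """The lab's by-eye PEStudio checks, applied programmatically."""
    entry_rva, sections = parse_sections(pe)
    report = {"entry_section": None, "high_entropy": [], "bloated": [],
              "sections": sections, "likely_packed": False}
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            report["entry_section"] = s["name"]          # packer stubs start outside .text
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            report["high_entropy"].append(s["name"])     # the compressed payload lives here
        if s["vsize"] and (s["raw_size"] == 0 or s["vsize"] > bloat_ratio * s["raw_size"]):
            report["bloated"].append(s["name"])          # room reserved for the unpacked payload
    # Either indicator alone is weak (a large .bss also bloats a section); require both.
    report["likely_packed"] = bool(report["high_entropy"] and report["bloated"])
    return report

def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 from (name, vaddr, vsize, raw_bytes, flags) rows. Test data only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)          # SectionAlignment, FileAlignment
    table, body = bytearray(), bytearray()
    for name, vaddr, vsize, raw, flags in sections:
        padded = raw + b"\0" * (-len(raw) % FILE_ALIGN)
        raw_ptr = HEADERS_SIZE + len(body) if padded else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(padded), raw_ptr, 0, 0, 0, 0, flags)
        body += padded
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return header.ljust(HEADERS_SIZE, b"\0") + bytes(body)

def sample_packed() -> bytes:
    """Constructed UPX-style layout: empty UPX0 reserved for the unpacked image, dense UPX1 holding stub + payload."""
    payload = random.Random(7).randbytes(0x2000)                  # stands in for compressed code
    return build_sample_pe([
        (b"UPX0", 0x1000, 0x10000, b"", SCN_READ | SCN_WRITE | SCN_EXEC),
        (b"UPX1", 0x11000, 0x2000, payload, SCN_CODE | SCN_READ | SCN_EXEC),
        (b".rsrc", 0x13000, 0x1000, b"\0\0\0\0RSRC" * 512, SCN_READ),
    ], entry_rva=0x12F00)

def sample_unpacked() -> bytes:
    """Constructed ordinary layout: entry point inside .text, no bloated or high-entropy sections."""
    code = b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\xc3" * 300       # repetitive x86 prologue bytes
    return build_sample_pe([
        (b".text", 0x1000, len(code), code, SCN_CODE | SCN_READ | SCN_EXEC),
        (b".data", 0x2000, 0x400, b"config=1\0" * 113 + b"\0" * 7, SCN_READ | SCN_WRITE),
        (b".rsrc", 0x3000, 0x1000, b"\0\0\0\0RSRC" * 512, SCN_READ),
    ], entry_rva=0x1020)

if __name__ == "__main__":
    for label, image in (("packed", sample_packed()), ("unpacked", sample_unpacked())):
        r = packer_indicators(image)
        print(label, "| entry in", r["entry_section"], "| likely packed:", r["likely_packed"])
        for s in r["sections"]:
            print(f"  {s['name']:<8} vsize={s['vsize']:#8x} raw={s['raw_size']:#8x} entropy={s['entropy']}")
```

To use it on the lab file, read fake-malware-packed.exe into bytes and pass it to packer_indicators; the report lines up with the PEStudio questions: a section whose raw size is 0 (or far smaller than its virtual size) is where the unpacked payload will be written, a section with entropy close to 8 is where the compressed payload sits, and an entry point outside the first code section points at the unpacking stub. The threshold choices (entropy 7.0, 4:1 bloat) are assumptions; genuine binaries with a large .bss or embedded compressed resources trip one indicator, which is why the verdict requires both, and custom packers that pad their payload can evade the entropy check entirely.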