Reverse Engineering Packed Malware

Introduction

In this article, you’ll get a better understanding of what a packed executable is and how to analyze and unpack malware. Finally, you’ll get to know the top packers used in malware.

What are packed executables?

A packed executable is one that has been compressed, primarily to reduce its file size but often also to complicate the reverse-engineering process. It is not to be confused with standard archive compression (RAR/ZIP).

Packed executables are standalone files that can be executed while still compressed. A packer applies a standard compression algorithm (LZO, LZMA, …) to the file; the operating system cannot execute the compressed code directly, so the packer appends an unpacking routine (the stub) to the executable. When the file is run, the stub decompresses the original code and loads it into memory in its original state before transferring control to it.

Figure 1: Generic example of packed executable
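The mechanism above leaves measurable traces on disk: the compressed payload has near-maximal byte entropy, the stub needs a section it can both write (decompressed code) and execute, and many packers keep recognisable section names. The following script, an added example that is not from the original article or any tool it mentions, implements those three heuristics over a minimal PE section-table parser. It builds two constructed in-memory samples (an ordinary-looking image and a UPX-style packed one) so it runs offline; the packer section-name list is an illustrative assumption, not a complete signature set.

```python
import hashlib
import math
import struct

# Section names that well-known packers leave behind. Assumption: a short
# illustrative list for the example, not a complete signature database.
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
    b"MPRESS1", b"MPRESS2", b".themida", b".vmp0", b".vmp1",
}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0..8.0); compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Minimal PE section-table walk; returns a list of (name, raw_bytes, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional      # IMAGE_SECTION_HEADER[] starts here
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        characteristics = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size], characteristics))
    return sections


def packer_indicators(pe: bytes) -> dict:
    """Heuristic triage: known packer section names, high-entropy sections, W+X sections."""
    sections = parse_sections(pe)
    known = [n.decode() for n, _, _ in sections if n in PACKER_SECTION_NAMES]
    high_entropy = [n.decode() for n, d, _ in sections
                    if len(d) >= 256 and shannon_entropy(d) > 7.0]
    # The stub writes decompressed code into a section and then jumps to it, so a
    # section that is both writable and executable is a common (not conclusive) sign.
    wx = [n.decode() for n, _, c in sections
          if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE]
    return {
        "known_packer_sections": known,
        "high_entropy_sections": high_entropy,
        "writable_executable_sections": wx,
        "likely_packed": bool(known) or bool(high_entropy and wx),
    }


def build_pe(sections) -> bytes:
    """Constructed sample: assemble a minimal PE32 image from (name, data, characteristics).
    Only the header fields the parser reads are meaningful; everything else is zero."""
    size_of_optional = 0xE0
    headers_len = 0x40 + 4 + 20 + size_of_optional + 40 * len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table, body, raw_ptr = b"", b"", headers_len
    for name, data, chars in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + optional + table + body


# Constructed inputs: repetitive bytes stand in for ordinary code (entropy 6.0),
# a SHA-256 chain stands in for a compressed payload (entropy close to 8.0).
_ORDINARY_CODE = bytes(range(64)) * 64
_PACKED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

ORDINARY_PE = build_pe([
    (b".text", _ORDINARY_CODE, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", b"hello from constructed sample\0" * 10, IMAGE_SCN_MEM_WRITE),
])
PACKED_PE = build_pe([
    (b"UPX0", b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),   # empty on disk, filled at run time
    (b"UPX1", _PACKED_BLOB, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("ordinary", ORDINARY_PE), ("packed", PACKED_PE)):
        print(label, packer_indicators(image))
```

To run it against a real sample, pass the file's bytes to `packer_indicators` instead of the constructed images. Treat the result as triage only: a custom packer can rename sections, keep entropy below the threshold by using weak compression, or mark its sections read-only and change protections at run time, which is why the dedicated scanners listed below remain the first stop.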


Analyzing packed malware

1. Set up the virtual environment

To analyze malware in general, you must first isolate it in a virtual environment (VMware or VirtualBox) together with the analysis tools, so as not to infect your main machine. For more details, check out the following links:


2. Analysis tools

Next, you need to have your analysis tools set up. In case you’re not sure, here’s a list:


Scanners/packer identifier

Disassemblers/debuggers

PE tools

Other

Once you’re done, create a snapshot of the current VM’s state.

3. Analysis

Now that everything is set up, you (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Jamal Chahir. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/jAh0x56qZLA/