
Reverse Engineering Packed Malware
Introduction
In this article, you’ll get a better understanding of what a packed executable is and how to analyze and unpack malware. Finally, you’ll get to know the top packers used in malware.
What are packed executables?
A packed executable is one that has been compressed, originally to minimize its file size, but in malware often to complicate the reversing process. It should not be confused with a standard archive (rar/zip).
Packed executables are standalone files that can be executed while still compressed. A packer applies standard compression techniques (LZO, LZMA, …) to the file; the OS cannot execute the compressed code as it is, so the packer appends an unpacking routine (the stub) to the executable. When the file is run, the unpacking routine decompresses the code and loads it into memory in its original state.
Figure 1: Generic example of packed executable
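The two symptoms that a packer-identifier tool (the "Scanners/packer identifier" category listed further down) looks for follow directly from this layout: a section table left behind by the packer and a section holding the compressed payload whose bytes are close to random. As an added example, not code from the original article, this small Python scanner walks the PE section table and reports both indicators; the packer name list and the two sample images are constructed for this demonstration.

```python
import math
import struct
from collections import Counter

# Assumption: a short illustrative list of packer section names, not a full signature database.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits close to 8.0, native code well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Walk the PE section table and yield (name, raw_bytes) for every section."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]                     # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", image, pe_off + 4)  # COFF: NumberOfSections, SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                        # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packing_indicators(image: bytes, threshold: float = 7.0) -> dict:
    """Per-section entropy plus the reasons the file looks packed (no reasons = no indicator)."""
    reasons, entropies = [], {}
    for name, raw in pe_sections(image):
        ent = round(shannon_entropy(raw), 2)
        entropies[name] = ent
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {name}")
        if raw and ent >= threshold:
            reasons.append(f"high entropy {ent} in {name}")
    return {"entropy": entropies, "reasons": reasons, "likely_packed": bool(reasons)}

def build_sample_image(sections) -> bytes:
    """Constructed minimal PE: e_lfanew=0x40, no optional header, section data right after the table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, blobs, ptr = b"", b"", 0x40 + 24 + 40 * len(sections)
    for name, raw in sections:
        table += name.ljust(8, "\0").encode() + struct.pack("<IIII", len(raw), 0x1000, len(raw), ptr) + b"\0" * 16
        blobs, ptr = blobs + raw, ptr + len(raw)
    return dos + coff + table + blobs

# Constructed samples: UPX-style layout (empty UPX0 is filled with the unpacked code at runtime; UPX1 holds the
# compressed payload, stood in for here by bytes with every value equally frequent) vs. plain, code-like bytes.
PACKED_SAMPLE = build_sample_image([("UPX0", b""), ("UPX1", bytes(range(256)) * 16)])
PLAIN_SAMPLE = build_sample_image([(".text", bytes(range(64)) * 64)])
```

Entropy alone also fires on legitimate files that embed compressed resources or encrypted data, so treat a hit as a reason to look at the section table and entry point, not as proof of packing.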
Analyzing packed malware
1. Set up the virtual environment
To analyze malware in general, you must first isolate the sample in a virtual environment (VMware or VirtualBox) together with your analysis tools, so that you do not infect your main machine. For more details, check out the following links:
- OALabs Malware Analysis Virtual Machine, OALabs
- How to Get and Set Up a Free Windows VM for Malware Analysis, Zeltser Security Corp.
- Malware Analysis: First Steps — Creating your lab, Medium
2. Analysis tools
Next, you need to have your analysis tools set up. In case you’re not sure, here’s a list:
Scanners/packer identifiers
Disassemblers/debuggers
PE tools
Other
- Process Hacker (Monitor system resources)
- Wireshark (Network protocol analyzer)
- HxD (Hex Editor)
- Resource Hacker (Extract resources from executables)
- VirusTotal (Online analysis of malware samples and URLs)
Once you’re done, create a snapshot of the current VM’s state.
3. Analysis
Now that everything is set up, you (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Jamal Chahir. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/jAh0x56qZLA/