Nytro

Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs


Piotr Bania

bania.piotr@gmail.com

March 2009

Abstract

Nowadays most of the malware applications are either packed or protected. These techniques are applied especially to evade signature-based detectors and also to complicate the job of reverse engineers or security analysts. The time one must spend on unpacking or decrypting malware layers is often very long and in fact remains the most complicated task in the overall process of malware analysis. In this report the author proposes MmmBop as a relatively new concept of using dynamic binary instrumentation techniques for unpacking and bypassing detection by self-modifying and highly aggressive packed binary code. MmmBop is able to deal with most of the known and unknown packing algorithms and it is also suitable to successfully bypass most of the currently used anti-reversing tricks. This framework does not depend on any other 3rd party software and it is developed entirely in user mode (ring3). MmmBop supports the IA-32 architecture and it is targeted at Microsoft Windows XP; some of the further deliberations will be referring directly to this operating system.

Download:

http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf
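As an added illustration (this is not code from the paper or from MmmBop, whose internals are only described in the PDF linked above), the toy below shows the core idea that makes instruction-level dynamic binary instrumentation attractive for generic unpacking: instrument every memory write and every instruction fetch, and the first time control lands on bytes the program itself wrote at run time you have found the unpacked layer and its original entry point (the written-then-executed heuristic). The instruction set, the stub layout and all function names are hypothetical; the "packed" image is constructed inline. A real packer also fights the instrumentation itself (timing checks, self-checksums, exception tricks), which is the part the paper is about and which this toy does not model.

```python
"""
Toy demonstration of the written-then-executed heuristic used by DBI-based
generic unpackers.  Everything here (ISA, stub, addresses) is hypothetical and
constructed for illustration; it is NOT MmmBop's code or algorithm.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Toy ISA: 1-byte opcode, 1-byte operands (addresses/immediates, 0..255).
OP_NOP, OP_HALT, OP_XORCOPY, OP_JMP = 0x00, 0x01, 0x02, 0x03
# XORCOPY src dst key : mem[dst] = mem[src] ^ key      (4 bytes)
# JMP addr            : pc = addr                      (2 bytes)


@dataclass
class Trace:
    """What the instrumentation layer records while the program runs."""
    written: Set[int] = field(default_factory=set)   # addresses written at run time
    executed: List[int] = field(default_factory=list)  # fetch addresses, in order
    oep: Optional[int] = None                          # first fetch from a written byte


def run_instrumented(mem: bytearray, pc: int = 0, max_steps: int = 10_000) -> Trace:
    """Emulate the toy ISA with a write hook and a fetch hook, like a DBI tool."""
    t = Trace()
    for _ in range(max_steps):
        # Fetch hook: the "original entry point" of the unpacked layer is the
        # first instruction executed from memory that the program wrote itself.
        if t.oep is None and pc in t.written:
            t.oep = pc
        op = mem[pc]
        t.executed.append(pc)
        if op == OP_HALT:
            return t
        if op == OP_NOP:
            pc += 1
        elif op == OP_XORCOPY:
            src, dst, key = mem[pc + 1], mem[pc + 2], mem[pc + 3]
            mem[dst] = mem[src] ^ key
            t.written.add(dst)          # write hook: remember every modified byte
            pc += 4
        elif op == OP_JMP:
            pc = mem[pc + 1]
        else:
            raise ValueError(f"bad opcode {op:#04x} at {pc:#04x}")
    raise RuntimeError("step limit exceeded (runaway or anti-analysis loop)")


def build_packed(payload: bytes, key: int, oep: int = 0x40,
                 blob: int = 0x80, size: int = 0x100) -> bytearray:
    """Constructed sample: XOR-'encrypted' payload at `blob`, an unrolled
    decryption stub at address 0 that writes the plaintext to `oep` and jumps there."""
    mem = bytearray(size)
    for i, b in enumerate(payload):
        mem[blob + i] = b ^ key
    pc = 0
    for i in range(len(payload)):
        mem[pc:pc + 4] = bytes([OP_XORCOPY, blob + i, oep + i, key])
        pc += 4
    mem[pc:pc + 2] = bytes([OP_JMP, oep])
    return mem


def unpack(mem: bytearray) -> Tuple[Optional[int], bytes]:
    """Run under instrumentation and dump the contiguous written region that
    starts at the detected OEP.  Returns (oep, dumped_bytes)."""
    t = run_instrumented(mem)
    if t.oep is None:
        return None, b""
    end = t.oep
    while end in t.written:
        end += 1
    return t.oep, bytes(mem[t.oep:end])


if __name__ == "__main__":
    payload = bytes([OP_NOP, OP_NOP, OP_NOP, OP_HALT])   # the 'real' program
    image = build_packed(payload, key=0x5A)
    oep, dump = unpack(image)
    print(f"OEP found at {oep:#04x}; unpacked bytes: {dump.hex()}")
```

Static signatures over the packed image never see the plaintext bytes, because they only exist in memory after the stub runs; the instrumentation sees them the moment the stub transfers control to them. Layered packers just repeat the pattern, so a practical tool keeps tracking writes after the first OEP candidate and reports each new written-then-executed transition.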
