Posted by: Dan O'Connor
Tags: code packer, packed code, tools, vmware, vmware malware detection, vulnerabilities
First I have to say that I dislike having to do this. My main problem is that if you are going to take the time to pack and attempt to protect your EXE, it’s obvious that you are up to no good.
There are times when a legitimate application has reason to do this, but if it’s some random EXE dropped by a payload…
In my own cases I try to avoid working with the packed file directly; I do as much as possible by running it in a lab. But dynamic analysis alone can miss timed actions and other kinds of triggers. There is no magic bullet for dealing with packed files either; as a starting point I use PEiD to identify the packer. After that it is all about which packer was used on that EXE and tracking down something that will undo it. If a generic tool won’t unpack it, you are in for a fun day hunting for one.
In other cases, if the whole file is packed in one go but carries no defensive mechanisms, you can dump the running EXE from memory once it has unpacked itself. Sometimes a file has multiple sections packed separately; mix in some anti-analysis tricks on top of that and it is not an enjoyable process.
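The two triage steps above, identifying that a file is packed before reaching for PEiD, and spotting which section a runtime unpacker will fill so you know what to dump from memory, can be approximated from the PE section table alone. The script below is an added example written for this post; it is not PEiD, not the author's tooling, and not a substitute for signature-based identification. It parses the section table with the standard `struct` module, flags section names written by well-known packers (an illustrative list, assumed, not exhaustive), flags sections that are empty on disk but large in memory (the typical unpack target), and flags sections whose Shannon entropy is near 8 bits per byte (compressed or encrypted content). The sample PE images are constructed inline with just enough header to exercise the parser.

```python
import hashlib
import math
import struct

# Section names commonly written by well-known packers. Assumption: an
# illustrative list for this example, not a complete signature database.
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
    b".themida", b".vmp0", b".vmp1", b"MPRESS1", b"MPRESS2", b".nsp0", b".nsp1",
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return (name, virtual_size, raw_size, raw_bytes) for every section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, rsize, pe[rptr:rptr + rsize]))
    return sections


def packing_indicators(pe: bytes):
    """Return human-readable indicators that the PE is packed (empty if none)."""
    findings = []
    for name, vsize, rsize, raw in parse_sections(pe):
        label = name.decode(errors="replace")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{label}: known packer section name")
        if rsize == 0 and vsize > 0:
            # Nothing on disk, space reserved in memory: the unpacker fills this
            # at runtime, so it is what a memory dump needs to capture.
            findings.append(f"{label}: empty on disk, {vsize:#x} bytes in memory (unpack target)")
        ent = shannon_entropy(raw)
        if raw and ent >= ENTROPY_THRESHOLD:
            findings.append(f"{label}: entropy {ent:.2f} (compressed/encrypted)")
    return findings


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, seed = bytearray(), b"constructed-sample"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE image: real header layout, no executable code."""
    if packed:  # UPX-style layout: empty UPX0 reserved for unpacked code, dense UPX1
        specs = [(b"UPX0", 0x8000, b""), (b"UPX1", 0x1000, _pseudo_random(0x1000))]
    else:       # plain layout: low-entropy code and zeroed data
        specs = [(b".text", 0x1000, b"\x90" * 0x800 + b"\xc3" * 0x800),
                 (b".data", 0x200, b"\0" * 0x200)]
    opt_size, e_lfanew = 0xE0, 0x40
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(specs)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x102)
    headers, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in specs:
        rptr = raw_ptr + len(body) if raw else 0
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        vaddr += (vsize + 0xFFF) & ~0xFFF
    return bytes(dos + coff + b"\0" * opt_size + headers + body)


if __name__ == "__main__":
    for packed in (False, True):
        print("packed sample" if packed else "plain sample")
        for line in packing_indicators(build_sample_pe(packed)) or ["no indicators"]:
            print("  ", line)
```

Run against a real file by replacing `build_sample_pe(...)` with the bytes read from disk. Entropy and section names are heuristics only: a legitimate installer with compressed resources will trip the entropy check, and a packer can name its sections anything, which is why the post still leans on PEiD signatures and on running the sample in a lab.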