Irregular Expressions

Aug 18 2012   12:39AM GMT

Working With Packed / Protected Executables

Dan O'Connor

First I have to say that I dislike having to do this. My main problem is that if you are going to take the time to pack and attempt to protect your EXE, it's obvious that you are up to no good.

For legitimate applications there are times when you would want to do this, but if it's some random EXE from a payload…

In my cases I try to avoid working with the source file; I will do as much as possible by running it in a lab. But that way you can miss timed actions and other types of triggers. Also, there is hardly a magic bullet for dealing with these. As a start I use PEiD; after that it is all about identifying what packed that EXE and tracking down the matching unpacker. If a generic tool won't unpack it, you are in for a fun day looking for something that will.

In other cases, if the file is packed all at once but does not have any defense mechanisms, you can dump the running EXE from memory. Sometimes you have a file that has multiple sections packed; mix in some anti-analysis tricks and it's not an enjoyable process.
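The first question in the post is always "what packed this?" A signature scanner like PEiD answers it by matching known packer stubs, but even without a signature database you can triage a PE by walking its section table and looking for the usual tells: section names left behind by common packers, a section with no raw data but a large virtual size (the target the stub unpacks into), and sections whose byte entropy is close to 8 bits (compressed or encrypted payload). The script below is an added example written for this post, not a tool the post mentions; it parses the DOS/COFF/section headers with `struct`, so it needs no third-party library, and it builds its own constructed mini-PE (a UPX-style layout with a random-byte payload standing in for compressed code) so it runs offline. The packer section-name list is a partial one drawn from memory, an assumption rather than a complete reference, and the 7.0-bit entropy threshold is a rule of thumb.

```python
"""Packer triage for PE files: section names, empty sections, and entropy.
Added example for this post; the sample PE and the name list are constructed."""
import math
import random
import struct
import sys

# Partial list of section names left by common packers (assumption, not exhaustive).
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
    ".themida", ".vmp0", ".vmp1", ".vmp2", ".MPRESS1", ".MPRESS2",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "entropy": shannon_entropy(data),
        })
    return sections


def assess(sections: list, entropy_threshold: float = 7.0) -> list:
    """Return human-readable findings that suggest packing; empty list if none."""
    findings = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{s['name']}: section name associated with a known packer")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes "
                            "virtual size (typical unpacking target)")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte suggests "
                            "compressed or encrypted content")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE: empty UPX0, high-entropy UPX1, low-entropy .rsrc."""
    rng = random.Random(1234)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))   # stand-in for packed code
    resources = b"RESOURCE" * 64                                # plain, repetitive data
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    payload_off = 512
    rsrc_off = payload_off + len(payload)

    def section(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                           raw_size, raw_ptr, 0, 0, 0, 0, chars)

    secs = (section(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)
            + section(b"UPX1", len(payload), 0x11000, len(payload), payload_off, 0xE0000040)
            + section(b".rsrc", len(resources), 0x13000, len(resources), rsrc_off, 0x40000040))
    image = dos + b"PE\0\0" + coff + opt + secs
    image += b"\0" * (payload_off - len(image))
    return image + payload + resources


if __name__ == "__main__":
    # Pass a real file as argv[1]; otherwise analyse the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for line in assess(parse_sections(blob)) or ["no packing indicators found"]:
        print(line)
```

Run it with no arguments to see the three indicators fire on the constructed sample, or point it at a file to get a quick answer before reaching for PEiD. A clean hit on a packer section name is the best case; when names have been renamed or stripped, the empty-section-plus-high-entropy pair is usually still visible, and it is that pair that tells you a memory dump after the stub has run is likely to give you something readable.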
