Dailydave mailing list archives
Unpacking & Visualisation
From: <halvar () gmx de>
Date: Wed, 23 Nov 2005 07:58:10 -0800
Hey all,

First of all, for those of you visually inclined, check: http://www.sabre-security.com/files/upx_unp.avi

This is some research our new employee (since last week) Ero Carrera Ventura has been creating. On the x-axis, you have a timeline. On the y-axis, you have the location of the EIP in blue and the location of memory accesses in green. A UPX-packed binary is then executed, and you can see the EIP not changing much (decrypting loop) and the memory accesses doing a very clearly visible "sweep" over the entire executable. After a while, the memory access patterns change dramatically and the locations of EIP do so as well. This is when the executable is unpacked.

On a related note: we at SABRE are not only offering fun tools, but also people that can use them (e.g. specialized consulting). So if you end up needing someone to do

1) Security analysis of executables
2) Analysis of custom malware found on compromised boxes
3) Comparison of executables, e.g. for security patches
4) Comparison of executables for code theft detection
5) Other directly RE-related tasks (some embedded RE'ing perhaps?)

feel free to drop info () sabre-security com a line.

Cheers,
Halvar
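The plot described above (EIP staying inside a tight loop while memory accesses sweep linearly, then both scattering once control reaches the unpacked code) can be turned into a simple heuristic for locating the "unpacking finished" point in a trace. The script below is an added example, not code from the post or from SABRE's tools; it constructs a synthetic trace (a hypothetical UPX-style stub at 0x401000 sweeping an image at 0x402000, then scattered execution) and scans it in fixed-size windows, reporting the first window where EIP leaves the small loop range after a sweeping phase has been observed.

```python
"""Windowed heuristic for spotting the end of an unpacking stub in an
instruction trace, modelled on the EIP/memory-access plot described in the
post.  Added example with a constructed trace; addresses are hypothetical."""
from collections import namedtuple

# One trace record: instruction counter, EIP, and the data address touched
# by that instruction (None when it did not access memory).
TraceEvent = namedtuple("TraceEvent", "step eip mem")


def make_synthetic_trace():
    """Construct a trace shaped like the video: a tight decryption loop whose
    data accesses sweep linearly over the image, followed by unpacked code
    whose EIP and data addresses are spread out.  Entirely constructed."""
    events = []
    step = 0
    stub_lo = 0x401000          # hypothetical 8-instruction decrypt loop
    image_lo = 0x402000         # hypothetical start of the packed image

    # Phase 1: 400 loop iterations; the 5th instruction of each iteration
    # writes the next dword of the image, so data addresses climb linearly.
    for i in range(400):
        for off in range(0, 0x20, 4):
            mem = image_lo + i * 4 if off == 0x10 else None
            events.append(TraceEvent(step, stub_lo + off, mem))
            step += 1

    # Phase 2: unpacked code; deterministic but scattered EIP and data
    # addresses (no randomness, so the expected result is reproducible).
    for i in range(800):
        eip = 0x402000 + (i * 0x1F3) % 0x4000
        mem = 0x405000 + (i * 0x2B7) % 0x6000 if i % 3 == 0 else None
        events.append(TraceEvent(step, eip, mem))
        step += 1
    return events


def window_stats(events, window):
    """For each window of `window` events, return (start_step, eip_span,
    mem_sweeping): the address range EIP covered and whether the data
    accesses in the window were non-decreasing (a linear sweep)."""
    stats = []
    for start in range(0, len(events), window):
        chunk = events[start:start + window]
        eips = [e.eip for e in chunk]
        mems = [e.mem for e in chunk if e.mem is not None]
        eip_span = max(eips) - min(eips)
        sweeping = len(mems) > 1 and all(a <= b for a, b in zip(mems, mems[1:]))
        stats.append((start, eip_span, sweeping))
    return stats


def find_unpack_transition(events, window=100, eip_span_threshold=0x100):
    """Return the step at which EIP first leaves the tight loop after at
    least one window of loop-plus-sweep behaviour; None if no such pattern
    is seen (e.g. the binary was not packed, or never finished unpacking)."""
    seen_loop = False
    for start, eip_span, sweeping in window_stats(events, window):
        if eip_span < eip_span_threshold and sweeping:
            seen_loop = True
        elif seen_loop and eip_span >= eip_span_threshold:
            return start
    return None


if __name__ == "__main__":
    trace = make_synthetic_trace()
    print("unpacking appears to finish at step", find_unpack_transition(trace))
```

The thresholds are deliberately crude: a real stub may use several loops or call helper routines, so in practice one would widen the window, track distinct EIP values rather than the raw span, and confirm the candidate point by checking that subsequent EIP values fall inside the region the sweep just wrote.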
Current thread:
- Unpacking & Visualisation halvar (Nov 23)
- <Possible follow-ups>
- Re: Unpacking & Visualisation Piotr Bania (Nov 23)
- Re: Unpacking & Visualisation Andrew R. Reiter (Nov 23)