Vulnerability Development mailing list archives

Re: unpacking UPX or PE-packed binaries


From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 22 Apr 2004 21:11:18 -0700

Karma wrote:
> Just interested in how AV R&D companies unpack worms with complex UPX and PE
> pack protocols.

The modified UPX packing is a pretty small change usually. Compare one with a standard UPX header for the same version. There are a variety of unpackers out there. Take a look at the X86emu work by Chris Eagle for an interesting direction that unpackers might be taking:
http://ida-x86emu.sourceforge.net/

Worst case, you've always got the option to carefully step through it with a debugger to the point where it's unpacked. You may have to deal with a few anti-debugger tricks along the way, and once you've got a few unpacked segments, you'll probably have to manually put the import table back together, but it's doable. I like OllyDbg for this kind of thing:
http://home.t-online.de/home/Ollydbg/

Just take care that you're running in a sandbox of some kind, in case you step too far, or accidentally press the "run" key.

                                                BB
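The "compare it with a standard UPX header" step from the reply above, as an added example that is not part of the original post and not UPX's own code. Stock UPX leaves two easy tells in a PE: the section names UPX0/UPX1 and the packheader, which begins with the magic bytes "UPX!" in the header area after the section table and is what `upx -d` keys on. Modified builds typically rename the sections and patch the magic, which is why the stock unpacker refuses them. The script below parses just enough of the PE header to pull those indicators out and diffs a suspect file against a stock-packed reference. Both samples are constructed in memory (no real binaries involved); their section layout, the zeroed packheader fields and the "XYZ!" replacement magic are assumptions for illustration.

```python
"""Pull the UPX indicators out of a PE and diff them against a stock sample.

Added example for this mailing-list thread; not code from the post or from UPX.
Both PE images below are constructed in memory for illustration.
"""
import struct

E_LFANEW_OFF = 0x3C                 # offset of the PE-header pointer in the MZ header
STOCK_UPX_SECTIONS = {b"UPX0", b"UPX1"}
UPX_MAGIC = b"UPX!"


def build_minimal_pe(section_names, magic=UPX_MAGIC):
    """Construct a tiny, structurally valid PE32 image (sample, not a real binary).

    Only the parts an unpacker inspects are filled in: MZ stub, PE signature,
    COFF header, optional-header size, section table and a packheader blob
    placed right after the section table, mimicking the stock UPX layout.
    """
    pe_off = 0x40
    mz = bytearray(pe_off)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, E_LFANEW_OFF, pe_off)

    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic

    sections = b""
    for i, name in enumerate(section_names):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0xE0000080)
    # Packheader: magic followed by version/format/method bytes and checksums
    # (zeroed here; only the magic matters for this example).
    packheader = magic + b"\0" * 28
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt) + sections + packheader


def pe_section_names(data):
    """Return (section names, offset just past the section table)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_off = pe_off + 4 + 20 + opt_size
    names = []
    for i in range(nsec):
        raw = struct.unpack_from("<8s", data, sec_off + 40 * i)[0]
        names.append(raw.rstrip(b"\0"))
    return names, sec_off + 40 * nsec


def upx_indicators(data):
    """Collect the two tells stock UPX leaves behind."""
    names, hdr_end = pe_section_names(data)
    header_tail = data[hdr_end:hdr_end + 0x200]        # where UPX keeps its packheader
    pos = header_tail.find(UPX_MAGIC)
    return {
        "sections": names,
        "stock_section_names": STOCK_UPX_SECTIONS.issubset(names),
        "upx_magic_present": pos != -1,
        "magic_offset": hdr_end + pos if pos != -1 else None,
    }


def compare_to_stock(stock, suspect):
    """Diff a suspect sample against a known stock-UPX sample, as the post suggests."""
    a, b = upx_indicators(stock), upx_indicators(suspect)
    diffs = []
    if a["sections"] != b["sections"]:
        diffs.append("section names %r -> %r" % (a["sections"], b["sections"]))
    if a["upx_magic_present"] and not b["upx_magic_present"]:
        diffs.append("'UPX!' packheader magic patched out (stock upx -d will refuse it)")
    return diffs


# Constructed samples: one laid out like stock UPX, one with renamed sections
# and a patched magic ("XYZ!" is an arbitrary stand-in for a modified build).
STOCK_SAMPLE = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
MODIFIED_SAMPLE = build_minimal_pe([b".text", b".data", b".rsrc"], magic=b"XYZ!")

if __name__ == "__main__":
    print(upx_indicators(STOCK_SAMPLE))
    print(upx_indicators(MODIFIED_SAMPLE))
    for line in compare_to_stock(STOCK_SAMPLE, MODIFIED_SAMPLE):
        print("diff:", line)
```

On a real pair of files the same comparison points at exactly the bytes a modified packer changed; restoring those in the suspect is often enough to let the stock unpacker handle it, and when it is not, the offsets still tell you where to set the first breakpoint for the debugger route described above.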

