Generic Unpacking /w Breakpoints

Discussion in 'other anti-trojan software' started by ntl, Dec 14, 2003.

Thread Status:
Not open for further replies.
  1. ntl

    ntl Guest

    If you want to unpack compressed malware you can use a static unpacking routine (like Kaspersky) or a generic emulation (like the new ewido security suite).

    Alternatively, you may consider the following possibility:

    1. Identification of the packer

    Let's assume you have created a "signature" for a known packer. For instance, the following signature would help to identify Armadillo 2.85:


    2. Analysis of the packer and determination of a breakpoint

    The packer would be analyzed and a breakpoint would be set after the end of the unpacking routine.

    3. Execution of the packed program

    The program would be executed (similar to the execution by a debugger). After the breakpoint is reached the execution would be stopped and, hopefully, the program would have unpacked itself and could be analyzed by the scan engine ...

    Do you think such technique could work for an AT scanner? If yes: Do you think such technique would be too insecure (since the potential malware is executed and there is still the possibility that the breakpoint is not correct, i.e., malicious code may be executed)?

  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Jul 19, 2002
    Perth, Oz
    Yes it would WORK, but ...
    Yes, such methods are too insecure as you are allowing actual code to execute in a relatively unguarded manner. However, it's one of the faster and easier methods to implement so it's great for "in-house" unpacking on secured test machines, but not something you can really use in scanners.

  3. Khaine

    Khaine Registered Member

    Oct 2, 2002
    Could you use that process in a kind of "Sandbox" so that none of the code is actually executed, or would that be a really complicated way ?
  4. ano2

    ano2 Guest


    Yes, that's possible.

    And yes, that's quite complicated compared to unpacking /w the help of breakpoints.

    You may want to try (beta version of an AT scanner using an emulation) to see how generic unpacking works in practice.
Thread Status:
Not open for further replies.