Generic Unpacking /w Breakpoints

Discussion in 'other anti-trojan software' started by ntl, Dec 14, 2003.

Thread Status:
Not open for further replies.
  1. ntl

    ntl Guest

    If you want to unpack compressed malware, you can use a static unpacking routine (like Kaspersky) or a generic emulation (like the new ewido security suite).

    Alternatively, you may consider the following possibility:

    1. Identification of the packer

    Let's assume you have created a "signature" for a known packer. For instance, the following signature would help to identify Armadillo 2.85:

    558BEC6AFF6868::::006800::::0064A10000000050648925

    2. Analysis of the packer and determination of a breakpoint

    The packer would be analyzed and a breakpoint would be set after the end of the unpacking routine.

    3. Execution of the packed program

    The program would be executed (similar to the execution by a debugger). After the breakpoint is reached the execution would be stopped and, hopefully, the program would have unpacked itself and could be analyzed by the scan engine ...


    Do you think such a technique could work for an AT scanner? If yes: Do you think such a technique would be too insecure (since the potential malware is executed and there is still the possibility that the breakpoint is not correct, i.e., malicious code may be executed)?

    Nautilus
     
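Step 1 of the post (matching a wildcard packer signature against the bytes at the program's entry point) as an added Python example. This is not code from the original post or from any scanner named in the thread. The signature format follows the post ("::" stands for one byte of any value), the Armadillo 2.85 signature is the one quoted above, and the second, shorter signature, the sample entry-point bytes and all function names are constructed for this example only.

```python
"""Wildcard packer-signature matching (step 1 of the thread).

Added example, not code from the original post or from any scanner product.
"::" is one wildcard byte, as in the post; "??" is accepted as an alias
(an assumption, not part of the post's format). All sample bytes below are
constructed for this example, not dumped from real packed files.
"""

from typing import Dict, List, Optional

# Signature table. The Armadillo entry is the one quoted in the post.
# The second entry is a hypothetical, deliberately short signature that is a
# prefix of the Armadillo one; it exists only to show why the longest match
# must win, so a common prologue is not reported as the packer.
PACKER_SIGNATURES: Dict[str, str] = {
    "Armadillo 2.85": "558BEC6AFF6868::::006800::::0064A10000000050648925",
    "Hypothetical generic prologue": "558BEC6AFF68",
}

# Constructed entry-point bytes: the Armadillo signature with the wildcard
# positions filled with arbitrary values (1234 and ABCD), then a few filler bytes.
SAMPLE_ARMADILLO_EP = bytes.fromhex(
    "558BEC6AFF68681234006800ABCD0064A10000000050648925" "8B45088945FC"
)
# Constructed bytes that match only the short hypothetical prologue.
SAMPLE_PROLOGUE_ONLY_EP = bytes.fromhex("558BEC6AFF6800000000")
# Constructed bytes that match nothing in the table.
SAMPLE_UNKNOWN_EP = bytes.fromhex("E8000000005B81EB05000000")


def parse_signature(sig: str) -> List[Optional[int]]:
    """Turn "558B::EC" into [0x55, 0x8B, None, 0xEC]; None is a wildcard byte."""
    sig = sig.replace(" ", "").upper()
    if len(sig) % 2:
        raise ValueError("signature must have an even number of characters")
    pattern: List[Optional[int]] = []
    for i in range(0, len(sig), 2):
        tok = sig[i:i + 2]
        pattern.append(None if tok in ("::", "??") else int(tok, 16))
    return pattern


def matches_at(data: bytes, offset: int, pattern: List[Optional[int]]) -> bool:
    """True if pattern matches data at offset; wildcards match any byte.

    A pattern that would run past the end of the buffer never matches,
    so a truncated entry-point region cannot produce a false identification.
    """
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def identify_packer(entry_bytes: bytes,
                    signatures: Dict[str, str] = PACKER_SIGNATURES) -> Optional[str]:
    """Match every signature at offset 0 of the entry-point bytes.

    The longest matching signature wins, so a signature that is merely a
    prefix of a more specific one does not shadow it. Returns None when
    nothing matches, which is the "unknown packer, do not run it" outcome.
    """
    best_name: Optional[str] = None
    best_len = 0
    for name, sig in signatures.items():
        pat = parse_signature(sig)
        if len(pat) > best_len and matches_at(entry_bytes, 0, pat):
            best_name, best_len = name, len(pat)
    return best_name


def find_signature(data: bytes, sig: str) -> List[int]:
    """All offsets in data where sig matches; useful for scanning a whole section."""
    pat = parse_signature(sig)
    return [off for off in range(len(data) - len(pat) + 1) if matches_at(data, off, pat)]


if __name__ == "__main__":
    for label, ep in (("armadillo-like", SAMPLE_ARMADILLO_EP),
                      ("prologue-only", SAMPLE_PROLOGUE_ONLY_EP),
                      ("unknown", SAMPLE_UNKNOWN_EP)):
        print(f"{label:15s} -> {identify_packer(ep)}")
```

Only the identification step is shown; steps 2 and 3 (setting the breakpoint and running the sample to it) need a debugger and a disposable test machine, for the reason Wayne gives below. Matching is anchored at offset 0 of the entry point rather than anywhere in the file, and the longest signature wins, because a breakpoint chosen for the wrong packer is exactly the "breakpoint is not correct" failure the post worries about.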
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Yes it would WORK, but ...
    Yes, such methods are too insecure as you are allowing actual code to execute in a relatively unguarded manner. However, it's one of the faster and easier methods to implement so it's great for "in-house" unpacking on secured test machines, but not something you can really use in scanners.

    Regards,
    Wayne
     
  3. Khaine

    Khaine Registered Member

    Could you use that process in a kind of "Sandbox" so that none of the code is actually executed, or would that be a really complicated way?
     
  4. ano2

    ano2 Guest

    @Khaine

    Yes, that's possible.

    And yes, that's quite complicated compared to unpacking /w the help of breakpoints.

    You may want to try www.ewido.de (beta version of an AT scanner using an emulation) to see how generic unpacking works in practice.
     