Runtime Packers Flashcards

1
Q

What is the primary purpose of packing for malware authors?

A

Compressed malware code is tricky to reverse and hard for AV to check

  • Compression
  • Obfuscation
2
Q

What is Packing?

A

Taking existing code, and compressing it so it takes up less space.

  • Packers take the original file, and treat it all as data.
  • They then compress it as best as possible.
  • This then becomes the Data section of the new packed Executable.
  • The packer adds a short code section which is responsible for unpacking the data section.
3
Q

In the most common type of basic packer – the final file will have 2 main PE sections.

A
  1. Packed original code
  2. Unpacker section
4
Q

Dynamic Unpacking normally involves letting the file run until it is at the Original Entry Point, and then dumping memory:

  • Describe 1-2 signs you may have reached the original Entry point (1-2 lines each)
  • Dumping a process from memory will frequently break what part of the file which will need to be patched before analysis?
A
  • OEP: Jump outside main decryption loop, jump to unclear/dynamic location, code with unclear destination, WriteMemory or VirtualAlloc
  • Import Address Table (ImpRec)
5
Q

What is the last thing a packer does?

A

The last thing the packer does is transfer control to the Original Entry Point (which you will often see referred to as OEP)

6
Q

How can you identify a packer?

A
  • Name of the different sections
  • Code is more complex
  • Strings are not readable
  • Packers have identifiable strings
  • Which imports they use
  • Fewer imports
  • High Entropy
  • Call graphs
  • Certain code sections
7
Q

What is Entropy?

A

Entropy is essentially a mathematical formula to measure randomness or predictability. Packed data looks encrypted, so it has HIGH entropy. Tools to check entropy: DIE (Detect It Easy), DensityScout

8
Q

Name tools to identify packers.

A
  • DIE (Detect It Easy)
  • DensityScout
  • RDG Packer Detector
9
Q

Name a few common packers.

A
  • UPX
  • FSG
  • ASPACK
  • Morphine
10
Q

What are the main steps to unpack code?

A
  1. Identify Packer: Check PE section names, entry point code, strings, imports
  2. OSINT on packer type
  3. Static Unpacking: using packer tool
  4. Dynamic Unpacking
  5. Emulation: step through the code to find the OEP
11
Q

How does Dynamic Unpacking work?

A
  1. Open packed file in debugger
  2. Let packer stub run and unpack original program
    1. Trial and error on where to set the breakpoint
  3. Goal: Find jmp to Original Entry Point
    1. Watch out for normal Anti-debug tricks
  4. Dump process from memory
  5. Fix dump with ImpRec (IAT)
12
Q

Tips to find the OEP?

A
  • Look for jmp/call to a dynamic location
  • Code with unclear destination
  • Look for the spot where decryption completes
  • Function calls of WriteMemory or VirtualAlloc
13
Q

Name a few tools to dump memory.

A
  • OllyDumpEx
  • Volatility
  • DumpIt
  • TitanMist
14
Q

Name two tools to unpack packed code.

A
  • UPX
  • FUU (by Google)