Turbo Unpacking: A Journey into Malicious Packers - Hacker Halted

More documents

Recommendations

Info

Shaddows Crypt v2 Priv8 (for the lolz) • Custom packer sold to encrypt malwares • Uses Anti Debugging, Anti SandBoxing, Anti VM and so on. • Written in Delphi *cough* • Very lame *double cough*
Conclusion • Don’t bother • Uses simple API breakpoints: VirtualAllocEx, VirtualProtectEx, ZwProtectVirtualMemory, VirtualFree, LoadLibraryExA/W • Locate original file and dump when possible • If not, use them as entry point <strong>into</strong> the code • Allows to skip thousands of garbage routines • Most of them should be unpacked in less than 10 minutes, don’t spend hours
Page 1 and 2: Turbo unpacking: A Journey into Mal
Page 3 and 4: Introduction to « Packers » PECOF
Page 5 and 6: Y0da Crypt Dot Fake Signer • Obfu
Page 7 and 8: With compression Packers UPX Protec
Page 9 and 10: With compression Packers UPX Protec
Page 11 and 12: Standard packed File layout • Ori
Page 13 and 14: Challenges of Malicious Packers •
Page 15 and 16: Case Study : Hflux • Peer 2 Peer
Page 17: Case Study : CodecPack • Advertis

Turbo Unpacking: A Journey into Malicious Packers - Hacker Halted

Create successful ePaper yourself

Delete template?

Save as template?