Turbo Unpacking: A Journey into Malicious Packers - Hacker Halted

More documents

Recommendations

Info

With compression <strong>Packers</strong> UPX Protectors ASProtect Bundlers MoleBox • Protectors • Multiple encrypted code layers • Multiple compression algorithms in use • aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg,… • Custom PECOFF table processing • Imports are usually* protected • Resources are usually* protected • Relocations are usually* protected • TLS can be emulated • Can protect x86/x64/.net files • Usually come with integrated licensing • Numerous anti-reversing protection • Every table you could think of and then some – * If present and selected by the user
With compression <strong>Packers</strong> UPX Protectors ASProtect Bundlers MoleBox • Bundlers • Multiple encrypted code layers • Multiple compression algorithms in use • aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg,… • Custom PECOFF table processing • Imports are usually* protected • Resources are usually* compressed • Relocations are usually* compressed • TLS can be emulated • Can protect x86/x64 files • Some anti-reversing protection • Usually limited to import table/entry point – * If present and selected by the user
Page 1 and 2: Turbo unpacking: A Journey into Mal
Page 3 and 4: Introduction to « Packers » PECOF
Page 5 and 6: Y0da Crypt Dot Fake Signer • Obfu
Page 7: With compression Packers UPX Protec
Page 11 and 12: Standard packed File layout • Ori
Page 13 and 14: Challenges of Malicious Packers •
Page 15 and 16: Case Study : Hflux • Peer 2 Peer
Page 17 and 18: Case Study : CodecPack • Advertis
Page 19 and 20: Conclusion • Don’t bother •

Turbo Unpacking: A Journey into Malicious Packers - Hacker Halted

Create successful ePaper yourself

Delete template?

Save as template?