Hello, here are my study notes on the packing topic. I hope someone finds them useful.

I'll put all the resources I took information from in the references section, so you can take a look at them as well.

Today, most malware is packed, and it's a good skill for a malware analyst to recognize whether a PE file is packed or not, and also to be able to unpack it to get the full picture.

Originally, packers were used to shrink the size of executables on disk, like a compressor. If you deal with packed malware you will probably hear about the UPX packer, and this program is a type of compressor.

There are also packers used to encrypt the executable. This type is used to evade AV detection and to hinder reverse engineering, because basic static analysis isn't useful with packed files: first you must unpack the file, and only then can you analyze it.

All packer programs take an executable file and produce an executable file, but the produced file contains nothing that tells you anything about the original file's functionality. It is a stub that will decompress or decrypt the original, together with the compressed or encrypted original file.

A stub is a small portion of code that contains the decryption or decompression agent used to decrypt or decompress the packed file.

As shown in this image, the packer takes the target file as input and, using the stub, produces the packed file, which consists of the stub and the compressed file.

Another important thing about the packing process is that the packer relocates/obfuscates the original entry point inside the packed section. This makes identifying the import address table (IAT) and the original entry point (OEP) difficult.

Packers can pack the entire EXE file or only the code and data sections. The packed file contains:

- Packed section(s) (that hold the original code).
- Unpacking stub - used to unpack the code.

And the unpacking stub performs three steps:

1. Unpacks the original executable into memory.
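To make the stub-plus-packed-section layout concrete, here is an added toy example (my own illustration, not code from any real packer, and not a PE format parser): a stand-in "original" image is compressed behind a tiny stub header, the unpack step restores it into memory, and the entropy heuristic an analyst uses to spot packed data is applied to both versions. The names `toy_pack`, `toy_unpack`, `looks_packed` and the `TOYPACK` marker are all hypothetical, and the sample image is constructed inline.

```python
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed stand-in for an unpacked image: mostly repetitive code-like bytes,
# a few readable strings an analyst expects to see, and an incompressible resource
# (deterministic pseudo-random bytes playing the role of an embedded icon/image).
_rng = random.Random(1234)
ORIGINAL = (b"\x90" * 6000
            + b"GetProcAddress\0LoadLibraryA\0http://example.invalid/update\0"
            + bytes(_rng.getrandbits(8) for _ in range(1500)))

STUB_MAGIC = b"TOYPACK"   # hypothetical marker; not any real packer's format

def toy_pack(image: bytes) -> bytes:
    """Compressor-style packer: a tiny header (the 'stub' part) + the compressed image."""
    return STUB_MAGIC + len(image).to_bytes(4, "little") + zlib.compress(image, 9)

def toy_unpack(packed: bytes) -> bytes:
    """What the unpacking stub does at run time: restore the original image into memory."""
    if not packed.startswith(STUB_MAGIC):
        raise ValueError("not a TOYPACK image")
    expected = int.from_bytes(packed[7:11], "little")
    image = zlib.decompress(packed[11:])
    if len(image) != expected:
        raise ValueError("size mismatch: payload truncated or tampered")
    return image

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Analyst heuristic: packed/encrypted content has near-random byte statistics."""
    return shannon_entropy(data) >= threshold

def visible_strings(data: bytes) -> list:
    """Which of the original's tell-tale strings a plain 'strings' pass would still find."""
    needles = (b"GetProcAddress", b"LoadLibraryA", b"http://")
    return [s.decode() for s in needles if s in data]

if __name__ == "__main__":
    packed = toy_pack(ORIGINAL)
    for name, blob in (("original", ORIGINAL), ("packed", packed)):
        print(f"{name:8s} size={len(blob):5d} entropy={shannon_entropy(blob):.2f} "
              f"packed?={looks_packed(blob)} strings={visible_strings(blob)}")
    assert toy_unpack(packed) == ORIGINAL
```

The packed blob has high entropy and none of the original's strings, which is exactly why static analysis stalls until the stub's work is reproduced in memory.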