Unpacking PE files on Windows Mobile
Nicolas Brulez, Websense
As a testament to the surge in popularity of the Windows Mobile operating system, market research firm IDC in a press
release last September said it expects approximately 30.4 million units of Windows Mobile-supported devices to ship
worldwide by 2010. Despite the ubiquity of the Windows Mobile operating system, little is known about its executable
packers and protectors, commonly used for malicious purposes.
The focus of this presentation is on the unpacking of PE packers and protectors, the dumping and rebuilding of
decrypted applications, the methods used to discover original entry points, and the methods used to fix import tables
on the Windows Mobile operating system.
A handful of Windows Mobile PE protectors share the same features as PE protectors for traditional Windows desktops,
including but not limited to anti-debugging, anti-dumping, import-table protection, and entry-point protection.
The audience will learn how to build a working dumper and how to defeat protection schemes. Additional unpacking
scripts will be given to attendees.
IDC reference: http://www.idc.com/getdoc.jsp?containerId=prUS20375006.