Generic unpacking – how to handle modified or unknown PE compression engines?

Tobias Graf, Ewido Networks

  download slides (PDF)

Current Agobot collections show that open source crypters such as YodaCrypter are becoming a growing threat to the anti-virus industry. A static unpacking engine keyed on a known stub is defeated by inserting a few extra instructions or moving the entry point, a modification that takes five minutes. One solution is generic unpacking: emulate the underlying compression engine and let the packed file decompress itself, the same approach already used against polymorphic viruses.

In our paper/presentation we show the most important problems of emulating a compression engine and how to solve them. First, we describe the emulation process, its many advantages and the problems that arise. Then we give some impressions of the major problems: speed, error tracing and operating-system emulation. Finally, we give a snapshot of our current generic unpacking engine and show what has been achieved and what can still be achieved in the future.
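The abstract contrasts a static unpacker, which recognises a known stub, with an emulator that simply runs the stub until the original code appears. The following is an added illustration of that contrast, not code from the paper or from Ewido's engine: a constructed five-opcode toy VM stands in for x86, a flat 80-byte array stands in for a PE image, and the "packer" is a stub that XOR-decrypts a payload in place and jumps into it. The static unpacker matches the stub byte pattern at the entry point; the generic unpacker emulates the stub and stops at the first control transfer into memory the stub itself wrote (the write-then-execute heuristic for locating the original entry point). Interleaving NOPs into the stub or redirecting the entry point breaks the first and not the second; the step budget and the unknown-opcode exit are the toy analogues of the speed and error-tracing problems the abstract names.

```python
"""Added example: signature-based (static) vs emulation-based (generic) unpacking.

Everything here is constructed for illustration: a toy VM, a toy image layout
and a toy XOR packer.  None of it is code from the paper or Ewido's engine."""

NOP, LOAD, XOR, JMP, HALT = 0x00, 0x01, 0x02, 0x03, 0x04
# Toy encoding: NOP (1 byte); LOAD k -> A = k; XOR a -> mem[a] ^= A;
# JMP a -> ip = a; HALT (1 byte).  Two-byte forms are opcode, operand.

IMAGE_SIZE = 0x50
PAYLOAD = bytes([LOAD, 0x42, HALT])   # the 'real' program the packer hides
KEY = 0x5A
PAYLOAD_BASE = 0x40


def build_stub(key, base, length, target):
    """The packer's decryption stub: LOAD key; XOR base..base+n-1; JMP target."""
    stub = bytes([LOAD, key])
    for i in range(length):
        stub += bytes([XOR, base + i])
    return stub + bytes([JMP, target])


def pack(payload, key=KEY, base=PAYLOAD_BASE, variant="plain"):
    """Build a packed image.  'junk' interleaves NOPs into the stub; 'moved'
    puts a JMP at the entry point and relocates the stub to 0x20."""
    mem = bytearray(IMAGE_SIZE)
    mem[base:base + len(payload)] = bytes(b ^ key for b in payload)
    stub = build_stub(key, base, len(payload), base)
    if variant == "plain":
        mem[0:len(stub)] = stub
    elif variant == "junk":
        # every stub instruction is two bytes, so prefix each with a NOP
        junk = b"".join(bytes([NOP]) + stub[i:i + 2] for i in range(0, len(stub), 2))
        mem[0:len(junk)] = junk
    elif variant == "moved":
        mem[0:2] = bytes([JMP, 0x20])
        mem[0x20:0x20 + len(stub)] = stub
    else:
        raise ValueError(variant)
    return bytes(mem)


def static_unpack(image, entry=0):
    """Signature-driven unpacker: expects exactly LOAD k; XOR a0; XOR a1; ...;
    JMP a0 at the entry point and recovers the payload from the operands.
    Returns None when the stub does not match the known pattern."""
    if image[entry] != LOAD:
        return None
    key = image[entry + 1]
    ip, addrs = entry + 2, []
    while image[ip] == XOR:
        addrs.append(image[ip + 1])
        ip += 2
    if not addrs or image[ip] != JMP or image[ip + 1] != addrs[0]:
        return None
    return bytes(image[a] ^ key for a in addrs)


def generic_unpack(image, entry=0, max_steps=10_000):
    """Emulation-driven unpacker: run the stub and stop at the first transfer
    of control into memory the stub itself wrote.  Returns (oep, memory_dump),
    or None if execution halts, faults or exhausts its step budget."""
    mem, ip, acc, written = bytearray(image), entry, 0, set()
    for _ in range(max_steps):
        if ip in written:                 # executing decrypted bytes: this is the OEP
            return ip, bytes(mem)
        if ip >= len(mem):
            return None                   # ran off the image
        op = mem[ip]
        if op in (LOAD, XOR, JMP) and ip + 1 >= len(mem):
            return None                   # truncated instruction
        if op == NOP:
            ip += 1
        elif op == LOAD:
            acc, ip = mem[ip + 1], ip + 2
        elif op == XOR:
            addr = mem[ip + 1]
            mem[addr] ^= acc
            written.add(addr)
            ip += 2
        elif op == JMP:
            ip = mem[ip + 1]
        elif op == HALT:
            return None                   # halted without reaching decrypted code
        else:
            return None                   # unknown opcode: bail out cleanly
    return None                           # step budget exhausted


if __name__ == "__main__":
    for variant in ("plain", "junk", "moved"):
        img = pack(PAYLOAD, variant=variant)
        s = static_unpack(img)
        g = generic_unpack(img)
        g_ok = g is not None and g[1][g[0]:g[0] + len(PAYLOAD)] == PAYLOAD
        print(f"{variant:6s} static={'ok' if s == PAYLOAD else 'FAIL'} "
              f"generic={'ok' if g_ok else 'FAIL'}")
```

Running the block prints that the static unpacker succeeds only on the unmodified stub while the emulator recovers the payload at 0x40 in all three cases. A real engine replaces the toy VM with a CPU and Windows API emulator, which is where the speed and operating-system emulation problems the abstract lists come from.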
