3 hours 41 minutes
in the last session, we learned about the different types of packers and how they work in this session. We're going to examine and learn different techniques to be able to identify files that have been packed.
When you're analyzing malware, there's a few techniques that you can use to identify pack samples.
First, I'm going to tell you about them here, and then we can execute them in our lab. So the first one is to run the P E file through a tool that can scan it for signatures. Every packers got a unique signature, and that can help you identify.
There's a couple of tools that can help you accomplish this. The one I'm showing you here is E x e info p e. But there's also P e I. D. Uh, this one happens to be a clone of P E I. D.
And there's P E Explorer and P E Studio and detected easy these air all other tools that will allow you to be able to scan the p e file using signatures.
The second technique you can use is to open up the file in CFF Explorer or P I. D or any one of these tools to evaluate the P E section names.
Typically, the section names reveal a lot about the compiler or the packer that was used to create the program.
The third technique that you can use is to look for the unpack er stuff so typically, when execute a bles, run the file's start the execution from the first section, which would be like text or code
packed. Files, on the other hand, are different. They start the execution from the last section, indicating that the P E is beginning to execute from the unpacking stuff.
The fourth technique that you can use is to look for a small import table,
usually the P E Files. They're gonna import a lot of different A p I is that the program is going to use during its execution.
However, in PAC files, you're only going to see a few. AP is being utilized Onley enough to unpack the file.
The fifth technique that you could use is to simply look at the properties of the excusable. Remember, packed files are typically smaller in size and their strings are typically obvious. Skated.
This technique is rather simple, right? You could perform this by simply using extremes tool during a triage or simple static analysis process.
So to show you these techniques, let's go ahead and head over to our lab.
So here in our lab, we have three files and let's start with the easiest technique to scan your file with strings
follow. I want to scan is malware dot been. But before I dio just a note here, you can see that right off the bat. Among the two files the pact one is smaller Malware Dobbin is smaller than malware dot e x c.
All right, so I want to use TheStreet is tool on malware dot Been. So I will, right click and use the strings tool and immediately you can see that instead of a typical p e header, we have some section names. We have the strings E p x 01 and two.
So this is already giving you an idea that this piece of malware it is packed
In addition to seeing our section names as we're scanning through the strings, you can see that we've got some gibberish here and that these strings look obfuscated. We do have some ones that we can view. But in general, you can see that there's some obfuscation going on with this file. Okay, so that was our easiest technique using strings.
The next technique that we can use is to scan the malware with a tool that can scan it with Packer signatures.
So if we take our malware dot been and we drag it over to detect it easy,
you can see here that the Pachter signature is being detected by detected. Easy. Here we can see the malware. It looks like it's being packed with you. PX 396 which is the one I used
next using Detective Easy. We could look at the sections, which we've seen already.
If we click the arrow for number of sections, you can see that there's only three U P x 01 and two.
Remember, though different packers are going to have different section names
to look for or inspect the packer stuff we could utilize to tools.
First we can use detected easy to look at the entry point of the program. So by clicking on the entry point button here, we can see that it's 413 a 60
so Now what we can dio is we could take this and put it into a d bugger.
So if we take it and put it into X 64 debug, we can utilize the memory mapped window.
Here you can see that the entry point falls within our 411000 and 414000 address, which is within the U P X one section.
You can also see here that the permissions on this section are execute a ble
typically a normal execute herbal when opened in and oh, bugger would be pointing to an entry point in the dot tech section which this execute herbal clearly does not
now, using those techniques. So far, we've got a pretty good idea that this piece of malware is packed.
But the last thing that you could try is looking at the import table
in detected easy. If you click on the import button here, you can see that in this particular piece of malware, there's only a few AP eyes that are being listed were unpacked. Sample would have many more.
Okay, so now that you've identified a piece of malware that's packed, what are your options for unpacking it?
Well, there are several techniques you could employ. The first is that you could execute the sample and let it unpack in a live environment.
Now, this could be sufficient for you if all you need is to observe and or collect malware artifacts. Tools such as cocoa sandbox or the pocus emulator are good for this as their automated simulated, and they can also give you finer control of the unpacking process. Also, you could try using in a packer that's known for the Packer itself.
U P Accent Tamada thes air Commercially available pieces of software. You could download a copy or ask for one and see if you could unpack the sample this way
along those same lines. You could try using a generic Um Packer.
Typically generic, um, Packers like quick unpack. The one shown here thes have scripts built inside that work with specific packers so that you can automate the manual unpacking process.
Now the nice thing about the generic um, Packers is that they work with multiple packers, so even if they aren't designed for the packer you encounter, ah, lot of the times. These tools will be able to help you unpack. Sample.
You want to be careful with these, though, because when you use them, they typically executing our on the system.
Now, if none of these tools or techniques help you, the last option is to manually impact the malware, using any combination of scripts, tools and the do bugger.
There are many ways that we can tackle the manual unpacking process.
These air, however, outside the scope of this course and will be presented in an advanced level of detail in a future. Siri's
all right. So now that we have examined packing in the next session, we're going to examine another malware challenge obfuscation.
Advanced Malware Analysis: Redux
In this course, we introduce new techniques to help speed up analysis and transition students from malware analyst to reverse engineer. We skip the malware analysis lab set up and put participants hands on with malware analysis.