Unpacking Binaries
Before you can ever begin to analyze how a piece of malware behaves, you will most
likely be required to unpack that malware. Approaches to unpacking vary depending
upon your particular skill set, but usually a few questions are useful to answer before
you begin the fight to unpack something.
Is This Malware Packed?
How can you identify whether a binary has been packed? There is no one best answer.
Tools such as PEiD (see Chapter 20) can identify whether a binary has been packed
using a known packer, but they are not much help when a new or mutated packer has
been used. As mentioned earlier, strings can give you a feel for whether a binary has
been packed. Typical strings output on a packed binary will consist primarily of garbage
along with the names of the libraries and functions that are required by the unpacker. A
partial listing of the extracted strings from a sample of the Sobig worm is shown next:
!This program cannot be run in DOS mode.
Rich
.shrink
.shrink
.shrink
.shrink
PART V
Chapter 21: Hacking Malware
525
'!Vw@p
KMQl\PD%
N2]B
<...>
cj}D
wQfYX
kernel32.dll
user32.dll
GetModuleHandleA
MessageBoxA
D}uL
:V&&
tD4w
XC001815d
XC001815d
XC001815d
XC001815d
XC001815d
These strings tell us very little.
Pages:
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911