text) is most often the very first section within the binary. The
fourth section probably contains the unpacking stub, which will unpack the other three
sections before transferring control to an address within the first section.
Another thing to note from the strings output is that the binary appears to import
only two libraries (kernel32.dll and user32.dll), and from those libraries imports only
two functions (GetModuleHandleA and MessageBoxA). This is a surprisingly small
number of functions for any program to import. Try running dumpbin on any binary
and you will typically get several screens full of information regarding the libraries and
functions that are imported. Suffice it to say, this particular binary appears to be packed,
and a simple tool like strings was all it took to make that fairly obvious.
Gray Hat Hacking: The Ethical Hacker's Handbook
Part V, Chapter 21: Hacking Malware
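The two observations above (a tiny import table, and an entry point that sits in a later section rather than the first) can be checked mechanically instead of by eyeballing strings output. The following stand-alone Python script is an added example, not code from the book; it walks the PE headers, section table and import directory with only the standard library, adds a per-section entropy check, and runs against a UPX-style PE32 image constructed in memory. The section names, RVAs, stub bytes and the thresholds (10 imports, 7.0 bits/byte) are assumptions made for the demonstration.

```python
# Added example (not code from the book): stdlib-only PE walker applying the
# chapter's packing heuristics to a constructed sample image. All sample bytes,
# section names, RVAs and thresholds below are invented for the demo.
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 suggest compressed or encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def parse_pe(data):
    """Return entry RVA, section table and import directory of a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = pe + 4, pe + 24
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B         # PE32+ has wider fields
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]  # data directory [1]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
                         "entropy": entropy(data[rawptr:rawptr + rawsize])})

    def rva2off(rva):                                              # RVA -> file offset via the section table
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError("RVA %#x is outside every section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("latin-1")

    width, fmt, ord_bit = (8, "<Q", 1 << 63) if plus else (4, "<I", 1 << 31)
    imports = {}
    desc = rva2off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):                            # all-zero descriptor ends the table
            break
        funcs, thunk = [], rva2off(oft or ft)                      # ILT if present, else the IAT
        while True:
            t = struct.unpack_from(fmt, data, thunk)[0]
            if not t:
                break
            funcs.append("#%d" % (t & 0xFFFF) if t & ord_bit else cstr(rva2off(t) + 2))  # skip hint
            thunk += width
        imports[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return {"entry": entry, "sections": sections, "imports": imports}


def packing_indicators(pe, min_imports=10):
    """Heuristics from the text: entry point outside the first section and a tiny import
    table, plus raw-size-zero executable sections and high-entropy sections."""
    hits = []
    for i, s in enumerate(pe["sections"]):
        if i and s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"]):
            hits.append("entry point %#x lies in section %d (%s), not the first" % (pe["entry"], i + 1, s["name"]))
        if s["rawsize"] == 0 and s["vsize"] and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("%s: no raw data but %#x bytes virtual size (unpack destination?)" % (s["name"], s["vsize"]))
        if s["rawsize"] and s["entropy"] > 7.0:
            hits.append("%s: entropy %.2f bits/byte (compressed or encrypted)" % (s["name"], s["entropy"]))
    total = sum(len(f) for f in pe["imports"].values())
    if total < min_imports:
        hits.append("only %d import(s) from %d DLL(s): %s" % (total, len(pe["imports"]), ", ".join(pe["imports"])))
    return hits


def build_sample_pe():
    """Constructed UPX-style PE32 (not real malware): empty UPX0, high-entropy UPX1, a .rsrc
    section, and a 4th section holding the stub plus a two-function import table."""
    img = bytearray(0x800)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 4, 0, 0, 0, 224, 0x102)   # COFF header, 4 sections
    opt = 0x58  # Magic, EntryPoint, ImageBase, alignments, SizeOfImage/Headers, Subsystem, dirs, import dir
    for off, val in ((0, 0x10B), (16, 0x6100), (28, 0x400000), (32, 0x1000), (36, 0x200),
                     (56, 0x7000), (60, 0x200), (68, 2), (92, 16), (104, 0x6000), (108, 0x3C)):
        struct.pack_into("<H" if off in (0, 68) else "<I", img, opt + off, val)
    secs = [(b"UPX0", 0x3000, 0x1000, 0, 0x200, 0xE0000080), (b"UPX1", 0x1000, 0x4000, 0x200, 0x200, 0xE0000040),
            (b".rsrc", 0x100, 0x5000, 0x200, 0x400, 0xC0000040), (b".stub", 0x200, 0x6000, 0x200, 0x600, 0xE0000060)]
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", img, 0x138 + 40 * i, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    img[0x200:0x400] = bytes(range(256)) * 2                                 # UPX1 payload: looks compressed
    blobs = {0x6000: struct.pack("<5I", 0x6050, 0, 0, 0x6070, 0x6058),       # descriptor: kernel32.dll
             0x6014: struct.pack("<5I", 0x6060, 0, 0, 0x607D, 0x6068),       # descriptor: user32.dll
             0x6050: struct.pack("<2I", 0x6088, 0), 0x6058: struct.pack("<2I", 0x6088, 0),  # ILT/IAT
             0x6060: struct.pack("<2I", 0x609C, 0), 0x6068: struct.pack("<2I", 0x609C, 0),
             0x6070: b"kernel32.dll\0", 0x607D: b"user32.dll\0",
             0x6088: b"\0\0GetModuleHandleA\0", 0x609C: b"\0\0MessageBoxA\0",   # hint + name
             0x6100: b"\x60\xbe\x00\x40\x40\x00"}                            # stand-in stub bytes at the entry point
    for rva, blob in blobs.items():
        img[0x600 + rva - 0x6000:0x600 + rva - 0x6000 + len(blob)] = blob    # .stub: RVA 0x6000 -> file 0x600
    return bytes(img)


if __name__ == "__main__":
    sample = parse_pe(build_sample_pe())
    for dll, funcs in sample["imports"].items():
        print(dll, funcs)
    for hit in packing_indicators(sample):
        print("[!]", hit)
```

Run against a real file, `parse_pe(open(path, "rb").read())` replaces `build_sample_pe()`; the thresholds are only heuristics, and a small legitimate program (or one that resolves its imports through GetProcAddress) will also trip the import-count check, so treat the output as a prompt for closer inspection rather than a verdict.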
How Was This Malware Packed?
Now that you have identified a packed binary and your pulse is beginning to rise, it is
useful to attempt to identify exactly how the binary was packed. "Why?" you may ask. In
most cases you will not be the first person to encounter a particular packing scheme. If
you can identify a few key features of the packing scheme, you may be able to search for
and utilize tools or algorithms that have been developed for unpacking the binary you
are analyzing.