OllyBone - Semi-Automatic Unpacking on IA-32
Written by Joe Stewart
The amount of new malware being developed has increased at a staggering rate over the last couple of years. At the same time, executable packing technology has grown to provide malware authors with a myriad of choices in how they pack their malware to evade detection and analysis. This presents a growing problem to analysts who lack the time to learn how each packer works and can be unpacked, but still need to be able to quickly handle anything that comes their way.

There are three conventional approaches to automatic unpacking: unpacking by emulation (very difficult to make 100% compatible with the platform, so such tools tend to be closely held by their authors), unpacking by memory dump (not reliable, and it also corrupts variables with their post-initialization values), and writing a specific unpacking engine for each packer based on reverse-engineering the packer code (a huge undertaking to achieve enough coverage, and a cat-and-mouse game besides).

In this presentation I will demonstrate a semi-automatic approach to unpacking malware that bridges the gap between highly-skilled manual unpacking and speedy but costly automatic unpacking. By leveraging certain aspects of the i386 architecture we can unpack code from a great deal of packers to the OEP without emulation or specific knowledge of the packing algorithm.
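To make the idea concrete, here is a small simulation of the write-then-execute heuristic that such an approach relies on. This is an added example, not code from the talk or from the OllyBonE tool; it assumes (as a simplification) that a packer must first write the unpacked code into memory and then transfer control to it, so the first instruction fetched from a watched page that was written earlier in the run is a strong OEP candidate. On real i386 hardware this is implemented with page-protection tricks; here the "CPU" is just a constructed list of trace events, and the names `Event`, `find_oep` and `constructed_trace` are this example's own.

```python
"""Simulated 'break on execute of written memory' OEP heuristic.

Added example, not code from the OllyBone talk or tool.  The trace events,
addresses and section layout below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

PAGE_SIZE = 0x1000


def page_of(addr: int) -> int:
    """Page-align an address (4 KiB pages, as on i386 without PSE)."""
    return addr & ~(PAGE_SIZE - 1)


@dataclass(frozen=True)
class Event:
    kind: str   # "write" (data store) or "exec" (instruction fetch)
    addr: int


def find_oep(trace: Iterable[Event], watched: Iterable[range]) -> Optional[int]:
    """Return the first address executed from a watched page that was written
    earlier in the trace, or None if no such write-then-execute occurs.

    'watched' is the set of address ranges the analyst expects the packer to
    unpack into (typically the original code section).  Pages outside it are
    ignored, so the packer stub running elsewhere does not trigger a false hit.
    """
    watched_pages = set()
    for r in watched:
        for a in range(page_of(r.start), r.stop, PAGE_SIZE):
            watched_pages.add(a)

    dirty = set()   # watched pages that have been written since the start
    for ev in trace:
        pg = page_of(ev.addr)
        if pg not in watched_pages:
            continue
        if ev.kind == "write":
            dirty.add(pg)
        elif ev.kind == "exec" and pg in dirty:
            return ev.addr   # first fetch from freshly written code: OEP candidate
    return None


def constructed_trace() -> List[Event]:
    """Constructed sample run: a stub at 0x409000 decompresses code into the
    watched section at 0x401000 and then jumps into it."""
    events = [Event("exec", 0x409000), Event("exec", 0x409005)]
    for off in range(0, 0x2000, 4):            # stub writes the unpacked code
        events.append(Event("write", 0x401000 + off))
    events.append(Event("exec", 0x409200))     # tail of the stub, still outside
    events.append(Event("exec", 0x401230))     # control transfer into unpacked code
    events.append(Event("exec", 0x401233))
    return events


if __name__ == "__main__":
    oep = find_oep(constructed_trace(), [range(0x401000, 0x405000)])
    print(f"OEP candidate: {oep:#x}" if oep is not None else "no OEP found")
```

Note the caveat built into the function: executing a watched page that was never written returns `None`, which models the failure mode where the analyst has watched the wrong section, or where the packer runs the original code in place without rewriting it. In that case the heuristic gives no answer rather than a wrong one, and the analyst falls back to manual work.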


Download: http://www.secure-software-engineering.com/downloads/recon2006/recon2006_Stewart_Ollybone.pdf