
I did a brief survey on malware unpacking and I found several theses on automated general unpacking: Eureka, PolyUnpack, OmniUnpack, Malware Normalization.

However, these theses were written years ago and I don't think these methods still work. A basic assumption of these methods is that an unpacker routine restores the whole protected code at once. Thus, we can get the original code by dumping a certain memory region when the unpacker routine finishes its work.

When it comes to more sophisticated packers (such as Maya's veil), the packer doesn't reveal the whole protected code. As far as I know, one attempt to attack this problem is to distinguish between code that performs the unpacking routine and code that does not, and I think this is not really unpacking.

Is the only way to unpack sophisticated packers to manually reverse them?

Thank you.

kensuke
    Even though there is sophisticated malware out there, there is always unsophisticated malware for which those old techniques might still work. – mrexodia Sep 15 '18 at 17:24

1 Answer


You actually have more than one option in this case:

  1. RE of the sophisticated packer.

  2. Wait for someone else to RE the sophisticated packer and publish the method/tool. Maybe ask in this community?

  3. Ask the author of the sophisticated packer to provide the unpacker [buy one?].

  4. Ask the author of the packed program to provide it to you with no sophisticated packer applied.

Hope it helps :)

D.L.

Denis Laskov