Generic unpacking – how to handle modified or unknown PE compression engines? presented at Virus Bulletin 2005

by Tobias Graf (Ewido networks)

Summary: Current Agobot collections show that open source crypters like YodaCrypter will become a bigger threat to the anti-virus industry. Static unpacking engines are fooled by added instructions or modified entry points – changes that can be made in five minutes. One solution is to implement generic unpacking by emulating the underlying compression engine, similar to the approach used for polymorphic viruses. In our paper/presentation we will show the most important problems of emulating a compression engine and how to solve them. First, we describe the emulation process, its many advantages and the problems that arise. Then we will give some impressions of the major problems: speed, error tracing and operating system emulation. Finally, we will give a snapshot of our current generic unpacking engine and show what has been achieved and what can be achieved in the future.