SlideShare a Scribd company logo

Reversing & malware analysis training part 7 unpacking upx

Abdulrahman Bassam
Abdulrahman Bassam
Technology
1 of 25
Download to read offline
www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who am I Nagareshwar Talekar  Founder of SecurityXploded  Reverse Engineering, Malware Analysis, Cryptography, Password Forensics, Secure Coding etc.  Email: tnagareshwar at gmail.com www.SecurityXploded.com
Course Q&A  Keep yourself up to date with latest security news  http://www.securityphresh.com  For Q&A, join our mailing list.  http://groups.google.com/group/securityxploded www.SecurityXploded.com
Contents  What is EXE Packing?  Purpose of Packing EXE  What is Unpacking?  Detection of Packer  Execution of Packed EXE Program  Standard Process of Unpacking EXE  Unpacking UPX using OllyDbg  DEMO - Unpacking UPX  Anti Anti-Debugging Plugins  References www.SecurityXploded.com
What is EXE Packing/Protecting?  EXE Packing: Compressing the Executable to a smaller Size  EXE Protecting: Encrypting with Anti-Debugging Techniques to prevent Reversing  In Reversing world, both Packer & Protector is commonly referred as Packer. Examples of Packers: UPX, AsProtect, Armadillo etc. www.SecurityXploded.com
EXE - Before Packing www.SecurityXploded.com
EXE - After Packing www.SecurityXploded.com
Purpose of Packing EXE  Prevent Reverse Engineering [Crack License, Secret Code etc.] • Defeat Static Disassembling • Make Dynamic Debugging Difficult  Reduce the size of Executable file  Bypass Anti-virus Detections with multi-level Packing  It is used by Software Vendors to prevent Serial Cracking and Malware Authors to prevent analysis by AV Researchers. www.SecurityXploded.com
What is Unpacking?  Extracting the Original Binary from the Packed Executable File.  Automatic Unpackers available for popular Packers. • May not work with different versions • Not available for Complex packers  Involves Live Debugging by Defeating Anti-Debugging techniques www.SecurityXploded.com
Detection of Packer  Packer Detectors like PEiD, RDG, ExeScan etc • Detect the popular Packers • Show the version of Packer also  PE Viewer Tools like PEditor, PEview • Look at Section Table • Look at Import Table www.SecurityXploded.com
Packer Detectors www.SecurityXploded.com
Structure of Packed EXE www.SecurityXploded.com Before Packing After Packing
Execution of Packed EXE Program  Execution starts from new OEP  Saves the Registerstatus using PUSHAD instruction  All the Packed Sections are Unpackedin memory  Resolvethe importtable of originalexecutablefile.  Restorethe originalRegisterStatus using POPAD instruction  Finally Jumps to Original Entry point to begin the actual execution www.SecurityXploded.com
Standard Process of Unpacking EXE  Debug the EXE to find the real OEP (Original Entry Point)  At OEP, Dump the fully Unpacked Program to Disk  [?] Fix the Import Table using ImpRec Tool  [?] Fix the PE Header www.SecurityXploded.com
Unpacking UPX using OllyDbg  Load the UPX packed EXE file into the OllyDbg  Start tracing the EXE, until you encountera PUSHAD instruction.  At this stage, put the HardwareBreakpoint (type'hr esp-4' at commandbar) so as to stopat POPAD instruction.  Otherway is to manually searchforPOPAD (Opcode 61) instructionand then set Breakpointon it. www.SecurityXploded.com
Unpacking UPX using OllyDbg (contd)  Next press F9 to continue the Execution.  You will break on the instruction which is immediately after POPAD or on POPAD instruction [based on the method you have chosen]  Now start tracing with F7 and soon you will encounter a JMP instruction which will Jump to OEP in the original program.  At OEP, dump the whole program using OllyDmp plugin. www.SecurityXploded.com
DEMO - Unpacking UPX www.SecurityXploded.com http://vimeo.com/42197903
Anti Anti-Debugging Plugins Here are useful OllyDbg Plugins for Anti Anti-Debugging  Olly Advanced  Hide Debugger  NtGlobalFlag  Anti Anti BPM www.SecurityXploded.com
Useful Tips  Always use simple EXE for Unpacking exercises  Use same EXE for all – You will know the OEP & other magic numbers  Use Windows XP for better (less annoying) debugging experience.  Have Patience, Its an Art and takes time.  For best results, do it in the Moon Light  www.SecurityXploded.com
What's Next?  Try Unpacking AsPack, AsProtect, PESpin, YodaP etc  Try Unpacking Packed DLL (Google - Neolite DLL Unpacking)  Try Advanced Packers: Armadillo  www.SecurityXploded.com
Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com
Thank You ! www.SecurityXploded.com

Recommended

Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
Thomas Roccia
 
Mobile Application Penetration Testing Giordano Giammaria
Mobile Application Penetration Testing Giordano GiammariaMobile Application Penetration Testing Giordano Giammaria
Mobile Application Penetration Testing Giordano Giammaria
Giammaria Giordano
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware Infections
Ramon
 
malware analysis
malware analysismalware analysis
malware analysis
20CS201AkashR
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on Windows
OWASP Delhi
 
Software Engineering - chp6- development phase
Software Engineering - chp6- development phaseSoftware Engineering - chp6- development phase
Software Engineering - chp6- development phase
Lilia Sfaxi
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
Florian Roth
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
Prashant Hegde
 

Recommended

Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
Thomas Roccia
 
Mobile Application Penetration Testing Giordano Giammaria
Mobile Application Penetration Testing Giordano GiammariaMobile Application Penetration Testing Giordano Giammaria
Mobile Application Penetration Testing Giordano Giammaria
Giammaria Giordano
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware Infections
Ramon
 
malware analysis
malware analysismalware analysis
malware analysis
20CS201AkashR
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on Windows
OWASP Delhi
 
Software Engineering - chp6- development phase
Software Engineering - chp6- development phaseSoftware Engineering - chp6- development phase
Software Engineering - chp6- development phase
Lilia Sfaxi
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
Florian Roth
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
Prashant Hegde
 
Malware hunting with the sysinternals tools
Malware hunting with the sysinternals toolsMalware hunting with the sysinternals tools
Malware hunting with the sysinternals tools
Ali Asad Sahu
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
Florian Roth
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
Jiri Danihelka
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
Sam Bowne
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5
Brent Muir
 
RSA NetWitness Log Decoder
RSA NetWitness Log DecoderRSA NetWitness Log Decoder
RSA NetWitness Log Decoder
Susam Pal
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
Christian Heinrich
 
Galen Framework - Responsive Design Automation
Galen Framework - Responsive Design AutomationGalen Framework - Responsive Design Automation
Galen Framework - Responsive Design Automation
Venkat Ramana Reddy Parine
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
NCC Group
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
Systemes authentification
Systemes authentificationSystemes authentification
Systemes authentification
Lhouceine OUHAMZA
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Anant Shrivastava
 
Product Security
Product SecurityProduct Security
Product Security
Steven Carlson
 
[Amateras uml]manual
[Amateras uml]manual[Amateras uml]manual
[Amateras uml]manual
Morifu
 
Instructions on how to create account in sonarcloud
Instructions on how to create account in sonarcloudInstructions on how to create account in sonarcloud
Instructions on how to create account in sonarcloud
ssuser29f27f
 
Reversing malware analysis training part7 unpackingupx
Reversing malware analysis training part7 unpackingupxReversing malware analysis training part7 unpackingupx
Reversing malware analysis training part7 unpackingupx
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 

More Related Content

What's hot

Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
[Amateras uml]manual
[Amateras uml]manual[Amateras uml]manual
[Amateras uml]manual
Morifu
 

What's hot (20)

Malware hunting with the sysinternals tools
Malware hunting with the sysinternals toolsMalware hunting with the sysinternals tools
Malware hunting with the sysinternals tools
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5
 
RSA NetWitness Log Decoder
RSA NetWitness Log DecoderRSA NetWitness Log Decoder
RSA NetWitness Log Decoder
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Galen Framework - Responsive Design Automation
Galen Framework - Responsive Design AutomationGalen Framework - Responsive Design Automation
Galen Framework - Responsive Design Automation
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Systemes authentification
Systemes authentificationSystemes authentification
Systemes authentification
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
Product Security
Product SecurityProduct Security
Product Security
 
[Amateras uml]manual
[Amateras uml]manual[Amateras uml]manual
[Amateras uml]manual
 
Instructions on how to create account in sonarcloud
Instructions on how to create account in sonarcloudInstructions on how to create account in sonarcloud
Instructions on how to create account in sonarcloud
 

Similar to Reversing & malware analysis training part 7 unpacking upx

Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
Abdulrahman Bassam
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
Abdulrahman Bassam
 
Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
Abdulrahman Bassam
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
Abdulrahman Bassam
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
Abdulrahman Bassam
 
The Power of PC Software.pdf
The Power of PC Software.pdfThe Power of PC Software.pdf
The Power of PC Software.pdf
Google chorome
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
Concentrated Technology
 

Similar to Reversing & malware analysis training part 7 unpacking upx (20)

Reversing malware analysis training part7 unpackingupx
Reversing malware analysis training part7 unpackingupxReversing malware analysis training part7 unpackingupx
Reversing malware analysis training part7 unpackingupx
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guide
 
Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
 
Reversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensicsReversing & malware analysis training part 8 malware memory forensics
Reversing & malware analysis training part 8 malware memory forensics
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advanced
 
App locker
App lockerApp locker
App locker
 
Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basics
 
Hakin9 05 2013
Hakin9 05 2013Hakin9 05 2013
Hakin9 05 2013
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containers
 
The Power of PC Software.pdf
The Power of PC Software.pdfThe Power of PC Software.pdf
The Power of PC Software.pdf
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
TechMentor Fall, 2011 - Packaging Software for Automated Deployment with Wind...
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Reversing & malware analysis training part 7 unpacking upx

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I Nagareshwar Talekar  Founder of SecurityXploded  Reverse Engineering, Malware Analysis, Cryptography, Password Forensics, Secure Coding etc.  Email: tnagareshwar at gmail.com www.SecurityXploded.com
  • 6. Course Q&A  Keep yourself up to date with latest security news  http://www.securityphresh.com  For Q&A, join our mailing list.  http://groups.google.com/group/securityxploded www.SecurityXploded.com
  • 7. Contents  What is EXE Packing?  Purpose of Packing EXE  What is Unpacking?  Detection of Packer  Execution of Packed EXE Program  Standard Process of Unpacking EXE  Unpacking UPX using OllyDbg  DEMO - Unpacking UPX  Anti Anti-Debugging Plugins  References www.SecurityXploded.com
  • 8. What is EXE Packing/Protecting?  EXE Packing: Compressing the Executable to a smaller Size  EXE Protecting: Encrypting with Anti-Debugging Techniques to prevent Reversing  In Reversing world, both Packer & Protector is commonly referred as Packer. Examples of Packers: UPX, AsProtect, Armadillo etc. www.SecurityXploded.com
  • 9. EXE - Before Packing www.SecurityXploded.com
  • 10. EXE - After Packing www.SecurityXploded.com
  • 11. Purpose of Packing EXE  Prevent Reverse Engineering [Crack License, Secret Code etc.] • Defeat Static Disassembling • Make Dynamic Debugging Difficult  Reduce the size of Executable file  Bypass Anti-virus Detections with multi-level Packing  It is used by Software Vendors to prevent Serial Cracking and Malware Authors to prevent analysis by AV Researchers. www.SecurityXploded.com
  • 12. What is Unpacking?  Extracting the Original Binary from the Packed Executable File.  Automatic Unpackers available for popular Packers. • May not work with different versions • Not available for Complex packers  Involves Live Debugging by Defeating Anti-Debugging techniques www.SecurityXploded.com
  • 13. Detection of Packer  Packer Detectors like PEiD, RDG, ExeScan etc • Detect the popular Packers • Show the version of Packer also  PE Viewer Tools like PEditor, PEview • Look at Section Table • Look at Import Table www.SecurityXploded.com
  • 15. Structure of Packed EXE www.SecurityXploded.com Before Packing After Packing
  • 16. Execution of Packed EXE Program  Execution starts from new OEP  Saves the Registerstatus using PUSHAD instruction  All the Packed Sections are Unpackedin memory  Resolvethe importtable of originalexecutablefile.  Restorethe originalRegisterStatus using POPAD instruction  Finally Jumps to Original Entry point to begin the actual execution www.SecurityXploded.com
  • 17. Standard Process of Unpacking EXE  Debug the EXE to find the real OEP (Original Entry Point)  At OEP, Dump the fully Unpacked Program to Disk  [?] Fix the Import Table using ImpRec Tool  [?] Fix the PE Header www.SecurityXploded.com
  • 18. Unpacking UPX using OllyDbg  Load the UPX packed EXE file into the OllyDbg  Start tracing the EXE, until you encountera PUSHAD instruction.  At this stage, put the HardwareBreakpoint (type'hr esp-4' at commandbar) so as to stopat POPAD instruction.  Otherway is to manually searchforPOPAD (Opcode 61) instructionand then set Breakpointon it. www.SecurityXploded.com
  • 19. Unpacking UPX using OllyDbg (contd)  Next press F9 to continue the Execution.  You will break on the instruction which is immediately after POPAD or on POPAD instruction [based on the method you have chosen]  Now start tracing with F7 and soon you will encounter a JMP instruction which will Jump to OEP in the original program.  At OEP, dump the whole program using OllyDmp plugin. www.SecurityXploded.com
  • 20. DEMO - Unpacking UPX www.SecurityXploded.com http://vimeo.com/42197903
  • 21. Anti Anti-Debugging Plugins Here are useful OllyDbg Plugins for Anti Anti-Debugging  Olly Advanced  Hide Debugger  NtGlobalFlag  Anti Anti BPM www.SecurityXploded.com
  • 22. Useful Tips  Always use simple EXE for Unpacking exercises  Use same EXE for all – You will know the OEP & other magic numbers  Use Windows XP for better (less annoying) debugging experience.  Have Patience, Its an Art and takes time.  For best results, do it in the Moon Light  www.SecurityXploded.com
  • 23. What's Next?  Try Unpacking AsPack, AsProtect, PESpin, YodaP etc  Try Unpacking Packed DLL (Google - Neolite DLL Unpacking)  Try Advanced Packers: Armadillo  www.SecurityXploded.com
  • 24. Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com