Re: UPX issues in virus analysis
Hi!
>I'm not sure I've found the right list, but here we go...
The file has probably been packed with UPX, and then a tool such as UPX Scrambler or something similar has been applied.
To work around it, you have to trace the protected file until you find the OEP (Original Entry Point) of the program; then you can dump the process. It's important to dump the process AT the entry point, and not further, if you want a reliable dump.
Finally, you have to modify the PE header and enter the new entry point. Hint: LordPE is a nice PE editor.
If you do it well, you don't have to work on the import table; the file should be perfectly disassemblable and analyzable (and runnable :)
If you need further help, feel free to email me.
Best Regards,
--
Nicolas Brulez
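The last step of the procedure above, writing the new entry point into the PE header of the dump, done programmatically as an added example (it is not code from the post or from LordPE). The PE image is a constructed minimal PE32 header standing in for a real dump, and the OEP value 0x401000 is an assumed debugger observation; the one real detail the code relies on is that the debugger shows a virtual address while the header stores an RVA relative to ImageBase.

```python
import struct

def build_sample_pe(image_base=0x400000, entry_rva=0x8F20):
    """Constructed minimal PE32 image standing in for a process dump (not a real binary)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)       # e_lfanew: PE header starts at 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint (still the packer stub)
    struct.pack_into("<I", opt, 28, image_base)   # ImageBase
    return bytes(dos + coff + opt)

def _optional_header(image):
    """Locate the optional header; return (entry-point offset, image-base offset, is PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                            # PE32: ImageBase is a DWORD at +28
        return opt + 16, opt + 28, False
    if magic == 0x20B:                            # PE32+: ImageBase is a QWORD at +24
        return opt + 16, opt + 24, True
    raise ValueError("unknown optional header magic 0x%x" % magic)

def get_entry_point(image):
    ep_off, _, _ = _optional_header(image)
    return struct.unpack_from("<I", image, ep_off)[0]

def set_entry_point(image, oep_va):
    """Rewrite AddressOfEntryPoint so the dump starts at the OEP found while tracing.
    The debugger shows a virtual address; the header stores an RVA, so subtract ImageBase."""
    ep_off, ib_off, plus = _optional_header(image)
    base = struct.unpack_from("<Q" if plus else "<I", image, ib_off)[0]
    rva = oep_va - base
    if not 0 <= rva <= 0xFFFFFFFF:
        raise ValueError("OEP 0x%x lies outside an image based at 0x%x" % (oep_va, base))
    patched = bytearray(image)
    struct.pack_into("<I", patched, ep_off, rva)
    return bytes(patched)

if __name__ == "__main__":
    dump = build_sample_pe()
    fixed = set_entry_point(dump, 0x401000)       # OEP observed in the debugger (assumed value)
    print("entry point RVA: 0x%x -> 0x%x" % (get_entry_point(dump), get_entry_point(fixed)))
```

Only the entry-point field changes; section headers and the rest of the dump are left untouched, which is what makes the result load and disassemble like the original.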
Received on Wed Jul 9 04:18:18 2003