> You may want to look at scans #32 and #33 at:
>
> http://www.honeynet.org/scans/index.html

Okay, I've gone back through some of the postings for
responses for both of the scans you point to...and I'm
not seeing anything that really points to what I'm
looking for.

Maybe I can try to be a little bit more clear...my
original question was "Is anyone pursuing entry point
analysis of PE files, particularly files that have
been obfuscated/compressed/encrypted?".

In scan #32, several of the recipients are pursuing
entry point "identification" (i.e., locating the entry
point of the PE file) but as of yet, there doesn't
seem to be any *analysis* being done.

I'll try to be a little more specific...

Is anyone pursuing any work in analyzing the byte
sequences or code at the PE file entry point in order
to identify the obfuscator, packer, encrypter, or
compiler used?

Thanks,
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
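
The distinction drawn in the message above, between locating the PE entry point and analyzing the bytes found there, shown as an added Python example that is not part of the original post. The signature table, its labels, the function names and the sample image are assumptions constructed for illustration, not a reference signature set.

```python
import struct

# Constructed signature table; None is a wildcard byte. Patterns are
# illustrative assumptions, not an authoritative packer database.
SIGNATURES = [
    ("UPX-style stub", [0x60, 0xBE, None, None, None, None, 0x8D, 0xBE]),
    ("compiler-style prologue", [0x55, 0x8B, 0xEC]),  # push ebp; mov ebp, esp
]

def entry_point(data, count=16):
    """Identification: map AddressOfEntryPoint to a file offset, return (offset, bytes)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, = struct.unpack_from("<H", data, pe + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)      # SizeOfOptionalHeader
    ep_rva, = struct.unpack_from("<I", data, pe + 24 + 16)   # AddressOfEntryPoint
    table = pe + 24 + opt_size
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, table + 40 * i + 8)
        delta = ep_rva - vaddr
        if 0 <= delta < rsize:                               # bytes exist on disk
            off = rptr + delta
            return off, data[off:off + count]
    raise ValueError("entry point has no raw bytes in any section")

def classify(ep):
    """Analysis: compare the entry-point bytes with each wildcard pattern."""
    for label, pat in SIGNATURES:
        if len(ep) >= len(pat) and all(p is None or p == b for p, b in zip(pat, ep)):
            return label
    return "unknown"

def build_sample(stub):
    """Constructed minimal PE32 image: one section, RVA 0x1000, raw data at 0x200."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)             # i386, one section
    struct.pack_into("<H", img, 0x80 + 20, 0xE0)             # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x98 + 16, 0x1010)           # AddressOfEntryPoint
    img[0x178:0x178 + 5] = b".text"
    struct.pack_into("<4I", img, 0x178 + 8, 0x200, 0x1000, 0x200, 0x200)
    img[0x210:0x210 + len(stub)] = stub
    return bytes(img)
```

A match on a few prologue bytes is only a hint: packers vary their stubs and a pattern can be forged, so a result of "unknown" or an unexpected label is a reason to look closer, not a verdict.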