Jun 23 2006 10:42PM
Lance James (phishing securescience net)
als (at) hush (dot) com wrote:
> I recently came across a suspicious binary (.SCR) file in a
> compromised system. As I started to analyse it by running a
> 'strings' against it I noticed there was very little readable text
> in it, but the first line caught my attention: PECompact2.
> I did some research and it seems this indicates the binary is
> somehow compressed/obfuscated by using some sort of PE compression
> tool (probably http://www.bitsum.com/pec2.asp).
There are many ways to unpack and it really depends on the executable.
You're going to want to most likely find where it jumps to the Original
Entry Point (OEP). Then you would establish a breakpoint on that
instruction and dump the memory to file. This is the quickest and easiest way.
There are also tools out there like OllyBone (I believe it's released
now) by Joe Stewart.
> Now I would like to unpack the executable to carry on with the
> analysis. From what I could understand this would only be possible
> by running it in a test win32 system, probably using a disassembly
> tool, since it only "unpacks" itself when being executed. Is that
> correct? Would there be some other way of doing so, perhaps using
> some sort of decompression tool? I was not able to find any so far.
> Thanks for any help.
Secure Science Corporation
Author of "Phishing Exposed"
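A static triage step that fits before the dynamic unpacking described above: check whether a PE's entry point sits in a high-entropy, writable+executable section rather than in `.text`, which is the usual footprint of a packer stub whose job is to reach the original entry point at run time. The script below is an added example written for this thread, not code from the poster or from any unpacking tool; it walks the real PE32 header layout with `struct` only, and the two sample images it analyses are constructed in memory (the `pec2` section name and the embedded `PECompact2` marker are stand-ins, not PECompact's actual layout).

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, near 0 for constant data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes):
    """Minimal PE32 walk: returns (AddressOfEntryPoint, list of section dicts)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry_point = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]
    sections = []
    off = pe_off + 24 + opt_size                              # section table
    for _ in range(num_sections):
        (name, vsize, va, rsize, ptr, _r, _l, _nr, _nl, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        raw = data[ptr:ptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rsize": rsize, "chars": chars,
                         "entropy": shannon_entropy(raw)})
        off += 40
    return entry_point, sections


def packing_indicators(data: bytes) -> dict:
    """Heuristics a defender can apply before running anything: where does the
    entry point land, and what does that section look like?"""
    ep, sections = parse_sections(data)
    ep_sec = next((s for s in sections
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["rsize"])), None)
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    ind = {
        "packer_string": b"PECompact2" in data,        # the string the poster saw
        "ep_outside_text": ep_sec is not None and ep_sec["name"] != ".text",
        "ep_section_high_entropy": ep_sec is not None and ep_sec["entropy"] > 7.0,
        "ep_section_writable_exec": ep_sec is not None and (ep_sec["chars"] & rwx) == rwx,
    }
    return {"entry_point": ep, "ep_section": ep_sec, "indicators": ind,
            "likely_packed": sum(ind.values()) >= 2}


def build_sample_pe(packed: bool) -> bytes:
    """Constructed PE32 image for demonstration only; it is not a runnable program."""
    if packed:   # packer left .text empty and put its stub in a second RWX section
        sections = [(b".text", b"\x00" * 512, 0x60000020),
                    (b"pec2", bytes(range(256)) * 16, 0x40000040 | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)]
        ep_index, stub = 1, b"PECompact2"              # constructed marker string
    else:        # ordinary binary: low-entropy code in a read+execute .text
        sections = [(b".text", b"\x55\x8b\xec\x90" * 256, 0x60000020)]
        ep_index, stub = 0, b"This program cannot be run in DOS mode."
    hdr_size = 0x40 + 24 + 224 + 40 * len(sections)
    dos = (b"MZ" + stub).ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    rva, raw_off, sec_hdrs, payload, ep = 0x1000, hdr_size, b"", b"", 0
    for i, (name, raw, chars) in enumerate(sections):
        if i == ep_index:
            ep = rva + 0x10
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(raw), raw_off, 0, 0, 0, 0, chars)
        payload += raw
        raw_off += len(raw)
        rva += 0x1000 * ((len(raw) + 0xFFF) // 0x1000)         # 4 KiB section alignment
    struct.pack_into("<I", opt, 16, ep)                        # AddressOfEntryPoint
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs + payload


if __name__ == "__main__":
    for label, img in (("packed", build_sample_pe(True)), ("plain", build_sample_pe(False))):
        r = packing_indicators(img)
        print(label, hex(r["entry_point"]), r["ep_section"]["name"], r["indicators"], r["likely_packed"])
```

The heuristics are deliberately cumulative: a single hit (a packer string, say) is weak evidence, but an entry point in a writable, executable, near-random section is exactly the state a packer stub must be in before it can decompress and jump to the OEP, which is why the breakpoint-and-dump approach above works once that jump is found.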
Copyright 2010, SecurityFocus