PECompact2 (Jun 23 2006 06:08PM, als hush com, 4 replies)
RE: PECompact2 (Jun 25 2006 11:07PM, Earl_Marcus_Tan dell com)
You would want to confirm that with a PE identifier because some packers
change the strings in the sections table in the PE header to confuse
people. A good tool to use for this is PEiD (http://peid.has.it/).
Regards,
marcus
-----Original Message-----
From: als (at) hush (dot) com [email concealed] [mailto:als (at) hush (dot) com [email concealed]]
Sent: Saturday, June 24, 2006 2:09 AM
To: binaryanalysis (at) securityfocus (dot) com [email concealed]
Subject: PECompact2
Greetings,
I recently came across a suspicious binary (.SCR) file in a
compromised system. As I started to analyse it by running a
'strings' against it I noticed there was very little readable text
in it, but the first line caught my attention: PECompact2.
I did some research and it seems this indicates the binary is
somehow compressed/obfuscated by using some sort of PE compression
tool (probably http://www.bitsum.com/pec2.asp).
Now I would like to unpack the executable to carry on with the
analysis. From what I could understand this would only be possible
by running it in a test win32 system, probably using a disassembly
tool, since it only "unpacks" itself when being executed. Is that
correct? Would there be some other way of doing so, perhaps using
some sort of decompression tool? I was not able to find any so far.
Thanks for any help.
regards,
alex
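Marcus's point is that the section names a `strings` run shows are just eight bytes in each section header, which any packer can rewrite, so a triage tool should look at what the PE header actually says about the sections rather than at their names. The script below is an added example written for this thread, not code from either poster or from PEiD: it parses the section table of a PE32 image with the standard library only and reports the indicators a packed file typically shows (a section with no raw data but a large virtual size, writable-and-executable sections, near-8-bits-per-byte entropy, an entry point outside the first section). Both sample images, `PACKED_SAMPLE` and `CLEAN_SAMPLE`, are constructed in memory for the demonstration; they are not real programs, and the packed one deliberately carries ordinary-looking `.text`/`.data` names.

```python
"""Triage a PE32 section table without trusting the section names.

Constructed example: both sample images are built in memory, not real
programs. Header offsets follow the PE/COFF spec (PE32 optional header).
"""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Return (entry_point_rva, [section dicts]) for a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, off)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
            "chars": chars, "entropy": shannon_entropy(raw),
        })
    return entry_rva, sections


def triage(pe: bytes):
    """Heuristic packing indicators; an empty list means nothing looked odd."""
    entry, sections = parse_pe(pe)
    findings = []
    for s in sections:
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes virtual (unpack target?)")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
    for s in sections:
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            if s is not sections[0]:
                findings.append(f"entry point {entry:#x} in {s['name']}, not the first section")
            break
    else:
        findings.append(f"entry point {entry:#x} outside every section")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image; sections = [(name, vsize, vaddr, raw, chars)]."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    first_raw = (0x40 + 4 + 20 + 224 + 40 * len(sections) + 0x1FF) & ~0x1FF
    hdrs, body = bytearray(), bytearray()
    for name, vsize, vaddr, raw, chars in sections:
        rawptr = first_raw + len(body) if raw else 0
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), rawptr, 0, 0, 0, 0, chars)
        body += raw
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return bytes(image + b"\0" * (first_raw - len(image)) + body)


# Constructed samples. The "packed" one mimics the usual packer layout: an empty
# first section reserved for the unpacked code and a high-entropy blob that the
# entry point lands in, all behind innocuous section names.
_rng = random.Random(2006)
PACKED_SAMPLE = build_pe([
    (b".text", 0x10000, 0x1000, b"", 0xE0000020),            # code|exec|read|write
    (b".data", 0x2000, 0x11000, bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000040),
], entry_rva=0x11100)
CLEAN_SAMPLE = build_pe([
    (b".text", 0x1000, 0x1000, b"Hello, world!\0" * 64, 0x60000020),  # code|exec|read
], entry_rva=0x1000)

if __name__ == "__main__":
    for label, img in (("packed-looking", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, [s["name"] for s in parse_pe(img)[1]])
        for finding in triage(img) or ["no indicators"]:
            print("  -", finding)
```

Run against a file from disk by passing `open(path, "rb").read()` to `triage()`. The indicators are heuristics, not proof: a legitimately compressed resource section will trip the entropy check, and a packer can pad its stub to look ordinary, which is why the reply above still recommends a signature-based identifier such as PEiD alongside this kind of structural check.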