Binary Analysis
PECompact2 Jun 23 2006 06:08PM
als hush com (4 replies)
RE: PECompact2 Jun 25 2006 11:07PM
Earl_Marcus_Tan dell com

You would want to confirm that with a PE identifier because some packers
change the strings in the sections table in the PE header to confuse
people. A good tool to use for this is PEiD (http://peid.has.it/).

Regards,
marcus

-----Original Message-----
From: als (at) hush (dot) com [mailto:als (at) hush (dot) com]
Sent: Saturday, June 24, 2006 2:09 AM
To: binaryanalysis (at) securityfocus (dot) com
Subject: PECompact2

Greetings,

I recently came across a suspicious binary (.SCR) file in a
compromised system. As I started to analyse it by running a
'strings' against it I noticed there was very little readable text
in it, but the first line caught my attention: PECompact2.

I did some research and it seems this indicates the binary is
somehow compressed/obfuscated by using some sort of PE compression
tool (probably http://www.bitsum.com/pec2.asp).

Now I would like to unpack the executable to carry on with the
analysis. From what I could understand this would only be possible
by running it in a test win32 system, probably using a disassembly
tool, since it only "unpacks" itself when being executed. Is that
correct? Would there be some other way of doing so, perhaps using
some sort of decompression tool? I was not able to find any so far.

Thanks for any help.

regards,
alex

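Marcus's point that section names can be rewritten by a packer suggests looking at what the section table actually describes rather than at its labels. The following is an added example, not code from the thread, from PEiD or from the PECompact tool: a small Python parser that walks the section table of a constructed, minimal PE image and reports two name-independent hints of a runtime unpacker, a section that is empty on disk but large in memory, and a section whose raw bytes have near-random entropy. The sample image, the section names and the 7.0 entropy threshold are assumptions for illustration; PEiD-style signature matching is not reproduced.

```python
import hashlib
import math
import struct
from collections import Counter
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted data, well below for code."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(image: bytes) -> list:
    """Walk the section table reached via e_lfanew; one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section headers follow the optional header
    out = []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        name, vsize, raw_size, raw_ptr = f[0], f[1], f[3], f[4]
        raw = image[raw_ptr:raw_ptr + raw_size]
        out.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                    "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    return out

def packer_indicators(sections: list) -> list:
    """Name-independent hints: a section empty on disk but large in memory (filled by
    the unpacking stub at run time), or raw bytes that are near-random (compressed)."""
    hits = []
    for s in sections:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']}: empty on disk, {s['virtual_size']:#x} bytes in memory")
        if s["entropy"] > 7.0:  # assumed threshold for this demo
            hits.append(f"{s['name']}: entropy {s['entropy']}, looks compressed")
    return hits

def build_sample_pe() -> bytes:
    """Constructed minimal image for this demo (not a real PECompact2 file)."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, no optional header
    data_off = 64 + 4 + 20 + 2 * 40
    text = struct.pack(SECTION_HDR, b".text", 0x20000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000020)
    data = struct.pack(SECTION_HDR, b".data", len(payload), 0x21000, len(payload), data_off, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + text + data + payload
```

On a real sample, replace build_sample_pe() with the file's bytes; the innocuous ".text"/".data" names in the constructed image are exactly what the heuristics ignore.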
Re: PECompact2 Jun 23 2006 11:08PM
derez (derez packetforge net)
Re: PECompact2 Jun 23 2006 10:42PM
Lance James (phishing securescience net)
Re: PECompact2 Jun 23 2006 09:59PM
Greg Hunt (gregory hunt gmail com)
Copyright 2010, SecurityFocus