At the end of January I handed in my thesis “Pandora's Bochs: Automatic Unpacking of Malware”, the last missing piece towards my graduation. It deals with building an automatic unpacker for runtime-packed PE binaries on top of the Bochs PC Emulator. The results were encouraging, but I hit some limits with Bochs's emulation speed, and there were also other issues with advanced packers that I could not fully investigate. Other than that, Pandora's Bochs can fairly reliably create memory dumps of an unpacked process, yet automatic import recovery and OEP reconstruction fail for packers that redirect imports or use “stolen bytes” or similar techniques.

I'm planning to release Pandora's Bochs's source code once I find some time to clean it up a little.

Kasperle on Apr 13, 2008, 12:24
Comment (1) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

i am thinking about use the optimize function provided by modern compilers, to anti the instructions reordering Metamorphism Technique. as we now that the normal data flow and control flow of a normal program, is just like a string. when the packer or instructions reordering get in, things like another string winding around the original string. but they can't mixing up. like two plastic insulated conductors, they can touch, but the currents never met. and some packers may think that they use the method "Metamorphic" to enlarge the code's length, complex the logics of the originals. though we have compliers, and compilers can automaticlly analyze it. so the "stolen OEP", the "redirect imports" are not problem. they just be optimized away. also, "the virtualization" packers are powerless too. i may not fit to do this job. and i think your Pandorasbochs is what i am looking for, longtime ago i was dreaming to write the unpacker like you do, and the vm debugger, the database log, is exactly as my wishes. maybe you can add the feature "reverse debug", and compiler optimization. it worth a try.

#1 jun hong[from china] on Aug 23, 2010, 07:08 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry

This blog is brought to you by damogran.de

	February '12
Mon	Tue	Wed	Thu	Fri	Sat	Sun
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29

Pandora's Bochs

KasperBlog

Pandora's Bochs

Archives

Calendar

Syndicate This Blog