At the end of January I handed in my thesis “Pandora's Bochs: Automatic Unpacking of Malware”, the last missing piece towards my graduation. It deals with building an automatic unpacker for runtime-packed PE binaries on top of the Bochs PC Emulator. The results were encouraging, but I hit some limits with Bochs's emulation speed, and there were also other issues with advanced packers that I could not fully investigate. Other than that, Pandora's Bochs can fairly reliably create memory dumps of an unpacked process, yet automatic import recovery and OEP reconstruction fail for packers that redirect imports or use “stolen bytes” or similar techniques.

I'm planning to release Pandora's Bochs's source code once I find some time to clean it up a little.

Kasperle on Apr 13, 2008, 12:24
Comments (0) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

No comments

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry

This blog is brought to you by damogran.de

	July '10
Mon	Tue	Wed	Thu	Fri	Sat	Sun
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Pandora's Bochs

KasperBlog

Pandora's Bochs

Archives

Calendar

Syndicate This Blog