Author Topic: PolyUnpack  (Read 5826 times)

0 Members and 1 Guest are viewing this topic.

February 29, 2008, 05:52:43 pm
Read 5826 times

sowhat-x

  • Guest
Older,but useful...from the researchers of cc.gatech.edu:
http://www.acsac.org/2006/abstracts/122.html

Direct links,to both the paper and the tool:
http://www.acsac.org/2006/papers/122.pdf
http://polyunpack.cc.gt.atl.ga.us/polyunpack.zip

February 29, 2008, 06:00:32 pm
Reply #1

sowhat-x

  • Guest
...and another excellent generic unpacker:
I really wonder how comes this one wasn't already mentioned earlier...  :)

http://qunpack.ahteam.org/

February 29, 2008, 07:06:41 pm
Reply #2

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
I shouldn't have to remind everyone to always run these unpackers in a safe/secure virtualalized or isolated environment.

Also, make sure you keep your virtualization software up to date. I'm sure many of you have seen malware take advantage of vulnerabilities in analysis tools (like peid, procdump, etc) as well as virtualization software:

Path Traversal vulnerability in VMware's shared folders implementation (2/28/08)
http://www.coresecurity.com/?action=item&id=2129

TJS

February 29, 2008, 07:44:24 pm
Reply #3

sowhat-x

  • Guest
Lol,I know you don't really like PEiD that much,he-he...  ;D
But I wonder what makes you keep mentioning this,
specifically when it comes to exe identifiers/unpackers:
like the same rule doesn't stand true for all other tools as well...

Eg.to my point of view,someone runs pretty much the same risk,
when parsing a 'infected' html page under say latest Firefox with NoScript,
or say Malzilla,or even under text-based Lynx...and the list goes on.
There's never a 100% guarantee a buffer overflow might not occur,
or that you haven't came accidentally across a newer "private" exploit:
since all of the above tools are public,and also extensively used by researchers,
they're even more exposed to malware authors that will look for bugs in them...

...Offensive Computing had a detailed thread regarding this vulnerability:
http://www.offensivecomputing.net/?q=node/644
To my poor point of view,the safest method is/was always a 'sacrificial lamb'...
and I kind of doubt that future trends of virtualization,
(both software/hardware based),will change that...at least in the very next years...

February 29, 2008, 11:48:24 pm
Reply #4

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
I worry because too many kiddies today try to cut corners by searching for unpackers instead of learning how to unpack samples themselves. I dont want someone that searches for polyunpack and find this thread then go run some malware without understanding the risks... It takes me two minutes to post (and I don't mind reiterating this point because it's an important one)-- a small price to pay to prevent even one single botnet++; :)

TJS

PS: Please don't misunderstand-- I LOVE PEiD! It's a fantastic tool and I use it almost every day. I just don't trust it 100% because I think it has many limitations and potential vulnerabilities (you're exactly right and we share the same sentiments about virtually all publicly available software btw).

March 01, 2008, 01:41:49 pm
Reply #5

sowhat-x

  • Guest
Quote
...too many kiddies today try to cut corners by searching for unpackers...
Heh...reversing/security tools in general,can somehow be compared to...cars:
no matter how much 'safe' they're advertized to be,
it's always the driver himself that makes the whole point...
If running fast,and especially in unknown roads with 'tricky' turns,
well,that was it - there won't even exist the chance of feeling sorry afterwards...
there's no way to 'cut corners' when it comes to knowledge and/or safety...

Quote
I just don't trust it 100% because I think it has many limitations and potential vulnerabilities...
Ha-ha,100% is certainly a big number,lol...
actually,I doubt that even ourselves would trust it that much! ;D
To speak more precisely,that's also one of the main reasons,
that a newer/updated release has delayed that much...
if the only thing that mattered was signature additions/fixes,
I can assure anyone we would be way faster...
About limitations,if there are any ideas,I'll be glad of reporting them back...

Bugs/vulnerabilities though,as already said,
they're way much more of a priority...meaning,any "weirdo" .exes,eg.:
that crash PEiD when simply drag-and-dropped in the main window,
that crash PEiD when trying to view import table,
that return 'not a valid win32 executable' while they are indeed valid etc.
If anyone encounters these,no matter if malware or not...
then please do report/submit the samples in question;
either in PEiD's forum,here,via pm/e-mail,in Rapidshare,whatever...  :)

April 02, 2008, 05:04:02 am
Reply #6

sowhat-x

  • Guest