Packer tracing
One of the things I talked about in one of Recon's lightning talks was some quick research I had done tracing packers. Using some internal tools I've written, I traced the "behaviour" of different packers. I thought it would be nice to show those results here too.

The results are presented as plots. Time runs along the horizontal axis and the vertical axis gives the address at which the traced event occurs. Colours encode the event type: memory writes are green and EIP locations (instruction fetches) are blue. The packers were traced while unpacking Windows XP's Notepad.exe. In some of the graphs a blue dot is visible on the rightmost side, marking the EIP jumping to the original entry point (OEP) of the unpacked application.

I think these graphs are quite informative and suggest possible heuristics for the problem of generic unpacking. The datasets used to generate them are rather large; for some packers I collected tens of millions of points, which were plotted as shown. Especially interesting are the peculiar plots of the tElock and Yoda's packers, where the EIP (blue) can be seen passing through addresses that had previously been written to (green), indicating multi-stage unpacking taking place.

Note: in some graphs there are gaps in the EIP trace. Execution is of course continuous, so a gap simply means the EIP was outside the plotted address range, for instance in DLL code.

Plots, one per packer:

ASPack 2.12
Petite 2.2
UPX 1.95
FSG v2.0
tElock 0.98
Yoda's Protector v1.02
Yoda's Crypter v1.3
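The "EIP passes through previously written addresses" observation is the basis of the classic write-then-execute heuristic for generic unpacking. The following is an added example, not code from the post or from the author's internal tracing tools; it runs the heuristic over a small constructed trace of (time, kind, address) events of the same shape as the plotted data, counts the events that fall outside the plotted range (the "gaps" mentioned above), finds each point where EIP moves into memory the program itself wrote, and takes the last such transition as the OEP candidate. The trace layout, the page size and the function names are assumptions made for the example.

```python
"""Added example: write-then-execute heuristic over a packer trace.

Each trace event is (t, kind, addr): t is a monotonically increasing
timestamp (the horizontal axis of the plots), kind is "w" for a memory
write (green in the plots) or "x" for an instruction fetch at EIP (blue),
and addr is the address (the vertical axis).  The trace built by
make_trace() is constructed for illustration and is not real packer data.
"""
from collections import namedtuple

Event = namedtuple("Event", "t kind addr")

PAGE = 0x1000  # assumed granularity for "EIP moved into a different region"


def page_of(addr):
    return addr & ~(PAGE - 1)


def analyze(events, lo, hi):
    """Apply the write-then-execute heuristic to a trace.

    Only events with lo <= addr < hi are considered (the plotted range);
    events outside it are counted as the gaps seen in the EIP plots.
    A transition is recorded whenever EIP fetches from an address that was
    written earlier in the trace and lies in a different page than the
    previous fetch, i.e. control moved into self-written code.  The last
    transition is the OEP candidate: for a multi-stage packer the earlier
    ones are intermediate unpacking stubs.
    """
    written = set()        # byte addresses written so far
    transitions = []       # (t, addr) where EIP entered written memory
    outside_range = 0
    prev_page = None
    for ev in sorted(events, key=lambda e: e.t):
        if not (lo <= ev.addr < hi):
            outside_range += 1      # e.g. EIP inside a DLL: a gap in the plot
            continue
        if ev.kind == "w":
            written.add(ev.addr)
        elif ev.kind == "x":
            pg = page_of(ev.addr)
            if ev.addr in written and pg != prev_page:
                transitions.append((ev.t, ev.addr))
            prev_page = pg
    return {
        "transitions": transitions,
        "oep_candidate": transitions[-1][1] if transitions else None,
        "outside_range": outside_range,
    }


def make_trace(multi_stage):
    """Build a toy trace (constructed data, not a real packer).

    Single stage: a stub at 0x401000 writes the original code to 0x402000
    and jumps there.  Multi stage: the stub first writes and runs a second
    stage at 0x403000, which in turn unpacks the original code.
    """
    ev = []
    t = 0

    def run(addr, n):
        nonlocal t
        for i in range(n):
            ev.append(Event(t, "x", addr + i))
            t += 1

    def write(addr, n):
        nonlocal t
        for i in range(n):
            ev.append(Event(t, "w", addr + i))
            t += 1

    run(0x401000, 4)        # packer stub executes
    run(0x7C801000, 2)      # call into a DLL: outside the plotted range
    if multi_stage:
        write(0x403000, 4)  # stub writes a second-stage decompressor
        run(0x403000, 4)    # ... and jumps into it (first transition)
    write(0x402000, 8)      # the unpacked original code is written
    run(0x402000, 8)        # jump to the OEP (last transition)
    return ev


if __name__ == "__main__":
    for ms in (False, True):
        r = analyze(make_trace(ms), 0x400000, 0x500000)
        print("multi_stage=%s transitions=%s oep=%#x gaps=%d" % (
            ms, [(t, hex(a)) for t, a in r["transitions"]],
            r["oep_candidate"], r["outside_range"]))
```

Running the block prints one transition for the single-stage trace and two for the multi-stage one, the second of which is the OEP candidate; on a real trace of the size described above the same logic would run over tens of millions of events, so the per-byte `written` set would normally be replaced by a page-level bitmap.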