Hack-Crack Information Security [Mars Information Security Institute]
Copyright information:

Creative Commons License
Mars Information Security Institute by obaby is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 China Mainland License.
Based on a work at www.h4ck.org.cn.

The Art of Unpacking

by Mark Vincent Yason
=====================================================

Abstract: Unpacking is an art—it is a mental challenge and is one of the most exciting mind
games in the reverse engineering field. In some cases, the reverser needs to know the
internals of the operating system in order to identify or solve very difficult anti-reversing tricks
employed by packers/protectors; patience and cleverness are also major factors in a
successful unpack. This challenge involves the researchers creating the packers and, on the other
side, the researchers who are determined to bypass these protections.

The main purpose of this paper is to present anti-reversing techniques employed by
executable packers/protectors and to discuss techniques and publicly available tools that
can be used to bypass or disable these protections. This information will allow researchers,
especially malcode analysts, to identify these techniques when utilized by packed malicious
code, and then be able to decide the next move when these anti-reversing techniques impede
successful analysis. As a secondary purpose, the information presented can also be used by
researchers who are planning to add some level of protection to their software by slowing
down reversers from analyzing their protected code, but of course, nothing will stop a skilled,
informed, and determined reverser.


Table of Contents

1. INTRODUCTION

2. TECHNIQUES: DEBUGGER DETECTION
2.1. PEB.BeingDebugged Flag: IsDebuggerPresent()
2.2. PEB.NtGlobalFlag, Heap Flags
2.3. DebugPort: CheckRemoteDebuggerPresent() / NtQueryInformationProcess()
2.4. Debugger Interrupts
2.5. Timing Checks
2.6. SeDebugPrivilege
2.7. Parent Process
2.8. DebugObject: NtQueryObject()
2.9. Debugger Window
2.10. Debugger Process
2.11. Device Drivers
2.12. OllyDbg: Guard Pages

3. TECHNIQUES: BREAKPOINT AND PATCHING DETECTION
3.1. Software Breakpoint Detection
3.2. Hardware Breakpoint Detection
3.3. Patching Detection via Code Checksum Calculation

4. TECHNIQUES: ANTI-ANALYSIS
4.1. Encryption and Compression
4.2. Garbage Code and Code Permutation
4.3. Anti-Disassembly

5. TECHNIQUES: DEBUGGER ATTACKS
5.1. Misdirection and Stopping Execution via Exceptions
5.2. Blocking Input
5.3. ThreadHideFromDebugger
5.4. Disabling Breakpoints
5.5. Unhandled Exception Filter
5.6. OllyDbg: OutputDebugString() Format String Bug

6. TECHNIQUES: ADVANCED AND OTHER TECHNIQUES
6.1. Process Injection
6.2. Debugger Blocker
6.3. TLS Callbacks
6.4. Stolen Bytes
6.5. API Redirection
6.6. Multi-Threaded Packers
6.7. Virtual Machines

7. TOOLS
7.1. OllyDbg
7.2. Ollyscript
7.3. Olly Advanced
7.4. OllyDump
7.5. ImpRec

8. REFERENCES

Link: http://sdrv.ms/QDCDJX

Original article. When reposting, please credit: reposted from Mars Information Security Institute

Article title: "The Art of Unpacking"

Article link: http://h4ck.org.cn/2012/12/the-art-of-unpacking/
