PackerAttacker : un outil d’unpacking automatique de malware

Présenté à la DerbyCon par des chercheurs de chez Bromium, PackerAttacker est un outil open-source qui fait de l’unpacking générique de malwares.

D’après l’extrait du talk :

(…) all packers have a common goal: to write code to memory and execute it.
We’ve created a tool named The Packer Attacker, which exploits this common feature that exists in all packers.

From an injected DLL, The Packer Attacker uses memory and API hooks to monitor when a sample writes to its PE sections, allocates new memory, or executes within heap memory that has been given executable privileges. When any of these events culminate in a way that resembles expected packer behavior, the targeted memory page(s) are dumped to disk, accompanied by detailed logs of what caused the dump. For it’s memory hooks, The Packer Attacker limits access rights to tracked pages and uses a Vectored Exception Handler to catch ACCESS_VIOLATION exceptions when the memory is written to or executed. For it’s API hooks, the tool uses Microsoft Research’s Detours library. The injected DLL also will also propagate itself into new processes and track when code is unpacked to remote processes.

In our tests, The Packer Attacker has been able to pull full PE executables from actives samples of many high-profile malware families. In blind tests against an unknown variety of malware from a large malware repository, The Packer Attacker showed ~90% efficiency, defeating both known and unknown packers.

Vidéo du talk sur IronGeek.