5 comments on “Automated Unpacking: A Behaviour Based Approach”

  1. This is very cool. One question, how can I analyze a piece of malware in a DLL?

    For example, let’s say the malware is typically launched with this command (and entry point of course):

    rundll32.exe malware.dll,DllMain

    • Hi Mick,

      If you are talking about analysing it with my unpack.py, then you can’t at the moment as you’ve pointed out something that I didn’t think of — passing command line arguments to the sample.

      I’ve just quickly checked the WinAppDbg documentation and it certainly looks possible, so I’ll work on that at a later date. Unfortunately at the moment, we have a nine day hot air balloon festival going on which is getting me six or so hours of paid work a day, but leaving me reasonably tired.

      I shall endeavour to add this functionality to unpack.py though, as some malware requires command line arguments before it will run properly.

      If you are wanting to analyse DLL files that were obtained as the result of a MySQL attack, then you can use my misql.py Cuckoo package.
      I have noticed similar MS-SQL attacks, and have started work on a similar MS-SQL package.

      Musingly,
      Karl.

  2. Pingback: Testing, Testing, Is This Thing On?! | Malware Musings

  3. Pingback: Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings

  4. Pingback: My Malware Analysis Setup | Malware Musings
