[Repost] Hump-and-Dump: Efficient Generic Unpacking by Li Sun, Tim Ebringer, Serdar Boztaş
Posted on: 2008-7-20 23:50 3016

Hump-and-Dump: Efficient Generic Unpacking by Li Sun, Tim Ebringer, Serdar Boztaş

We present a new and efficient generic unpacking algorithm which effectively locates the original entry point (OEP) area of a packed program. The algorithm is based upon the dual observation that (a) even in a packed program, the OEP bytes are almost always only executed once, and (b) most packers unpack the original program to an area of memory which has not been previously executed. Given this, the technique relies upon creating a histogram of the addresses of executed instructions (EIP on x86). Whilst others have done this, the trick is to order the histogram by the last time an address is executed. Decryption, decompression and copying appear as large spikes at the start of the histogram, followed by a flat section, of height one, which is usually the OEP. We attach figures showing histograms for some popular packers, on both linear and log scales, which clearly illustrate the OEP after the massive unpacking “hump”.

This technique is extremely efficient to implement, and can compute the OEP “on-the-fly” in an emulator, or off-line from a trace of EIP. For instance, for UPX 2.03w, we need less than 1K of memory to hold the necessary data structures, and computation is similarly cheap (and compatible with dynamic-translation emulators). Given the shape of the chart, and the fact that after the “hump” represents a good opportunity to dump the memory, we have given this technique the somewhat sordid name of hump-and-dump.
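The ordering trick the abstract describes, as an added Python example (not code from the paper or its authors): it builds the histogram of executed addresses from an EIP trace, orders it by the time each address was last executed, and takes the OEP candidate as the start of the first flat section of height one after the hump. The trace is constructed here to stand in for a packed program, and the minimum length of a "flat section" is an assumption.

```python
from collections import Counter

# Assumption: a "flat section" is a run of at least FLAT_RUN consecutive
# addresses (in last-execution order) that were each executed exactly once.
FLAT_RUN = 8

def last_execution_histogram(trace):
    """Execution count per address, ordered by the time the address was
    *last* executed (the ordering that makes the hump precede the OEP)."""
    counts = Counter(trace)
    last_seen = {addr: i for i, addr in enumerate(trace)}  # later index wins
    return [(addr, counts[addr]) for addr in sorted(counts, key=last_seen.get)]

def find_oep(hist, flat_run=FLAT_RUN):
    """Return the first address of the first run of >= flat_run height-one
    entries that follows a spike, or None if the trace has no such run."""
    run_start, run_len = None, 0
    for addr, count in hist:
        if count == 1:
            if run_len == 0:
                run_start = addr
            run_len += 1
            if run_len >= flat_run:
                return run_start
        else:                       # a spike: still inside the hump
            run_start, run_len = None, 0
    return None

def constructed_trace():
    """Constructed EIP trace (not real data): stub prologue executed once,
    a decryption loop run 200 times whose exit branches to the OEP, the
    unpacked code executed once per address, then a small loop in the
    original program."""
    stub = [0x401000 + 4 * i for i in range(4)]
    loop = [0x401010 + 2 * i for i in range(6)]
    oep_code = [0x402000 + 3 * i for i in range(12)]
    inner = [0x402030 + 2 * i for i in range(3)]
    return stub + loop * 200 + oep_code + inner * 5

if __name__ == "__main__":
    hist = last_execution_histogram(constructed_trace())
    for addr, count in hist:            # text rendering of the hump chart
        print(f"{addr:08x} {'#' * min(count, 60)} {count}")
    print("OEP candidate:", hex(find_oep(hist)))
```

The same two functions work on-line if the trace is replaced by a per-address (count, last-index) table updated at each executed instruction, which is the small data structure the abstract refers to.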


Latest replies (1)
A very impressive paper; I saw it at a security conference in Europe.
2008-7-21 11:21