
Re: [exelist] Newbie question regarding compressed EXEs and anti-virus progs



--- Boguslaw Brandys <brandysb@...> wrote:
> Better stay with AVP. Running any unknown EXE is dangerous even for a good
> programmer.
> The only realistic solution is the one used in AVP:
> - recognize whether the file is compressed by any program like UPX, LZExe,
>   wwpack etc.
> - unpack it to memory (but do not run it)
> - analyze it and fix it if a virus is found
> 
> Best Regards
> Boguslaw
> 
> 
> ----- Original Message -----
> From: "messie_x" <messie_x@...>
> To: <exelist@yahoogroups.com>
> Sent: Wednesday, March 20, 2002 5:56 PM
> Subject: [exelist] Newbie question regarding compressed EXEs and anti-virus progs
> 
> 
> > Please forgive me if this is not the right place to bring this question up,
> > but I don't know a better one. I'm not a hacker, not even a developer
> > (although I used to be one years ago), just an ordinary user today.
> >
> > I raised this question in a couple of security-related web forums before
> > but haven't received any response that helped so far.
> >
> > While testing a couple of anti-virus programs, I realized that nearly all
> > of them are not able to scan compressed executables (Kaspersky is the
> > exception but has some other drawbacks).
> >
> > My first idea was to search for a tool that finds all compressed
> > executables and then uncompresses them so that a regular AV scan will
> > work. After some web research, I realized that this approach seems to be
> > quite unrealistic, as there are so many compressors which are developed
> > with the main intention of preventing others from getting a regular
> > (unpacked) executable which they could then reverse engineer.
> >
> > But it should be possible to develop a program that
> > a) runs a compressed executable to the point where the contained program
> >    is fully uncompressed in memory,
> > b) stops at that point,
> > c) calls an AV on-demand scanner to scan the memory of the now
> >    uncompressed program,
> > d) terminates without actually running the compressed executable.
> >
> > The question now is whether such a nice tool already exists, or
> > something similar which could be adapted easily.
> >
> > I'd also appreciate links to a scanner that generates a list of all
> > compressed executables in a given directory and its subdirectories.
> >
> > The last question is off-topic but I'd also like to scan the contents of
> > Microsoft Installer files (*.msi) for viruses. How to unpack?
> >
> > Thank you.
> >
> > Messie
> 
IMHO some packers don't even allow locally executed programs to be scanned
and/or dumped, e.g. Armadillo and AsProtect. I've found some trojans packed
with these tools. I used some other methods to analyze the files, e.g. to
determine what the trojans do...
1. Try using Filemon and Regmon from Sysinternals, so you can trace back the
changes it made.
2. Simple, but it does work! Try the WinZip uninstaller (no longer available,
but try the search engines); it can trace file and registry modifications. To
use it you have to unzip the DLL manually into the WinZip folder, create a zip
file containing the exe file, rename the exe as setup.exe and run it from
inside WinZip. If it doesn't work with WinZip 8, try WinZip 7.x or 6.x.
3. The safest way is to use a virtual machine. I use both VMware and Connectix
Virtual PC. Make a read-only system and run anything there... Put some tools
there, e.g. AVP, ProcDump, WinIce, Hiew etc., and the unpacked file can be
transferred later using the virtual network.

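Messie asks for a scanner that lists the compressed executables under a directory, and Boguslaw's first step is recognising that a file is packed at all. As an added example (not code from this thread or from any of the tools named in it), the Python below flags likely packed PE files from two cheap indicators: section names that packers leave behind and high per-section entropy. The section-name list and the 7.0 bits/byte threshold are assumptions to tune, and the two sample images are constructed in code, not real binaries.

```python
import hashlib, math, struct
from collections import Counter

# Section names packers commonly leave behind (UPX0/UPX1 are the well-known ones);
# an illustrative starting list, extend it as you meet other packers.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX!", b".aspack", b".adata", b".petite",
                   b".MPRESS1", b".nsp0", b".nsp1", b"pec1", b"PEC2", b".packed"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(img):
    """Yield (name, raw_bytes) for every section of a PE image; yields nothing if not PE."""
    pe = struct.unpack_from("<I", img, 0x3C)[0] if img[:2] == b"MZ" and len(img) >= 0x40 else -1
    if pe < 0 or img[pe:pe + 4] != b"PE\0\0":
        return
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", img, pe + 4)  # COFF header
    off = pe + 24 + opt_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    for _ in range(nsec):
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", img, off)
        yield name.rstrip(b"\0"), img[rawptr:rawptr + rawsize]
        off += 40

def packer_indicators(img):
    """Return the reasons an image looks packed; an empty list means no indicator fired."""
    reasons = []
    for name, raw in pe_sections(img):
        ent = entropy(raw)
        if name in PACKER_SECTIONS:
            reasons.append("packer section name %r" % name)
        if len(raw) >= 256 and ent >= ENTROPY_THRESHOLD:
            reasons.append("high entropy %.2f in section %r" % (ent, name))
    return reasons

def build_pe(sections):
    """Constructed minimal PE image (valid headers plus sections, not runnable) for testing."""
    pe_off, opt_size = 0x40, 0xE0
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    hdr += b"PE\0\0" + struct.pack("<HH", 0x14C, len(sections)) + b"\0" * 12
    hdr += struct.pack("<HH", opt_size, 0x102) + b"\0" * opt_size
    body, raw = b"", pe_off + 24 + opt_size + 40 * len(sections)
    for name, data in sections:
        hdr += struct.pack("<8sIIII", name, len(data), 0x1000, len(data), raw) + b"\0" * 16
        body, raw = body + data, raw + len(data)
    return bytes(hdr) + body

RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # stand-in payload
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", RANDOMISH)])                      # constructed
CLEAN = build_pe([(b".text", b"\x90" * 512 + b"ABCD" * 128), (b".data", b"\0" * 512)])
```

Feed each `.exe`/`.dll` found by an `os.walk` to `packer_indicators` to get the per-directory listing asked for above. A high-entropy hit is a heuristic, not proof of packing: embedded certificates, compressed resources and encrypted data score high too, so treat it as a prompt to unpack and rescan rather than a verdict.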