ClamWin Free Antivirus
Support and Discussion Forums
Packer Detection
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
Thanks for the info. There are so many packers that you can't provide for all of them, and some of the antivirus programs ignore all but a few. Is any of the code you guys are working on adaptable to detecting other packers as well?

Regards,
Paul Craig's Presentation
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
Very interesting. Although I'm not a programmer, I got the gist of it. I wonder, however, just how far you need to go. If something isn't really going to hurt you, then you don't really need to unpack it. The example he gave of needing to know what the snake ate, for instance. You might not really need to know exactly what the snake ate. What you are really concerned with is: can what he ate hurt you and/or will he eat you at some point.

1) If you can tell the kind of snake you're dealing with, that will tell you his general diet. 2) Failing that, you might get some information from the size of the snake. If he is considerably smaller than you, there is a good chance that he's not going to eat you at least. 3) Failing that, if you can tell where the snake hangs out, that might also give you some information about what he eats. If you can get the information pertaining to two of these items, you might be able to make a reasonable decision as to whether what he has eaten can hurt you and/or if he will eat you at some point--without cutting him open.

Of course, Paul gave several caveats that might be used to give you an idea as to whether or not there is malware involved without really going through the whole procedure. Of course, the automated tools available can minimize your effort if you perform the unpacking.

Eh?

Regards,
Unrecognized Packers
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
I don't know how far you got with unpacking code--hopefully far enough to take care of a few of the most commonly used packers in some cases. For unrecognized packers, could you just let the code run and set breakpoints to check for signatures/partial signatures? If it started to look like a virus signature (say more than 50% of a current signature), you could flag it for the user to look at.

Regards,
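The partial-signature check described in the post above, as an added example (not code from the forum post or from ClamWin): a small Python scanner that scores how much of each signature is present in a memory snapshot at its best alignment and flags anything at or above the 50% threshold the post suggests. The signatures, the snapshot bytes and the wildcard-byte handling are constructed assumptions for illustration.

```python
# Added example: score partial byte-signature matches against a memory snapshot.
# Signatures are lists of byte values; None is a wildcard byte (an assumption
# of this example, not a ClamWin signature format).
FLAG_THRESHOLD = 0.5  # flag when at least half of a signature's bytes match

# Constructed sample signatures (not real malware signatures).
SIGNATURES = {
    "Sample.Sig.A": [0x55, 0x8B, 0xEC, None, 0x33, 0xC0, 0x5D, 0xC3],
    "Sample.Sig.B": [0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE],
}

# Constructed snapshot: Sig.A appears at offset 2 with one byte changed
# (0xC1 instead of 0xC0), so only 6 of its 7 concrete bytes match.
SAMPLE_SNAPSHOT = (
    b"\x90\x90"
    + bytes([0x55, 0x8B, 0xEC, 0x08, 0x33, 0xC1, 0x5D, 0xC3])
    + b"\x00" * 4
)


def match_fraction(sig, buf, offset):
    """Fraction of the signature's concrete (non-wildcard) bytes that match
    buf at the given offset; 0.0 if the signature would run past the end."""
    concrete = [(i, b) for i, b in enumerate(sig) if b is not None]
    if not concrete or offset + len(sig) > len(buf):
        return 0.0
    hits = sum(1 for i, b in concrete if buf[offset + i] == b)
    return hits / len(concrete)


def best_match(sig, buf):
    """Best (fraction, offset) over every alignment of sig inside buf.
    Returns (0.0, -1) when no byte of the signature matches anywhere."""
    best = (0.0, -1)
    for off in range(len(buf) - len(sig) + 1):
        frac = match_fraction(sig, buf, off)
        if frac > best[0]:
            best = (frac, off)
    return best


def scan_snapshot(buf, sigs=SIGNATURES, threshold=FLAG_THRESHOLD):
    """Return {name: (fraction, offset)} for every signature whose best
    partial match reaches the threshold, i.e. what the post would flag."""
    flagged = {}
    for name, sig in sigs.items():
        frac, off = best_match(sig, buf)
        if frac >= threshold:
            flagged[name] = (frac, off)
    return flagged
```

A real unpacker would re-run this over successive snapshots as the packed code executes, since the partially matching bytes only appear once the original code has been written to memory.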