Pindemonium: A DBI-Based Generic Unpacker for Windows Executable

by Sebastiano Mariani, Lorenzo Fontana
Sept. 15, 2017 1 comment belen_caty Pen Testing & Audits

In this thesis we explore the possibility to exploit the functionality of a DBI framework since it provides great functionality useful during the analysis process: it allows an instruction level granularity inspection and modification, through high level APIs, which gives the analyst full control of the program being instrumented. Our system can extract and reconstruct the original program from a packed version of it, helping and speeding up the analysis of an obfuscated binary. The packers employ different techniques with various levels of complexity, but all of them must share one common behavior during the run-time unpacking: they have to write new code in memory and eventually execute it. Starting from this we have designed a generic unpacking algorithm that can correctly detect this behaviour and defeat the most popular of packing techniques. Not only the packing strategy can be really different, but the obfuscation can be increased by hiding the function imported by the program.

Steven Ulm 8 months ago

Your idea is crazy, but somehow I can see what you mean... especially the DBI framework part.