Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00...
Transcript of Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00...
![Page 1: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/1.jpg)
![Page 2: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/2.jpg)
‣ Product: ewido security suite
‣ Protection against Trojans, Adware, Spyware, ...
‣ First release: Christmas 2003
‣ Emulation research since 2002
‣ Used for generic unpacking
Who we are
![Page 3: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/3.jpg)
Agenda
‣ Motivation
‣ Generic unpacking
‣ Typical problems
‣ Results
![Page 4: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/4.jpg)
‣ How PE compression engines work
‣ Static unpacking
‣ When static unpacking engines fail
Motivation
![Page 5: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/5.jpg)
How PE compression engines work
‣ Malware is detected by searching for known patterns
‣ Malware is detected by heuristics analysis
‣ PE compression engines compress or encrypt the content of portable executables
‣ Compression/encryption cause pattern matching and heuristics analysis fail
![Page 6: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/6.jpg)
How PE compression engines work
‣ Structure of PE compression engines is usually the same
‣ Look at a very simple one to show the most important issues
‣ Lamecrypt encrypts the body by XOR
‣ Loader is appended to decrypt at runtime
![Page 7: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/7.jpg)
How PE compression engines work
mob ebx, 0001D600
decryptloop:xor [ebx+00401000], 90dec ebxcmp ebx, -1jnz decryptloop
jmp 0041DA48
Loader of Lamecrypt
![Page 8: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/8.jpg)
Static unpacking
‣ Analyze decompress-/decrypt-algorithm
‣ Decompress/decrypt with specific routine
‣ Which PE compression engine was employed?
‣ Pick required parameters
‣ Invoke the specific routine
![Page 9: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/9.jpg)
void decrypt_lamecrypt(BYTE* image, DWORD size){� if (checksig(entrypoint+0x0F, “4B83FBFF75F39D”)) { DWORD offset = getDWORD(entryoint+0x0A); DWORD size = getDWORD(entrypoint+0x04); for (DWORD i=0; i<size; i++) image[i] = image[i] ^ 0x90; }}
Static unpackingSpecial routine for Lamecrypt
![Page 10: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/10.jpg)
When static unpacking engines fail
‣ Unknown PE compression engine
‣ No specific routine
‣ No way to decrypt/decompress
‣ Modified PE compression engine
‣ Detection fails and required parameters cannot be extracted
![Page 11: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/11.jpg)
When static unpacking engines fail
‣ Uses its own PE compression engine to hide the malicious activity
‣ Could be detected easily by heuristics
‣ Even simple compression engines are effective
Bagle
![Page 12: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/12.jpg)
When static unpacking engines fail
decryptloop:lodsbxor al, 13stosbloop decryptloop
...mov esi, 00401000mov edi, esimov ecx, 00004F4Bcld
Bagle
![Page 13: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/13.jpg)
When static unpacking engines fail
‣ Modified PE compression engine
‣ Modification is very easy (open source)
‣ Often used with backdoors
Yodacrypter
![Page 14: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/14.jpg)
original loader modified loader
pushadcall +00pop ebpsub ebp, 00401DF3mov ecx, 97Blea edi, [ebp+00401E3B]
pushadcall +00pop ebpsub ebp, 00401F0mov ecx, 15add ebp, 3mov ecx, 97Blea edi, [ebp+00401E3B]
When static unpacking engines failYodacrypter
![Page 15: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/15.jpg)
When static unpacking engines fail
‣ Unknown PE compression engines
‣ Attacks on detection
‣ Attacks on parameters
![Page 16: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/16.jpg)
Generic unpacking
‣ What do we need?
‣ How to unpack every PE compression engine
‣ CPU simulation
‣ Memory simulation
‣ Operating system simulation
![Page 17: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/17.jpg)
What do we need?
‣ Decompress/decrypt PE compression engine without knowing which PE compression engine was employed
‣ Decompress/decrypt without parameters or algorithm
![Page 18: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/18.jpg)
Unpack every PE compression engine
‣ Execute the malware, wait a little and perform a memory scan
‣ Every PE compression engine needs to unpack/decrypt its content in memory
‣ Ultimate generic unpacker
![Page 19: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/19.jpg)
Unpack every PE compression engine
‣ Very unsafe!
‣ Extension: instead of execution
‣ Emulation
‣ If the emulation can achieve a near-perfect simulation of the reality
‣ Ultimate and safe generic unpacker
![Page 20: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/20.jpg)
CPU Simulation
‣ Known to handle polymorphic viruses
‣ Step by step each instruction is simulated
![Page 21: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/21.jpg)
CPU Simulation
mob ebx, 0001D600
decryptloop:
xor [ebx+00401000], 90
dec ebx
cmp ebx, -1
jnz decryptloop
set sim_ebx to 0001D600
calculate address, map, xor with 0x90
decrease sim_ebx by one
![Page 22: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/22.jpg)
CPU Simulation
‣ PE compression engines execute millions of instructions
‣ All of them have to be emulated!
‣ Speed is the most important problem
‣ 450kb executable packed with UPX
‣ 6 million instructions to unpack
![Page 23: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/23.jpg)
Memory Simulation
‣ Has to be very fast
‣ Decompression routines transfer lots of bytes
‣ 450kb packed executable
‣ Theoretically 900.000 memory operations
‣ The number of operations often doubles
![Page 24: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/24.jpg)
Memory Simulation
‣ Need to simulate stack, executable image, heap
‣ Needs to be flexible
‣ Some anti-debugging techniques rely on write access exceptions
‣ Simulate read/write access
![Page 25: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/25.jpg)
Operating System Simulation
‣ Import table needs to be rewritten
‣ LoadLibrary/GetProcAddress
‣ Some PE compression engines check CRC
‣ File system APIs
‣ Bagle tries to fool emulation with seldom APIs
![Page 26: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/26.jpg)
Operating System Simulation
‣ Simulate each API directly
‣ Our generic unpacker support more than 100 APIs
![Page 27: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/27.jpg)
1000BF88: RegisterWindowMessage(ArmReReadMessage);1000BF94: PostMessageA1000F4F7: GetCurrentProcessId1000F57F: CreateFileA("\\.\SICE", ..., 3, ...)1000F593: GetLastError -> 21000F57F: CreateFileA("\\.\NTICE", ..., 3, ...)1000F593: GetLastError -> 21000F57F: CreateFileA("\\.\SIWDEBUG", ..., 3, ...)1000F593: GetLastError -> 21000F57F: CreateFileA("\\.\SIWVID", ..., 3, ...)1000F593: GetLastError -> 2
Operating System Simulation
![Page 28: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/28.jpg)
100082BC: RegOpenKeyEx(80000000, CLSID\{C9DC10FD-D921-13D1B2E4-0060975B8649}, ..);100078C8: GetSystemTime10008230: GetTempPath (return c:\temp\)10008262: CreateFileA("c:\temp\58AB070C.TMP", ..., 3, ...)100078C8: GetSystemTime10008113: RegOpenKeyEx(80000002, Software\The Silicon Realms Toolworks\Armadillo, ..);1000812C: RegQueryValueEx(0,{65EED8A09843E1F6},..);10008143: RegCloseKey
Operating System Simulation
![Page 29: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/29.jpg)
479576: LoadLibraryA(advapi32.dll)479646: GetProcAddress(77DA0000,100194A8->RegCloseKey)479646: GetProcAddress(77DA0000,100194CA->RegOpenKeyExA)479646: GetProcAddress(77DA0000,100194DA->RegSetValueExA)479646: GetProcAddress(77DA0000,100194EC->RegCreateKeyExA)479576: LoadLibraryA(shell32.dll)479646: GetProcAddress(5,1001950C->ShellExecuteA)
Operating System Simulation
![Page 30: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/30.jpg)
Typical Problems
‣ Error tracing
‣ When to stop?
‣ Speed
![Page 31: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/31.jpg)
Error Tracing
‣ What do you do if your emulation engine does not emulate correctly?
‣ Millions of instructions
‣ Error tracing very complex
‣ Solution: automatically debug during emulation
‣ Comparison reveals most errors
![Page 32: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/32.jpg)
Load_Real_Exe();Start_Debugger_For_Real_Exe();
while (!different){ Emulate_One_Instruction(); Execute_One_Instruction_With_Debugger(); Compare_Emulation_With_Reality();}
Error Tracing
![Page 33: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/33.jpg)
When to stop?
‣ When can we stop the emulation?
‣ Undecidable
‣ Fallback: maximum time-out
‣ Heuristic checks
![Page 34: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/34.jpg)
When to stop?
‣ Entry point signatures from standard entry points
‣ Stop at some API functions
‣ Relationship between emulated opcodes/simulated API functions
Possible heuristic rules
![Page 35: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/35.jpg)
Speed
‣ Speed is the most important problem
‣ CPU simulation needs to be as fast as possible
‣ Measure speed on AMD64 3000+
‣ Measure speed on Athlon XP 1200
![Page 36: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/36.jpg)
while (true){ Decode_Instruction(r.eip); Lookup_Simulation_Function(); Execute_This_Instruction();}
SpeedUsual algorithm 1
![Page 37: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/37.jpg)
void Xor_Simulation_Function(){ Decode_Mod_Rm(op_1, op_2); if (op_2 is memory) ReMap_Memory(op_2); op_1 = op_1 XOR op_2;}
SpeedUsual algorithm 2
![Page 38: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/38.jpg)
Speed
CPU Instructions Time(ms)Speed(MIPS)
AMD64 5.939.677 859 6,9
Athlon XP 5.939.677 1317 4,5
Usual algorithm - Speed (UPX)
![Page 39: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/39.jpg)
Speed
‣ Code usually does not change
‣ Fast decoding cache
‣ Generate special code at runtime
‣ Reduces conditional jumps
‣ Form blocks and link them together
‣ Reduces unpredictable jumps
![Page 40: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/40.jpg)
while (true){ if (Is_Instruction_In_Cache(r.eip)) Jump_To_Instruction_Code(); else Translate_Instruction();}
SpeedImproved emulation algorithm 1
![Page 41: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/41.jpg)
void Translate_Instruction(){ Decode_Instruction(r.eip); Generate_Individual_Code(); Insert_Code_Into_Cache(); Chain_Code_Block();}
SpeedImproved emulation algorithm 2
![Page 42: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/42.jpg)
Speed
CPU Instructions Time(ms)Speed (MIPS)
AMD64 5.939.677 67 (859) 89 (6,9)
Athlon XP 5.939.677 104 (1317) 57 (4,5)
Improved algorithm - Speed (UPX) comparison
![Page 43: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/43.jpg)
Results
‣ Generic unpacking not often used in anti-virus engines
‣ Showed that generic unpacking is possible in practise
![Page 44: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/44.jpg)
Results
‣ Armadillo, ASPack, Exegriper, FSG, Lamecrypt, Mew, Morphine, Neolite, Netwalker, PCShrink, PECompact, PEPack, Petite, PEX, PKLite32, StonesPECrypter, UPack, UPX, Winkript, YodaCrypter
‣ Can be unpacked in 20 - 300ms (80-100MIPS)
‣ All variants and modified versions
![Page 45: Product: ewido security suite - Virus Bulletin · original loader modified loader pushad call +00 pop ebp sub ebp, 00401DF3 mov ecx, 97B lea edi, [ebp+00401E3B] pushad call +00 pop](https://reader033.fdocuments.net/reader033/viewer/2022060518/604b69a177c7403e1d35faf4/html5/thumbnails/45.jpg)
Recent improvements
‣ Improved code quality
‣ Performed compiler like optimization
‣ Improved perfomance:
‣ Lamecrypt 486 MIPS (34 MIPS)
‣ UPX 553 MIPS (89 MIPS)