Palo Alto Networks, Inc.
SOFTWARE PACKER-AGNOSTIC UNPACKING OF PACKED EXECUTABLES
Abstract:
To unpack packed executables generated with a packer or packing technique that cannot be identified, a universal unpacker runs the packed executable in a controlled environment and monitors both the execution of the program code that unpacks the executable and the memory accessed as a result. The unpacker intercepts system calls issued during execution and can allow, emulate, or block each intercepted system call to provide maximum protection of the host system on which it executes. Unpacking and monitoring continue until a termination criterion has been satisfied, such as a specified time having elapsed, a specified number of instructions having executed, or a system call that triggers termination having been intercepted. The unpacker then writes the memory that comprises the unpacked executable to disk, and malware analysis can be performed on the unpacked executable.
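The following is an added illustration of the control loop the abstract describes; it is not Palo Alto Networks' code and makes no claim about how the patented unpacker is implemented. A constructed event trace (instructions with their memory writes, plus system calls, each stamped with a simulated clock) stands in for the controlled environment, the syscall names and the `CreateProcessA` trigger are assumptions chosen for the example, and the "unpacked executable" is simply the set of pages the stub wrote to.

```python
"""Toy model of the abstract's packer-agnostic unpacker (added example, not Palo Alto Networks' code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple

PAGE = 0x1000

class Action(Enum):
    ALLOW = "allow"      # forwarded to the host (a no-op in this model)
    EMULATE = "emulate"  # answered by a handler; the host is never touched
    BLOCK = "block"      # refused; the sample sees a failure return

class StopReason(Enum):
    TIME_LIMIT = "time limit elapsed"
    INSN_LIMIT = "instruction limit reached"
    TRIGGER_SYSCALL = "termination syscall intercepted"
    TRACE_END = "trace exhausted"

@dataclass
class Insn:
    addr: int
    t_ms: int                                   # simulated clock (assumption)
    write: Optional[Tuple[int, bytes]] = None   # (destination, bytes written)

@dataclass
class Syscall:
    name: str
    t_ms: int
    args: Tuple = ()

@dataclass
class Policy:
    actions: Dict[str, Action]
    emulators: Dict[str, Callable[[Tuple], object]] = field(default_factory=dict)
    default: Action = Action.BLOCK   # fail closed: unknown calls never reach the host

@dataclass
class Result:
    reason: StopReason
    insns_run: int
    syscall_log: List[Tuple[str, Action, object]]
    image_base: int
    image: bytes                     # dirty pages; write these to disk for analysis

def unpack(trace, memory: bytearray, policy: Policy,
           max_ms: int, max_insns: int, trigger_syscalls: Set[str]) -> Result:
    """Replay the trace against `memory`, enforce the syscall policy and the
    termination criteria, then return the dirty pages as the unpacked image."""
    dirty, insns, log, reason = set(), 0, [], StopReason.TRACE_END
    for ev in trace:
        if ev.t_ms >= max_ms:
            reason = StopReason.TIME_LIMIT
            break
        if isinstance(ev, Insn):
            if ev.write is not None:            # the unpacking stub writing its payload
                dst, data = ev.write
                memory[dst:dst + len(data)] = data
                dirty.update(range(dst // PAGE, (dst + len(data) - 1) // PAGE + 1))
            insns += 1
            if insns >= max_insns:
                reason = StopReason.INSN_LIMIT
                break
        else:                                   # intercepted system call
            action = policy.actions.get(ev.name, policy.default)
            ret = None
            if action is Action.EMULATE:
                ret = policy.emulators.get(ev.name, lambda _a: None)(ev.args)
            elif action is Action.ALLOW:
                ret = "host"
            log.append((ev.name, action, ret))
            if ev.name in trigger_syscalls:
                reason = StopReason.TRIGGER_SYSCALL
                break
    base, end = (min(dirty) * PAGE, (max(dirty) + 1) * PAGE) if dirty else (0, 0)
    return Result(reason, insns, log, base, bytes(memory[base:end]))

def constructed_trace():
    """Constructed sample: a stub decodes a payload into pages 3-4, probes the clock,
    changes page protection, attempts a file delete, then launches the payload."""
    return [
        Insn(0x1000, 0),
        Insn(0x1004, 1, write=(0x3000, b"MZ" + b"\x90" * 6)),
        Syscall("GetTickCount", 2),
        Insn(0x1008, 3, write=(0x3ffc, b"PAYLOAD!")),     # straddles two pages
        Syscall("VirtualProtect", 4, (0x3000, 0x2000)),
        Syscall("DeleteFile", 5, ("sample.bin",)),          # absent from policy -> blocked
        Syscall("CreateProcessA", 6, ("payload.exe",)),     # termination trigger
        Insn(0x4000, 7, write=(0x5000, b"never")),          # must never execute
    ]

def run_example(max_ms: int = 1000, max_insns: int = 10_000) -> Result:
    # Assumed policy: timing probe emulated, protection change allowed, process launch blocked.
    policy = Policy({"GetTickCount": Action.EMULATE, "VirtualProtect": Action.ALLOW,
                     "CreateProcessA": Action.BLOCK}, {"GetTickCount": lambda _a: 123456})
    return unpack(constructed_trace(), bytearray(8 * PAGE), policy,
                  max_ms, max_insns, {"CreateProcessA", "CreateRemoteThread"})

if __name__ == "__main__":
    print(run_example())
```

Two design points carry over from the abstract: the policy defaults to `BLOCK` for any call it has no opinion on, so the host is protected even against calls the analyst did not anticipate, and the termination trigger is checked after the call has already been decided, so a call that signals "the payload is now running" is both refused and used as the cue to dump memory. Lowering `max_insns` or `max_ms` in `run_example` shows the other two criteria stopping the run early with a smaller image.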
Utility
12 Feb 2021
18 Aug 2022