
Re: PECompact2

Subject: Re: PECompact2
Date: Fri, 30 Jun 2006 07:30:31 +0300
On Friday 23 June 2006 21:05, als@hush.com wrote:
Greetings,

I recently came across a suspicious binary (.SCR) file in a
compromised system. As I started to analyse it by running a
'strings' against it I noticed there was very little readable text
in it, but the first line caught my attention: PECompact2.

I did some research and it seems this indicates the binary is
somehow compressed/obfuscated by using some sort of PE compression
tool (probably http://www.bitsum.com/pec2.asp).

Now I would like to unpack the executable to carry on with the
analysis. From what I could understand this would only be possible
by running it in a test win32 system, probably using a disassembly
tool, since it only "unpacks" itself when being executed. Is that
correct? Would there be some other way of doing so, perhaps using
some sort of decompression tool? I was not able to find any so far.


You can use PEiD and its generic unpacker. Also you can search on the 
net for a PECompact2 unpacking tool.
But, please don't do this on your machine :) (at least don't unpack it 
with PEiD on your real system), use VMWare/VirtualPC/something else...

Regards,
-- 
Andrei Saygo
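The static first pass the poster describes (running `strings` and spotting the PECompact2 marker) can be scripted so that a sample is triaged without ever executing it, which is the point both messages agree on. The script below is an added example for this thread and is not code from either poster or from the PECompact tool. It emulates `strings` over the raw bytes, checks for the "PECompact2" marker string, parses the PE section table and computes Shannon entropy per section, since a packer's compressed payload shows up as a near-8-bit section. The `PACKER_MARKERS` table, the 7.0 bits/byte threshold and the minimal PE blob built by `build_sample()` are constructed for this example and are assumptions, not facts taken from the thread; a marker string is also trivially fakeable, so treat a hit as a hint, not proof.

```python
import math
import random
import re
import struct
from collections import Counter

# Byte markers that a packer leaves in the file. "PECompact2" is the string the
# original poster saw in `strings` output; the UPX entry is an assumption added
# for this example so the check is not tied to a single packer.
PACKER_MARKERS = {
    b"PECompact2": "PECompact 2.x",
    b"UPX!": "UPX",
}

# Compressed or encrypted data is close to 8 bits of entropy per byte; plain
# x86 code and data usually sit well below this. The cut-off is an assumption.
HIGH_ENTROPY = 7.0


def extract_strings(data, min_len=4):
    """Emulate `strings`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(buf):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data):
    """Walk the PE section table; returns (name, raw_offset, raw_size, entropy).

    Returns an empty list for anything that is not an MZ/PE image, so the
    string and marker checks still run on non-PE input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # 4 (signature) + 20 (COFF header)
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        if hdr + 40 > len(data):
            break                           # truncated table: stop, do not crash
        name = data[hdr:hdr + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_ptr, raw_size, shannon_entropy(body)))
    return sections


def triage(data):
    """Static packer triage: strings, marker hits, per-section entropy."""
    found = extract_strings(data)
    packers = [label for marker, label in PACKER_MARKERS.items() if marker in data]
    sections = parse_sections(data)
    dense = [s[0] for s in sections if s[3] >= HIGH_ENTROPY]
    return {
        "first_strings": found[:5],
        "string_count": len(found),
        "packers": packers,
        "sections": sections,
        "high_entropy_sections": dense,
        "likely_packed": bool(packers) or bool(dense),
    }


def build_sample():
    """Constructed stand-in for a packed .scr: a minimal PE with the marker in
    the DOS stub area, a small low-entropy .text and a random 'packed' .data.
    This is not a real PECompact2 output; its layout is an assumption."""
    rng = random.Random(7)
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    dos_stub = b"PECompact2\x00".ljust(64, b"\x00")                # 0x40 .. 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    optional = struct.pack("<H", 0x10B) + b"\x00" * 222            # PE32, zeroed
    text_body = (b"\x55\x8b\xec" + b"\x90" * 300 + b"unpack stub placeholder\x00").ljust(512, b"\x00")
    data_body = bytes(rng.getrandbits(8) for _ in range(4096))     # "compressed" payload

    def section(name, raw_ptr, raw_size):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, raw_ptr, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = dos_header + dos_stub + b"PE\0\0" + coff + optional
    headers += section(b".text", 512, len(text_body))
    headers += section(b".data", 1024, len(data_body))
    return headers.ljust(512, b"\x00") + text_body + data_body


if __name__ == "__main__":
    result = triage(build_sample())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it on a real sample with `triage(open(path, "rb").read())`; the read is all it does, so it is safe on the analysis host. Anything that comes back `likely_packed` still has to be unpacked with PEiD or another tool inside the throwaway VM, as Andrei says; this only decides whether that step is worth taking.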
