Channel: BOT24

Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks

It's been about a year and a half since I wrote about a behavioural approach to automated unpacking, and I figured it was time to add some more functionality to unpack.py. This time I'm going to look at two cases: malware that decrypts or decompresses code within its own address space, and process hollowing, where code is written into another process. In both, the aim is to capture the decrypted, decompressed, or newly written memory before it executes. Let's spruce unpack.py up a tad.

Read more: http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
