As part of a research activity on a classification framework we encountered problems with packed executables, and the need for a generic unpacker with the following features arose naturally:
• It should work on bare metal as well as inside a virtual machine.
• The unpacking tool must be as stealthy as possible.
• It must at least rebuild a valid PE for static analysis and, optionally, a functional executable.
This paper is not about mathematics but rather about the internal Windows kernel mechanisms we have to subvert to build a stealthy and efficient unpacker. The idea is to give the full implementation details that are usually not covered in other papers on this subject. It covers points such as (non-exhaustive list):
• kernel exception handling hooking
• memory manager internals (internal structures, direct PTE modifications, copy-on-write, the page fault handler, …)
• userland PE loader
Many papers describing generic unpackers have been published so far, but unfortunately they do not provide full implementation details. We will show results on popular COTS packers and on real-world malware samples packed with homemade packers.
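The requirement that the unpacker must "at least rebuild a valid PE for static analysis" is a concrete, checkable property, and the userland PE loader point above depends on the same header fields. The following added example (it is not code from the paper or its authors) shows what "valid" means in practice for a dumped image: it parses the DOS header, file header, entry point and section table, reports the inconsistencies that make a dump unusable for static analysis, and applies the usual section-table repair for a memory dump (raw offsets set equal to virtual addresses). The sample images are constructed inline with `build_sample`; they are not real binaries, and the repair function implements a common dump-fixing convention, not the paper's own method.

```python
import struct

# Layout constants from the PE/COFF specification (PE32 optional header).
DOS_MAGIC = b"MZ"
NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
OPTIONAL_HEADER_SIZE_PE32 = 224


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, file header, entry point RVA and section table.
    Raises ValueError on structural damage that makes static analysis impossible."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("bad e_lfanew or missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sect_off = opt + size_opt
    sections = []
    for i in range(num_sections):
        off = sect_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "hdr_off": off})
    return {"e_lfanew": e_lfanew, "entry_rva": entry_rva, "sections": sections}


def validate_pe(data: bytes) -> list:
    """Return findings; an empty list means the image is consistent enough for static analysis."""
    try:
        pe = parse_pe(data)
    except ValueError as exc:
        return [str(exc)]
    findings, prev_end = [], 0
    for s in pe["sections"]:
        if s["rawptr"] + s["rawsize"] > len(data):
            findings.append(f"{s['name']}: raw data [0x{s['rawptr']:x}, +0x{s['rawsize']:x}) "
                            f"exceeds file size 0x{len(data):x}")
        if s["va"] < prev_end:
            findings.append(f"{s['name']}: virtual range overlaps previous section")
        prev_end = s["va"] + max(s["vsize"], s["rawsize"])
    ep = pe["entry_rva"]
    if not any(s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"]) for s in pe["sections"]):
        findings.append(f"entry point RVA 0x{ep:x} lies outside every section")
    return findings


def fix_dump_section_table(data: bytes) -> bytes:
    """Common repair for a process-memory dump (assumed convention, not the paper's method):
    the bytes already sit at their virtual addresses, so make raw offsets equal the RVAs."""
    pe = parse_pe(data)
    out = bytearray(data)
    for s in pe["sections"]:
        # SizeOfRawData := VirtualSize, PointerToRawData := VirtualAddress
        struct.pack_into("<II", out, s["hdr_off"] + 16, s["vsize"], s["va"])
    return bytes(out)


def build_sample(sections, entry_rva, file_size):
    """Constructed minimal PE32 image (not a real binary) used only to exercise the checks."""
    img = bytearray(file_size)
    img[0:2] = DOS_MAGIC
    struct.pack_into("<I", img, 0x3C, 0x40)                              # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = NT_SIGNATURE
    struct.pack_into("<HH", img, nt + 4, 0x14C, len(sections))          # Machine (i386), NumberOfSections
    struct.pack_into("<H", img, nt + 20, OPTIONAL_HEADER_SIZE_PE32)     # SizeOfOptionalHeader
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x10B)                             # Magic: PE32
    struct.pack_into("<I", img, opt + 16, entry_rva)                    # AddressOfEntryPoint
    for i, sec in enumerate(sections):
        struct.pack_into("<8sIIII", img, opt + OPTIONAL_HEADER_SIZE_PE32 + i * SECTION_HEADER_SIZE, *sec)
    return bytes(img)


# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
FILE_LAYOUT = [(b".text", 0x200, 0x1000, 0x200, 0x400), (b".data", 0x100, 0x2000, 0x200, 0x600)]
GOOD = build_sample(FILE_LAYOUT, entry_rva=0x1010, file_size=0x800)
# Section table pointing past the bytes actually written: unusable for static analysis.
TRUNCATED = build_sample([FILE_LAYOUT[0], (b".data", 0x100, 0x2000, 0x200, 0x900)], 0x1010, 0x800)
# Memory dump: sections laid out at their RVAs but the header still carries on-disk raw offsets.
DUMP = build_sample(FILE_LAYOUT, entry_rva=0x1010, file_size=0x2100)

if __name__ == "__main__":
    print("good:", validate_pe(GOOD))
    print("truncated:", validate_pe(TRUNCATED))
    print("repaired dump:", validate_pe(fix_dump_section_table(DUMP)))
```

The validator only checks header consistency; it cannot tell whether the bytes under a section are the original code or still-encrypted packer data, which is exactly the part the kernel-side unpacker has to get right before the dump is taken.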