Windows 8 is HOT!
Security researchers are busy finding Windows 8 vulnerabilities while users are figuring out how to find the restart button in the new interface UI.
Windows 8 is definitely one of the big targets for hackers in 2013 based on McAfee 2013 Threats Predictions report
. Currently, more than 60% of malware samples are packed by PE packers. What is a packer
? A packer is a type of archive tool that compresses and encrypts other executable files in a disk and restores the original executable images when the packed files are loaded into memory. However, we can’t jump to the conclusion that every packed file is malicious. Some commercial packer vendors offer packers to protect applications against Reverse Engineering (RE), by putting the content of those applications into a strong protection “shell”.
A packed file is a type of archived file, but packed and regular archives are quite different. Users have to extract an archived file onto a hard disk before they can access the contents. On the other hand, a PE packed file is normally unpacked in memory. There are many archived files, such as zipped files, in Windows OS folders. So how many of them are packed? In this post, I will share my findings on searching for packed files in the Windows 8 OS.
The tools I am using here are PEiD and ExeInfo, two popular packer detectors. 1,832 signatures were picked from PEiD v0.93, and 3,281 rules from ExeInfo. The packer signature database of PEiD is a subset of that of ExeInfo. I also removed some non-packer rules from ExeInfo. As usual, I chose REer's favorite folder, \Windows\System32, as the testing folder. First, I scanned that folder with PEiD, and received a couple of packer detection results. Among them, the signatures for "Armadillov1xxv2xx" and "Armadillov171" triggered false positives. Those signatures search for the following binary strings from OEP respectively. In this case, you can ignore them.
55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6
55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1
I also found that ExeInfo itself was packed by the UPX packer.