64-bit Imports Rebuilding and Unpacking

Expo Theatre (Hall G) October 19, 2010

Sébastien Doucet

64-bit malware is coming! 64-bit malware is coming! I’ve been repeating this for the last 2 years; it’s not tinfoil hat talk anymore. With 64-bit packers and protectors being released, there is presently a growing need to create new tools that facilitate the manual unpacking process for malware analysis and make it as trivial as it is now for protected 32-bit executables. Accordingly, I will be showcasing two tools, CHimpREC and CHimpREC-64, allowing the spirit of ImpREC (the now obsolete imports rebuilding tool) to live on with the best possible compatibility with all the x64 versions of the Windows operating system. This presentation will uncover the inner workings of coding a 32-bit imports rebuilder and the problems encountered due to the WoW64 environment and Address Space Layout Randomization. Additionally, I will provide an overview of the differences between the PE and PE32+ formats and their impact on porting CHimpREC to 64-bit. The presentation will conclude with 2 or 3 short live unpacking sessions with different examples of 64-bit packers, showing how trivial it has become to deal with them with the help of CHimpREC-64 and demonstrating that obfuscation by obscurity is not an excuse anymore to ignore 64-bit malware.
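The PE versus PE32+ difference that matters most to an imports rebuilder is the thunk width (4 versus 8 bytes) and where the ordinal flag sits, which is why a 32-bit tool reads a 64-bit IAT as junk. The Python below is an added illustration of that, not CHimpREC's own code; the export map, IAT dump and RVAs are constructed.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # IMAGE_OPTIONAL_HEADER.Magic

def thunk_format(magic):
    """Thunk width and ordinal flag follow the optional-header magic."""
    if magic == PE32_MAGIC:
        return "<I", 1 << 31                # IMAGE_ORDINAL_FLAG32
    if magic == PE32PLUS_MAGIC:
        return "<Q", 1 << 63                # IMAGE_ORDINAL_FLAG64
    raise ValueError(f"unknown optional header magic {magic:#x}")

def rebuild_imports(iat_dump, magic, exports):
    """Walk a dumped IAT and group resolved pointers per DLL, the way an
    imports rebuilder derives IMAGE_IMPORT_DESCRIPTORs. `exports` maps
    absolute address -> (dll, export name), as collected from the loaded
    modules' export tables. Unresolved pointers become ('?', hex)."""
    fmt, _ = thunk_format(magic)
    width = struct.calcsize(fmt)
    descriptors, current = [], None
    for off in range(0, len(iat_dump) - width + 1, width):
        (ptr,) = struct.unpack_from(fmt, iat_dump, off)
        if ptr == 0:                        # null thunk ends a DLL's block
            current = None
            continue
        dll, name = exports.get(ptr, ("?", f"{ptr:#x}"))
        if current is None or current[0] != dll:
            current = (dll, [])
            descriptors.append(current)
        current[1].append(name)
    return descriptors

def encode_ilt(entries, magic):
    """Emit one DLL's Import Lookup Table: an int is an ordinal (flagged in
    the top bit of the thunk), a (name, rva) pair points at its
    IMAGE_IMPORT_BY_NAME entry; a null thunk terminates the table."""
    fmt, ordinal_flag = thunk_format(magic)
    thunks = [(ordinal_flag | e) if isinstance(e, int) else e[1] for e in entries]
    return b"".join(struct.pack(fmt, t) for t in thunks + [0])

# Constructed sample: a PE32+ IAT dump after the packer resolved its APIs
# (addresses are made up; real ones change per boot because of ASLR).
EXPORTS64 = {
    0x7FFA12340010: ("kernel32.dll", "GetProcAddress"),
    0x7FFA12340020: ("kernel32.dll", "LoadLibraryA"),
    0x7FFA56780100: ("user32.dll", "MessageBoxA"),
}
IAT64 = struct.pack("<5Q", 0x7FFA12340010, 0x7FFA12340020, 0,
                    0x7FFA56780100, 0)

if __name__ == "__main__":
    print(rebuild_imports(IAT64, PE32PLUS_MAGIC, EXPORTS64))
    print(rebuild_imports(IAT64, PE32_MAGIC, EXPORTS64))  # wrong width: junk
```

Reading the same dump with the PE32 thunk width splits every 64-bit pointer into two unresolvable dwords, which is the failure a 32-bit rebuilder shows on a PE32+ target.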