GREM Bypassing Packers and Obfuscation Questions and Answers

Question 1

An analyst is manually unpacking a malware sample and, after stepping through the packer's stub code, encounters a `JMP EAX` instruction. The value in the EAX register points to a memory region that was recently allocated and written to by the stub. What does this instruction most likely represent?

Accepted Answer

The transfer of execution to the Original Entry Point (OEP).

Answer

This pattern is a classic final step for a packer. The unpacking stub decrypts or decompresses the original program's code into a new memory region. The final instruction of the stub is a 'tail jump' that transfers execution control to this newly written code, which begins at the Original Entry Point (OEP).

Question 2

A reverse engineer encounters a conditional branch in a program that always resolves to the same path at runtime, but is constructed in a way that is difficult for static analysis tools to determine. For example, a condition like `if ((x * x) + 1 <= 0)` is used to guard a malicious code block. What is this control flow obfuscation technique called?

Accepted Answer

Opaque predicate

Answer

An opaque predicate is a conditional expression whose outcome is known beforehand by the malware author but is designed to be difficult for an automated tool or static analysis to figure out. This forces the tool to analyze dead code paths or makes the control flow graph unnecessarily complex, confusing the analyst.

Question 3

While dynamically analyzing a packed executable, an analyst observes the program allocate a new memory section with `PAGE_EXECUTE_READWRITE` permissions, write data into it, and then prepare to execute it. To reliably identify the Original Entry Point (OEP) at the moment of transition, which of the following is the most effective action?

Accepted Answer

Setting a hardware breakpoint on execution for the newly allocated memory section.

Answer

After a packer writes the decrypted/unpacked code to a new memory region, it must transfer execution to that region. By setting a hardware breakpoint on execution for that entire memory section, the debugger will immediately pause when the first instruction of the unpacked code is about to be run. This location is the OEP.

Question 4

During static analysis, an analyst finds no meaningful ASCII strings. However, when debugging, they observe a small loop that runs immediately before a Windows API call. This loop uses a multi-byte XOR key to decode a block of data on the stack, which then resolves to a string like "kernel32.dll". This is a common implementation of what technique?

Accepted Answer

Stack string obfuscation

Answer

This technique is known as stack string obfuscation. Malware authors use it to hide important strings (like DLL names, API function names, C2 domains, etc.) from static analysis tools. The strings are stored in an obfuscated form and are only deobfuscated in a temporary location (the stack) right before they are needed, making them difficult to discover without dynamic analysis.

Question 5

Which of the following is a classic indicator of a PE file packed with a standard, non-modified version of UPX (Ultimate Packer for eXecutables)?

Accepted Answer

The PE header contains section names like `UPX0` and `UPX1`.

Answer

Standard UPX packers typically create two primary sections named `UPX0` and `UPX1`. The `UPX0` section contains the compressed data of the original program, and `UPX1` contains the unpacking stub code. The file's entry point is set within the `UPX1` section.

(GREM) Giac Reverse Engineering Malware Practice Test

(GREM) Giac Reverse Engineering Malware Practice Test

GREM Bypassing Packers and Obfuscation Questions and Answers