Learning Malware Analysis by Monnappa K A

4.1.1 Identifying The OEP

In this section, you will understand the techniques used to identify the OEP in a packed binary. In the following screenshot, examining the packed binary in pestudio (https://www.winitor.com/) shows many indicators that suggest the file is packed. The packed binary contains three sections: UPX0, UPX1, and .rsrc. From the screenshot, you can see that the entry point of the packed binary is in the UPX1 section, so execution begins there, and this section contains the decompression stub that will unpack the original executable at runtime. Another indicator is that the raw size of the UPX0 section is 0, while its virtual size is 0x1f000; this suggests that the UPX0 section does not occupy any space on disk, but it ...
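The same indicators that pestudio displays can be read straight from the PE headers. The following is an added example, not code from the book: a small parser that reports which section holds the entry point and which sections have a raw size of 0 but a non-zero virtual size. The PE image it inspects is constructed inline to mirror the section layout described above (the entry point RVA and the UPX1/.rsrc sizes are assumed values, since the text gives only the UPX0 sizes).

```python
import struct

def build_sample():
    """Constructed minimal PE header (not a real file) with the layout from the text."""
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [
        (b"UPX0", 0x1F000, 0x1000, 0, 0x400),         # raw size 0, virtual size 0x1f000
        (b"UPX1", 0x8000, 0x20000, 0x7A00, 0x400),    # assumed sizes; holds the stub
        (b".rsrc", 0x1000, 0x28000, 0x1000, 0x7E00),  # assumed sizes
    ]
    entry_rva = 0x27600  # assumed: an RVA inside UPX1
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                  # PE32 optional header, zeroed except what we need
    struct.pack_into("<H", opt, 0, 0x10B)  # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, rs, pr, 0, 0, 0, 0, 0x60000020)
        for n, vs, va, rs, pr in sections)
    return bytes(dos) + coff + bytes(opt) + hdrs

def parse_sections(data):
    """Return (entry_rva, [(name, VirtualAddress, VirtualSize, SizeOfRawData), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    secs = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + i * 40)
        secs.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawsize))
    return entry_rva, secs

def packing_indicators(data):
    """Summarise the packing hints discussed in the text."""
    entry_rva, secs = parse_sections(data)
    entry_section = next((n for n, va, vs, rs in secs if va <= entry_rva < va + max(vs, rs)), None)
    return {
        "entry_section": entry_section,                              # expect the stub section
        "zero_raw_size": [n for n, va, vs, rs in secs if rs == 0 and vs > 0],  # unpack target
        "upx_names": [n for n, va, vs, rs in secs if n.upper().startswith("UPX")],
    }
```

Run against a real sample by replacing `build_sample()` with the file's bytes; the entry point landing in a packer-named section with a zero-raw-size section beside it is the pattern to look for before tracing towards the OEP.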
