The UPX0 section has a "raw-size" of zero and a large "virtual-size"-this section does not exist on the disk, and will be dynamically filled when the program runs. text section is very strange, since that section should have the executable code. There are only three sections: UPX0, UPX1, and. In the pestudio window examining puttycomp.exe, 
rsrc sections which contain large unused sections filled with zeroes, as we will see below. The other sections have lower entropy, especially the. text section has entropy 6.7, which is typical for assembly code which varies a lot, but is not completely random.
entry-point: This is where execution starts. No program should ever allow write and execute permissions on the same memory segment, as a basic security principle. The difference is that the raw-size is rounded up to the nearest 4K block size. Comparing the "raw-size" (size on disk) and "virtual-size" (size in memory) values, they are almost equal for each section. 
In the pestudio window examining putty.exe,
virustotal shows false possitives too: one engine falsely regards putty itself as malicious, but 11 flag the packed file, apparently regarding the packing itself as suspicious. These are false positives since this is a harmless program, not malware. indicators shows the number of suspicious features in each file. The hash values shown in the right pane are different, because the disk files are different. Make sure that the top line in the left pane is selected. "Windows 10 with Analysis Tools" machine from anĭownload this file, and put it on your desktop:Īs shown below. You can use any Windows system, but it's easiest Use the "Windows 10 with Analysis Tools" VM 
A Windows machine, preferably the "Windows 10 with Analysis Tools" VM. PMA 121: Unpacking with OllyDbg and pestudio (20 pts + 30 extra) PMA 121: Unpacking with OllyDbg and pestudio (20 pts + 30 extra) What you need
0 kommentar(er)
