Abstract: Automated unpacking of a portable executable file includes setting a debugging breakpoint at an original entry point address of a packed portable executable file. A debugging process is executed for the packed portable executable file to obtain a debugged portable executable file in memory. One or more of import address table data and relocation table data are collected during execution of the debugging process for the packed portable executable file. The debugged portable executable file in memory is copied to a storage medium, and the debugging process is terminated.
Abstract: A method, computer program product, and computer system for obtaining, by a computing device, a file, wherein the file includes a plurality of portions. A first hash of a first portion of the plurality of portions may be generated. The first portion may be combined with a second portion of the plurality of portions. A second hash of the first portion combined with the second portion of the plurality of portions may be generated, wherein the first hash may be indicative of a first level of functional similarity between a function of the file and a function of a second file, and wherein the second hash may be indicative of a second level of functional similarity between the function of the file and the function of the second file.
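The following is an added illustration of the prefix-hashing idea in the abstract above; it is not code from the patent or any product. It assumes (the abstract does not fix these) that "portions" are equal-sized byte chunks, that the hash is SHA-256, and that a "level of functional similarity" is the count of leading prefix hashes two files have in common. The sample inputs are constructed byte strings standing in for two function bodies.

```python
import hashlib
from typing import List

# Assumption: portions are fixed-size chunks; the abstract does not specify a size.
PORTION_SIZE = 16


def split_portions(data: bytes, size: int = PORTION_SIZE) -> List[bytes]:
    """Divide the file bytes into consecutive portions of `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def prefix_hashes(data: bytes, size: int = PORTION_SIZE) -> List[str]:
    """Hash of portion 1, then of portions 1+2, then 1+2+3, and so on.

    The first hash covers only the first portion; each later hash covers that
    prefix combined with the next portion, matching the abstract's first and
    second hash.  hashlib lets us read a digest and keep updating, so each
    prefix hash equals SHA-256 over the concatenated bytes so far.
    """
    h = hashlib.sha256()
    hashes = []
    for portion in split_portions(data, size):
        h.update(portion)
        hashes.append(h.hexdigest())
    return hashes


def similarity_level(a: bytes, b: bytes, size: int = PORTION_SIZE) -> int:
    """Number of leading prefix hashes the two inputs share.

    Level 0 means even the first portion differs; a higher level means the two
    functions agree over a longer initial stretch, which a single whole-file
    hash would not reveal.
    """
    level = 0
    for x, y in zip(prefix_hashes(a, size), prefix_hashes(b, size)):
        if x != y:
            break
        level += 1
    return level


# Constructed sample "function bodies": A and B share their first two portions
# and diverge in the third; C differs from the very first byte.
FUNC_A = b"A" * 16 + b"B" * 16 + b"C" * 16 + b"D" * 16
FUNC_B = b"A" * 16 + b"B" * 16 + b"X" * 16 + b"D" * 16
FUNC_C = b"Z" * 16 + b"B" * 16 + b"C" * 16 + b"D" * 16


if __name__ == "__main__":
    print("A vs A:", similarity_level(FUNC_A, FUNC_A))  # 4
    print("A vs B:", similarity_level(FUNC_A, FUNC_B))  # 2
    print("A vs C:", similarity_level(FUNC_A, FUNC_C))  # 0
```

Because each hash covers a cumulative prefix, a match at level N implies matches at every lower level, so the list of prefix hashes can be indexed to find, for a new file, the longest agreeing prefix with any previously seen file without re-reading those files.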