Abstract: Automated unpacking of a portable executable file includes setting a debugging breakpoint at an original entry point address of a packed portable executable file. A debugging process is executed for the packed portable executable file to obtain a debugged portable executable file in memory. One or more of import address table data and relocation table data are collected during execution of the debugging process for the packed portable executable file. The debugged portable executable file in memory is copied to a storage medium, and the debugging process is terminated.

Abstract: A method, computer program product, and computer system for obtaining, by a computing device, a file, wherein the file includes a plurality of portions. A first hash of a first portion of the plurality of portions may be generated. The first portion may be combined with a second portion of the plurality of portions. A second hash of the first portion with the second portion of the plurality of portions may be generated, wherein the first hash may be indicative of a first level of functional similarity between a function of the file and a function of a second file, wherein the second hash may be indicative of a second level of functional similarity with the function of the file and the function of the second file.

Abstract: A portable executable file is analyzed by parsing a binary image of the portable executable file to generate a parsed field. An attribute of the parsed field is determined. The attribute of the parsed field is compared to a valid characteristic of a valid corresponding field based upon, at least in part, a portable executable file format specification. It is determined if the attribute of the parsed field matches the valid characteristic of the valid corresponding field.

Abstract: A portable executable file is analyzed by parsing a binary image of the portable executable file to generate a parsed field. An attribute of the parsed field is determined. The attribute of the parsed field is compared to a valid characteristic of a valid corresponding field based upon, at least in part, a portable executable file format specification. It is determined if the attribute of the parsed field matches the valid characteristic of the valid corresponding field.

Abstract: Automated unpacking of a portable executable file includes setting a debugging breakpoint at an original entry point address of a packed portable executable file. A debugging process is executed for the packed portable executable file to obtain a debugged portable executable file in memory. One or more of import address table data and relocation table data are collected during execution of the debugging process for the packed portable executable file. The debugged portable executable file in memory is copied to a storage medium, and the debugging process is terminated.

Abstract: A portable executable file is analyzed by parsing a binary image of the portable executable file to generate a parsed field. An attribute of the parsed field is determined. The attribute of the parsed field is compared to a valid characteristic of a valid corresponding field based upon, at least in part, a portable executable file format specification. It is determined if the attribute of the parsed field matches the valid characteristic of the valid corresponding field.

Abstract: A method, computer program product, and computer system for obtaining, by a computing device, a file, wherein the file includes a plurality of portions. A first hash of a first portion of the plurality of portions may be generated. The first portion may be combined with a second portion of the plurality of portions. A second hash of the first portion with the second portion of the plurality of portions may be generated, wherein the first hash may be indicative of a first level of functional similarity between a function of the file and a function of a second file, wherein the second hash may be indicative of a second level of functional similarity with the function of the file and the function of the second file.

Abstract: Automated unpacking of a portable executable file includes setting a debugging breakpoint at an original entry point address of a packed portable executable file. A debugging process is executed for the packed portable executable file to obtain a debugged portable executable file in memory. One or more of import address table data and relocation table data are collected during execution of the debugging process for the packed portable executable file. The debugged portable executable file in memory is copied to a storage medium, and the debugging process is terminated.

Abstract: A portable executable file can be repaired by identifying an invalid field of a portable executable file. A likelihood of repairing the invalid field of the portable executable file is determined. A repair model for repairing the invalid field of the portable executable file is generated, and the invalid field of the portable executable file is repaired based upon, at least in part, the repair model.

Abstract: A portable executable file is analyzed by parsing a binary image of the portable executable file to generate a parsed field. An attribute of the parsed field is determined. The attribute of the parsed field is compared to a valid characteristic of a valid corresponding field based upon, at least in part, a portable executable file format specification. It is determined if the attribute of the parsed field matches the valid characteristic of the valid corresponding field.

Abstract: Automated unpacking of a portable executable file includes setting a debugging breakpoint at an original entry point address of a packed portable executable file. A debugging process is executed for the packed portable executable file to obtain a debugged portable executable file in memory. One or more of import address table data and relocation table data are collected during execution of the debugging process for the packed portable executable file. The debugged portable executable file in memory is copied to a storage medium, and the debugging process is terminated.

Abstract: A portable executable file can be repaired by identifying an invalid field of a portable executable file. A likelihood of repairing the invalid field of the portable executable file is determined. A repair model for repairing the invalid field of the portable executable file is generated, and the invalid field of the portable executable file is repaired based upon, at least in part, the repair model.