The OwnPidFilter should be removed to prevent false negatives of malware injecting itself into the unpacker.
The filter is no longer necessary, as the problem it solved (preventing false positives when the unpacker scans its own memory) could be solved differently. To achieve this, the execution order was modified:
The bytes of the sample to unpack are completely processed first (i.e. copying and checking if it's a library) before the first memory snapshot is taken. This enables the MemMapChangeFilter to filter out the bytes of the sample.
The tasks for the unpacker's pid are created and filtered before all the other pids are processed. This prevents the unpacker's memory from being polluted with PE headers during the self check.
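The ordering argument above can be checked with a toy model of the scan pipeline. The following Python is an added example, not the project's own code: the class names (Region, Process, MemMapChangeFilter, Unpacker), the pids, the region bases and the PE-looking sample bytes are all constructed for the simulation. It models the two problems the new order avoids (the sample's own bytes, and other processes' pages read into the unpacker's buffers, showing up as "new" PE headers in the unpacker's memory) and the false negative that an own-pid exclusion would cause when a sample injects into the unpacker.

```python
from dataclasses import dataclass, field

PE_MAGIC = b"MZ"          # DOS header magic that starts every PE image
UNPACKER_PID = 1000       # constructed pids for the simulation
TARGET_PID = 2000


@dataclass(frozen=True)
class Region:
    """A mapped memory region: base address plus its bytes (hashable for set diffs)."""
    base: int
    data: bytes


@dataclass
class Process:
    pid: int
    regions: list = field(default_factory=list)


class MemMapChangeFilter:
    """Toy baseline-diff filter: only regions absent from the pid's snapshot pass."""

    def __init__(self):
        self.baseline = {}

    def snapshot(self, proc):
        self.baseline[proc.pid] = set(proc.regions)

    def new_regions(self, proc):
        seen = self.baseline.get(proc.pid, set())
        return [r for r in proc.regions if r not in seen]


def pe_hits(regions):
    """Bases of regions whose bytes look like a PE header."""
    return sorted(r.base for r in regions if r.data.startswith(PE_MAGIC))


class Unpacker:
    """Hypothetical unpacker: its own memory is a Process like any other."""

    def __init__(self):
        self.me = Process(UNPACKER_PID)
        self.filter = MemMapChangeFilter()

    def load_sample(self, sample):
        # Copying the sample (and checking whether it is a library) puts its
        # bytes, PE header included, into the unpacker's own memory.
        self.me.regions.append(Region(0x10000, sample))

    def check_pid(self, proc):
        if proc is not self.me:
            # Reading another process copies its pages into our own read
            # buffers, so their PE headers land in the unpacker's memory too.
            for r in proc.regions:
                self.me.regions.append(Region(0x20000 + r.base, r.data))
        return pe_hits(self.filter.new_regions(proc))


# Constructed PE-looking sample: DOS magic, padding, then the "PE\0\0" signature.
SAMPLE = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00"


def simulate(sample_first=True, self_check_first=True, inject=False, own_pid_filter=False):
    """Run one ordering of the pipeline; return PE hits reported for the unpacker's pid."""
    target = Process(TARGET_PID, [Region(0x400000, SAMPLE)])  # victim already holds a PE
    u = Unpacker()
    if sample_first:
        u.load_sample(SAMPLE)          # new order: sample bytes precede the baseline
    u.filter.snapshot(u.me)
    u.filter.snapshot(target)
    if not sample_first:
        u.load_sample(SAMPLE)          # old order: sample lands after the baseline
    if inject:
        # The sample writes a fresh PE into the unpacker's memory (self-injection).
        u.me.regions.append(Region(0x30000, SAMPLE))
    if own_pid_filter:
        u.check_pid(target)            # OwnPidFilter: the unpacker's pid is never scanned
        return []
    if self_check_first:
        own = u.check_pid(u.me)        # self check before other pids pollute our buffers
        u.check_pid(target)
    else:
        u.check_pid(target)            # other pids first: their pages become our regions
        own = u.check_pid(u.me)
    return own


if __name__ == "__main__":
    print("new order, no injection:      ", simulate())
    print("new order, self-injection:    ", simulate(inject=True))
    print("snapshot before sample (FP):  ", simulate(sample_first=False))
    print("others before self check (FP):", simulate(self_check_first=False))
    print("OwnPidFilter, injection (FN): ", simulate(inject=True, own_pid_filter=True))
```

With the new order the self check reports nothing for a benign run and exactly the injected region when the sample injects into the unpacker; with the old snapshot-first order the sample's own copy is reported, with other pids scanned first the copied victim pages are reported, and with the OwnPidFilter the injection is never seen.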