SlideShare a Scribd company logo

Packers

Ange Albertini
Ange Albertini

- Models: simple, malware, advanced - Categories and Features: compresser, protecter, crypter, bundler, virtualiser, mutater - Landscape: Free, Commercial, Malware / Bundlers, Compressors, Virtualizers - Detailed features: compression, anti-analysis, anti-debugging, anti-dumping, anti-emulation, bundlers - EntryPoints: FSG, UPX (with LZMA), AsPack, PECompact, MEW, Upack - Algorithms: aPLib, LZMA, CRC32

Technology
1 of 8
Download to read offline
Packers (5th April 2010) Ange Albertini http://corkami.blogspot.com Creative Commons Attribution 3.0
Table of contents 3 Models: simple, malware, advanced 4 Categories and Features: compresser, protecter, crypter, bundler, virtualiser, mutater 5 Landscape: Free, Commercial, Malware / Bundlers, Compressors, Virtualizers 6 Detailed features: compression, anti-analysis, anti-debugging, anti-dumping, anti-emulation, bundlers 7 EntryPoints: FSG, UPX (with LZMA), AsPack, PECompact, MEW, Upack 8 Algorithms: aPLib, LZMA, CRC32 Changelog 2010/04/05 +algorithms 2010/04/04 +models 2010/03/29 +entrypoints 2010/03/24 +categories and features, detailed features 2010/02/23 +landscape (first graphic)
decryption (one layer,add/rol/xor) decompression optimisation relocation imports loading obfuscation jump to entry point simple malware advanced anti-analysis anti-debugger anti-emulation packer stub original code allocation (VirtualAlloc / empty section) decryption (MANY layers,add/rol/xor) decompression imports loading jump to entry point trapped start original code allocation (VirtualAlloc / empty section) cleaning main body decryption (Tea/RC4/operators) Packers Models allocation decryption decompression engine loading (partial) decryption (advanced algorithms) relocations, imports,... DRM Management integrity check tampering original code extra threads (monitoring, page guard,...) startup packer engine Ange Albertini 2010 Creative Commons Attribution http://corkami.blogspot.com
Different architecture mutater compresser protecter crypter transformation (original code is rewritten) extension (extra packer code is executed) aPLib LZMA NRV FFCE lzab lznt deflate LZMAT BriefLZ JCALG1 add/xor/rol RC4 PRNG (LCG) *Tea Blowfish DES AES IDEA ElGamal Encryption algorithms Compression algorithms anti-debuggers anti-emulation integrity check anti-dump DRM Countermeasures Original File Stack + RISC x86 proprietary bundler dropping injection API hooking Packers Categories & Features virtualiser reflowing synonyms Different code File Embedding ROL+XOR crc32 md5 sha1 adler md4 tiger whirlpool Checksum/hashes Ange Albertini 2010 Creative Commons Attribution http://corkami.blogspot.com
Bundlers Virtualisers RLPack EXECryptor ThinAppObsidium EnigmaeXPressor Armadillo Hacks Demos WareZ Games DRM Alexei Solodovnikov Oreans Bitsum NorthStar Ashkbiz 'y0da' Danehkar Bartosz 'Bart' Wojcik Free Commercial PEBundle PECompact ASProtect PELOCK PeX NFO NSAnti (Anti007) Malware RPolycrypt RCryptor RJoiner Morphine MaskPE YodaCrypter YodaProtector NTKrnl Molebox PolyEne BJFNT tELockSTonePE PECrypt32 PEShrinker PEPaCK PEDiminisher marioPACKer RDG Tejon Crypter [MSLRH] DragonArmour PenguinCrypt nPack PESpin WWPack32 EXEFog PackMan KKryptor PolyCrypter PE-Armor NiceProtect ORiEN Themida Code Virtualizer Winlicence VMProtect XProtector PrivatePersonalPacker CRYPToCRACk's PE Protector Anticrack Protector Krypton Escargot MZOoPE PCGuard SecureEXE NoobyProtect ZProtect Hmimys' Protector ExeStealth !ExePack UltraProtect Berio EXEJoiner MicroJoiner Beria Vbox PolycryptPE DOS EntryPoint Patchers PseudoSigner FakeSigner AHT Entry Point Protector DingBoy PE-Lock SecuROM Safedisc Starforce LaserLock Tages Pohernah Morphnah ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ? ? ?? ? ? ? ? ? Alex Protector Packers Landscape Ange Albertini 2009-2010 Creative Commons Attribution http://corkami.blogspot.com
detailed packers’ features compression (used on top of compression algorithms) section merging merge all sections (just one entry in the section table) imports imports are stored and loaded with a more compact import table format imports by hash exports are parsed until it matches a specific hash, instead of a GetProcAddress call call optimisation turn relative operands of jumps and calls into absolute → better compression resources compresses resources, avoiding critical ones (main icon, manifest,. . . ) protection token check presence check to allow the program to run: dongle, CD/DVD, key, file, network... fingerprinting token is specific to a hardware element: disk/OS/CPU/MAC/... demo mode inclusion of a demo binary/mode that is executed when token is absent or not enough privileged integrity check the contents are unmodified with checksum or hash anti-analysis overlap jumping after the first byte of an instruction illusion makes the analyst the something incorrect happened junk insertion of dummy code between relevant opcodes jumps insertion of jumps to makes analysis visually harder polymorphism different but equivalent code → 2 packed files of the same source are different self generation packer stub generates polymorphic code on the fly → same file executes differently virtualization virtualizes (part of) packer stub code → harder analysis stack strings are built and decrypted before use, then discarded → to avoid obvious references faking add fake code similar to known packers to fool identifcation thread use several parallel threads to make analysis harder timing comparing time between two points to detect unusual execution anti-debugging (and anti-tools, by extension) detect detect the presence of an attached debugger: IsDebuggerPresent prevent prevent a debugger to attach to the target itself or stay attached nuisance make debugger session difficult: BlockInput, slow down... thread spawn a monitoring thread to detect tampering, breakpoints, . . . artifacts detects a debugger by its artifact: window title, device driver, exports, ... limitation prevent the use of a tool via a specific limitation exploit prevent the use of a tool via a specific vulnerability backdoor detect or crash a debugger via a specific backdoor self-debugging debug itself to prevent another debugger to be attached int1 block interruption 1 → debuggers stop working fake add code of known packer to fool identification anti-dumping (prevent making a working executable from a memory image) tampering erase or corrupt specific file parts to prevent rebuilding (header, packer stub,. . . ) imports add obfuscation between imports calls and APIs (obfuscation, virtualization, stealing, . . . ) on the fly API address is resolved before each use to prevent complete dumping API hooking alter API behavior: redirect benign API to a critical one → dump not working inlining copy locally the whole content of API code → no more ’import calls’ relocate relocate API code in separate buffer → calls don’t lead to imported DLLs byte stealing move the first bytes of the original code elsewhere → harder rebuilding and bypasses breakpoints page guard blocks of code are encrypted individually, and decrypted temporarily only upon execution flow flow opcodes are removed and emulated (or decrypted) by the packer during execution → incorrect dump virtualization virtualizes (part of) original code, API start. . . → dump not working without VM code anti-emulation opcodes using different opcodes sets (FPU, MMX, SSE) to block emulators undoc use of rare or undocumented opcodes to block non-exhaustive emulators API unusual APIs are called to block non-exhaustive emulators (anti-virus) loop extra loops are added to make time-constraint emulators give up bundlers drop original file is written to disk then executed injection original file is injected in existing process → no new file on disk + higher privileges hooking file handling APIs are modified to make embedded files usable like external ones Ange Albertini, 2010, cc by 3.0 http://corkami.blogspot.com
EntryPoint: pusha call _1 db 0E9h ; E9 EB045D45 CALL ... jmp _2 _1: pop ebp inc ebp push ebp retn _2: call _3 db 0EBh ; EB54 JMP <garbage> _3: pop ebp EntryPoint: mov eax, _1 push eax push dword ptr fs:[0] mov fs:[0], esp xor eax, eax mov [eax], ecx [...] _1: mov eax, <random1> lea ecx, [eax + <random2>] mov [ecx + 1], eax mov edx, [esp + 4] mov edx, [edx + c] mov byte ptr [edx], 0e9 add edx, 5 sub ecx, edx mov [edx - 4], ecx xor eax, eax retn mov eax, 12345678 pop dword ptr fs:[0] add esp, 4 push ebp push ebx EntryPoint: xchg [_1], esp popad xchg eax, esp push ebp _1: movsb mov dh, 80 call [ebx] jnb _1 xor ecx, ecx call [ebx] EntryPoint: pushad mov esi, <address> lea edi, [esi + <negative>] push edi or ebp, ffffffff ; * Not in UPX >3 jmp $ + 12 nop nop ; * nop ; * nop ; * nop ; * nop ; * mov al, [esi] inc esi mov [edi], al _1: mov esi, <address> mov ebx, esi lodsd lodsd push eax lodsd xchg eax, edi mov dl, 80 _2: movsb mov dh, 80 call [ebx] jnb _2 [...] EntryPoint: jmp _1 EntryPoint: mov esi, <address> lodsd push eax push dword ptr [esi+34] jmp short _1 [...] _1: push dword ptr [esi+38] lodsd push eax mov edi, [esi] mov esi, <address2> EntryPoint: pushad mov esi, <address> lea edi, [esi + <negative>] push edi mov ebp, esp lea ebx, [esp - 3E80] xor eax, eax _1: push eax cmp esp, ebx jnz _1 inc esi inc esi push ebx push 0C478 push edi add ebx, 4 push ebx push 534E push esi add ebx, 4 push ebx push eax mov dword ptr [ebx], 20003 nop nop nop nop nop push ebp push edi push esi push ebx sub esp, 7C mov edx, [esp + 90] PECOMPACT FSG UPX UPX (LZMA) AsPack MEW Upack Packers EntryPoints Ange Albertini 2010 Creative Commons Attribution http://corkami.blogspot.com
crcloop: test eax, 1 jz no_xor shr eax, 1 xor eax, 0EDB88320h jmp loop no_xor: shr eax, 1 loop: loop crcloop CRC32 start: push ebp mov ebp, esp add esp, -54 push ebx push esi push edi mov [ebp - c], ecx [...] $+84: add ecx, [ebp - 34] mov eax, 300 shl eax, cl add eax, 736 dec eax test eax, eax jb no_init inc eax mov [ebp - 2c], 0 init_buffer: mov edx, [ebp - 10] mov ecx, [ebp - 2c] mov [edx + ecx * 4], 400 inc [ebp - 2c] dec eax jnz init_buffer no_init: [...] mov al, 1 pop edi pop esi pop ebx mov esp, ebp pop ebp retn 10 LZMA start: pushad mov esi, [esp + 24] mov edi, [esp + 28] cld mov dl, 80 xor ebx, ebx copy_literal: movsb mov bl, 2 next: call getbit jnb short copy_literal xor ecx, ecx call getbit [...] sub esi, eax rep movsb pop esi jmp next getbit: add dl, dl jnz skip mov dl, [esi] inc esi adc dl, dl skip: retn [...] end: sub edi, [esp + 28] mov [esp + 1c], edi popad retn 0c APLIB Packers Algorithms Ange Albertini 2010 Creative Commons Attribution http://corkami.blogspot.com

Recommended

Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 

Recommended

Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration DisastersBSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disastersinfodox
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingSam Bowne
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en MasseKurt Baumgartner
 
Listen afup 2010
Listen afup 2010Listen afup 2010
Listen afup 2010Gabriele Santini
 

More Related Content

What's hot

Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration DisastersBSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disastersinfodox
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingSam Bowne
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 

What's hot (20)

Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration DisastersBSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware Launching
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 

Similar to Packers

Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
The why and how of moving to php 7
The why and how of moving to php 7The why and how of moving to php 7
The why and how of moving to php 7Wim Godden
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
The why and how of moving to php 7.x
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.xWim Godden
 
Heap overflows for humans – 101
Heap overflows for humans – 101Heap overflows for humans – 101
Heap overflows for humans – 101Craft Symbol
 
The why and how of moving to php 7.x
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.xWim Godden
 
The why and how of moving to php 5.4
The why and how of moving to php 5.4The why and how of moving to php 5.4
The why and how of moving to php 5.4Wim Godden
 
The why and how of moving to php 8
The why and how of moving to php 8The why and how of moving to php 8
The why and how of moving to php 8Wim Godden
 
What To Expect From PHP7
What To Expect From PHP7What To Expect From PHP7
What To Expect From PHP7Codemotion
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 

Similar to Packers (20)

AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
Listen afup 2010
Listen afup 2010Listen afup 2010
Listen afup 2010
 
Tranning-2
Tranning-2Tranning-2
Tranning-2
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation Process
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
 
The why and how of moving to php 7
The why and how of moving to php 7The why and how of moving to php 7
The why and how of moving to php 7
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
A Life of breakpoint
A Life of breakpointA Life of breakpoint
A Life of breakpoint
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
The why and how of moving to php 7.x
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.x
 
Heap overflows for humans – 101
Heap overflows for humans – 101Heap overflows for humans – 101
Heap overflows for humans – 101
 
The why and how of moving to php 7.x
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.x
 
The why and how of moving to php 5.4
The why and how of moving to php 5.4The why and how of moving to php 5.4
The why and how of moving to php 5.4
 
The why and how of moving to php 8
The why and how of moving to php 8The why and how of moving to php 8
The why and how of moving to php 8
 
What To Expect From PHP7
What To Expect From PHP7What To Expect From PHP7
What To Expect From PHP7
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 

More from Ange Albertini

Technical challenges with file formats
Technical challenges with file formatsTechnical challenges with file formats
Technical challenges with file formatsAnge Albertini
 
Relations between archive formats
Relations between archive formatsRelations between archive formats
Relations between archive formatsAnge Albertini
 
Abusing archive file formats
Abusing archive file formatsAbusing archive file formats
Abusing archive file formatsAnge Albertini
 
You are *not* an idiot
You are *not* an idiotYou are *not* an idiot
You are *not* an idiotAnge Albertini
 
Improving file formats
Improving file formatsImproving file formats
Improving file formatsAnge Albertini
 
An introduction to inkscape
An introduction to inkscapeAn introduction to inkscape
An introduction to inkscapeAnge Albertini
 
The challenges of file formats
The challenges of file formatsThe challenges of file formats
The challenges of file formatsAnge Albertini
 
Exploiting hash collisions
Exploiting hash collisionsExploiting hash collisions
Exploiting hash collisionsAnge Albertini
 
Connecting communities
Connecting communitiesConnecting communities
Connecting communitiesAnge Albertini
 
TASBot - the perfectionist
TASBot - the perfectionistTASBot - the perfectionist
TASBot - the perfectionistAnge Albertini
 
Caring for file formats
Caring for file formatsCaring for file formats
Caring for file formatsAnge Albertini
 
Trusting files (and their formats)
Trusting files (and their formats)Trusting files (and their formats)
Trusting files (and their formats)Ange Albertini
 
Let's write a PDF file
Let's write a PDF fileLet's write a PDF file
Let's write a PDF fileAnge Albertini
 

More from Ange Albertini (20)

Technical challenges with file formats
Technical challenges with file formatsTechnical challenges with file formats
Technical challenges with file formats
 
Relations between archive formats
Relations between archive formatsRelations between archive formats
Relations between archive formats
 
Abusing archive file formats
Abusing archive file formatsAbusing archive file formats
Abusing archive file formats
 
TimeCryption
TimeCryptionTimeCryption
TimeCryption
 
You are *not* an idiot
You are *not* an idiotYou are *not* an idiot
You are *not* an idiot
 
Improving file formats
Improving file formatsImproving file formats
Improving file formats
 
KILL MD5
KILL MD5KILL MD5
KILL MD5
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
 
Beyond your studies
Beyond your studiesBeyond your studies
Beyond your studies
 
An introduction to inkscape
An introduction to inkscapeAn introduction to inkscape
An introduction to inkscape
 
The challenges of file formats
The challenges of file formatsThe challenges of file formats
The challenges of file formats
 
Exploiting hash collisions
Exploiting hash collisionsExploiting hash collisions
Exploiting hash collisions
 
Infosec & failures
Infosec & failuresInfosec & failures
Infosec & failures
 
Connecting communities
Connecting communitiesConnecting communities
Connecting communities
 
TASBot - the perfectionist
TASBot - the perfectionistTASBot - the perfectionist
TASBot - the perfectionist
 
Caring for file formats
Caring for file formatsCaring for file formats
Caring for file formats
 
Hacks in video games
Hacks in video gamesHacks in video games
Hacks in video games
 
Trusting files (and their formats)
Trusting files (and their formats)Trusting files (and their formats)
Trusting files (and their formats)
 
Let's write a PDF file
Let's write a PDF fileLet's write a PDF file
Let's write a PDF file
 
PDF: myths vs facts
PDF: myths vs factsPDF: myths vs facts
PDF: myths vs facts
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaWSO2
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 

Recently uploaded (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

Packers

  • 1. Packers (5th April 2010) Ange Albertini http://corkami.blogspot.com Creative Commons Attribution 3.0
  • 2. Table of contents 3 Models: simple, malware, advanced 4 Categories and Features: compresser, protecter, crypter, bundler, virtualiser, mutater 5 Landscape: Free, Commercial, Malware / Bundlers, Compressors, Virtualizers 6 Detailed features: compression, anti-analysis, anti-debugging, anti-dumping, anti-emulation, bundlers 7 EntryPoints: FSG, UPX (with LZMA), AsPack, PECompact, MEW, Upack 8 Algorithms: aPLib, LZMA, CRC32 Changelog 2010/04/05 +algorithms 2010/04/04 +models 2010/03/29 +entrypoints 2010/03/24 +categories and features, detailed features 2010/02/23 +landscape (first graphic)
  • 3. decryption (one layer,add/rol/xor) decompression optimisation relocation imports loading obfuscation jump to entry point simple malware advanced anti-analysis anti-debugger anti-emulation packer stub original code allocation (VirtualAlloc / empty section) decryption (MANY layers,add/rol/xor) decompression imports loading jump to entry point trapped start original code allocation (VirtualAlloc / empty section) cleaning main body decryption (Tea/RC4/operators) Packers Models allocation decryption decompression engine loading (partial) decryption (advanced algorithms) relocations, imports,... DRM Management integrity check tampering original code extra threads (monitoring, page guard,...) startup packer engine Ange Albertini 2010 Creative Commons Attribution http://corkami.blogspot.com
  • 4. Different architecture mutater compresser protecter crypter transformation (original code is rewritten) extension (extra packer code is executed) aPLib LZMA NRV FFCE lzab lznt deflate LZMAT BriefLZ JCALG1 add/xor/rol RC4 PRNG (LCG) *Tea Blowfish DES AES IDEA ElGamal Encryption algorithms Compression algorithms anti-debuggers anti-emulation integrity check anti-dump DRM Countermeasures Original File Stack + RISC x86 proprietary bundler dropping injection API hooking Packers Categories & Features virtualiser reflowing synonyms Different code File Embedding ROL+XOR crc32 md5 sha1 adler md4 tiger whirlpool Checksum/hashes Ange Albertini 2010 Creative Commons Attribution http://corkami.blogspot.com
  • 5. Bundlers Virtualisers RLPack EXECryptor ThinAppObsidium EnigmaeXPressor Armadillo Hacks Demos WareZ Games DRM Alexei Solodovnikov Oreans Bitsum NorthStar Ashkbiz 'y0da' Danehkar Bartosz 'Bart' Wojcik Free Commercial PEBundle PECompact ASProtect PELOCK PeX NFO NSAnti (Anti007) Malware RPolycrypt RCryptor RJoiner Morphine MaskPE YodaCrypter YodaProtector NTKrnl Molebox PolyEne BJFNT tELockSTonePE PECrypt32 PEShrinker PEPaCK PEDiminisher marioPACKer RDG Tejon Crypter [MSLRH] DragonArmour PenguinCrypt nPack PESpin WWPack32 EXEFog PackMan KKryptor PolyCrypter PE-Armor NiceProtect ORiEN Themida Code Virtualizer Winlicence VMProtect XProtector PrivatePersonalPacker CRYPToCRACk's PE Protector Anticrack Protector Krypton Escargot MZOoPE PCGuard SecureEXE NoobyProtect ZProtect Hmimys' Protector ExeStealth !ExePack UltraProtect Berio EXEJoiner MicroJoiner Beria Vbox PolycryptPE DOS EntryPoint Patchers PseudoSigner FakeSigner AHT Entry Point Protector DingBoy PE-Lock SecuROM Safedisc Starforce LaserLock Tages Pohernah Morphnah ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ? ? ?? ? ? ? ? ? Alex Protector Packers Landscape Ange Albertini 2009-2010 Creative Commons Attribution http://corkami.blogspot.com
  • 6. detailed packers’ features compression (used on top of compression algorithms) section merging merge all sections (just one entry in the section table) imports imports are stored and loaded with a more compact import table format imports by hash exports are parsed until it matches a specific hash, instead of a GetProcAddress call call optimisation turn relative operands of jumps and calls into absolute → better compression resources compresses resources, avoiding critical ones (main icon, manifest,. . . ) protection token check presence check to allow the program to run: dongle, CD/DVD, key, file, network... fingerprinting token is specific to a hardware element: disk/OS/CPU/MAC/... demo mode inclusion of a demo binary/mode that is executed when token is absent or not enough privileged integrity check the contents are unmodified with checksum or hash anti-analysis overlap jumping after the first byte of an instruction illusion makes the analyst the something incorrect happened junk insertion of dummy code between relevant opcodes jumps insertion of jumps to makes analysis visually harder polymorphism different but equivalent code → 2 packed files of the same source are different self generation packer stub generates polymorphic code on the fly → same file executes differently virtualization virtualizes (part of) packer stub code → harder analysis stack strings are built and decrypted before use, then discarded → to avoid obvious references faking add fake code similar to known packers to fool identifcation thread use several parallel threads to make analysis harder timing comparing time between two points to detect unusual execution anti-debugging (and anti-tools, by extension) detect detect the presence of an attached debugger: IsDebuggerPresent prevent prevent a debugger to attach to the target itself or stay attached nuisance make debugger session difficult: BlockInput, slow down... thread spawn a monitoring thread to detect tampering, breakpoints, . . . artifacts detects a debugger by its artifact: window title, device driver, exports, ... limitation prevent the use of a tool via a specific limitation exploit prevent the use of a tool via a specific vulnerability backdoor detect or crash a debugger via a specific backdoor self-debugging debug itself to prevent another debugger to be attached int1 block interruption 1 → debuggers stop working fake add code of known packer to fool identification anti-dumping (prevent making a working executable from a memory image) tampering erase or corrupt specific file parts to prevent rebuilding (header, packer stub,. . . ) imports add obfuscation between imports calls and APIs (obfuscation, virtualization, stealing, . . . ) on the fly API address is resolved before each use to prevent complete dumping API hooking alter API behavior: redirect benign API to a critical one → dump not working inlining copy locally the whole content of API code → no more ’import calls’ relocate relocate API code in separate buffer → calls don’t lead to imported DLLs byte stealing move the first bytes of the original code elsewhere → harder rebuilding and bypasses breakpoints page guard blocks of code are encrypted individually, and decrypted temporarily only upon execution flow flow opcodes are removed and emulated (or decrypted) by the packer during execution → incorrect dump virtualization virtualizes (part of) original code, API start. . . → dump not working without VM code anti-emulation opcodes using different opcodes sets (FPU, MMX, SSE) to block emulators undoc use of rare or undocumented opcodes to block non-exhaustive emulators API unusual APIs are called to block non-exhaustive emulators (anti-virus) loop extra loops are added to make time-constraint emulators give up bundlers drop original file is written to disk then executed injection original file is injected in existing process → no new file on disk + higher privileges hooking file handling APIs are modified to make embedded files usable like external ones Ange Albertini, 2010, cc by 3.0 http://corkami.blogspot.com
  • 7. EntryPoint: pusha call _1 db 0E9h ; E9 EB045D45 CALL ... jmp _2 _1: pop ebp inc ebp push ebp retn _2: call _3 db 0EBh ; EB54 JMP <garbage> _3: pop ebp EntryPoint: mov eax, _1 push eax push dword ptr fs:[0] mov fs:[0], esp xor eax, eax mov [eax], ecx [...] _1: mov eax, <random1> lea ecx, [eax + <random2>] mov [ecx + 1], eax mov edx, [esp + 4] mov edx, [edx + c] mov byte ptr [edx], 0e9 add edx, 5 sub ecx, edx mov [edx - 4], ecx xor eax, eax retn mov eax, 12345678 pop dword ptr fs:[0] add esp, 4 push ebp push ebx EntryPoint: xchg [_1], esp popad xchg eax, esp push ebp _1: movsb mov dh, 80 call [ebx] jnb _1 xor ecx, ecx call [ebx] EntryPoint: pushad mov esi, <address> lea edi, [esi + <negative>] push edi or ebp, ffffffff ; * Not in UPX >3 jmp $ + 12 nop nop ; * nop ; * nop ; * nop ; * nop ; * mov al, [esi] inc esi mov [edi], al _1: mov esi, <address> mov ebx, esi lodsd lodsd push eax lodsd xchg eax, edi mov dl, 80 _2: movsb mov dh, 80 call [ebx] jnb _2 [...] EntryPoint: jmp _1 EntryPoint: mov esi, <address> lodsd push eax push dword ptr [esi+34] jmp short _1 [...] _1: push dword ptr [esi+38] lodsd push eax mov edi, [esi] mov esi, <address2> EntryPoint: pushad mov esi, <address> lea edi, [esi + <negative>] push edi mov ebp, esp lea ebx, [esp - 3E80] xor eax, eax _1: push eax cmp esp, ebx jnz _1 inc esi inc esi push ebx push 0C478 push edi add ebx, 4 push ebx push 534E push esi add ebx, 4 push ebx push eax mov dword ptr [ebx], 20003 nop nop nop nop nop push ebp push edi push esi push ebx sub esp, 7C mov edx, [esp + 90] PECOMPACT FSG UPX UPX (LZMA) AsPack MEW Upack Packers EntryPoints Ange Albertini 2010 Creative Commons Attribution http://corkami.blogspot.com
  • 8. crcloop: test eax, 1 jz no_xor shr eax, 1 xor eax, 0EDB88320h jmp loop no_xor: shr eax, 1 loop: loop crcloop CRC32 start: push ebp mov ebp, esp add esp, -54 push ebx push esi push edi mov [ebp - c], ecx [...] $+84: add ecx, [ebp - 34] mov eax, 300 shl eax, cl add eax, 736 dec eax test eax, eax jb no_init inc eax mov [ebp - 2c], 0 init_buffer: mov edx, [ebp - 10] mov ecx, [ebp - 2c] mov [edx + ecx * 4], 400 inc [ebp - 2c] dec eax jnz init_buffer no_init: [...] mov al, 1 pop edi pop esi pop ebx mov esp, ebp pop ebp retn 10 LZMA start: pushad mov esi, [esp + 24] mov edi, [esp + 28] cld mov dl, 80 xor ebx, ebx copy_literal: movsb mov bl, 2 next: call getbit jnb short copy_literal xor ecx, ecx call getbit [...] sub esi, eax rep movsb pop esi jmp next getbit: add dl, dl jnz skip mov dl, [esi] inc esi adc dl, dl skip: retn [...] end: sub edi, [esp + 28] mov [esp + 1c], edi popad retn 0c APLIB Packers Algorithms Ange Albertini 2010 Creative Commons Attribution http://corkami.blogspot.com