What is the primary purpose of packing for malware authors?
Compressed malware code is tricky to reverse and hard for AV to check
- Compression
- Obfuscation
What is Packing?
Taking existing code, and compressing it so it takes up less space.
- Packers take the original file, and treat it all as data.
- They then compress it as best as possible.
- This then becomes the Data section of the new packed Executable.
- The packer adds a short code section which is responsible for unpacking the data section.
In the most common type of basic packer – the final file will have 2 main PE sections.
- Packed original code
- Unpacker section
Dynamic Unpacking normally involves letting the file run until it is at the Original Entry Point, and then dumping memory:
- Describe 1-2 signs you may have reached the original Entry point (1-2 lines each)
- Dumping a process from memory will frequently break what part of the file which will need to be patched before analysis?
- OEP: Jump outside main decryption loop, jump to unclear/dynamic location, code with unclear destination, WriteMemory or VirtualAlloc
- Import Address Table (ImpRec)
What is the last thing a packer does?
The last thing the packer does is transfer control to the Original Entry Point (which you will often see referred to as OEP)
How can you identify a packer?
- Name of the different sections
- Code is more complex
- Strings are not readable
- Packers have identifiable strings
- What import they use
- have less imports
- High Entropy
- Call graphs
- Certain code sections
What is Entropy?
Entropy is essentially a mathematical formula to measure randomness or predictability. Packed data looks encrypted, so it has HIGH entropy. Tools to check entropy: DIE (Detect It Easy), DensityScout
Name tools to identify packers?
- DIE (Detect It Easy)
- DensityScout
- RDG Packer Detector
Name a few common packers?
- UPX
- FSG
- ASPACK
- Morphine
What are the main steps to unpack code?
- Identify Packer: Check PE section names, entry point code, strings, imports
- OSINT on packer type
- Static Unpacking: using packer tool
- Dynamic Unpacking
- Emulation: stepping through the code and find OEP
How does Dynamic Unpacking works?
- Open packed file in debugger
- Let packer stub run and unpack original program
- Trial and error on where to set the breakpoint
- Goal: Find jmp to Original Entry Point
- Watch out for normal Anti-debug tricks
- Dump process from memory
- Fix dump with ImpRec (IAT)
Tips to find OEP?
- Look for jmp/call to a dynamic location
- Code with unclear destination
- Looking for spot where decryption completes
- Function calls of WriteMemory or VirtualAlloc
Name a few tools to dump memory?
- OllyDumpEx
- Volatility
- DumpIt
- TitanMist
Name two tools to unpack packed code?
- UPX
- FUU (by Google)
