3 hours 41 minutes
Hello and welcome to Malware Analysis Challenges: Malware Packers.
In this session, we're going to talk about, of course, packers, but we'll also talk about crypters and different installers used by malware and how they work.
Alright, so packers. A packer is a piece of software that compresses an executable. Now, remember, packers themselves are malicious. However, they offer malware authors several advantages.
The first is that you reduce the size of the executable. So it's possible that with a smaller executable, this could evade security perimeter appliances. But not only that. Packers also change the appearance of the executable by obfuscating the contents and hiding the real code. In essence, malware authors use packers
to hide the true intent of the software.
There are several packers that you'll become familiar with when you're performing your malware analysis, and they support different features. As an example, UPX is a well-known packer, which offers flexibility and compressibility, where, in contrast, the Themida packer
is much harder to analyze because it includes a myriad of anti-reverse-engineering features.
The nice part about packers, though, is that in many scenarios, there are tools and plug-ins that help make the unpacking process a bit easier.
From a high level, packers, no matter which one you choose, will take an input as a PE executable, and then it will output a new PE executable, which is packed.
Now, to illustrate how this works, you can think about an EXE having two main components: the PE header and the sections. Now, as you remember from previous sessions, the sections contain code, data, and other resources the program needs to run.
These sections are the largest, and they need to be compressed to reduce the size of the executable. The header, which contains information about the executable, is also compressed by the packer. The packer program takes both the headers and sections from the PE file and generates some new sections that have the compressed data.
So now we have a new header and we've got new sections, and this is combined to output a new executable file. The resulting output is a file which consumes less space on the hard drive. It's compressed and obfuscated. Now the question you may be asking yourself is, okay,
now that we've got this new compressed executable,
does it run? Does it work? And if yes, how?
Well, the short answer is yes. And here's how. When the new packed executable file is created, a packer embeds within it a piece of code called the unpacking stub.
This unpacking stub acts as a loader, which knows the location of the compressed code and data in the packed file. You can kind of think of this as a packer instruction book, one that tells you how to take the compressed code and data and output into memory, using the original executable's uncompressed code and data.
So not only does the unpacking stub create a shell around the original code, which is compressed and then decompressed,
the unpacking stub resolves imports and hands over instruction to the unpacked code by jumping to the original entry point of the packed program.
Now, we mentioned earlier that one byproduct of the packing process is to alter what the malware looks like. In essence, this is obfuscating the code and data, and provides the protection we talked about earlier from security products such as antivirus.
Now, obfuscation, or as I like to call it, encryption light, is also found in crypters. Crypters are similar to packers in that their primary role is to add a layer of defense for the malicious payload. They try to bypass antivirus by masquerading as harmless programs, and then they go on to unpack their malicious payload.
In addition to adding obfuscation and packing, in some instances they may also add icons or other resources that make a sample look like a legitimate piece of software. Crypters typically cater to cybercriminals who simply just don't have the technical knowledge of malware or packing.
They just want to distribute their malicious code to a wide audience.
Another type of packer-like software we have is protectors.
Protectors also obfuscate malware code by taking simple expressions and making them look more convoluted than they really are. This is commonly referred to as junk code. In these instances, you'll have obfuscated functions which simply do nothing, and they are there to confuse the analyst.
Lastly, we have installers, which can also be used for legitimate purposes but have been repurposed by malware authors to provide installation options to malware.
Using a tool such as AutoIt, an attacker can easily compress and generate a piece of malware that has its own executable and its own install options, which can be easily distributed by clicking through a few GUI menu options.
In this session, we've given an overview of packers, crypters, installers and protectors.
In the next session, let's examine ways that we can identify packers.