Packers Part 1


Time: 9 hours 10 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Description

Welcome to Module 6 – Packers. In this module, we'll look at packers in some detail. Packers are self-decrypting executable files and were originally made for compressing code size. You'll learn the key characteristics of packers, such as strings that advertise the packer: packed files have few strings and imports, high-entropy data, and large virtual sections with a small raw size on disk. We'll also discuss the reasons for using packers, such as hiding strings, changing the hash, and masking binary signatures. Next, we'll explore some legitimate uses of packers, including code compression, intellectual property protection, anti-reverse engineering, anti-cheat, and Digital Rights Management (DRM). Finally, we'll discuss some examples of packers such as UPX, Armadillo, ASPack, VMProtect, and Themida.
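As an added example, not part of the Cybrary course or its slides, here is a Python script that checks three of the static indicators the description lists (packer strings, high-entropy data, and large virtual sections with a small raw size) against the section table of a PE file. It builds two constructed, minimal PE images inline so it runs offline; the import-count indicator is not implemented, and the entropy threshold, the inflation ratio and the marker list are assumptions chosen for illustration rather than published cut-offs.

```python
# Added example (not from the Cybrary course): static triage of the packer
# indicators listed above: packer strings, high-entropy sections, and sections
# whose virtual size far exceeds their raw (on-disk) size. The import-count
# indicator is left out. Thresholds and the marker list are assumptions.
import math
import random
import struct
from collections import Counter
from dataclasses import dataclass

# Strings that commonly advertise a packer; UPX comes from the description
# above. Treat the list as an illustrative starting point, not a signature set.
PACKER_MARKERS = [b"UPX!", b"UPX0", b"UPX1"]
ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed cut-off (maximum is 8.0)
INFLATION_RATIO = 8.0     # assumed: VirtualSize / SizeOfRawData at or above this is suspicious


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_data: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for a uniform byte mix)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, vaddr,
                                rawsize, pe[rawptr:rawptr + rawsize]))
    return sections


def packer_indicators(pe: bytes) -> dict:
    """Return which indicators fire; 'likely_packed' needs at least two of the three."""
    found = {
        "packer_strings": [m.decode() for m in PACKER_MARKERS if m in pe],
        "high_entropy_sections": [],
        "inflated_sections": [],
    }
    for s in parse_sections(pe):
        if s.raw_size and shannon_entropy(s.raw_data) >= ENTROPY_THRESHOLD:
            found["high_entropy_sections"].append(s.name)
        # A section that reserves memory but carries (almost) nothing on disk.
        if s.virtual_size > 0 and (s.raw_size == 0 or s.virtual_size / s.raw_size >= INFLATION_RATIO):
            found["inflated_sections"].append(s.name)
    found["likely_packed"] = sum(bool(v) for v in found.values()) >= 2
    return found


def build_pe(sections) -> bytes:
    """Constructed, minimal PE image for demonstration (headers plus section table
    and raw data). It is not a runnable executable; only the fields parsed above are real."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0  # no optional header; parse_sections only needs its size
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, body, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        rawptr = data_start + len(body) if raw else 0
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                               len(raw), rawptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        vaddr += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + headers + body


_rng = random.Random(2024)  # fixed seed so the constructed sample is reproducible

# Constructed "normal" binary: repetitive x86-style prologue/epilogue bytes and a plain string.
NORMAL_PE = build_pe([
    (b".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10\xc9\xc3" * 512),
    (b".data", 0x200, b"Usage: sample.exe <file>\0".ljust(0x200, b"\0")),
])

# Constructed "packed" binary: an empty UPX0 section reserving 128 KiB, and a UPX1
# section of pseudo-random (compressed-looking) bytes carrying the UPX! marker.
PACKED_PE = build_pe([
    (b"UPX0", 0x20000, b""),
    (b"UPX1", 0x1100, bytes(_rng.getrandbits(8) for _ in range(4096)) + b"UPX!"),
    (b".rsrc", 0x200, b"\0" * 0x200),
])

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_PE), ("packed", PACKED_PE)):
        print(label, packer_indicators(sample))
```

Run the script as-is to see both constructed samples classified; to triage a real file, read it with `open(path, "rb").read()` and pass the bytes to `packer_indicators`. A high entropy score alone is not proof of packing (resource sections with embedded images or certificates also score high), which is why the verdict requires two independent indicators.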

Video Transcription
00:03
Hello and welcome to Cybrary. My name is Sean Pierce, I'm a subject matter expert for Introduction to Malware Analysis. Today we will be covering packers, so, what are packers? In one sentence, they are self-decrypting executables. A long time ago, developers noticed that if you crack open an EXE file in a hex editor, a lot of the file is empty space full of zeros, and as we mentioned before, a lot of x86 code is repeated: 90 percent of all the code that's out there consists of just 14 x86 instructions. There's definitely room for improvement, but PE files weren't made to be efficient in terms of size. Early developers made packers, so they are programs that would make an executable that's much smaller in size than the original, and when you execute it, it would unfold, or decompress, or decrypt the original code into memory.

This is annoying for us as malware analysts because this will hide anything that's in the native binary that we might like to look for, like strings. We will see an example in a few minutes, but we saw with our Illusion Bot example that we can just look at the strings in the executable and we can see IP addresses, URLs, commands, and that was really useful. But if something is compressed, we wouldn't see that information right off the bat.
Packers are really useful to malware authors because they hinder just the easy process of looking for strings in the executable, and they also change the hash value of the original executable, because it's a completely different executable. When you look at malware, if you just download some off the Internet or get it from malware exchange websites, a lot of them will be packed. Not quite sure if I'd say the majority of malware is packed, but a lot of what's out there is. It's hard to categorize how much malware is out there, how many variants, versions and other things, because with a packer you can say, I have this malware and I'm going to pack it, and it produces a new hash, same behavior, new hash, and then you say, I'm going to use another packer on the same original file, and you can produce a new file, a new hash, but the same behavior. This is producing multiple files that are in fact the same piece of malware, but with different hashes. It's hard to say, I know this is a variant and this file is just the exact same thing, it just had a packer on it, because even if we unpack it and somehow get the original code out, it may not have the same hash value, because the packer may have done something to tinker with it.
When we're looking at malware samples and we want to see if it's packed or not, we can look for some strings. There won't be many, but if there are, there are sometimes, actually, I would say usually, strings that advertise the packer. One might be UPX, and so you might see the string UPX everywhere. You might see another one that's like the mystic compressor, or [inaudible], or something like that, and if you just Google that you can be like, oh, Themida packer. Also, packers tend to dynamically resolve all of the functions that the original program needed, so that means it has very few imports. You will note, remember from our last example with the Illusion Bot, it would dynamically resolve all of the functions that it needed. But when we looked at the functions in IDA, when we looked at the imports in IDA, it only listed four or five, and that was all it needed to resolve the other functions. Packers tend to have the same type of profile, where it only has one or two or three imports in its import section in the PE header, and it uses those to resolve what the original program had originally. Also, when packers encrypt something or compress something, the result is high entropy, as there's a lot of difference in the bytes. Normal code doesn't have very high entropy and doesn't have a whole lot of randomness from byte to byte to byte. Most bytes are very similar, and with compressed data, most bytes are very different. We'll take a look at an example of that here in a minute.
Another indicator that a file is packed would be that there are large virtual sections with a very small raw disk size, and we'll see an example here in a bit, but don't let that scare you. It's basically just that virtual sections are what the program, with a PE file, says: I need this much memory when this code begins executing, and the raw disk size is how much code is actually there. If you have a few bytes of code and it says it needs a whole ton of memory, that's a little suspicious, because that means it's doing something big, it's unfolding, it's doing something with that memory. Of course, a program can always ask for more memory than it needs, but most don't. Packers are usually very specialized in their purpose, so they're pretty much the only software that I know of that does that, but then again, I'm not an expert in very unique development of very unique software. I generally look at very general software, video games and basic executables, and packers, and cracks [inaudible] and stuff like that.
When a malware author uses a packer, generally they're trying to do three things. One is hide strings and other binary signatures, and changing, they try to change the hash, so this gets in our way, and we're going to walk through how we can take care of this problem. You might think, now, why doesn't antivirus or other security products look for signatures of packed software? Like I mentioned earlier, one of the characteristics of a packer is that it advertises that it is the Themida packer, the UPX packer, the mystic packer. Well, it's because there are legitimate uses for packers.
As I mentioned before, code compression was the reason why they were made to begin with, but also intellectual property protection, so large companies might use a packer to protect their keygen algorithms, so Photoshop and other Adobe products tend to have very specialized code when they check to see if your key is valid. Because that's their intellectual property, if they lose that ability to sell their software, then their business model is shot. This is an anti-reverse engineering technique. Not only is it done for key generators or key checking algorithms, but it is also done for video games, to protect the video game software from being altered so that people can't just access all the resources that a video game process would have. Normal software can do this too. If you make a small app, and I've seen many, and you want to protect it from reverse engineers figuring out exactly how you do something, you could use a packer.

With video games, it's important because if you play an online video game and you have a bunch of walls and it's a first-person shooter, and you can shoot through the walls, but you can't see through them, how does the game know if you've actually shot someone through the wall? Well, the game server will send you all the locations of all the players at all times. When you shoot, the software on your end tells the server I shot a bullet, and it's going this direction, this velocity, whatever, and your software does the calculation of whether or not it hits the other player, and then reports to the game server, okay, this player died because this bullet got it. The game server might do some checking to verify that, or might not, or maybe the players that it is describing to your version of the software are invisible, you can't see them. But if you have altered your game and you've hacked the software to tell you exactly where people are, even if they are invisible, then you have a big advantage, and people wouldn't want to play a game where someone has a huge advantage. This has happened before in the past.
Another related topic is digital rights management. There's a lot of licensing built in to some of the more legitimate packing products, and they say, okay, so you license this packer, and this packer will protect your licensing, so no one can even execute this thing. It won't even unfold, it won't even decrypt unless they have a proper key, and it checks online with our key server, and in this way you can protect your game from being pirated, and so on and so forth. Whether you believe in intellectual property or digital rights management or all that stuff is beside the point, and some reverse engineers do not believe in that type of stuff, and they go out of their way to break these packers or licensing things just to say, "Hey, I can do this, stop trying to restrict my rights or whatever." But the Digital Millennium Copyright Act actually prevents people from even researching this topic. It's a legal gray area where technically you are not allowed to reverse engineer some of the intellectual property protection mechanisms built into things, for instance, DVDs. The video isn't just encoded on the disk, it's actually encrypted, it's scrambled, and you need a decryption key to access it. There are major zones where the DVD uses that zone's encryption key to properly decrypt. That's why you can't just buy a copy of a video or a movie from China and then put it in your DVD player and have it work, because China has its own zone, its own keys for its own DVDs, and North America has its own. Reverse engineers, for a while it was illegal for them to even look into those algorithms or how any of that stuff worked. But there is an exception in the law for security researchers. If you are doing security auditing on a piece of software to make sure that it is secure and you find a vulnerability, then you can publish your results. You can say exactly how you did something and you would be free from prosecution. But if you cracked open Adobe Photoshop and then you're reverse engineering it and you said, "Oh, this is how the key engine works," and you publish code and data around it, that is illegal. There are debates about this. If you want to learn more, you can look at the Free Software Foundation. They are very much against it; even saying "intellectual property law" will irritate them. But keep in mind, when you are reverse engineering, especially defenses of software, you may be violating the law. I'm pretty sure you can do it with your own resources and equipment, but if you publish it, then that's definitely something they will try to come after you for.
As I mentioned before, there are legitimate uses for packers, but I think by far, malware uses them the most. The most common one I have seen in my line of work has been UPX. For sure, it's one of the oldest, longest-running packers, and it is mainly geared toward compression. Armadillo is definitely geared towards protecting software, and I believe the source code got leaked a while ago, and so on the underground it's fairly common, and you'll see a lot of packer signature detectors fire off, Armadillo, like 1.71. I think those were originally leaked, or maybe it was just a really flimsy signature. ASPack is another one I've seen. VMProtect, that's more legitimate, it also does licensing, and I think it tends to be very expensive. Themida is very difficult to crack. Really, as for me, I'm not an expert on packers, but I know my way around things. But typically reverse engineers will specialize in unpacking, or are like, "Oh, ASPack, I have an unpacker for that, I've written a program or whatever." Typically reverse engineers just do the job they need to do. If that's finding an IP address for the command and control servers, they'll find it. They don't need to unpack the program or understand every detail of how something works. They just go for the gold and say, okay, run this program, see what it calls out to, and if they need to say, oh, it has these strings, they'll just dump the memory, and we'll go over how to do that in just a minute.

I found this image a while ago and I think it's probably the best collection of packers I've seen. I wish I knew who made it, but it's the packer landscape. Over on the right side, you'll see more commercial, more legitimately used packers, and over on the left, the free ones tend to be abused a bit more by malware authors. They are easier to unpack, and you usually can cut through them pretty fast.
What exactly happens when an executable is packed? Well, as you can see from these images that I just completely ripped off the Internet, normally there are several sections. As we've seen before, an executable usually follows the convention of .text, .rdata, .data, whatever, .bss. The entry point for the code, usually called the OEP, the original entry point, is usually somewhere in the .text section. That's where the executable code is usually stored by the compiler. The packer will take this whole file, the PE header, all the sections, and it will compress all of that and then stick it in a file that it will make, and it'll have a little stub, that's what they call it, and the stub will typically unpack it in memory when it runs and then execute the OEP, the original entry point. We can see two pretty simplistic images here.