Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

Welcome to Module 6 – Packers. In this module, we'll understand packers in some detail. Packers are self-decrypting executable files and were originally made for compressing the code size. You'll learn the key characteristics of packers, such as packer string advertisement. Packers have few strings and imports, high-entropy data, and large virtual sections with a small raw disk size. We'll also discuss the reasons for using packers, such as hiding strings, changing the hash, and masking the binary's signatures. Next, we'll explore some legitimate uses of packers, including code compression, intellectual property protection, anti-reverse engineering, anti-cheat, and Digital Rights Management (DRM). Finally, we'll discuss some examples of packers, such as UPX, Armadillo, ASPack, VMProtect, and Themida.
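The three indicators the description lists (a packer advertising itself in the few strings that remain, high-entropy data, and large virtual sections backed by little raw data) can be checked mechanically. The Python below is an added example written for this page, not code from the course or its instructor: it walks a PE section table using only the standard library, computes per-section Shannon entropy and the virtual-to-raw size ratio, and scans the image for a self-advertising marker. The two PE images are constructed inside the script (they are not real samples and are not loadable), the marker list covers only UPX, and the thresholds are assumptions. Import counting is left out because it needs the optional header and import directory, which the constructed images omit.

```python
"""Heuristic packer indicators for a PE image: self-advertising strings,
inflated virtual sections, and high-entropy section data.

Added example, not part of the course. The PE images are constructed below
with a minimal section table; thresholds and the marker list are assumptions.
"""
import hashlib
import math
import struct

# UPX writes the string "UPX!" and names its sections UPX0/UPX1.
# Illustrative list (assumption): extend it with the packers you care about.
PACKER_MARKERS = [b"UPX!", b"UPX0", b"UPX1"]
ENTROPY_THRESHOLD = 7.0      # assumption: compressed/encrypted data sits near 8.0 bits/byte
VIRTUAL_TO_RAW_RATIO = 4.0   # assumption: a section asking for 4x its disk size is suspicious


def shannon_entropy(data):
    """Bits per byte: 0.0 when every byte is the same, 8.0 when uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]      # COFF SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "data": pe[rptr:rptr + rsize],
        })
    return sections


def assess(pe):
    """Return the indicators the module describes plus a heuristic verdict."""
    sections = parse_sections(pe)
    markers = [m.decode() for m in PACKER_MARKERS if m in pe]
    inflated = [s["name"] for s in sections
                if s["virtual_size"] > 0
                and (s["raw_size"] == 0 or s["virtual_size"] / s["raw_size"] >= VIRTUAL_TO_RAW_RATIO)]
    high_entropy = [s["name"] for s in sections
                    if s["raw_size"] >= 256 and shannon_entropy(s["data"]) > ENTROPY_THRESHOLD]
    return {
        "markers": markers,
        "inflated_sections": inflated,
        "high_entropy_sections": high_entropy,
        # an advertisement alone is decisive; otherwise require both layout and entropy signals
        "packed_likely": bool(markers) or (bool(inflated) and bool(high_entropy)),
    }


def build_pe(sections):
    """Constructed minimal PE: DOS header, PE signature, COFF header with no
    optional header, then the section table and raw data. Not loadable by
    Windows; it only exercises the header walk above."""
    num = len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0x0102)
    raw_ptr = 64 + 4 + 20 + 40 * num
    table, body = b"", b""
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + table + body


# Constructed section contents: a repetitive x86-like byte pattern (low entropy)
# and deterministic pseudo-random bytes standing in for compressed data.
CODE_LIKE = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512
COMPRESSED_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

CLEAN_SAMPLE = build_pe([(b".text", 4096, CODE_LIKE), (b".data", 1024, b"\0" * 1024)])
PACKED_SAMPLE = build_pe([(b"UPX0", 0x20000, b""),                  # huge virtual size, zero on disk
                          (b"UPX1", 4096, COMPRESSED_LIKE + b"UPX!")])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, assess(pe))
```

Run it and the clean image reports no markers, no inflated sections and no high-entropy sections, while the packed image trips all three. On real samples, swap the constructed images for the bytes of the file under analysis; the verdict is a triage hint, not proof, since legitimate software can also carry compressed resources or large zero-initialised sections.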

Video Transcription

00:04
Hello and welcome to Cybrary. My name is Sean Pierce, and I'm the subject matter expert for Introduction to Malware Analysis. Today we will be covering packers.
00:12
So what are packers
00:14
in one sentence? They are self-decrypting executables.
00:18
So a long time ago, developers noticed that if you crack open an EXE file in a hex editor,
00:25
a lot of the file is empty space full of zeros.
00:29
And
00:31
as we have mentioned before, a lot of
00:34
x86 code is repeated.
00:38
90% of all the code that's out there
00:42
consists of just 14 x86 instructions, so there's definitely room for improvement. But
00:49
PE files weren't made to be
00:51
efficient in terms of size.
00:54
So
00:56
early developers made packers. So their programs would
01:03
either make an executable
01:06
that's much smaller in size than the original,
01:10
and
01:11
when you executed it, it would unfold or decompress or decrypt
01:17
the original code into memory.
01:19
So
01:22
this is annoying for us as malware analysts, because this will hide anything that's in the native binary
01:30
that we might like to
01:34
look for, like strings,
01:38
and we will see an example in a few minutes,
01:42
but
01:42
we saw that with our Illusion Bot example. We can just look at the strings in the executable and we can see IP addresses, URLs, commands,
01:53
and that was really useful.
01:56
But if something is compressed, we wouldn't see that information right off the bat.
02:00
So packers are really useful to malware authors, because it
02:06
hinders just the easy process of just looking for strings in the executable, and also will change the hash value of the original executable because it's a completely different
02:15
executable.
02:16
So
02:19
when you look at malware, if you just download some off the Internet or get it from
02:23
malware
02:27
exchange websites, a lot of them will be packed. I'm
02:31
not quite sure if I'd say the majority of malware
02:35
is packed, but a lot of it is out there. It's kind of hard to categorize
02:42
how much malware is out there, how many variants, versions and other things, because
02:47
with a packer, you can say, OK,
02:51
I have this malware and I'm going to pack it,
02:54
and it produces a new hash, same behavior, new hash, and
03:00
then you say okay, I'm gonna use another packer on the same original file and you produce a new file, a new hash, but same behavior. So
03:10
this is
03:14
producing multiple files that are, in fact, the same piece of malware, but with different hashes. So it's kind of hard to say, okay, I know this is a variant, and this file is just the exact same thing, it just had a packer on it,
03:27
because even if we unpack it
03:30
and somehow get the original code out, it may not have the same hash value because the packer may have done something to it,
03:38
tinkered with it.
03:40
So when we're looking at malware samples and we
03:45
want to see if it's packed or not,
03:49
we can look for some strings.
03:52
There won't be many, but if there are, there are sometimes, actually, I would say usually, strings that advertise the packer.
04:01
So
04:02
one might be UPX. And so you might see the string UPX everywhere. You might see another one that's like,
04:11
you know, the mystic compressor or Themida or something like that. If you just Google that it could be like, OK, it's the Themida packer.
04:18
Also, packers tend to dynamically
04:24
resolve all of the functions that the original program needed.
04:30
So that means it has very few imports. You'll note, remember from our last example with the Illusion Bot, it would dynamically resolve
04:42
all of its functions that it needed.
04:45
But when we looked at the imports in IDA, it only listed like four or five, and that was all it needed to resolve the other functions.
04:58
So packers tend to have the same kind of profile where
05:01
it only has one or two or three imports in its import section in the PE header
05:10
and
05:12
it uses those to resolve
05:15
what the original program had
05:17
originally.
05:19
Also, when packers encrypt something or compress something,
05:27
the result is high entropy,
05:30
as in, there's a lot of difference in the bytes.
05:33
Normal code doesn't have very high entropy,
05:38
and it doesn't have a whole lot of randomness from byte to byte to byte. Most bytes are very similar,
05:45
and
05:46
with just compressed data, most bytes are very different,
05:50
so
05:51
we'll take a look at an example of that, sure, in a minute.
05:56
Another indicator that a file is packed
05:59
would be that there are large virtual sections
06:03
with very small raw disk size,
06:08
and we'll see an example here in a bit.
06:11
But don't let that scare you.
06:14
It's basically just virtual sections.
06:17
They are
06:19
what the program, with a PE file, says: I need this much memory
06:25
when this code begins executing.
06:28
And
06:30
the raw disk size is how much code is actually there.
06:36
So if
06:39
if you have, like, a few bytes of code
06:42
and it says it needs a whole ton of memory,
06:45
that's a little suspicious, because that means it's doing something big. It's unfolding, it's doing something with that memory. Of course, the program can always ask for more memory than it needs, but most don't.
07:00
Packers are usually very specialized in their purpose, so they're pretty much the only ones.
07:05
They're pretty much the only software that I know that does that.
07:10
But then again, I'm not an expert in, like,
07:16
very unique development of very unique software. I generally look at very general software, video games and
07:24
basic executables and packers and crackmes and stuff like that.
07:30
So
07:30
when a malware author uses a packer,
07:34
generally they're trying to do
07:36
three things. One is hide strings and other binary signatures,
07:42
and changing, they try to change the hash.
07:45
So
07:46
this gets in our way and we're gonna walk through how we can take care of this problem.
07:51
You might think, OK,
07:54
now why doesn't antivirus
07:57
or other
08:00
security products look for signatures of packed software,
08:05
like, I mentioned earlier that
08:09
a lot of,
08:11
one of the characteristics of a packer is that it advertises that it is the Themida packer, it's the UPX packer, it's the
08:20
mystic packer.
08:22
Well, it's because there are legitimate uses for packers. As I mentioned before, code compression was the reason why they were made to begin with, but also intellectual property protection.
08:35
So large companies might use a packer
08:41
to protect their keygen
08:43
algorithms.
08:46
So
08:48
Photoshop
08:48
and other Adobe products tend to have very
08:56
specialized code
08:58
when they check to see if your key is valid,
09:01
because
09:05
that's their intellectual property.
09:07
If they lose that ability to sell their software, then their business model
09:15
is shot.
09:18
And this is an anti-reverse engineering technique.
09:24
And not only is it done for key generators or
09:28
key checking algorithms, but it's also done for video games, like
09:33
to protect the video game software from being altered
09:37
so that people can't just
09:41
access all the resources that a video game process would have.
09:48
So
09:50
normal software
09:52
can do this, too. So if you make a small app,
09:56
and I've seen many,
09:58
and you wanna protect it
10:01
from reverse engineers figuring out exactly how you do something,
10:05
you could use a packer.
10:07
So,
10:07
with video games, it's important, because if you play an online video game and
10:15
you,
10:18
you know, have a bunch of walls and it's a first-person shooter and you can shoot through the walls,
10:24
but you can't see through them.
10:26
How does the game know if you've
10:28
actually shot someone through the wall?
10:31
Well,
10:31
the game server will send you all the locations of all the players
10:37
at all times.
10:39
And when you shoot, the software on your end
10:45
tells the server, I
10:46
shot a bullet, and it is going in this direction, this velocity, whatever. And
10:52
your software does the calculation of whether or not it hits the other player and
10:58
then reports to the game server, okay, this player died because this bullet got it,
11:03
and the game server might
11:05
do some checking to verify that or might not.
11:09
Or maybe the players that it is describing to
11:13
your version of the software are invisible. You can't see them.
11:18
But
11:20
if you have altered your game
11:22
and you,
11:24
you know, hacked the software to tell you exactly where people are, even if they are invisible,
11:30
then you have a big advantage. So, and people wouldn't want to play this game where someone has a huge advantage.
11:37
And this has happened before in the past.
11:41
Another
11:43
related topic is, like, digital rights management.
11:46
There's a lot of
11:48
licensing built into some of the more legitimate
11:52
packing products,
11:54
and
11:56
they say, okay, so you'll license this packer and the packer will protect
12:01
your licensing so no one can even execute this thing. It won't even unfold, it won't even decrypt unless they have a proper key, and it checks online with our key server. And this way you can protect your game from being pirated and
12:16
so on and so forth.
12:20
Whether you
12:22
believe in,
12:24
you know, intellectual property or digital rights management or all this other stuff, it's beside the point. Some reverse engineers
12:35
do not believe in that type of stuff, and they go out of their way to break these packers or licensing things,
12:43
just to
12:46
say, hey, I can do this, you know? Stop trying to restrict my rights or whatever. But the Digital Millennium Copyright Act
12:54
actually prevents people from even
13:00
researching this topic,
13:03
and it's a legal gray area
13:05
where
13:07
technically, you are not allowed to reverse engineer
13:13
some of the intellectual property protection mechanisms built into things,
13:20
for instance, DVDs.
13:22
You know, the video isn't just encoded on the disk, it's actually encrypted. It's scrambled,
13:28
and you need a decryption key to
13:31
access it, and there's major zones where
13:37
the DVD
13:39
uses that zone's
13:41
encryption key
13:45
to properly decrypt. And that's why you can't just buy a copy of a video or a movie from China
13:52
and then put it in your DVD player and have it work,
13:54
because China has its own zone, its own keys for its own DVDs, and North America has its own.
14:03
And reverse engineers,
14:05
for, you know, for a while it was illegal for them to even look into
14:11
those algorithms or how any of that stuff worked. But there is an exception
14:16
in the law for security researchers.
14:20
So if you are
14:22
doing security auditing on a piece of software to make sure that it is secure,
14:28
and you find a vulnerability, then you can publish your results. You can say exactly how you did something and you would be free from prosecution.
14:37
But if you cracked open Adobe Photoshop and then you were reverse engineering it and
14:43
you said, oh,
14:45
you know, this is how this keygen works, you publish code to get around it, that is illegal.
14:54
And there are debates about this. And if you want to learn more, you can look at the Free Software Foundation. They are
15:01
very much against,
15:03
even saying intellectual property will irritate them.
15:07
But keep in mind when you are reverse engineering, especially defenses of
15:15
software,
15:16
now,
15:16
you may be violating the law.
15:22
I'm pretty sure you can do it
15:24
with your own resources and equipment, but if you publish it, then that's definitely something they will try to come after you for.
15:33
As I mentioned before, there are legitimate uses for packers, but
15:37
I think
15:39
by far malware uses them the most,
15:41
and the most common ones I have seen
15:46
in my line of work has been UPX, for sure. It's one of the oldest, longest running packers, and it is,
15:54
that is, mainly geared toward compression.
15:58
Armadillo is definitely geared towards protecting software,
16:03
and I believe the source code got leaked a while ago. And so,
16:07
on the underground, it's fairly common, and you'll see a lot of signature detection.
16:15
Packer signature detectors fire off that it's Armadillo, like 1.71.
16:22
I think that was the version that got leaked. Or maybe it was just a really flimsy signature.
16:26
ASPack is another one. I've seen VMProtect. That's more legitimate. It also does licensing, and I think it tends to be very
16:34
expensive. Themida is very difficult to crack,
16:41
and it's,
16:42
at least for me, I'm not like an expert on packers, but I know my way around things.
16:48
But typically, reverse engineers won't specialize in unpacking or,
16:55
you know, or like, oh, you know, ASPack, I have an unpacker for that, I've written a program, or whatever.
17:03
Typically, reverse engineers just do the job they need to do.
17:07
And if that's finding an IP address or the command and control servers, they'll find it. They don't need to unpack the program or understand every detail of how something works. They just go for the gold and say, OK, run this program, see what it calls out to.
17:22
If they need to say,
17:25
oh, it has these strings, they'll just dump the memory, and we'll go over how to do that in just a minute. I found this image a while ago, and I think it's probably the best collection of packers I've seen,
17:38
and I wish I knew who made it.
17:41
But this is the packer landscape, and
17:45
moreover, on the right side, you'll see more commercial, more
17:52
legitimately used packers,
17:56
and over on the left, the free ones tend to be abused a bit more by malware authors,
18:03
and they're easier to unpack.
18:08
You usually can cut through them pretty fast. So what exactly happens when an executable is packed?
18:17
Well, as you can see from these images that I just completely ripped off the Internet,
18:22
normally, there's several sections, as we've seen before in an executable. They usually follow the convention of .text, .rdata, .data, whatever, .bss, and
18:37
the entry point for the code,
18:41
usually called the
18:42
OEP, the original entry point,
18:45
is usually somewhere in the .text section. That's where the executable
18:49
code is usually stored by the compiler. And the packer will take this whole
18:59
file,
19:00
the PE header,
19:02
all the sections, it'll compress all of that
19:06
and then stick it in
19:07
a file that it will make.
19:10
And it'll have
19:12
a little stub, is what they call it, and the stub will typically
19:18
unpack
19:18
it in memory when it runs and then execute
19:23
the OEP, the original entry point.
19:26
So you can see
19:29
two pretty simplistic images here.

Instructed By

Sean Pierce
Instructor