Hello and welcome to Cybrary. My name is Sean Pierce, and I'm the subject matter expert for Introduction to Malware Analysis. Today we will be covering packers. In one sentence: they are self-decrypting executables.
A long time ago, developers noticed that if you crack open an EXE file in a hex editor, a lot of the file is empty space full of zeros. As we have mentioned before, a lot of x86 code is repeated: 90% of all the code that's out there consists of just 14 x86 instructions, so there's definitely room for improvement. But PE files weren't made to be efficient in terms of size. Early developers made packers, which are programs that take an executable and produce one that is much smaller in size than the original; when you execute it, it unfolds, decompresses or decrypts the original code into memory.
This is annoying for us as malware analysts, because it hides anything in the native binary that we might want to look for, like strings. We will see an example in a few minutes. We saw with our Illusion Bot example that we could just look at the strings in the executable and see IP addresses, URLs and commands, and that was really useful. But if something is compressed, we wouldn't see that information right off the bat. So packers are really useful to malware authors, because they hinder the easy process of just looking for strings in the executable, and they also change the hash value of the original executable, because the packed file is a completely different file.
When you look at malware, if you just download some off the Internet or get it from exchange websites, a lot of it will be packed. I'm not quite sure if I'd say the majority of malware is packed, but a lot of what is out there is. It's kind of hard to categorize how much malware is out there, how many variants and versions and so on, because with a packer you can say, OK, I have this malware and I'm going to pack it, and that produces a new file: same behavior, new hash. Then you use another packer on the same original file and you produce another new file with another new hash, but the same behavior. So you end up with multiple files that are in fact the same piece of malware but have different hashes, and it's hard to say, OK, this one is a variant, and this one is just the exact same thing with a packer on it. Even if we unpack it and somehow get the original code out, it may not have the same hash value as the original, because the packer may have tinkered with it.
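To make the three effects just described concrete (strings disappear, the hash changes with every packing, the behavior is the same once unpacked), here is an added toy example in Python; it is not code from the lecture or from any real packer. The "sample" payload, its URL and command are constructed for the example, and zlib stands in for a packer's compression routine; the "stub" is only a data tag, not executable code.

```python
import hashlib
import re
import zlib

# Constructed stand-in for an unpacked malware sample: repetitive code-like bytes followed by
# the kind of plaintext an analyst hopes to find with `strings`. Host name and command are made up.
PAYLOAD = (
    b"\x55\x8b\xec\x83\xec\x10" * 64
    + b"http://c2.example.invalid/gate.php\x00"
    + b"cmd.exe /c ver\x00"
)

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob: bytes) -> list:
    """Mimic the `strings` tool: runs of at least six printable ASCII bytes."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def toy_pack(payload: bytes, level: int) -> bytes:
    """Stand-in for a packer: a fixed 'stub' tag and the original length, then the compressed
    original. A real stub is code that decompresses the body into memory and jumps to the
    original entry point; this toy keeps only the data layout. 'level' plays the role of
    choosing a different packer (or packer setting) for the same original."""
    return b"TOYSTUB1" + len(payload).to_bytes(4, "little") + zlib.compress(payload, level)


def toy_unpack(packed: bytes) -> bytes:
    """Recover the original, as a memory dump taken after the stub has run would contain it."""
    if not packed.startswith(b"TOYSTUB1"):
        raise ValueError("not a toy-packed image")
    expected_len = int.from_bytes(packed[8:12], "little")
    original = zlib.decompress(packed[12:])
    if len(original) != expected_len:
        raise ValueError("length mismatch after decompression")
    return original


if __name__ == "__main__":
    packed_a, packed_b = toy_pack(PAYLOAD, 1), toy_pack(PAYLOAD, 9)
    print("original strings:", extract_strings(PAYLOAD))
    print("packed strings:  ", extract_strings(packed_a))
    print("hashes differ:", sha256(packed_a) != sha256(packed_b))
    print("unpacked identical:", toy_unpack(packed_a) == toy_unpack(packed_b) == PAYLOAD)
```

Running it shows the URL and command in the original but not in either packed form, two different hashes for the two packings, and identical recovered bytes from both. Note that the only string left in the packed form is the stub's own tag, which is exactly the "string that advertises the packer" indicator discussed next; unlike this toy, a real packer may modify the original, so the recovered hash is not guaranteed to match.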
So when we're looking at malware samples and we want to see if a sample is packed or not, we can look for strings. There won't be many, but if there are, there are sometimes, actually I would say usually, strings that advertise the packer. One might be UPX, and so you might see the string "UPX" everywhere. You might see another one like Mystic Compressor or Themida or something like that. If you just Google that, it could be like, OK, it's the Themida packer.
Also, packers tend to dynamically resolve all of the functions that the original program needed, so that means the packed file has very few imports. Remember from our last example with Illusion Bot: it would dynamically resolve all of the functions that it needed, so when we looked at the imports in IDA, it only listed four or five, and that was all it needed to resolve the other functions. Packers tend to have the same kind of profile, where the import section in the PE header only has one, two or three imports, and the packer uses those to resolve everything the original program had.
Also, when packers encrypt or compress something, the result is high entropy, as in, there's a lot of difference between the bytes. Normal code doesn't have very high entropy; it doesn't have a whole lot of randomness from byte to byte, and most bytes are very similar. With compressed data, most bytes are very different. We'll take a look at an example of that in a minute.
Another indicator that a file is packed would be large virtual sections with a very small raw disk size, and we'll see an example here in a bit. But don't let that scare you. The virtual size is basically what the program, through the PE file, says: I need this much memory when this code begins executing. The raw disk size is how much code is actually there. If you have a few bytes of code and it says it needs a whole ton of memory, that's a little suspicious, because that means it's doing something big with that memory: it's unfolding. Of course, a program can always ask for more memory than it needs, but most don't.
Packers are usually very specialized in their purpose, so they're pretty much the only software that I know of that does that. But then again, I'm not an expert in the development of very unique software. I generally look at very general software: video games, basic executables, packers, crackmes and stuff like that.
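The four indicators just covered (advertising strings, few imports, high entropy, large virtual size over small raw size) can be checked mechanically. The following is an added Python example, not code from the lecture: it parses the DOS header, COFF header and section table of a PE file by hand, computes Shannon entropy per section, and compares each section's virtual size with its raw size. The packer section names and marker strings in the lists are assumptions for the example rather than a signature database, the `build_image` helper produces constructed PE-shaped test data rather than a real program, and import counting is left out because it needs the optional header's data directories.

```python
import math
import random
import struct

# Section names and marker strings for packers named in the lecture (UPX, ASPack, Themida,
# Armadillo, VMProtect). Which names a given packer version actually writes is an assumption
# here; treat these lists as a starting point, not a signature database.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".themida", b".vmp0", b".vmp1"}
PACKER_MARKERS = [b"UPX!", b"ASPack", b"Themida", b"Armadillo", b"VMProtect"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    (name, virtual_size, raw_size, raw_offset) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, rsize, rptr))
    return sections


def packer_indicators(pe: bytes) -> list:
    """Return human-readable reasons the image looks packed (empty list = none found)."""
    reasons = []
    for name, vsize, rsize, rptr in parse_sections(pe):
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} is a known packer section name")
        if rsize and ent > 7.0:
            reasons.append(f"section {name!r} has high entropy ({ent:.2f} bits/byte)")
        # Large virtual size with little or nothing on disk: room reserved for the unpacked program.
        if vsize >= 0x1000 and vsize > 8 * max(rsize, 1):
            reasons.append(f"section {name!r} reserves {vsize:#x} bytes but holds {rsize:#x} on disk")
    for marker in PACKER_MARKERS:
        if marker in pe:
            reasons.append(f"packer marker string {marker!r} present")
    return reasons


def build_image(sections) -> bytes:
    """Build a minimal PE-shaped byte string for testing (constructed; not a runnable program).
    sections: list of (name, virtual_size, raw_bytes)."""
    opt_size = 224  # PE32 optional header size; contents left zeroed, not needed here
    header_len = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), vsize, vaddr, len(raw), header_len + len(body))
        table += b"\0" * 16  # relocation, line-number and characteristics fields
        body += raw
        vaddr += (vsize + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    head = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return head.ljust(header_len, b"\0") + body


# Constructed samples: a "normal" image whose .text is repetitive code-like bytes, and a
# UPX-style image with an empty UPX0 reserving memory and a UPX1 full of random-looking bytes.
_rng = random.Random(1234)
NORMAL_IMAGE = build_image([(b".text", 0x1000, b"\x55\x8b\xec\x90" * 512)])
PACKED_IMAGE = build_image([
    (b"UPX0", 0x20000, b""),
    (b"UPX1", 0x2000, bytes(_rng.getrandbits(8) for _ in range(4096)) + b"UPX!"),
])

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, packer_indicators(image) or ["no indicators"])
```

On the constructed packed image the checks report the UPX section names, the empty UPX0 section reserving far more memory than it holds, the near-8-bit entropy of UPX1 and the "UPX!" marker; the normal image yields nothing. Real files are noisier: resource sections with embedded images and signed or encrypted data also have high entropy, so treat each indicator as evidence to weigh, not proof.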
When a malware author uses a packer, generally they're trying to do three things: hide strings, hide other binary signatures, and change the hash. This gets in our way, and we're gonna walk through how we can take care of this problem.
You might think, OK, why don't antivirus and security products look for signatures of packed software? I mentioned earlier that one of the characteristics of a packer is that it advertises itself: this is the Themida packer, this is the UPX packer. Well, it's because there are legitimate uses for packers. As I mentioned before, code compression was the reason they were made to begin with, but there's also intellectual property protection. So large companies might use a packer to protect their key generation or, as Adobe products tend to do, the code that checks whether your key is valid. That's their intellectual property, and their business model depends on the ability to sell their software. This is an anti-reverse-engineering technique.
And not only is it done for key generators or key-checking algorithms, but it's also done for video games, to protect the video game software from being altered so that people can't just access all the resources that a video game process would have. You can do this too: if you make a small app and you want to protect it from reverse engineers figuring out exactly how you do something, you could use a packer. With video games it's important because if you play an online video game, say a first-person shooter with a bunch of walls, and you can shoot through the walls but you can't see through them, how does the game know if you've actually shot someone through the wall? The game server sends you the locations of all the players, and when you shoot, the software on your end says: I shot a bullet, and it is going in this direction at this velocity. Your software does the calculation of whether or not it hits the other player and then reports to the game server: OK, this player died because this bullet got them. The game server might do some checking to verify that, or it might not. Or maybe some of the players the server is describing to your version of the software are invisible, and you can't see them. If you have altered your game, hacked the software to tell you exactly where people are even if they're invisible, then you have a big advantage, and people wouldn't want to play a game where someone has a huge advantage. This has happened before.
A related topic is digital rights management: licensing built into the more legitimate packers. They say, OK, you'll license this packer and the packer will protect your licensing, so no one can even execute this thing. It won't even unfold, it won't even decrypt, unless they have a proper key, and it checks online with our key server. This way you can protect your game from being pirated. Intellectual property, digital rights management and all this other stuff is beside the point, but some reverse engineers do not believe in that type of stuff, and they go out of their way to break these packers or licensing schemes, to say: hey, I can do this, stop trying to restrict my rights. But the Digital Millennium Copyright Act actually prevents people from even researching this topic, and it's a legal gray area. Technically, you are not allowed to reverse engineer some of the intellectual property protection mechanisms built into things. The video on a DVD isn't just encoded on the disc, it's actually encrypted, scrambled, and you need a decryption key to access it. There are major zones, and each zone uses its own encryption key to properly decrypt. That's why you can't just buy a copy of a movie from China, put it in your DVD player and have it work: China has its own zone and its own keys for its own DVDs, and North America has its own. For a while it was illegal for reverse engineers to even look into those algorithms or how any of that stuff worked. But there is an exception in the law for security researchers: if you're doing security auditing on a piece of software to make sure that it is secure and you find a vulnerability, then you can publish your results, you can say exactly how you did something, and you would be free from prosecution. But if you cracked open Adobe Photoshop, reverse engineered it, and published "this is how this keygen works, here's code to get around it," that is illegal. There are debates about this, and if you want to learn more, you can look at the Free Software Foundation; they are very much against this, and even saying "intellectual property" will irritate them. But keep in mind that when you are reverse engineering, especially defenses of software, you may be violating the law. I'm pretty sure you can do it with your own resources and equipment, but if you publish it, then that's definitely something they will try to come after you for.
As I mentioned before, there are legitimate uses for packers, but by far malware authors use them the most. The most common ones I have seen in my line of work: UPX, for sure. It's one of the oldest, longest-running packers, and it's mainly geared toward compression. Armadillo is definitely geared towards protecting software, and I believe the source code got leaked a while ago, so on the underground it's fairly common, and you'll see a lot of packer signature detectors fire off Armadillo 1.71. I think that was the version that got leaked, or maybe it was just a really flimsy signature. ASPack is another one. I've seen VMProtect; that's more legitimate, it also does licensing, and I think it tends to be very expensive. Themida is very difficult to crack, at least for me. I'm not an expert on packers, but I know my way around. Typically, reverse engineers won't specialize in unpacking, or say, oh, ASPack, I have an unpacker for that, I've written a program for it. Typically, reverse engineers just do the job they need to do. If that's finding an IP address or the command and control servers, they'll find it. They don't need to unpack the program or understand every detail of how something works. They just go for the gold and say, OK, run this program and see what it calls out to. If they need to say, oh, it has these strings, they'll just dump the memory, and we'll go over how to do that in just a minute. I found this image a while ago, and I think it's probably the best collection of packers I've seen; I wish I knew who made it. This is the packer landscape. Over on the right side you'll see the more commercial, more legitimately used packers, and over on the left, the free ones, which tend to be abused a bit more by malware authors. They're easier to unpack; you usually can cut through them pretty fast. So what exactly happens when an executable is packed?
As you can see from these images that I just ripped off the Internet, normally there are several sections in an executable, as we've seen before, and they usually follow the convention of .text, .rdata, .data, .bss and so on. The entry point for the code, the OEP, the original entry point, is usually somewhere in the .text section; that's where the executable code is usually stored by the compiler. The packer will take all the sections, compress all of that, and stick it in a file that it makes, together with a little stub, as they call it. The stub will typically unfold it in memory when it runs and then execute the OEP, the original entry point. These are two pretty simplistic images here.