Packers Part 2

Video Activity

In this module, we'll understand more on packers. We'll demonstrate the visual changes in a malware code when a packer has been included versus the one with no packer. We'll use Cantor Dust to display the visual changes.


Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Transcription
00:04
So I'm gonna show you a little demo of the difference we can see in the code.
00:12
So over on the left, here we have the original bot binary from the Illusion bot that we downloaded from the GitHub page,
00:24
and I'm gonna copy it over on the right side, and over here I've downloaded this program called Cantor Dust,
00:32
made by a researcher who works in the national labs, and he has talked at Black Hat, where he releases tools. Actually really, really good. But he said he'd release
00:44
more than just this demo, and he never did. I don't know what his deal is, but it makes really pretty pictures and allows us to quickly see what's going on, so
00:56
we can take our original binary, our bot, we can drag it over here, and we can say OK, so this thing,
01:04
you can view it in different coordinate systems. Um,
01:11
it's electrical.
01:12
It definitely has some patterns. Some lines in it that you can see.
01:17
It definitely has some data, like right over here in the corner, you can see the smaller cubes,
01:30
and that is ASCII; those are the strings that we typically see.
01:36
And over on the left we can see these two columns of green, and that's all fine and good.
01:48
And it gives us some kind of clear idea of the type of data that's in there. It's basically showing us the bytes.
02:00
So we have our original bot binary here. I'm gonna make a copy of it.
02:08
I'm gonna pull up a command prompt, CMD. It's in this directory,
02:19
and I'm going to download a program, UPX. Like I said, one of the oldest packers, most commonly used.
02:30
I'm just downloading it for Windows here. And I've put the program right here.
02:37
So I'm gonna type UPX, and I'm going to pack the bot binary copy.
02:50
So it does its little banner, and then it says it edited this file. It compressed the size by 41%,
02:57
so that's nearly half of the size it was before.
03:00
Just rename this file to "packed".
03:09
Run Cantor Dust again.
03:13
So this was our original bot binary, and this is our packed version.
03:19
You can see there's really no structure to it.
03:24
It's a lot of randomness. There is really nothing there that we can point to and say, "Oh, I can see that there's some structure in this file, that there tends to be a cluster of bytes that are very similar over here."
03:38
You know, we can't really make much of it. It's because it's compressed. It's high entropy also.
03:49
I'll show this in the future.
03:51
But if we run strings on our original binary,
03:54
I can see that there are plenty: the user agents, the obfuscated strings, the pass or encoded pass, you know, the function calls. And if we
04:08
run the same strings command on the packed binary, we see that there are hardly any.
04:16
There's a few functions that it needs to resolve the other functions dynamically.
04:25
There's probably a reference to UPX in there somewhere.
04:30
Yeah, UPX!, UPX0, UPX1, UPX2. These are actually the names of the sections, but we'll take a look at that in a bit.
04:43
And just for a test we can look at the hashes now. SHA-1,
04:56
SHA-1, 75, and MD5, and they are indeed different.
05:04
All it takes is one bit to be flipped to generate a new hash, or to derive a new hash.
05:13
Visual reverse engineering might take hold in the future, but I don't see it happening just yet. The tools aren't quite there, but
05:26
I definitely recommend this talk.
05:28
Even if he didn't really release his tool that he said he was going to, it's still pretty inspiring to see what's possible with just visually inspecting a binary.