Packers Part 5



Time: 9 hours 10 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Description

In this module, we'll begin by learning about more advanced packers. Some more advanced packers may have multiple layers, layers of junk code, built-in defences (like anti-analysis code and anti-debugging code), custom encryption, or may even convert the packed code for a small virtual machine of their own. Finally, we'll quickly recap the key areas learned in the module. There are also some good resources that will help you establish expertise:

  • Malware Analyst's Cookbook

  • Practical Malware Analysis

Video Transcription
>> Typically, I have a slide for notes for the paranoid. Well, there are more advanced packers out there. I've seen some that have multiple layers, where it will unfold one layer and then that layer will just in turn unfold another layer and then that will in turn unfold another layer. Maybe somewhere there's some built-in defenses, like anti-analysis code or anti-debugging code, to make sure a debugger isn't being used to take it apart. Between here and there and between the layers, there's lots and lots of junk code. Just meaningless instructions or meaningless function calls, stuff to distract you, annoy you. If you look at a packer for a while, you typically are able to eye the junk code. You can figure it out. That might sound strange, but honestly the person who wrote the packer isn't going to go to a huge amount of effort to deter you, because a week for them might be an hour for you to overcome.

I remember one packer, it did a weird jump-call-move combination, where it would move a value from EAX to ECX and then a few instructions later, move ECX back into EAX. It was pretty easy to pick out where it was saving these registers and where it was restoring them. It was pretty easy to see that the function calls another packer was using didn't even check the return values of those function calls. It was easy to see which function calls it actually was paying attention to and the other ones that were just throwaway values.

A lot of packers have custom encryption. When you get into more reverse engineering, you'll see that there are crypto APIs in the operating system that some packers will call; some packers will implement their own crypto, or go for open-source AES, Advanced Encryption Standard, or open-source RC4, or whatever else. They copy-paste because it's easy, it's fast, it works. Maybe they might tweak it a little so you can't just use a tool out there or use code that you found out there that they were using. There might be custom encryption, but it's nothing you can't overcome, because with a debugger we can easily step through every step of every part of it. As you saw in the demo, we could easily just step over stuff or just run straight through things.

Some of the most advanced packers out there will actually convert all of the original code that it was told to pack, and it will convert it into another language pretty much, and then execute that language in its own virtual machine. You might think about that and be like, what? Well, if you think about Java, you can take a .java file, which is English-readable strings, and it compiles it into a bytecode so that the Java virtual machine can then execute it. Java is a well-understood virtual machine. It's not that big of a deal to make a disassembler for it. But packers that create their own virtual machines each time, it's very difficult to disassemble that code, because even then it might be obfuscated, or your disassembler might not be able to handle some of the tricks it has built in, and it could create a rather complicated virtual machine. At that point, it's not worth your time usually to reverse engineer what it's doing instruction by instruction. Usually, you just want to get whatever data you're targeting out of it, like an IP address, or a domain name, or a particular configuration. I wouldn't worry about those much. If you ever come across a very advanced packer, then spend some time on it, get to know what it's doing. But definitely don't waste your time. Learning is good. I highly suggest that maybe you just take a solid week and go through a more difficult packer or a tutorial online about how to pack something like AS unpack or ASPack. But definitely don't spin your wheels on something that's not worth your time. Because as a reverse engineer, you're generally paid a lot and you know a lot and you have a very detail-oriented view of something. Packers are meant to distract you, and some of them are really good, but they are usually very expensive, so they're not that common.

Just a recap of what we covered and a list of good resources. We talked about what packers are, some of the more common ones, and then we took the most common, UPX. Then we saw how to pack something, how to unpack something. We saw what exactly it's doing to the executable and how it actually unfolds it in memory or decrypts it in memory. This does require a bit of assembly knowledge, and in particular the PUSHAD and POPAD instructions, because those are not usually, as I said, emitted by compilers. It's not usually generated code. If we see that, we usually think something a little funky is going on here. Those are excellent instructions to look out for. I suggest the Practical and also Cookbook, because as we saw, their scripts, even though they're a bit old, can be very enlightening to see exactly what's going on in a PE file and can give us some good indicators of whether a file is packed, like what the entropy or the virtual sizes versus the raw sizes of what's on disk versus what's going to go in memory. Practical Malware Analysis has a decent section on packers. I'll suggest that you check those out. There are plenty of packers out there freely available for download. If you want to build a simple Hello World program and then pack it with a dozen different packers and then see how each one is doing its thing, that is a great way to learn. You're going to learn 90 percent of this with doing it yourself. Again, my name is Sean Peters. I hope you enjoy this video and we'll see you soon.
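The two packed-file indicators the lecture names, section entropy and virtual size versus raw size on disk, as an added Python example that is not code from the course, from Sean Peters, or from the books he recommends. It parses the PE section table with the standard library only and reports sections that are high-entropy on disk or that reserve far more memory than they occupy in the file. The thresholds, the `build_sample_pe` helper and the sample blobs (modelled on the UPX0/UPX1 layout discussed in the module) are assumptions constructed for this example, not real binaries; the optional header is omitted in the samples, but the parser reads `SizeOfOptionalHeader` and so walks a real file's table the same way.

```python
"""Packed-PE section heuristics: entropy on disk and VirtualSize vs SizeOfRawData.

Added example, not code from the course or the books it recommends. The sample
PE blob is constructed below for demonstration; it is not a real executable.
"""
import math
import struct
from typing import Dict, List, Tuple

IMAGE_FILE_HEADER_SIZE = 20   # COFF file header, fixed size
SECTION_HEADER_SIZE = 40      # IMAGE_SECTION_HEADER, fixed size
ENTROPY_THRESHOLD = 7.0       # bits/byte; assumed cut-off, ordinary x86 code sits lower
SIZE_RATIO_THRESHOLD = 4.0    # VirtualSize / SizeOfRawData; assumed cut-off, tune per corpus


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + IMAGE_FILE_HEADER_SIZE + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]          # what is actually on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packed_indicators(pe: bytes) -> List[str]:
    """One finding per suspicious property; an empty list means nothing was flagged."""
    findings = []
    for s in parse_sections(pe):
        if s["entropy"] >= ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: 0 bytes on disk, {s['virtual_size']:#x} bytes in memory")
        elif s["raw_size"] and s["virtual_size"] / s["raw_size"] >= SIZE_RATIO_THRESHOLD:
            ratio = s["virtual_size"] / s["raw_size"]
            findings.append(f"{s['name']}: VirtualSize/SizeOfRawData = {ratio:.1f}")
    return findings


def build_sample_pe(sections: List[Tuple[bytes, int, bytes]]) -> bytes:
    """Construct a minimal PE-shaped blob (test data only). Each entry is
    (name, VirtualSize, raw bytes). SizeOfOptionalHeader is 0 here; the parser
    reads that field, so a real file's optional header is skipped the same way."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # i386, no opt hdr
    table_start = 64 + 4 + len(coff)
    raw_ptr = table_start + SECTION_HEADER_SIZE * len(sections)
    headers, blobs = [], []
    for name, vsize, raw in sections:
        headers.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                                   len(raw), raw_ptr, 0, 0, 0, 0, 0))
        blobs.append(raw)
        raw_ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + b"".join(headers) + b"".join(blobs)


# Constructed samples. UPX-style layout: an empty first section reserved for the
# unpacked image, then a small high-entropy section holding the compressed payload.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", 0x20000, b""),
    (b"UPX1", 0x10000, bytes(range(256)) * 48),   # uniform bytes: entropy 8.0
    (b".rsrc", 0x300, b"\x55\x8b\xec" * 256),     # 'push ebp; mov ebp, esp' repeated: low entropy
])
CLEAN_SAMPLE = build_sample_pe([
    (b".text", 0x300, b"\x55\x8b\xec" * 256),
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packed_indicators(blob) or "no indicators")
```

On the constructed packed sample this reports three findings (UPX0 empty on disk, UPX1 both high-entropy and over the size ratio) and nothing for the clean sample; on a real file, pass the bytes read from disk to `packed_indicators` and treat the thresholds as a starting point rather than a verdict.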