Runtime Packers

Question 1

What is the primary purpose of packing for malware authors?

Answer 1

Compressed malware code is tricky to reverse and hard for AV to check

• Compression
• Obfuscation

Question 2

What is Packing?

Answer 2

Taking existing code, and compressing it so it takes up less space.

• Packers take the original file, and treat it all as data.
• They then compress it as best as possible.
• This then becomes the Data section of the new packed Executable.
• The packer adds a short code section which is responsible for unpacking the data section.

Question 3

In the most common type of basic packer – the final file will have 2 main PE sections.

Answer 3

1. Packed original code
2. Unpacker section

Question 4

Dynamic Unpacking normally involves letting the file run until it is at the Original Entry Point, and then dumping memory:

• Describe 1-2 signs you may have reached the original Entry point (1-2 lines each)
• Dumping a process from memory will frequently break what part of the file which will need to be patched before analysis?

Answer 4

• OEP: Jump outside main decryption loop, jump to unclear/dynamic location, code with unclear destination, WriteMemory or VirtualAlloc
• Import Address Table (ImpRec)

Question 5

What is the last thing a packer does?

Answer 5

The last thing the packer does is transfer control to the Original Entry Point (which you will often see referred to as OEP)

Question 6

How can you identify a packer?

Answer 6

• Name of the different sections
• Code is more complex
• Strings are not readable
• Packers have identifiable strings
• What import they use
• have less imports
• High Entropy
• Call graphs
• Certain code sections

Question 7

What is Entropy?

Answer 7

Entropy is essentially a mathematical formula to measure randomness or predictability. Packed data looks encrypted, so it has HIGH entropy. Tools to check entropy: DIE (Detect It Easy), DensityScout

Question 8

Name tools to identify packers?

Answer 8

• DIE (Detect It Easy)
• DensityScout
• RDG Packer Detector

Question 9

Name a few common packers?

Answer 9

• UPX
• FSG
• ASPACK
• Morphine

Question 10

What are the main steps to unpack code?

Answer 10

1. Identify Packer: Check PE section names, entry point code, strings, imports
2. OSINT on packer type
3. Static Unpacking: using packer tool
4. Dynamic Unpacking
5. Emulation: stepping through the code and find OEP

Question 11

How does Dynamic Unpacking works?

Answer 11

1. Open packed file in debugger
2. Let packer stub run and unpack original program
   
   1. Trial and error on where to set the breakpoint
3. Goal: Find jmp to Original Entry Point
   
   1. Watch out for normal Anti-debug tricks
4. Dump process from memory
5. Fix dump with ImpRec (IAT)

Question 12

Tips to find OEP?

Answer 12

• Look for jmp/call to a dynamic location
• Code with unclear destination
• Looking for spot where decryption completes
• Function calls of WriteMemory or VirtualAlloc

Question 13

Name a few tools to dump memory?

Answer 13

• OllyDumpEx
• Volatility
• DumpIt
• TitanMist

Question 14

Name two tools to unpack packed code?

Answer 14

• UPX
• FUU (by Google)