How to ID Runtime packers?
#1
Posted 14 April 2011 - 10:46 AM
A friend came to me with a problem. He has a file, which is only about 40% of the original, and he would like to know which packer is used.
I looked at it in a Hex viewer, but couldn't find any packer header. Also PEiD couldn't find any packer.
So I'm fresh out of ideas how to figure out what's going on.
#2
Posted 14 April 2011 - 08:06 PM
Just to be 100% clear... the size is smaller, but it is still functional? In other words, it is some sort of executable, and it functions correctly even though it is 40% of the original (that is also functional)...
> A friend came to me with a problem. He has a file, which is only about 40% of the original, and he would like to know which packer is used.
> I looked at it in a Hex viewer, but couldn't find any packer header. Also PEiD couldn't find any packer.
> So I'm fresh out of ideas how to figure out what's going on.
You might have to look at the binary code, but often (in Linux/Unix), executables can be built with debug information embedded into the binary and also with less than optimal code optimization. There are also things like symbol tables that are used to "link" together different pieces of the executable. These can also be "stripped" out.
So, it may be that things like this have been done, and the binary isn't actually "compressed" (or packed).
#3
Posted 14 April 2011 - 08:49 PM
You can try one of the tools (or text files) listed here:
#4
Posted 14 April 2011 - 08:59 PM
He found the program on the net, labelled as a portable version for a USB stick. The manufacturer's site features no portable version for a USB stick.
So far it has been determined that it contains no known virus and does not show any suspicious behavior in a sandbox.
But what exactly was done to the program stays an enigma.
#5
Posted 14 April 2011 - 09:14 PM
Thanks Icecube! FastScanner was able to tell what it was. Simple UPX. Will see tomorrow if it was right.
> You can try one of the tools (or text files) listed here:
#6
Posted 14 April 2011 - 09:26 PM
UPX can't unpack the file. Not sure if that's because the file has been patched afterwards, or because FastScanner named the wrong program.
#7
Posted 15 April 2011 - 09:10 AM
What does the section table look like? I.e. the names. (Sometimes a simple rename back to what is expected may be sufficient for UPX to decompress it.)
Does it look OK in a disassembler?
Is the OEP detectable?
#8
Posted 20 April 2011 - 04:52 PM
http://www.heaventools.com/PE_Explorer_plug-ins.htm
PE Explorer ships with the UPX Unpacker plug-in, a start-up processing plug-in for unpacking files compressed with UPX. All versions of UPX are supported, from the obsolete early versions (prior to 0.80) up to the latest 3.0x versions.
In addition, PE Explorer supports files modified with many UPX scramblers such as Advanced UPX Scrambler, UPoLyX, UPX Lock, and even more: it now supports Upack and NSPack.
#9
Posted 20 April 2011 - 05:04 PM
Also, it is relatively simple to build your own packer, and it will pass online scans like VirusTotal.
It is not easy to detect these headers if they are custom modified.
#11
Posted 22 April 2011 - 09:22 AM
A year ago I also created libraries to read PE headers; the goal was to read the version encoded inside the binaries: http://reboot.pro/11890/
It was really interesting to see how they are composed.
#12
Posted 01 May 2011 - 10:36 AM
Got myself the original and compressed it with UPX. Then I compared the two files and added all references to UPX from my compressed file to the other.
Afterwards UPX could decompress the file without problem.
Unfortunately, the producer seems not to reflect all changes in their version number. I now already have 3 files, all claiming to be the same version, two of them directly downloaded from the manufacturer's site, which are not identical.
So that makes it a bit complicated to figure out what was done to the file to make it portable.
Thanks for all the help. Couldn't have done it without you, guys.
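The section-table check suggested in #7 and the "put the UPX references back" fix that worked in #12, written out as an added Python example (mine, not code posted by anyone in this thread). It parses the IMAGE_SECTION_HEADER table of a PE image by hand, reports heuristic UPX traces (UPX0/UPX1 section names, a first section that is empty on disk but writable and executable in memory, the "UPX!" pack-header magic), and can rewrite section names in place. The image it runs on is constructed by build_sample_pe and is headers only, not a real program; the three heuristics are my choice of indicators, not UPX's own detection logic.

```python
"""Inspect a PE section table and patch section names (added example, constructed input)."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER layout, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_table_offset(data: bytes):
    """Locate the section table: returns (file offset, NumberOfSections)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    # 4-byte signature + 20-byte COFF header + optional header, then the table
    return pe_off + 24 + opt_size, nsec


def parse_sections(data: bytes):
    """Return one dict per section header (name, sizes, characteristics)."""
    off, nsec = section_table_offset(data)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, off + i * SECTION_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("latin-1"),
            "vsize": f[1], "vaddr": f[2], "rawsize": f[3], "rawptr": f[4],
            "chars": f[9],
        })
    return sections


def upx_indicators(data: bytes):
    """Heuristic traces of UPX packing; each entry is a reason, not proof."""
    secs = parse_sections(data)
    hints = []
    names = [s["name"] for s in secs]
    if any(n.startswith("UPX") for n in names):
        hints.append("UPX-style section names: " + ", ".join(repr(n) for n in names))
    for s in secs:
        # UPX0 is typically empty on disk but large, writable and executable in
        # memory: the stub decompresses the original code into it at run time.
        rwx = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE) and bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
        if s["rawsize"] == 0 and s["vsize"] > 0 and rwx:
            hints.append(f"empty-on-disk writable+executable section {s['name']!r}")
    if b"UPX!" in data:
        hints.append("'UPX!' pack-header magic present")
    return hints


def rename_sections(data: bytes, new_names):
    """Return a copy of the image with section names rewritten, in table order."""
    off, nsec = section_table_offset(data)
    if len(new_names) != nsec:
        raise ValueError(f"image has {nsec} sections, {len(new_names)} names given")
    out = bytearray(data)
    for i, name in enumerate(new_names):
        raw = name.encode("ascii")
        if len(raw) > 8:
            raise ValueError(f"section name {name!r} longer than 8 bytes")
        pos = off + i * SECTION_SIZE
        out[pos:pos + 8] = raw.ljust(8, b"\0")
    return bytes(out)


def build_sample_pe(section_names, with_magic=True):
    """Constructed headers-only PE32 image for the demo (not a real program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                  # e_lfanew
    opt_size = 0xE0                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)         # PE32 magic, rest zeroed
    table = b""
    for idx, name in enumerate(section_names):
        rawsize = 0 if idx == 0 else 0x200       # first section empty on disk, like UPX0
        chars = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
        table += struct.pack(SECTION_FMT, name.encode("ascii").ljust(8, b"\0"),
                             0x10000, 0x10000 * (idx + 1), rawsize, 0x400, 0, 0, 0, 0, chars)
    image = bytes(dos) + b"PE\0\0" + coff + opt + table
    if with_magic:
        image += bytes(16) + b"UPX!"             # stands in for the magic a real packed file carries
    return image


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    for hint in upx_indicators(packed):
        print("hint:", hint)
    # Same layout with the section names wiped, as a patched "portable" build might have
    stripped = build_sample_pe(["", ".text", ".rsrc"], with_magic=False)
    print("before rename:", upx_indicators(stripped))
    fixed = rename_sections(stripped, ["UPX0", "UPX1", ".rsrc"])
    print("after rename:", [s["name"] for s in parse_sections(fixed)])
```

The rename covers only the section-name part of what `upx -d` looks for; it also checks its own pack header, which is consistent with #12 having to copy further UPX references from a freshly compressed original before decompression succeeded. Run the same `upx_indicators` over a real file by reading it with `open(path, "rb").read()`.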