How to ID Runtime packers?
11 replies to this topic

#1 MedEvil (Platinum Member, .script developer, 7771 posts)

Posted 14 April 2011 - 10:46 AM

A friend came to me with a problem. He has a file which is only about 40% of the original, and he would like to know which packer was used.
I looked at it in a hex viewer, but couldn't find any packer header. PEiD couldn't find any packer either.
So I'm fresh out of ideas how to figure out what's going on.

:)

#2 sbaeder (Gold Member, .script developer, 1338 posts, Location: USA - Massachusetts, United States)

Posted 14 April 2011 - 08:06 PM

    A friend came to me with a problem. He has a file which is only about 40% of the original, and he would like to know which packer was used.
    I looked at it in a hex viewer, but couldn't find any packer header. PEiD couldn't find any packer either.
    So I'm fresh out of ideas how to figure out what's going on.

    :smiling9:

Just to be 100% clear... the size is smaller, but it is still functional? In other words, it is some sort of executable, and it functions correctly even though it is 40% of the original (which is also functional)...

You might have to look at the binary code, but often (in Linux/Unix) executables can be built with debug information embedded into the binary and also with less than optimal code optimization. There are also things like symbol tables that are used to "link" together different pieces of the executable. These can also be "stripped" out.

So it may be that things like this have been done, and the binary isn't actually "compressed" (or packed) :thumbsup:

#3 Icecube (Gold Member, Team Reboot, 1063 posts, Belgium)

Posted 14 April 2011 - 08:49 PM

You can try one of the tools (or text files) listed here:
http://www.woodmann....fier_Signatures

#4 MedEvil (Platinum Member, .script developer, 7771 posts)

Posted 14 April 2011 - 08:59 PM

Yes, it is an executable and still fully functional, at least that's what I've been told.
He found the program on the net, labelled as a portable version for a USB stick. The manufacturer's site features no portable version for USB sticks.

So far it has been determined that it contains no known virus and does not show any suspicious behaviour in a sandbox.
But what exactly was done to the program stays an enigma.

:thumbsup:

#5 MedEvil (Platinum Member, .script developer, 7771 posts)

Posted 14 April 2011 - 09:14 PM

    You can try one of the tools (or text files) listed here:

Thanks Icecube! FastScanner was able to tell what it was: simple UPX. Will see tomorrow if it was right. :thumbsup:

:smiling9:

#6 MedEvil (Platinum Member, .script developer, 7771 posts)

Posted 14 April 2011 - 09:26 PM

OK, couldn't wait. Had to try. :thumbsup:
UPX can't unpack the file. Not sure if it's because the file has been patched afterwards, or because FastScanner named the wrong program.

:smiling9:

#7 joakim (Silver Member, Team Reboot, 912 posts, Location: Bergen, Norway)

Posted 15 April 2011 - 09:10 AM

Lots of things could have been done to it. Just delete a resource, for instance, and your exe gets smaller in size without any compression involved...

What does the section table look like? I.e. the names. (Sometimes a simple rename back to what is expected may be sufficient for UPX to decompress it.)
Does it look OK in a disassembler?
Is the OEP detectable?

#8 Icecube (Gold Member, Team Reboot, 1063 posts, Belgium)

Posted 20 April 2011 - 04:52 PM

This might help to see if the UPX-compressed binary was scrambled:

    PE Explorer ships with the UPX Unpacker plug-in, a start-up processing plug-in for unpacking files compressed with UPX. All versions of UPX are supported, from the obsolete early versions (prior to 0.80) up to the latest 3.0x versions.

    In addition, PE Explorer supports files modified with many UPX scramblers such as Advanced UPX Scrambler, UPoLyX, UPX Lock, and even more: it now supports Upack and NSPack.

http://www.heaventools.com/PE_Explorer_plug-ins.htm

#9 Brito (Platinum Member, .script developer, 10616 posts, Location: boot.wim, Interests: I'm just a quiet simple person with a very quiet simple life living one day at a time.., European Union)

Posted 20 April 2011 - 05:04 PM

Yes, I have already seen some files using scrambled UPX packers.

Also, it is relatively simple to build your own packer, and it will pass online scans like VirusTotal.

These headers are not easy to detect if they are custom modified.

#10 homes32 (Gold Member, .script developer, 1035 posts, Location: Minnesota, United States)

Posted 20 April 2011 - 09:18 PM

A good tool I have found currently is ExEinfo.
It's not as mature as PEiD, but it has a lot of features.

PEiD is dead. (RIP) :)

#11 Brito (Platinum Member, .script developer, 10616 posts, Location: boot.wim, Interests: I'm just a quiet simple person with a very quiet simple life living one day at a time.., European Union)

Posted 22 April 2011 - 09:22 AM

ExEinfo seems very nice.

A year ago I also created libraries to read PE headers; the goal was to read the version encoded inside the binaries: http://reboot.pro/11890/

It was really interesting to see how they are composed.

#12 MedEvil (Platinum Member, .script developer, 7771 posts)

Posted 01 May 2011 - 10:36 AM

Finally got around to solving this.
Got myself the original and compressed it with UPX. Then I compared the two files and added all references to UPX from my compressed file to the other.
Afterwards UPX could decompress the file without problem.

Unfortunately, the producer seems not to reflect all changes in their version number. I now have 3 files, all claiming to be the same version, two of them downloaded directly from the manufacturer's site, which are not identical.
So that makes it a bit complicated to figure out what was done to the file to make it portable.

Thanks for all the help. Couldn't have done it without you, guys.

:)
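joakim's question about the section table and MedEvil's finding that the file only decompressed once the stripped UPX references were put back come down to the same check: the names that signature scanners key on can be removed, but the layout stock UPX leaves behind cannot be removed without also breaking the stub. The following is an added example, not code from this thread or from any of the tools named in it. It is a small Python parser for the PE section table that reports the section names, which section the entry point lands in, and three structural traits of a stock UPX file (a first section with no raw data, a high-entropy section holding the entry point, and the "UPX!" marker), so a renamed or scrambled file still stands out when the names no longer match. The sample images are constructed inside the script by build_sample_pe and are header skeletons, not real programs; the 7.0-bit entropy threshold and the three-section layout are assumptions of this example, as is the heuristic that the packed section contains the entry point.

```python
import hashlib
import math
import struct

# Section names written by stock UPX; a scrambler or a manual rename removes them
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY_BITS = 7.0  # assumed threshold: compressed data sits close to 8 bits/byte


def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
                         "raw": data[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def entropy(blob):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_for_rva(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def packer_indicators(data):
    """Name-based and structural UPX indicators; the structural ones survive a rename."""
    entry_rva, sections = parse_pe(data)
    entry_sec = section_for_rva(sections, entry_rva)
    entry_entropy = entropy(entry_sec["raw"]) if entry_sec else 0.0
    return {
        "section_names": [s["name"] for s in sections],
        "upx_section_names": any(s["name"] in UPX_SECTION_NAMES for s in sections),
        "upx_magic_present": b"UPX!" in data,
        # stock UPX leaves the first section empty on disk; the unpacked image is written there at run time
        "first_section_has_no_raw_data": bool(sections) and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0,
        "entry_section": entry_sec["name"] if entry_sec else None,
        "entry_section_entropy": round(entry_entropy, 2),
        "entry_section_high_entropy": entry_entropy > HIGH_ENTROPY_BITS,
    }


def build_sample_pe(names, with_magic=True):
    """Constructed three-section PE32 skeleton in a UPX-like layout (not a real program)."""
    e_lfanew, opt_size, raw_len = 0x80, 224, 0x400
    # deterministic high-entropy filler standing in for compressed data
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(raw_len // 32))
    if with_magic:
        packed = packed[:-4] + b"UPX!"
    layout = [  # (VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
        (0x1000, 0x1F000, 0, 0, 0xE0000080),            # empty, RWX: unpacked image goes here
        (0x20000, 0x1000, raw_len, 0x400, 0xE0000040),  # packed data and stub; entry point here
        (0x21000, 0x400, raw_len, 0x800, 0xC0000040),   # resources, left unpacked
    ]
    img = bytearray(0x800 + raw_len)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x20000 + 0x300)  # AddressOfEntryPoint inside section 2
    for i, (name, (vaddr, vsize, rawsize, rawptr, chars)) in enumerate(zip(names, layout)):
        struct.pack_into("<8sIIIIIIHHI", img, opt + opt_size + 40 * i,
                         name.encode(), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    img[0x400:0x400 + raw_len] = packed
    return bytes(img)


if __name__ == "__main__":
    for label, names, magic in (("stock UPX", ["UPX0", "UPX1", ".rsrc"], True),
                                ("renamed/scrambled", [".text", ".data", ".rsrc"], False)):
        print(label, packer_indicators(build_sample_pe(names, magic)))
```

Run against a real file, packer_indicators(open(path, "rb").read()) gives the same report. The point of the second sample is that renaming the sections and removing the "UPX!" marker, which is all a simple scrambler needs to defeat PEiD-style signatures, leaves first_section_has_no_raw_data and entry_section_high_entropy untouched; those are the traits worth checking before concluding that a smaller binary was merely stripped rather than packed.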
