UPX discovery

Packers are tools used to compress executables to reduce their file size whilst retaining their executable property. Hackers harness packing as one of the numerous tricks to avoid detection. However, there are times when software authors pack their legitimate tools and thus not all packed executables are malware.
UPX is a popular packer. I packed several files with it and analysed them in a hex editor to try to discover patterns. Lo and behold... the tell-tale signs of a UPX packed file is the presence of UPX strings (ie. UPX0, UPX1 and UPX!).
Further investigation demonstrates that searching for UPX strings is not accurate because the UPX packed executables still function even if you change the UPX text. A reliable methodology of detecting packed executables is a tool called PEiD. It identifies UPX packed files by hexadecimal values.
at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

dnssecaudit.py

Since I was on a roll with Copilot, I decided to automate DNSSEC auditing with the following Python script. Not the most creative tool name....

  • "An error occured in avast! engine: Invalid argument"
    This annoying message popped up after I ran the update in avast! in Ubuntu yesterday. avast! crashes every time I attempt to launch it after...
  • Encrypted mails
    I decided to install a digital certificate for my Gmail account. This is simple and free to set up. Apply for a free certificate from Comod...