Malware Analysis — Journey into Packers
I have been wanting to write about malware analysis, and one topic that makes a good segue into the domain without being malware per se is packers.
Packer (n.): a tool that compresses, encrypts and/or encodes a file's content or format, for legitimate or malicious purposes.
A packer simply implements a transformation of the input data (compression, encryption, encoding) into a form from which the original can later be recovered without loss. A packed executable carries a small stub that performs that recovery in memory at run time and then transfers control to the original code, so nothing of the original program is lost, it is just not visible on disk.
Example packers, from the simple to the complex, include UPX and the custom packers seen on malware families such as Andromeda and Hancitor.
Here we look at the simple UPX packer; the more complex ones come later.
UPX (Ultimate Packer for eXecutables): this is by far the most common packer, so common that it is mostly used as the first layer of packing, just to reduce the size of the executable. It is open source, and a file packed with a stock build can usually be unpacked with `upx -d` as long as its headers have not been tampered with. Let's see it at work.
For this example I have a simple 'process hollowing' binary that has been packed with UPX. Process hollowing is a standard process-injection technique: a host process is created (typically suspended), its original image is unmapped from memory, the payload executable is written into the hollowed-out address space, and the thread's entry point is redirected to it, so the payload runs under the host process's name. In this example the packed binary loads and executes the Windows colour management applet (colorcpl.exe), which is benign as far as I can tell :)
Static analysis: the packed binary is a UPX-packed executable. A stock UPX build leaves obvious fingerprints: section names UPX0 and UPX1, the string "UPX!" in the file, and a high-entropy UPX1 section sitting next to a UPX0 section that has a large virtual size but no raw data (it reserves the space the stub unpacks into). All of these are trivial to scrub, so their absence proves nothing, but their presence is a strong hint.
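As an added example, not code from the original post, here is a small static check for those UPX fingerprints. It hand-parses the PE section table (so it needs no third-party modules), computes Shannon entropy per section, and looks for the UPX section names and the "UPX!" marker. The sample binaries it inspects are constructed in-line as minimal toy PE files with a UPX-style and a normal section layout; they are not real packed executables, and the 0x10000/0x11000 addresses and the pseudo-random section content are assumptions made for the demo.

```python
import hashlib
import math
import struct

FILE_ALIGN = 0x200          # file alignment used for the toy PE
OPT_HDR_SIZE = 0xE0         # PE32 optional header size
SECTION_HDR_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def _pseudo_random(n: int, seed: bytes = b"upx-demo") -> bytes:
    # Deterministic high-entropy filler (SHA-256 chain); stands in for compressed data.
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(packed: bool = True) -> bytes:
    """Construct a minimal toy PE file (assumption: not a real UPX output)."""
    if packed:
        # UPX-style layout: UPX0 has a big virtual size but no raw data,
        # UPX1 holds the compressed image plus the "UPX!" marker.
        layout = [("UPX0", 0x10000, 0x1000, b""),
                  ("UPX1", 0x2000, 0x11000, b"UPX!" + _pseudo_random(4096 - 4)),
                  (".rsrc", 0x1000, 0x13000, b"\x00" * 512)]
    else:
        # Ordinary compiler layout with low-entropy (repetitive) code bytes.
        layout = [(".text", 0x1000, 0x1000, b"\x55\x8b\xec\x90" * 1024),
                  (".rdata", 0x1000, 0x2000, b"hello, world\x00" * 40),
                  (".data", 0x1000, 0x3000, b"\x00" * 512)]
    nsec = len(layout)
    headers_len = 0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * nsec
    raw_base = _align(headers_len, FILE_ALIGN)
    sec_hdrs, raw_blob = b"", b""
    for name, vsize, vaddr, data in layout:
        raw_size = _align(len(data), FILE_ALIGN) if data else 0
        raw_ptr = raw_base + len(raw_blob) if data else 0
        sec_hdrs += struct.pack(SECTION_HDR_FMT, name.encode().ljust(8, b"\0"),
                                vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_blob += data.ljust(raw_size, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(OPT_HDR_SIZE, b"\0")  # PE32 magic, rest zero
    return (dos + coff + opt + sec_hdrs).ljust(raw_base, b"\0") + raw_blob


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniformly random, compressed/encrypted data is close to it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR_FMT, pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "entropy": round(shannon_entropy(data), 3)})
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Cheap static heuristics for a stock UPX build; all are easy to scrub."""
    secs = parse_sections(pe)
    ind = {
        "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
        "upx_magic": b"UPX!" in pe,
        "empty_first_section": bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0,
        "high_entropy_section": any(s["entropy"] > 7.0 for s in secs),
    }
    ind["likely_upx"] = ind["upx_section_names"] and ind["upx_magic"]
    return ind


if __name__ == "__main__":
    for label, pe in (("packed", build_sample_pe(True)), ("plain", build_sample_pe(False))):
        print(label, upx_indicators(pe))
        for s in parse_sections(pe):
            print("   ", s)
```

On a real sample you would feed the file's bytes to `upx_indicators` (or use pefile for the parsing) and treat "likely_upx" as a reason to try `upx -d` first; if that fails even though the names and marker are present, the headers have probably been altered and the unpacking has to be done dynamically (run the stub, dump the process once the original entry point is reached).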