General Packer

What is packer?

¹

A packer is a tool that combines an executable file's code, data, and sometimes resources into a single package. It includes code to unpack the program dynamically and execute it, without altering the program's original purpose.

What types of packers are there?

It is generally one or a combination of the following operations:²

Bundling

Makes a single executable with multiple files.

• PyInstaller
• cx_Freeze
• py2exe
• PyOxidizer
• Nuitka
• Briefcase

Compression

Compresses the executable to reduce its original size.

• UPX
• PEtite
• MPRESS
• PECompact
• kkrunchy
• ASPack

Obfuscates

Obfuscates the executable by encodin/gencrypting it.

• ExeCryptor
• ELFCrypt
• Code Virtualizer
• Dotfuscator
• ConfuserEx
• xorPacker
• Hyperion

Protection

Makes the reversing of the executable harder (i.e. using anti-debugging, anti-tampering or other tricks).

• ExeCryptor
• Themida
• ASProtect
• Enigma Protector
• VMProtect
• ZProtect

Virtualization

Embeds a virtual machine that virtualizes the instructions of executable files. It uses a customized and different virtual instruction set every time to protect your application. The virtual machine can be a simple interpreter or a complex virtualization engine, responsible for decrypting and executing the wrapped code at runtime. Virtualization technology creates an abstraction layer, hiding the actual instructions and data of the malicious software within the virtual machine, making reverse engineering and detection more challenging.

• Themida
• ASProtect
• Enigma Protector
• VMProtect
• Molebox

What it's used for?

Malware authors hide their malicious code behind this compression layer. This code is only decompressed and executed after the malware runs (in runtime mode), which helps malware authors bypass static signature-based detection.

1. Increased Difficulty for Static Analysis.
2. Obfuscation: Techniques used to obscure the code's logic and structure, making it harder for analysts to understand.
3. Multi-Layer Packing: Employing multiple layers of packing to further complicate analysis and increase resistance to detection.
4. Bypassing Signature Detection.
5. Changing File Signatures: Modifying the executable's file signature to evade detection by security software that relies on file signatures for identification.

By employing these tactics, malicious software authors aim to evade detection by security measures that rely on straightforward identification or behavioral analysis. This layered approach complicates the process for security analysts and software defenses, allowing the malware to operate undetected for longer periods and potentially causing harm to systems and data.

Tools

• https://github.com/TheAenema/hm-pe-packer
• https://github.com/Nariod/RustPacker
• https://github.com/89luca89/pakkero

Resource

• https://github.com/frank2/packer-tutorial
• https://www.codeproject.com/Articles/5317556/Creating-Your-Very-Own-x64-PE-Packer-Protector-fro

---

1. The process of unpacking a sample ↩

2. awesome-executable-packing ↩