Figure: runtime stages of a packed executable (diagram; only the stage labels are recoverable)
    allocation / startup (VirtualAlloc / empty section)
    trapped
    decryption (MANY layers, add/rol/xor)
    decryption (one layer, add/rol/xor)
    decryption (Tea/RC4/operators)
    decompression (packer)
    engine loading
    integrity check
    optimisation
    stub relocation
    DRM management
    original code
    extra threads (monitoring, simple code page guard, ...)
Packers: models and features (diagram; only the labels are recoverable)
    Models: packer, protector, virtualiser (advanced), mutator, crypter, bundler
    Malware: anti-analysis, anti-debugger, anti-emulation
    Countermeasures: anti-debuggers, anti-emulation, integrity check, anti-dump, DRM
    Checksum/hashes: crc32, md5, sha1, adler, md4, tiger, whirlpool
    Original File, ROL+XOR
    Different code: reflowing, synonyms
    File Embedding: dropping, injection, API hooking
    Encryption algorithms: add/xor/rol, RC4, PRNG (LCG), *Tea, Blowfish, DES, AES, IDEA, ElGamal
Packers: Categories & Features
Ange Albertini, 2010
Creative Commons Attribution (cc by)
http://corkami.googlecode.com/files/packers_features.pdf
Packers landscape (diagram; only the legible names are recoverable, illegible entries were marked "?")
    Categories: Bundlers, Virtualisers, EntryPoint Patchers, Free Hacks, Malware, Commercial
    Names: Vbox, Oreans (Code Virtualizer, Themida, XProtector, WinLicense), VMProtect, Alexei Solodovnikov,
           Krypton, EXEFog, Pohernah, PE-Armor, NiceProtect, Morphnah, Escargot, MicroJoiner, Morphine, MaskPE
EntryPoint code of three packers (three side-by-side columns in the original; reconstructed here as one listing per packer)

(packer name not legible in the extraction)
EntryPoint:
    xchg [_1], esp
    popad
    xchg eax, esp
    push ebp
_1:
    movsb
    mov dh, 80
    call [ebx]
    jnb _1
    xor ecx, ecx
    call [ebx]

PECOMPACT
EntryPoint:
    mov eax, _1
    push eax
    push dword ptr fs:[0]
    mov fs:[0], esp
    xor eax, eax
    mov [eax], ecx
    [...]
_1:
    mov eax, <random1>
    lea ecx, [eax + <random2>]

UPX (name inferred from the "* Not in UPX >3" footnote)
EntryPoint:
    pushad
    mov esi, <address>
    lea edi, [esi + <negative>]
    push edi
    or ebp, ffffffff        ; * Not in UPX >3
    jmp $ + 12
    nop
    nop                     ; *
    nop                     ; *
    nop                     ; *
    nop                     ; *