Today we demonstrate what a packer is, why it might be used, and a practical approach to unpacking a sample. While packers have legitimate uses in software protection and compression, they are a staple in the malware author's toolkit for evading signature-based detection.
Understanding Binary Packers
Binary packers are utilities that transform an executable file into a new, obfuscated version. Unlike a ZIP archive, which has to be extracted before it can be used, a packed executable is still a runnable program. When executed, an internal "Unpacking Stub" decompresses or decrypts the original code into memory and then transfers control to it.
How Packers Work: The Stub Mechanism
- The Packed Data: The original payload, usually compressed or encrypted.
- The Unpacking Stub: Code that executes first to decompress or decrypt the payload in RAM and then hand execution to it.
- Modified PE Header: Headers updated to point the Entry Point to the stub.
Detecting and Analyzing Packers
In malware analysis, identifying a packer is the first hurdle. Here are the primary methods used to analyze them:
1. Static Analysis & Entropy
Static analysis inspects the file's structure without executing it. High entropy (approaching the maximum of 8.0 bits per byte) in a section is a major red flag: native code and plain data usually sit well below that, while compressed or encrypted data comes close to it.
- Tools: Detect It Easy (DIE), PEiD, or Pestudio.
- Indicators: Unusual section names (UPX0, .aspack) and a tiny import table, often little more than LoadLibraryA and GetProcAddress, which the stub uses to rebuild the real imports at runtime.
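The script below is an added example, not code from the post, that puts the static indicators above into practice: it walks a PE's section table with nothing but `struct`, computes per-section Shannon entropy, and flags high entropy or a known packer section name. To keep it runnable offline it also constructs its own sample PE files (`build_minimal_pe`, with valid MZ/PE signatures but no executable code) and applies a hypothetical packer transform (`toy_encrypt`, XOR with a SHA-256 keystream) to a constructed "code" section so the entropy difference is visible. The section-name list beyond UPX0 and .aspack and the 7.0 threshold are assumptions, and the import-count indicator is not implemented here.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names commonly left behind by packers. UPX0 and .aspack come from the
# article; the others are assumptions added for illustration, not an exhaustive list.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".themida", ".vmp0", ".vmp1", ".petite"}
ENTROPY_THRESHOLD = 7.0  # assumed rule of thumb; 8.0 bits/byte is the maximum


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_minimal_pe(sections):
    """Construct a tiny PE32 file from [(name, raw_bytes)] for offline testing.
    Valid MZ/PE signatures, COFF header and section table, but no code: this is
    constructed sample data and is not meant to run."""
    size_opt = 224                       # IMAGE_OPTIONAL_HEADER32 size
    e_lfanew = 64
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)   # PE32 magic only
    raw_ptr = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    table, blobs, va = b"", b"", 0x1000
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (CODE | EXECUTE | READ)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), va,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        va += 0x10000
        blobs += data
    return dos + b"PE\x00\x00" + coff + opt + table + blobs


def parse_sections(pe: bytes):
    """Walk the section table of a PE32/PE32+ file; return [(name, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + size_opt
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        out.append((name.rstrip(b"\x00").decode("ascii", "replace"),
                    pe[raw_ptr:raw_ptr + raw_size]))
    return out


def packer_report(pe: bytes):
    """Per-section entropy plus the two static indicators from the article:
    high entropy and a known packer section name."""
    report = []
    for name, data in parse_sections(pe):
        ent = shannon_entropy(data)
        flags = []
        if ent >= ENTROPY_THRESHOLD:
            flags.append("high-entropy")
        if name in PACKER_SECTION_NAMES:
            flags.append("packer-section-name")
        report.append({"name": name, "size": len(data),
                       "entropy": round(ent, 3), "flags": flags})
    return report


def toy_encrypt(payload: bytes, key: bytes) -> bytes:
    """Hypothetical packer transform: XOR the payload with a SHA-256 counter-mode
    keystream. A stand-in for a real packer's compression/encryption step."""
    blocks = len(payload) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "little")).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(payload, ks))


# Constructed "code": a repeated prologue/epilogue byte pattern, 4096 bytes.
CLEAN_TEXT = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512


def demo():
    clean = build_minimal_pe([(".text", CLEAN_TEXT)])
    packed = build_minimal_pe([("UPX0", b""), ("UPX1", toy_encrypt(CLEAN_TEXT, b"k3y"))])
    return packer_report(clean), packer_report(packed)


if __name__ == "__main__":
    for label, rep in zip(("unpacked", "packed"), demo()):
        print(label)
        for s in rep:
            print(f"  {s['name']:<8} {s['size']:6d} bytes  entropy={s['entropy']:.3f}  {s['flags']}")
```

On the constructed samples the unpacked `.text` section scores 2.75 bits per byte with no flags, while the "packed" `UPX1` section scores close to 8.0 and is flagged twice. Against a real file, call `packer_report(open(path, "rb").read())`; sections that are mostly zero padding will pull the average down, so judge each section separately rather than the file as a whole.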
2. Dynamic Analysis & The "Jump to OEP"
Dynamic analysis uses a debugger (like x64dbg) to watch the unpacking process. The goal is to reach the Original Entry Point (OEP)—the actual start of the malicious code.
- The Tail Jump: Stubs usually end with a `JMP` or a `PUSH`/`RET` pair that transfers control to the OEP. Because the OEP lives in the original code section rather than in the stub, this jump typically crosses from one section into another, which is what makes it stand out.
- Memory Breakpoints: Setting a memory breakpoint on execute over the section that will receive the unpacked code catches the first instruction run there, which is the OEP. A hardware breakpoint on execution does the same job once you have a candidate OEP address, since it watches a single address rather than a whole region.
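As an added example (not from the post), the script below automates the tail-jump hunt described above: it scans a stub's raw bytes for `jmp rel32` (opcode E9) and `push imm32; ret` (68 ... C3) and reports only those whose target lies inside the image but outside the stub's own address range. The image layout, section ranges and stub bytes are all constructed for the example; real stubs are longer and the scan is a byte-pattern match rather than a disassembly, so every hit is a candidate to confirm in the debugger, not a verdict.

```python
import struct


def find_tail_jump_candidates(code: bytes, code_va: int, stub: tuple, image: tuple):
    """Scan raw stub bytes for 'jmp rel32' (E9) and 'push imm32; ret' (68 .. C3)
    whose target lies inside the image but outside the stub's own range.
    Byte-pattern scan, not a disassembler: data bytes that look like these
    opcodes can produce false hits, so treat results as candidates."""
    stub_lo, stub_hi = stub
    image_lo, image_hi = image
    hits = []
    for i in range(len(code)):
        if code[i] == 0xE9 and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (code_va + i + 5 + rel) & 0xFFFFFFFF   # relative to the next instruction
            kind = "jmp rel32"
        elif code[i] == 0x68 and i + 6 <= len(code) and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            kind = "push imm32; ret"
        else:
            continue
        if image_lo <= target < image_hi and not (stub_lo <= target < stub_hi):
            hits.append((code_va + i, kind, target))
    return hits


# Constructed layout (assumed for illustration): image at 0x400000-0x420000,
# original .text at 0x401000 (so OEP = 0x401000), stub section at 0x410000-0x411000.
IMAGE = (0x400000, 0x420000)
STUB = (0x410000, 0x411000)
STUB_VA = 0x410000
OEP = 0x401000


def rel32(from_va: int, to_va: int, insn_len: int = 5) -> bytes:
    """Encode the rel32 displacement for a 5-byte jmp at from_va reaching to_va."""
    return struct.pack("<i", to_va - (from_va + insn_len))


# Constructed stub bytes: a UPX-style prologue, an in-stub jump (must not be
# reported), register restore, then the tail jump to the OEP.
STUB_JMP = b"".join([
    b"\x60",                                      # off 0:  pushad
    b"\x8b\x74\x24\x24",                          # off 1:  mov esi, [esp+0x24]
    b"\x8d\xbe\x00\xf0\xff\xff",                  # off 5:  lea edi, [esi-0x1000]
    b"\xe9" + rel32(STUB_VA + 11, STUB_VA + 21),  # off 11: jmp over the nops (stays in stub)
    b"\x90" * 5,                                  # off 16: nop x5
    b"\x61",                                      # off 21: popad
    b"\xe9" + rel32(STUB_VA + 22, OEP),           # off 22: jmp OEP, the tail jump
])

# The push/ret variant of the same handoff.
STUB_PUSH_RET = b"\x68" + struct.pack("<I", OEP) + b"\xc3"


def demo():
    return (find_tail_jump_candidates(STUB_JMP, STUB_VA, STUB, IMAGE),
            find_tail_jump_candidates(STUB_PUSH_RET, STUB_VA, STUB, IMAGE))


if __name__ == "__main__":
    for hits in demo():
        for va, kind, target in hits:
            print(f"{va:#010x}: {kind:<16} -> {target:#010x}")
```

The in-stub `jmp` at offset 11 is skipped because its target stays inside the stub range; only the cross-section jump at 0x410016 (and the `push`/`ret` in the second sample) is reported. With a candidate address in hand, a hardware breakpoint on execution at the reported target in x64dbg lets you confirm it is the OEP before dumping.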
3. Unpacking and Dumping
Once you land at the OEP, the unpacked code is sitting in memory. To analyze it in depth, dump the process image back to a file and rebuild the Import Address Table (IAT): the stub resolved the imports at runtime, so the dumped file's import directory no longer describes them, and without a repaired IAT the dump will not load correctly and API calls will not resolve to meaningful names in a disassembler.
Conclusion
Packers are a double-edged sword. While they protect intellectual property, they also shield malicious intent. Mastering unpacking techniques allows an analyst to bypass these shells and see the true malicious logic underneath.
Happy hunting.