UPack's working principle and instance analysis (I)

Source: Internet
Author: User


UPack is a well-known topic in software reverse engineering. To understand runtime compression you need to master the PE file format and basic operating-system knowledge; in particular, a grounding in the PE header layout and some understanding of how the PE loader works is best. This article introduces basic PE file knowledge, but that is not its focus.

The figure compares the structure of a PE file on disk with its layout after the loader has mapped it into memory. The overall structure of the file is unchanged, but the relative offsets of its parts differ between the disk image and the loaded image.

1.1 Definition of a runtime-compressed file

A runtime-compressed executable contains the decompression code together with the compressed original program. The file is decompressed in memory at run time and then executed.

Comparison between ordinary compression and runtime compression

Such an executable is called a "runtime compressed file"; it is a form of compressed file dedicated to PE files.

1.2 Purpose and types of runtime-compressed files

PE compressors (packers) are mainly used for two purposes:

  • Reduce PE file size

  • Hide the internal code and resources of PE files

Types of PE compressors:

  • Packers used only to compress ordinary PE files, such as UPX and ASPack.

  • Packers that heavily deform the source PE file and seriously damage the PE header. These are not pure compressors; they are used, for example, for malicious programs (UPack, PESpin, etc.).

Exploring UPack compressed files

The author of UPack has a deep understanding of the PE header, and UPack is known for its unique deformation techniques. When UPack first appeared, many PE utilities could not handle its output. As a result, many malicious-code authors used UPack to compress and distribute malicious code.

This article takes notepad.exe compressed with UPack 0.3920 as its example and describes in detail how UPack compresses a PE file, especially the key techniques applied to the PE header and to resetting the code.

UPack runtime-compressing notepad.exe, as shown in the figure.

The original notepad.exe of 66560 bytes has been reduced to 44908 bytes. Besides the change in file size, the output shown in the figure indicates that the file's import table and resource information have also changed.

2.1 Compressed file detection

Both the header and the content of a UPack-compressed file differ from the original. Many security products therefore treat the compressed file as carrying virus characteristics and report it as a virus directly. When QQ is used to transmit the original notepad file and the compressed notepad file, QQ's built-in check flags the UPack-compressed file as containing virus characteristics.

When the IE browser is used to download the compressed file and the normal file, the IE plug-in shows a warning prompt.

When a multi-engine scanner is used to check the compressed file, many domestic security vendors flag the UPack-compressed file as containing virus characteristics.

2.2 Utility identification

Because UPack specially processes the PE file header, some PE utilities cannot handle it. When PEView is used to load the compressed notepad file and the original notepad file, the two are identified differently: because UPack deformed the notepad header, PEView fails to load the file structure while parsing the compressed notepad.

This figure shows the error message when the OD (OllyDbg) dynamic debugger loads the compressed notepad.
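As an added illustration (not code from the article), the following Python walks a PE header the way the loader does, maps an RVA to its file offset (the disk-versus-memory relation of section 1), and flags the kind of header layout that trips strict parsers (section 2.2). The PE image it builds is constructed test data, not notepad.exe, and the anomaly rules are my own heuristics, not UPack's documented layout.

```python
import struct

OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # PE32 IMAGE_OPTIONAL_HEADER, 96 bytes
SEC_FMT = "<8sIIIIIIHHI"                     # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(e_lfanew=0x80, num_dirs=16):
    """Constructed PE32 test image (not notepad.exe). e_lfanew < 0x40 overlaps the
    NT headers onto the DOS header; num_dirs < 16 shrinks the data directory."""
    opt = struct.pack(OPT_FMT, 0x10B, 0, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200,
                      0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, num_dirs)
    opt += b"\0" * (8 * num_dirs)                       # empty data directories
    fh = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = struct.pack(SEC_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SEC_FMT, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    nt = b"PE\0\0" + fh + opt + secs
    img[e_lfanew:e_lfanew + len(nt)] = nt
    img[0x3C:0x40] = struct.pack("<I", e_lfanew)        # written last so it survives an overlap
    return bytes(img)

def parse_pe(img):
    """Walk the headers as the loader does (follow e_lfanew and SizeOfOptionalHeader,
    never fixed offsets). Returns (sections, anomalies)."""
    anomalies = []
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    if e_lfanew < 0x40:
        anomalies.append("NT headers overlap the DOS header (e_lfanew=0x%x)" % e_lfanew)
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", img, e_lfanew + 4)
    opt_off = e_lfanew + 24
    num_dirs = struct.unpack_from("<I", img, opt_off + 92)[0]
    if num_dirs != 16:
        anomalies.append("NumberOfRvaAndSizes=%d instead of 16" % num_dirs)
    if opt_size != 96 + 8 * num_dirs:
        anomalies.append("SizeOfOptionalHeader=0x%x disagrees with directory count" % opt_size)
    sections = []
    for i in range(nsec):                                # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SEC_FMT, img, opt_off + opt_size + 40 * i)[:5]
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return sections, anomalies

def rva_to_offset(sections, rva):
    """Disk/memory relation from section 1: same layout, different offsets; None = not in file."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None
```

Running parse_pe over a real sample would list the same anomalies a strict viewer like PEView rejects, while still recovering the section table that the Windows loader itself accepts.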

We will analyze the UPack compression principle in depth in the next article.
