UPX

From aldeid
Jump to navigation Jump to search

Description

UPX (Ultimate Packer for eXecutables) is one of the most famous packers for executables. Many malwares are packed using UPX.

UPX supports:

Format full name Format description
amd64-linux.elf Linux ELF
amd64-linux.kernel.vmlinux Linux kernel
arm-linux.elf Linux ELF
arm-linux.kernel.vmlinux Linux kernel
arm-wince.pe Windows CE executable or DLL
armeb-linux.elf Linux ELF
armeb-linux.kernel.vmlinux Linux kernel
fat-darwin.macho Mac OS X executable
i086-dos16.com DOS 16-bit .com file
i086-dos16.exe DOS 16-bit executable
i086-dos16.sys DOS 16-bit .sys file
i386-bsd.elf.execve BSD generic
i386-darwin.macho Mac OS X executable
i386-dos32.djgpp2.coff DOS 32-bit COFF
i386-dos32.tmt.adam DOS 32-bit executable
i386-dos32.watcom.le DOS 32-bit linear executable
i386-freebsd.elf FreeBSD ELF
i386-linux.elf Linux ELF
i386-linux.elf.execve Linux generic
i386-linux.elf.shell Linux shell script
i386-linux.kernel.bvmlinuz Linux kernel
i386-linux.kernel.vmlinux Linux kernel
i386-linux.kernel.vmlinuz Linux kernel
i386-netbsd.elf NetBSD ELF
i386-openbsd.elf OpenBSD ELF
i386-win32.pe Windows 32-bit executable or DLL
m68k-atari.tos Atari TOS/MiNT executable
mips-linux.elf Linux ELF
mipsel-linux.elf Linux ELF
mipsel.r3000-ps1 PlayStation 1 executable
powerpc-darwin.macho Mac OS X executable
powerpc-linux.elf Linux ELF
powerpc-linux.kernel.vmlinux Linux kernel

Installation

UPX supports following platforms:

  • Win32/i386
  • Linux/i386
  • Linux/AMD64
  • Linux/ARM
  • Linux/MIPS
  • Linux/PPC
  • DOS/i386
  • Atari TOS-MiNT/m68k

The above installation has been tested on Ubuntu 12.04 32 bits:

$ cd /data/src/
$ wget http://upx.sourceforge.net/download/upx-3.09-i386_linux.tar.bz2
$ bzip2 -cd upx-3.09-i386_linux.tar.bz2 | tar xvf -
$ cd upx-3.09-i386_linux/
$ ./upx --help

Usage

Syntax

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file

Options

Commands

-1
compress faster
-9
compress better
--best
compress best (can be slow for big files)
-d
decompress
-l
list compressed file
-t
test compressed file
-V
display version number
-h
give this help
-L
display software license

Options

-q
be quiet
-v
be verbose
-oFILE
write output to 'FILE'
-f
force compression of suspicious files
--no-color, --mono, --color, --no-progress
change look

Compression tuning options

--brute
try all available compression methods & filters [slow]
--ultra-brute
try even more compression variants [very slow]

Backup options

-k, --backup
keep backup files
--no-backup
no backup files [default]

Overlay options

--overlay=copy
copy any extra data attached to the file [default]
--overlay=strip
strip any extra data attached to the file [DANGEROUS]
--overlay=skip
don't compress a file with an overlay

Options for djgpp2/coff

--coff
produce COFF output [default: EXE]

Options for dos/com

--8086
make compressed com work on any 8086

Options for dos/exe

--8086
make compressed exe work on any 8086
--no-reloc
put no relocations in to the exe header

Options for dos/sys

--8086
make compressed sys work on any 8086

Options for ps1/exe

--8-bit
uses 8 bit size compression [default: 32 bit]
--8mib-ram
8 megabyte memory limit [default: 2 MiB]
--boot-only
disables client/host transfer compatibility
--no-align
don't align to 2048 bytes [enables: --console-run]

Options for watcom/le

--le
produce LE output [default: EXE]

Options for win32/pe, rtm32/pe & arm/pe

--compress-exports=0
do not compress the export section
--compress-exports=1
compress the export section [default]
--compress-icons=0
do not compress any icons
--compress-icons=1
compress all but the first icon
--compress-icons=2
compress all but the first icon directory [default]
--compress-icons=3
compress all icons
--compress-resources=0
do not compress any resources at all
--keep-resource=list
do not compress resources specified by list
--strip-relocs=0
do not strip relocations
--strip-relocs=1
strip relocations [default]

Options for linux/elf

--preserve-build-id
copy .gnu.note.build-id to compressed output

Example

Determine if executable is packed

Let's consider the example available in the "Practical Malware Analysis" book (Lab 1-2). The file seems to be packed with UPX:

$ ./pescanner.py /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe
################################################################################
Record 0
################################################################################

Meta-data
================================================================================
File:    /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe
Size:    3072 bytes
Type:    PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5:     8363436878404da0ae3e46991e355b83
SHA1:    5a016facbcb77e2009a01ea5c67b39af209c3fcb
ssdeep:  48:atUKzxRhvlNZEVtfbn4m3ZUJSSeJY8JTaIcLoBgs:0UKXktfb4KOJzcK
Date:    0x4D370D01 [Wed Jan 19 16:10:41 2011 UTC]
EP:      0x405410 UPX1 1/3 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x41f9 [SUSPICIOUS]

Signature scans
================================================================================

Clamav: /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe: Win.Trojan.Agent-328471 FOUND

Suspicious IAT alerts
================================================================================
CreateServiceA

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
UPX0       0x1000       0x4000       0x0          0.000000    [SUSPICIOUS]
UPX1       0x5000       0x1000       0x600        7.067181    [SUSPICIOUS]
UPX2       0x6000       0x1000       0x200        2.797804

The presence of the 2 highlighted imports is also a sign that the executable is likely to be packed:

$ strings /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe 
a\`Y
(23h
MalService
sHGL345
http://w
warean
ysisbook.co
om#Int6net Explo!r 8FEI
SystemTimeToFile
GetMo
*Waitab'r
Process
OpenMu$x
ZSB+
ForS
ObjectU4
[Vrtb
CtrlDisp ch
Xcpt
mArg
[email protected]_
t_fd
dlI37n
olfp
dW|6
lB`.rd
XPTPSW
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
WININET.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
CreateServiceA
exit
InternetOpenA

Unpack (success)

Now that we suspect that the file is packed (UPX), let's unpack it:

$ ./upx -o /data/tmp/Lab01-02_unpacked.exe -d /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.09        Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 <-      3072   18.75%    win32/pe     Lab01-02_unpacked.exe

Unpacked 1 file.

Unpack (failure)

The following command fails because the executable seems not to be packed with UPX.

$ ./upx -o /data/tmp/Lab01-03_unpacked.exe -d /data/tmp/Lab01-03.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.09        Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: /data/tmp/Lab01-03.exe: NotPackedException: not packed by UPX

Unpacked 0 files.

Comments

blog comments powered by Disqus