UPX

From aldeid

Description

UPX (Ultimate Packer for eXecutables) is one of the most widely used executable packers. Many malware samples are packed with UPX.

UPX supports the following executable formats:

Format full name               Format description
amd64-linux.elf                Linux ELF
amd64-linux.kernel.vmlinux     Linux kernel
arm-linux.elf                  Linux ELF
arm-linux.kernel.vmlinux       Linux kernel
arm-wince.pe                   Windows CE executable or DLL
armeb-linux.elf                Linux ELF
armeb-linux.kernel.vmlinux     Linux kernel
fat-darwin.macho               Mac OS X executable
i086-dos16.com                 DOS 16-bit .com file
i086-dos16.exe                 DOS 16-bit executable
i086-dos16.sys                 DOS 16-bit .sys file
i386-bsd.elf.execve            BSD generic
i386-darwin.macho              Mac OS X executable
i386-dos32.djgpp2.coff         DOS 32-bit COFF
i386-dos32.tmt.adam            DOS 32-bit executable
i386-dos32.watcom.le           DOS 32-bit linear executable
i386-freebsd.elf               FreeBSD ELF
i386-linux.elf                 Linux ELF
i386-linux.elf.execve          Linux generic
i386-linux.elf.shell           Linux shell script
i386-linux.kernel.bvmlinuz     Linux kernel
i386-linux.kernel.vmlinux      Linux kernel
i386-linux.kernel.vmlinuz      Linux kernel
i386-netbsd.elf                NetBSD ELF
i386-openbsd.elf               OpenBSD ELF
i386-win32.pe                  Windows 32-bit executable or DLL
m68k-atari.tos                 Atari TOS/MiNT executable
mips-linux.elf                 Linux ELF
mipsel-linux.elf               Linux ELF
mipsel.r3000-ps1               PlayStation 1 executable
powerpc-darwin.macho           Mac OS X executable
powerpc-linux.elf              Linux ELF
powerpc-linux.kernel.vmlinux   Linux kernel

Installation

UPX runs on the following host platforms:

  • Win32/i386
  • Linux/i386
  • Linux/AMD64
  • Linux/ARM
  • Linux/MIPS
  • Linux/PPC
  • DOS/i386
  • Atari TOS-MiNT/m68k

The following installation has been tested on Ubuntu 12.04 (32-bit):

$ cd /data/src/
$ wget http://upx.sourceforge.net/download/upx-3.09-i386_linux.tar.bz2
$ bzip2 -cd upx-3.09-i386_linux.tar.bz2 | tar xvf -
$ cd upx-3.09-i386_linux/
$ ./upx --help

Usage

Syntax

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file

Options

Commands

-1
compress faster
-9
compress better
--best
compress best (can be slow for big files)
-d
decompress
-l
list compressed file
-t
test compressed file
-V
display version number
-h
give this help
-L
display software license

Options

-q
be quiet
-v
be verbose
-oFILE
write output to 'FILE'
-f
force compression of suspicious files
--no-color, --mono, --color, --no-progress
change look

Compression tuning options

--brute
try all available compression methods & filters [slow]
--ultra-brute
try even more compression variants [very slow]

Backup options

-k, --backup
keep backup files
--no-backup
no backup files [default]

Overlay options

--overlay=copy
copy any extra data attached to the file [default]
--overlay=strip
strip any extra data attached to the file [DANGEROUS]
--overlay=skip
don't compress a file with an overlay

Options for djgpp2/coff

--coff
produce COFF output [default: EXE]

Options for dos/com

--8086
make compressed com work on any 8086

Options for dos/exe

--8086
make compressed exe work on any 8086
--no-reloc
put no relocations into the exe header

Options for dos/sys

--8086
make compressed sys work on any 8086

Options for ps1/exe

--8-bit
uses 8 bit size compression [default: 32 bit]
--8mib-ram
8 megabyte memory limit [default: 2 MiB]
--boot-only
disables client/host transfer compatibility
--no-align
don't align to 2048 bytes [enables: --console-run]

Options for watcom/le

--le
produce LE output [default: EXE]

Options for win32/pe, rtm32/pe & arm/pe

--compress-exports=0
do not compress the export section
--compress-exports=1
compress the export section [default]
--compress-icons=0
do not compress any icons
--compress-icons=1
compress all but the first icon
--compress-icons=2
compress all but the first icon directory [default]
--compress-icons=3
compress all icons
--compress-resources=0
do not compress any resources at all
--keep-resource=list
do not compress resources specified by list
--strip-relocs=0
do not strip relocations
--strip-relocs=1
strip relocations [default]

Options for linux/elf

--preserve-build-id
copy .gnu.note.build-id to compressed output

Example

Determine whether an executable is packed

Let's consider Lab 1-2 from the "Practical Malware Analysis" book. The file appears to be packed with UPX:

$ ./pescanner.py /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe
################################################################################
Record 0
################################################################################

Meta-data
================================================================================
File:    /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe
Size:    3072 bytes
Type:    PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5:     8363436878404da0ae3e46991e355b83
SHA1:    5a016facbcb77e2009a01ea5c67b39af209c3fcb
ssdeep:  48:atUKzxRhvlNZEVtfbn4m3ZUJSSeJY8JTaIcLoBgs:0UKXktfb4KOJzcK
Date:    0x4D370D01 [Wed Jan 19 16:10:41 2011 UTC]
EP:      0x405410 UPX1 1/3 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x41f9 [SUSPICIOUS]

Signature scans
================================================================================

Clamav: /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe: Win.Trojan.Agent-328471 FOUND

Suspicious IAT alerts
================================================================================
CreateServiceA

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
UPX0       0x1000       0x4000       0x0          0.000000    [SUSPICIOUS]
UPX1       0x5000       0x1000       0x600        7.067181    [SUSPICIOUS]
UPX2       0x6000       0x1000       0x200        2.797804

The presence of the two highlighted imports in the strings output is also a sign that the executable is likely packed:

$ strings /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe 
a\`Y
(23h
MalService
sHGL345
http://w
warean
ysisbook.co
om#Int6net Explo!r 8FEI
SystemTimeToFile
GetMo
*Waitab'r
Process
OpenMu$x
ZSB+
ForS
ObjectU4
[Vrtb
CtrlDisp ch
Xcpt
mArg
[email protected]_
t_fd
dlI37n
olfp
dW|6
lB`.rd
XPTPSW
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
WININET.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
CreateServiceA
exit
InternetOpenA

Unpack (success)

Now that we suspect the file is UPX-packed, let's unpack it:

$ ./upx -o /data/tmp/Lab01-02_unpacked.exe -d /data/documents/BinaryCollection/Chapter_1L/Lab01-02.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.09        Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 <-      3072   18.75%    win32/pe     Lab01-02_unpacked.exe

Unpacked 1 file.

Unpack (failure)

The following command fails because the executable does not appear to be packed with UPX:

$ ./upx -o /data/tmp/Lab01-03_unpacked.exe -d /data/tmp/Lab01-03.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.09        Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: /data/tmp/Lab01-03.exe: NotPackedException: not packed by UPX

Unpacked 0 files.
