Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improvement to the detection of multiple packers. #804

Merged
merged 15 commits into from
Jul 15, 2020
Merged

Improvement to the detection of multiple packers. #804

merged 15 commits into from
Jul 15, 2020

Conversation

tamaroth
Copy link
Contributor

@tamaroth tamaroth commented Jul 13, 2020
edited
Loading

This PR changes the following:

Added:

  • Added new version of Ste@lth packer.

Removed:

  • Ramnit was removed as a packer (it is a file-infector).
  • Several ambiguous YARA rules that were too generic and not specific to described packer (Themida, InstallShield, MEW, tElock, Ste@lth).
  • Redundant AHPack rule since AHPack and !EP ExeCrypt are the same product with different names.
  • Incorrect recognition of RLPack. It was detecting code that was generated by Themida

Improved:

  • Detecting UPX by section names now only detects when the very first section is zero-size.
  • UPX detection based on the magic block now only detects when this block is placed before the first section.
  • The detection of VMProtect is now more precise, lowering the number of false-positive detections.
  • Renamed WinUpack to Upack for consistency.
  • Renamed yoda's Crytper to yoda's Protector for consistency.
  • Renamed one ASPack rule to ASProtect as it was detecting the code that is only present in ASProtect.

Corresponding tests

@tamaroth
Improve UPX detection by section names.
b81eee5 
To prevent false positives, we should check whether the size of the very
first section of the file is zero. If it is not, then we either have a
modified packer, already unpacked file that has the packer's section
names, or a file that tries to pretend it is packed with UPX. This should
reduce the amount of false positives significantly.
@tamaroth
Improve UPX detection by ensuring the UPX block is before the first s…
d884728 
…ection.

The data block containing a magic value "UPX!" followed by an internal
structure must be placed before the first section. This check will
remove false positive detection of unpacked files dumped from memory that
retained that information.
@tamaroth
Remove Ramnit as a packer.
1ec38b5 
Ramnit is a file-infector and should not be detected as a tool.
@tamaroth
Prevent false detections of VMProtect.
79b6dbb 
By rigorously checking the imported API and the presence of the string
in only executable sections of the file we ensure that only truly packed
files are detected. Otherwise a false positive detection could occur when
a file was doubly packed and the byte pattern was stored in unmodified
form in the data section, or when a packed file was stored in resources
or overlay.
@tamaroth
Remove ambiguous Themida YARA rule.
ee81380 
The rule itself searches for a string "kernel32.dll" that sits in the
middle of zeroed bytes. This does not actually check for code/data from
Themida and can be easily present in regular files.
@tamaroth
Remove ambiguous InstallShield YARA rule.
881a94d 
This rule matches a common windows runtime code from older versions of
Visual Studio (6.0).
@tamaroth
Remove ambiguous MEW YARA rule.
6a96fe4 
This rule matches code that is not specific to MEW. If the entrypoint
starts with a E9 call and is followed by empty space. It will always
match.
@tamaroth
Remove ambiguous tElock YARA rule.
454e8bf 
This rule matches code that is not specific to tElock. If the entrypoint
starts with a E9 call and is followed by empty space. It will always
match.
@tamaroth
Remove ambiguous Ste@lth YARA rule.
fc70d2f 
The generic Ste@lth YARA rule was checking for the presence of a single
instruction. Not only it is slow, it is also highly inaccurate. The YARA
rule was replaced with a correct one and an old rule for version 1.1
was left behind for backwards compatibility.
@tamaroth
Add new version of Ste@lth packer.
6847005 
This version was previously covered by highly ambiguous YARA rule that
has been since removed. In its stead, this YARA rule was added.
@tamaroth
Rename WinUpack YARA rule to Upack.
4d229d5 
To keep things consistent, we should use the same name for cases where
there are historically two possibilities. Thus, we should rename WinUpack
to simply Upack.
@tamaroth
Unify naming between yoda's Crypter and yoda's Protector.
8c499c9 
For the sake of uniformity, we should use consistent naming.
@tamaroth
Rename ASPack YARA rule to ASProtect to accurately describe the detec…
c60774c 
…tion.

The code that this specific YARA rule detects belongs to ASProtect rather
than to ASPack and it should be detected as such.
@tamaroth
Remove redundant AHPack YARA rule.
6aa3fa3 
The !EP ExePack and AHPack are the same product under different names.
They both use the same code and therefore should be detected as with the
same name.
@tamaroth
Remove incorrect recognition of RLPack.
dd6a5e5 
The detected code was created by Themida, not by RLPack and should be
marked as such.
@tamaroth tamaroth requested a review from s3rvac July 13, 2020 13:30
@tamaroth tamaroth mentioned this pull request Jul 13, 2020
Merged
@s3rvac
Copy link
Member

s3rvac commented Jul 14, 2020

Let's run TC tests.

s3rvac
s3rvac approved these changes Jul 14, 2020
View reviewed changes
Copy link
Member

@s3rvac s3rvac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the improvements 👍 LGTM. The macOS build is failing because of the recent OS update on the TeamCity agent. This is being investigated and is not related to the present PR.

@s3rvac s3rvac merged commit cc24b12 into master Jul 15, 2020
@s3rvac s3rvac deleted the improvement-packer-detections branch July 15, 2020 05:16
s3rvac added a commit that referenced this pull request Jul 15, 2020
@s3rvac
Add a CHANGELOG entry for #804.
f5b7c71
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@s3rvac s3rvac s3rvac approved these changes

Assignees

@s3rvac s3rvac

Labels
C-cpdetect enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@tamaroth @s3rvac