Uninformed: Informative Information for the Uninformed

Vol 6» 2007.Jan


Abstract: This paper presents a proof of concept executable packer that does not use any custom code to unpack binaries at execution time. This is different from typical packers which generally rely on packed executables containing code that is used to perform the inverse of the packing operation at runtime. Instead of depending on custom code, the technique described in this paper uses documented behavior of the dynamic loader as a mechanism for performing the unpacking operation. This difference can make binaries packed using this technique more difficult to signature and analyze, but only when presented to an untrained eye. The description of this technique is meant to be an example of a fun thought exercise and not as some sort of revolutionary packer. In fact, it's been used in the virus world many years prior to this paper.

Thanks: The author would like to thank Skywing, spoonm, deft, intropy, Orlando Padilla, nemo, Richard Johnson, Rolf Rolles, Derek Soeder, and Andre Protas for their discussions and feedback.

Challenge: Prior to reading this paper, the author recommends that the reader attempt to determine the behavior of the packer that was used on the binary included in the attached code sample. The binary itself is innocuous and just performs a few simple printf operations.

Previous Research: This technique has been used in the virus world far in advance of this writing. Examples that apply this technique include W95/Resurrel and W95/Silcer. Further research indicates that Peter Szor did a write-up on this technique entitled "Tricky Relocations" in the April 2001 edition of Virus Bulletin [2,3].