UPX compressed file and static scans



NewsArchive
06-30-2011, 01:14 AM
Friedrich,

I've added file compression (and obfuscator) with UPX which runs on successful
build of a project. Works fine.

When I use a static scan on the compressed executable, it won't work. Is this
because your scan requires non-obfuscated files?

--
Russell B. Eggen
www.radfusion.com

NewsArchive
06-30-2011, 01:14 AM
Russ,

> I've added file compression (and obfuscator) with UPX which runs on
> successful build of a project. Works fine.
>
> When I use a static scan on the compressed executable, it won't work. Is
> this because your scan requires non-obfuscated files?

First of all, it's a bad idea to use UPX on files. But that's another story
<g>.

You can't static scan those compressed executables because UPX modifies the
PE Header and makes a static scan impossible.

Friedrich

NewsArchive
06-30-2011, 01:23 PM
If you have some references, please tell <g>.

Thanks for confirming what I already suspected.

--
Russell B. Eggen
www.radfusion.com

NewsArchive
06-30-2011, 01:23 PM
Hi Russ,

> If you have some references, please tell <g>.
>
> Thanks for confirming what I already suspected.

There are quite a few potential problems with "packed" executables and
dynamic link libraries. Too many to mention all here <g>. I would never
ever send a "packed" application EXE or DLL to a customer.

First of all, the standard process to identify run-time library dependencies
does not work any longer because only the statically linked extractor STUB
is visible to the scanner. Another disadvantage is that packed EXEs and
DLLs are very often (and I mean VERY often <g>) detected by anti-virus and
anti-malware scanners. Most viruses are UPX-compressed and if you use an
unmodified UPX-packer for your files then this will definitely result in a
support nightmare sooner or later (especially if you have a larger user
base). A big disadvantage is that multiple instances of a packed binary
create multiple instances of the code in memory. Say goodbye to the
wonderful Shared Memory feature in Windows <g>. And if your intention is to
obfuscate the contents of the executable with UPX, forget about it. UPX
does not eliminate the chance of reverse engineering.

My $.02 <g>

Friedrich

NewsArchive
06-30-2011, 01:24 PM
Friedrich,

Thanks. Just a little follow-up on the anti-virus aspect: would that be true even
if the program is code signed?

--
Russell B. Eggen
www.radfusion.com

NewsArchive
06-30-2011, 01:25 PM
Hi Russ,

> Thanks. Just a little follow up on the anti-virus aspect, would that be
> true even if the program is code signed?

I fear code-signing does not help here. Too many malware authors are using
UPX -- in most cases, heuristic detection and not the virus definitions flag
UPX packaged files. Heuristic detection does not care whether a file is
code-signed or not.

Friedrich
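
As an added illustration of the two points Friedrich makes above (a dependency scan of a packed EXE only sees the extractor stub's import table, and heuristic packer detection never looks at a signature), here is a small PE inspector written for this thread. It is example code, not part of the original posts and not anything from the Clarion tooling or UPX itself. It parses the section table and the import directory of a PE32 image, and applies an explicit, deliberately simple heuristic (packer-style section names, or an import table naming at most one DLL). The two input images are constructed in memory by `build_sample_pe`, a hypothetical helper that writes only the headers and an import directory; they are not real programs.

```python
"""Inspect a PE image the way a static dependency scanner would: list section
names and the DLLs named in the import directory, then apply a simple packer
heuristic. Sample images are constructed inline; none is a real binary."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names the stock UPX stub writes


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= rva < s["va"] + span:
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def parse_pe(data):
    """Return (sections, imported_dlls) for a PE32/PE32+ image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)                # data directories: PE32 / PE32+
    import_rva = struct.unpack_from("<I", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    sec_hdr = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_hdr + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr})
    dlls = []
    if import_rva:
        off = _rva_to_offset(import_rva, sections)
        while True:
            oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
            if not (oft or name_rva or ft):                   # all-zero descriptor ends the array
                break
            name_off = _rva_to_offset(name_rva, sections)
            dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
            off += 20
    return sections, dlls


def packer_indicators(data):
    """Explicit toy heuristic (not any vendor's engine): packer section names, or an
    import table naming at most one DLL, suggest a packed image. Nothing here looks
    at an Authenticode signature, which is exactly why signing does not change the verdict."""
    sections, dlls = parse_pe(data)
    packer_secs = [s["name"].decode() for s in sections if s["name"] in PACKER_SECTION_NAMES]
    return {"sections": [s["name"].decode() for s in sections],
            "imported_dlls": dlls,
            "packer_sections": packer_secs,
            "looks_packed": bool(packer_secs) or len(dlls) <= 1}


def build_sample_pe(section_names, dll_names):
    """Hypothetical helper: constructs a PE32 image with headers plus one 0x200-byte
    raw block per section; the import directory lives in the last section. Thunk
    arrays are omitted because the scanner above only reads DLL names."""
    nsec = len(section_names)
    last_va = 0x1000 * nsec
    descs, names = b"", b""
    for dll in dll_names:
        name_rva = last_va + 20 * (len(dll_names) + 1) + len(names)
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
        names += dll.encode("ascii") + b"\0"
    import_blob = descs + struct.pack("<IIIII", 0, 0, 0, 0, 0) + names
    headers = bytearray(0x40)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)                          # e_lfanew
    headers += b"PE\0\0"
    headers += struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102)  # COFF header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, last_va, len(import_blob))
    headers += opt
    for i, name in enumerate(section_names):
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                               0x200, 0x200 * (i + 1), 0, 0, 0, 0, 0x40000040)
    image = bytes(headers).ljust(0x200, b"\0")
    for i in range(nsec):
        image += (import_blob if i == nsec - 1 else b"").ljust(0x200, b"\0")
    return image


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1", ".rsrc"], ["KERNEL32.dll"])
    normal = build_sample_pe([".text", ".data", ".idata"], ["KERNEL32.dll", "USER32.dll", "MSVCRT.dll"])
    print("packed-style image:", packer_indicators(packed))
    print("normal image:      ", packer_indicators(normal))
```

Run it and the first image reports only the stub's single KERNEL32.dll import and UPX-named sections, which is all a dependency scanner would ever see of a packed EXE; the second lists each DLL a normal build links against. A real scanner would additionally walk the thunk arrays for function names and handle bound or delay-load imports, which this example leaves out.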

NewsArchive
06-30-2011, 01:25 PM
Friedrich,

Appreciate the information. I'm sure this would probably kill any chances of
getting logo certified too! <g>

I've cancelled the UPX compression and I've now got my static scans back! ;-)

--
Russell B. Eggen
www.radfusion.com

NewsArchive
07-01-2011, 01:11 AM
Thanks for the info Friedrich! I have been using UPX for a while now. Not
now!

Don

NewsArchive
07-01-2011, 01:13 AM
Russ,

I use CHT to compress and code sign my apps. It uses UPX. Is this what
you are using?

Thanks,

Jeff

NewsArchive
07-02-2011, 12:33 AM
Friedrich,

Would that include the "Packing" that Armadillo does?

Kelly E Major

NewsArchive
07-02-2011, 12:34 AM
Hi Kelly,

> Would that include the "Packing" that Armadillo does?

Unfortunately, I don't know how Armadillo works behind the scenes. So I
can't answer this question :-(

Friedrich

NewsArchive
07-02-2011, 12:35 AM
It's what inspired me to look into it.

--
Russell B. Eggen
www.radfusion.com