Kiskav

Win32 EXE packers

minacross, June 27th, 2004, 03:25 PM
forgive my ignorance :-[ :-[
what are win32 EXE packers, how do the AV scanners get more efficient by supporting more packers? ??? ::)

RejZoR, June 27th, 2004, 04:06 PM
EXE packers are for example UPX, ASPack, PECompact, NeoLite, PkLite and so on. They act similar to SFX archives using ZIP or RAR compression, but they work without any complications or need for external programs to unpack them for execution, plus they are very fast (much faster than ZIP or RAR archives) at self-unpacking.

Supporting more packers means that you can extract and investigate more content of such packers before actual execution of the packed program (the one which is inside). If you don't have support for that packer, the compressed executable must be executed in order to be detected. But doing this isn't always a good idea since the malicious program can bypass AV software at that state.
If it's detected (unpacked) before execution (usually on create/copy/move actions) this cannot happen.

AMRX, June 29th, 2004, 08:49 AM
dear minacross, packers are different from SFX when it comes to decompressing a file. SFX archives DON'T use any external programs but decompress on the disk. it can also run a file after decompression. packers decompress the file on-the-fly, which means it doesn't write anything on disk, it decompresses the file in the memory. so if the AV can't unpack the file, the malicious code will be loaded in the memory.

RejZoR, June 29th, 2004, 11:12 AM
I added SFX archives as comparison so it's easier to understand.
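
Added example, not part of any post in this thread and not code from any AV product: a sketch of the first step a scanner takes before it can unpack statically, which is recognising the packer from the PE section table without running the file. The section-name table is a small illustrative sample covering UPX and ASPack only, and build_sample is a hypothetical helper that constructs header-only test input.

```python
import struct

# Section names commonly left behind by two packers named in the thread.
# Illustrative sample only; real scanners use far larger signature sets.
PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
}

def section_names(data):
    """Read section names from a PE image on disk, without executing it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                     # section table start
    names = []
    for i in range(num_sections):
        entry = table + 40 * i                         # 40-byte entries
        if entry + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[entry:entry + 8].rstrip(b"\0"))
    return names

def identify_packer(data):
    """Return the packer name if a known section name is present, else None."""
    for name in section_names(data):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None

def build_sample(names):
    """Constructed header-only PE stub for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    samples = {
        "constructed UPX-style": [b"UPX0", b"UPX1", b".rsrc"],
        "constructed ASPack-style": [b".text", b".aspack", b".adata"],
        "constructed plain": [b".text", b".data"],
    }
    for label, names in samples.items():
        print(label, "->", identify_packer(build_sample(names)))
```

Section names are trivially renamed, so a None result does not mean the file is unpacked; it only means this check found no packer it knows how to handle before execution.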
