Lab 1: Packed Program Analysis

Overview

💡

This lab is designed to show you how to use reverse engineering tools to determine whether a program is packed. Malware often uses packing to compress or encrypt its code so that the real program is not visible to static analysis, making it harder for reverse engineers to understand what the program is doing.

Goals:

  • Understand indicators of a packed program
  • Learn how to use entropy analysis to decide if a program is packed
  • Practice using reverse engineering tools

Estimated Time: 45 Minutes

Instructions

Examine a non-packed file

Before you look at a packed file, let's try to get a sense of what a “normal” Windows executable looks like. To do this, you will analyze the explorer.exe program located at C:\Windows\explorer.exe on your VM. Alternatively, you can download a copy of the program here:

explorer.exe

Open the “Detect it Easy” tool

Detect it Easy (die) is a popular tool for analyzing Windows Portable Executable (PE) files to determine whether they are packed or obfuscated in some way. It has a large set of packer and compiler signatures baked in, along with entropy analysis, which it applies to the file.

Open the explorer program in die and then click the Advanced checkbox to get to the entropy settings.

Question
What is the overall entropy for this file? Does die think this program is packed/obfuscated?

Explain why you think the entropy graph is higher/lower in certain places.
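To see what the die and Binary Ninja entropy graphs are actually measuring, here is an added example (not code from either tool or from the lab) that computes Shannon entropy over a whole buffer and over fixed-size windows. The sample buffer is constructed in the script: a code-like region drawn from a small byte alphabet, zero padding such as you find between file-aligned sections, and random bytes standing in for a compressed payload. The 7.0 bits/byte threshold is a common rule of thumb, not a die setting.

```python
"""Shannon entropy of a file overall and per window, the quantity behind the
die and Binary Ninja entropy graphs.

Added example for this lab (not die's or Binary Ninja's code). The sample
buffer is constructed below; it is not a real executable.
"""
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 if every byte is the same, 8.0 if all 256 values are
    equally frequent. Compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy of each consecutive window, i.e. the points on the entropy graph.
    Small windows bias the estimate downward (1024 random bytes score roughly 7.8,
    256 roughly 7.2), so keep the window size in mind when comparing to a threshold."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def classify(data: bytes, window: int = 1024, threshold: float = 7.0) -> dict:
    """Overall entropy plus how much of the file sits above the threshold.
    7.0 bits/byte is a common rule of thumb for 'packed', not a hard boundary:
    a high-entropy .rsrc section (icons, embedded archives) trips it too."""
    profile = windowed_entropy(data, window)
    high = sum(1 for e in profile if e > threshold)
    return {"overall": round(shannon_entropy(data), 2),
            "windows": len(profile),
            "high_entropy_windows": high,
            "high_fraction": round(high / len(profile), 2) if profile else 0.0}

def ascii_graph(profile: list, window: int = 1024, width: int = 40) -> str:
    """Text rendering of the graph: file offset, entropy, bar scaled to 8 bits."""
    return "\n".join(f"{i * window:08x} {e:4.2f} {'#' * int(e / 8.0 * width)}"
                     for i, e in enumerate(profile))

# Constructed sample: 4 KiB of 'code' drawn from a small byte alphabet (real x86
# code typically scores around 6), 2 KiB of zero padding as found between
# file-aligned sections, then 8 KiB of random bytes standing in for a compressed payload.
_rng = random.Random(7)
CODE_LIKE = bytes(_rng.choice(b"\x55\x8b\xec\x83\xc4\x08\x89\x45\xfc\xe8\x00\xc3")
                  for _ in range(4096))
PADDING = b"\0" * 2048
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(8192))
SAMPLE = CODE_LIKE + PADDING + PACKED_BLOB

if __name__ == "__main__":
    print(ascii_graph(windowed_entropy(SAMPLE)))
    print(classify(SAMPLE))
```

Running it prints a bar per 1 KiB window: low bars over the code-like region, empty bars over the padding, and bars near the top over the random payload. Note that the overall entropy of this sample stays below 7.0 even though more than half of the windows are above it, which is why the graph, not just the single average number, is what you read when deciding whether a file is packed.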

Open explorer.exe in Binary Ninja

Next try opening the explorer.exe program in Binary Ninja. Navigate to the Triage Summary view and analyze the entropy section.

Question
Based on your previous analysis with die, what do you think Binary Ninja’s entropy section is telling you?

Tip

Review the Binary Ninja Documentation for information about what the colors mean.

Notice how many imported libraries and functions there are. A packer typically strips the import table down to a handful of entries and has its unpacking stub resolve the rest at runtime, so a rich import table is a good indication that this program is not packed. Conversely, having very few sections, or sections with unusual names, is a good indication that a program is packed. Open the Memory Map view in Binary Ninja.

Question
Do the sections of this binary seem strange to you?

Repeat this process with packed.exe

Repeat the analysis steps above using a packed file:

packed.exe

Question
What is the average entropy value? Does the entropy graph look different?

Question
Review the entropy graph in Binary Ninja. Explain how it is different from explorer.exe.

Question
Are the sections in this program different from what you normally see?
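The section checks you just made by eye for explorer.exe and packed.exe can also be made from the section table itself. Below is an added example written for this lab (not code from die, Binary Ninja or UPX) that parses a PE file's section table with the Python standard library and applies the same checks: unusual section names, sections with no data on disk but space reserved in memory, writable-and-executable sections, and per-section entropy. The two PE images it analyzes are constructed in the script with just enough header to be parsed; the list of "common" section names and the 7.0 bits/byte line are assumptions of the example, not fixed rules. The section characteristics values are the standard IMAGE_SCN_* flag combinations.

```python
"""Parse a PE section table and flag the packing indicators the lab has you look for.
Added example for this lab, not code from die or Binary Ninja. Standard library only;
the two sample PE images are constructed below and are not real programs."""
import math
import random
import struct
import sys
from collections import Counter

COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".bss", ".tls", ".didat"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_MASK = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size        # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "characteristics": chars, "entropy": shannon_entropy(raw)})
    return sections

def packing_indicators(sections: list) -> list:
    """The checks the lab has you make by eye in die and the Memory Map view.
    Each finding is a hint, not a verdict: legitimate binaries trip some of them."""
    findings = []
    for s in sections:
        n = s["name"]
        if n not in COMMON_SECTIONS:
            findings.append(f"{n}: uncommon section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{n}: no data on disk but {s['virtual_size']:#x} bytes "
                            "reserved in memory (room for the unpacked image)")
        if (s["characteristics"] & RWX_MASK) == RWX_MASK:
            findings.append(f"{n}: writable and executable")
        if s["entropy"] > 7.0:
            findings.append(f"{n}: entropy {s['entropy']:.2f}, compressed or encrypted")
    if len(sections) < 3:
        findings.append(f"only {len(sections)} section(s)")
    return findings

def build_pe(sections: list) -> bytes:
    """Constructed minimal PE: DOS header, COFF header, zeroed PE32+ optional
    header, section table, then raw section data at 0x200 file alignment.
    sections = [(name, raw_bytes, virtual_size_or_0, characteristics), ...]"""
    opt_size = 0xF0
    hdr_end = 0x80 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_end + 0x1FF) & ~0x1FF
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data, vsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize or len(data),
                             vaddr, len(data), raw_base + len(blobs) if data else 0,
                             0, 0, 0, 0, chars)
        blobs += data
        vaddr += (max(vsize, len(data)) + 0xFFF) & ~0xFFF
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    return (dos + b"PE\0\0" + coff + b"\0" * opt_size + table).ljust(raw_base, b"\0") + blobs

_rng = random.Random(3)
_CODE = bytes(_rng.choice(b"\x55\x8b\xec\x83\xc4\x08\x89\x45\xfc\xe8\xc3") for _ in range(4096))
# Compiler-built layout (constructed): code, read-only data, writable data.
NORMAL_PE = build_pe([(b".text", _CODE, 0, 0x60000020),
                      (b".rdata", b"Hello from the lab\0" * 64, 0, 0x40000040),
                      (b".data", b"\0" * 1024, 0, 0xC0000040)])
# UPX-style layout (constructed): empty UPX0 reserved for the unpacked image,
# UPX1 holding stub plus compressed payload, .rsrc kept for icons/manifest.
PACKED_PE = build_pe([(b"UPX0", b"", 0x10000, 0xE0000080),
                      (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(8192)), 0, 0xE0000040),
                      (b".rsrc", b"\0" * 512, 0, 0xC0000040)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_PE
    for s in parse_sections(data):
        print(f"{s['name']:<8} raw={s['raw_size']:#8x} virt={s['virtual_size']:#8x} "
              f"chars={s['characteristics']:#010x} entropy={s['entropy']:.2f}")
    print(*packing_indicators(parse_sections(data)), sep="\n")
```

Run it with a file argument (for example the lab's packed.exe) to print each section's sizes, flags and entropy followed by the findings; with no argument it analyzes the constructed UPX-style image. The constructed "normal" image produces no findings, while the UPX-style image is flagged on its section names, the empty UPX0 section, the writable-and-executable flags, and the entropy of UPX1.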

Run the program to see what it does

Important

This program was written by the instructors and is NOT malicious.

Question
Do you see any of the text the program printed when you look at its strings in Binary Ninja? What does this tell you about why malware authors might want to use a packer on their code?

Can you think of any valid reason(s) why legitimate software might use a packer?

Figure out how to unpack it

Your last challenge is to try to unpack this program. Googling strings or section names is a good way to figure out which packer was used. Detect it Easy certainly has some helpful information as well.

Question
What command (or any other method) did you use to unpack the program?

Optional: Advanced Packer Analysis

If you would like to look at more advanced examples of packed malware, this blog post by Intezer is a good place to start. The sample referenced in part one of the article can be found here.

Solutions


Analysis of explorer.exe

Analysis of packed.exe

To unpack the file you can run the following (add -o unpacked.exe to write the result to a new file instead of overwriting packed.exe):

upx -d packed.exe

Submission

📝
Submit a markdown file with any code you wrote and the answers to questions to ELMS.