malware analysis

Analyzing Packed Malware with UPX Unpacker

Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression. Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.

malwarepackingstatic-analysisunpackingupx
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • Static analysis reveals high entropy sections and minimal imports indicating the binary is packed
  • PEiD, Detect It Easy, or PEStudio identifies UPX or another known packer
  • The import table contains only LoadLibrary and GetProcAddress (runtime import resolution typical of packed binaries)
  • You need to recover the original binary for proper disassembly and decompilation in Ghidra or IDA
  • Automated UPX decompression fails because the malware author modified UPX magic bytes or headers

Do not use when dealing with custom packers, VM-based protectors (Themida, VMProtect), or samples where dynamic unpacking via debugging is more appropriate.

Prerequisites

  • UPX (Ultimate Packer for eXecutables) installed (apt install upx-ucl or download from https://upx.github.io/)
  • Detect It Easy (DIE) for packer identification
  • Python 3.8+ with pefile library for manual header repair
  • x64dbg or x32dbg for manual unpacking when automated tools fail
  • PE-bear or CFF Explorer for PE header inspection and repair
  • Isolated analysis VM without network connectivity

Workflow

Step 1: Identify the Packer

Determine if the sample is packed and identify the packer:

# Check with Detect It Easy
diec suspect.exe
 
# Check with UPX (test without unpacking)
upx -t suspect.exe
 
# Python-based entropy and packer detection
python3 << 'PYEOF'
import pefile
import math
 
pe = pefile.PE("suspect.exe")
 
print("Section Analysis:")
for section in pe.sections:
    name = section.Name.decode().rstrip('\x00')
    entropy = section.get_entropy()
    raw = section.SizeOfRawData
    virtual = section.Misc_VirtualSize
    print(f"  {name:8s} Entropy: {entropy:.2f}  Raw: {raw:>8}  Virtual: {virtual:>8}")
 
# Check for UPX section names
section_names = [s.Name.decode().rstrip('\x00') for s in pe.sections]
if 'UPX0' in section_names or 'UPX1' in section_names:
    print("\n[!] UPX section names detected")
elif '.upx' in [s.lower() for s in section_names]:
    print("\n[!] UPX variant section names detected")
 
# Check import count (packed binaries have very few)
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    total_imports = sum(len(e.imports) for e in pe.DIRECTORY_ENTRY_IMPORT)
    print(f"\nTotal imports: {total_imports}")
    if total_imports < 10:
        print("[!] Very few imports - likely packed")
else:
    print("\n[!] No import directory - heavily packed")
PYEOF

Step 2: Attempt Standard UPX Decompression

Try the built-in UPX decompression:

# Standard UPX decompress
upx -d suspect.exe -o unpacked.exe
 
# If UPX fails with "not packed by UPX" error, the headers may be modified
# Verbose output for debugging
upx -d suspect.exe -o unpacked.exe -v 2>&1
 
# Verify the unpacked file
file unpacked.exe
diec unpacked.exe

Step 3: Repair Modified UPX Headers

If standard decompression fails, repair tampered magic bytes:

# Repair modified UPX headers
import struct
 
with open("suspect.exe", "rb") as f:
    data = bytearray(f.read())
 
# UPX magic bytes: "UPX!" (0x55505821)
# Malware authors commonly modify these to prevent automatic unpacking
 
# Search for modified UPX signatures
upx_magic = b"UPX!"
modified_patterns = [b"UPX0", b"UPX\x00", b"\x00PX!", b"UPx!"]
 
# Find and restore section names
pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
num_sections = struct.unpack_from("<H", data, pe_offset + 6)[0]
section_table_offset = pe_offset + 0x18 + struct.unpack_from("<H", data, pe_offset + 0x14)[0]
 
print(f"PE offset: 0x{pe_offset:X}")
print(f"Number of sections: {num_sections}")
print(f"Section table offset: 0x{section_table_offset:X}")
 
for i in range(num_sections):
    offset = section_table_offset + (i * 40)
    name = data[offset:offset+8]
    print(f"Section {i}: {name}")
 
# Restore UPX magic bytes in the binary
# Search for the UPX header signature location (typically near the end of packed data)
for i in range(len(data) - 4):
    if data[i:i+3] == b"UPX" and data[i+3] != ord("!"):
        print(f"Found modified UPX magic at offset 0x{i:X}: {data[i:i+4]}")
        data[i:i+4] = b"UPX!"
        print(f"Restored to: UPX!")
 
# Also restore section names if modified
for i in range(num_sections):
    offset = section_table_offset + (i * 40)
    name = data[offset:offset+8].rstrip(b'\x00')
    if name in [b"UPX0", b"UPX1", b"UPX2"]:
        continue  # Already correct
    # Check for common modifications
    if name.startswith(b"UP") or name.startswith(b"ux"):
        original = f"UPX{i}".encode().ljust(8, b'\x00')
        data[offset:offset+8] = original
        print(f"Restored section name at 0x{offset:X} to {original}")
 
with open("suspect_fixed.exe", "wb") as f:
    f.write(data)
 
print("\nFixed file written. Retry: upx -d suspect_fixed.exe -o unpacked.exe")

Step 4: Manual Unpacking with Debugger

When automated unpacking fails entirely, use dynamic unpacking:

Manual UPX Unpacking with x64dbg:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Load packed sample in x64dbg
2. Run to the entry point (system breakpoint then F9)
3. UPX unpacking stub pattern:
   a. PUSHAD (saves all registers)
   b. Decompression loop (processes packed sections)
   c. Resolves imports (LoadLibrary/GetProcAddress calls)
   d. POPAD (restores registers)
   e. JMP to OEP (original entry point)
4. Set hardware breakpoint on ESP after PUSHAD:
   - After PUSHAD, right-click ESP in registers -> Follow in Dump
   - Set hardware breakpoint on access at [ESP] address
   - Run (F9) - breaks at POPAD before JMP to OEP
5. Step forward (F7/F8) until you reach the JMP to OEP
6. At OEP: Use Scylla plugin to dump and fix imports:
   - Plugins -> Scylla -> OEP = current EIP
   - Click "IAT Autosearch" -> "Get Imports"
   - Click "Dump" to save unpacked binary
   - Click "Fix Dump" to repair import table

Step 5: Validate Unpacked Binary

Verify the unpacked sample is valid and complete:

# Verify unpacked PE is valid
python3 << 'PYEOF'
import pefile
 
pe = pefile.PE("unpacked.exe")
 
# Check sections are normal
print("Unpacked Section Analysis:")
for section in pe.sections:
    name = section.Name.decode().rstrip('\x00')
    entropy = section.get_entropy()
    print(f"  {name:8s} Entropy: {entropy:.2f}")
 
# Verify imports are resolved
print(f"\nImport count:")
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        dll = entry.dll.decode()
        count = len(entry.imports)
        print(f"  {dll}: {count} functions")
    total = sum(len(e.imports) for e in pe.DIRECTORY_ENTRY_IMPORT)
    print(f"  Total: {total} imports")
 
# Compare file sizes
import os
packed_size = os.path.getsize("suspect.exe")
unpacked_size = os.path.getsize("unpacked.exe")
print(f"\nPacked:   {packed_size:>10} bytes")
print(f"Unpacked: {unpacked_size:>10} bytes")
print(f"Ratio:    {unpacked_size/packed_size:.1f}x")
PYEOF

Key Concepts

Term Definition
Packing Compressing or encrypting executable code to reduce file size and hinder static analysis; the binary contains an unpacking stub that restores code at runtime
UPX Ultimate Packer for eXecutables; open-source executable packer commonly abused by malware authors because it is free and effective
Original Entry Point (OEP) The real starting address of the malware code before packing; the unpacking stub decompresses code then jumps to the OEP
Import Reconstruction Process of rebuilding the import address table after dumping an unpacked process from memory using tools like Scylla or ImpRec
PUSHAD/POPAD x86 instructions that save/restore all general-purpose registers; UPX uses this pattern to preserve register state during unpacking
Section Entropy Randomness measure of PE section data; packed sections show entropy > 7.0 while normal code sections average 5.0-6.5
Magic Bytes Signature bytes within a file identifying its format; UPX uses "UPX!" which malware authors modify to prevent automated decompression

Tools & Systems

  • UPX: Open-source executable packer with built-in decompression capability for properly packed files
  • Detect It Easy (DIE): Packer, compiler, and linker detection tool that identifies protection on PE, ELF, and Mach-O files
  • x64dbg/x32dbg: Open-source Windows debugger used for manual unpacking through dynamic execution and breakpoint-based OEP finding
  • Scylla: Import reconstruction tool integrated with x64dbg for rebuilding IAT after memory dumping
  • PE-bear: PE file viewer and editor for inspecting and repairing PE headers after unpacking

Common Scenarios

Scenario: Unpacking Malware with Modified UPX Headers

Context: A malware sample is identified as UPX-packed by section names (UPX0, UPX1) but upx -d fails with "CantUnpackException: header corrupted". The malware author modified the UPX magic bytes to prevent automated decompression.

Approach:

  1. Open the binary in a hex editor and search for the UPX header area (typically at the end of packed data)
  2. Identify the modified magic bytes (e.g., "UPX!" changed to "UPX\x00" or completely zeroed)
  3. Use the Python repair script to restore "UPX!" magic and correct section names
  4. Retry upx -d on the repaired binary
  5. If repair fails, fall back to manual unpacking with x64dbg (PUSHAD -> hardware BP on ESP -> POPAD -> JMP OEP)
  6. Validate the unpacked binary has proper imports and reasonable entropy values
  7. Import into Ghidra or IDA for full static analysis

Pitfalls:

  • Assuming UPX is the only packer; the binary may be double-packed (UPX + custom layer)
  • Modifying the original packed sample instead of working on a copy
  • Not reconstructing imports after manual memory dump (the dumped binary will crash without IAT fix)
  • Forgetting to check for overlay data appended after the UPX-packed PE sections

Output Format

UNPACKING ANALYSIS REPORT
===========================
Sample:           suspect.exe
SHA-256:          e3b0c44298fc1c149afbf4c8996fb924...
Packer:           UPX 3.96 (modified headers)
 
PACKED BINARY
Sections:         UPX0 (entropy: 0.00) UPX1 (entropy: 7.89) .rsrc (entropy: 3.45)
Imports:          2 (kernel32.dll: LoadLibraryA, GetProcAddress)
File Size:        98,304 bytes
 
UNPACKING METHOD
Method:           Header repair + UPX -d
Header Fix:       Restored UPX! magic at offset 0x1F000
Command:          upx -d suspect_fixed.exe -o unpacked.exe
Result:           SUCCESS
 
UNPACKED BINARY
Sections:         .text (entropy: 6.21) .rdata (entropy: 4.56) .data (entropy: 3.12) .rsrc (entropy: 3.45)
Imports:          147 (kernel32, user32, advapi32, wininet, ws2_32)
File Size:        245,760 bytes (2.5x expansion)
OEP:              0x00401000
 
VALIDATION
PE Valid:         Yes
Imports Resolved: Yes (147 functions across 8 DLLs)
Executable:       Yes (runs without crash in sandbox)
 
NEXT STEPS
- Import unpacked.exe into Ghidra for full disassembly
- Run YARA rules against unpacked binary
- Submit unpacked binary to VirusTotal for improved detection
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md3.1 KB

API Reference: Packed Malware and UPX Analysis

UPX - Ultimate Packer for eXecutables

Syntax

upx -d <packed_file>                    # Decompress/unpack
upx -d -o <output> <packed_file>        # Unpack to new file
upx -t <file>                           # Test if packed
upx -l <file>                           # List compression info
upx --version                           # Version info

Output Format

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    184320 <-     98304   53.33%   win32/pe      malware.exe

pefile - Python PE Analysis

Usage

import pefile
 
pe = pefile.PE("sample.exe")
 
# Section analysis
for section in pe.sections:
    name = section.Name.rstrip(b"\x00").decode()
    entropy = section.get_entropy()
    print(f"{name}: entropy={entropy:.2f}")
 
# Import analysis
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    dll = entry.dll.decode()
    for imp in entry.imports:
        print(f"{dll}: {imp.name}")
 
pe.close()

Packing Indicators

Indicator Threshold
Section entropy > 7.0 (high, likely packed/encrypted)
Import count < 10 (few imports suggest packing)
Virtual/Raw ratio > 5x (large in-memory expansion)
Section names UPX0, UPX1, .packed, .nsp

Detect It Easy (DIE) - Packer Identification

Syntax

diec <sample.exe>           # CLI scan
diec -j <sample.exe>        # JSON output

Output

PE32 executable
  Packer: UPX(3.96)[NRV2B_LE32,best]
  Compiler: MSVC(2019)

PEiD - Packer Identification (Legacy)

Packer Signatures Database

Packer Section Names Magic Bytes
UPX UPX0, UPX1, UPX2 UPX! at end of file
ASPack .aspack, .adata N/A
PECompact .pec1, .pec2 N/A
Themida Various Encrypted sections
VMProtect .vmp0, .vmp1 Virtualized code

PEStudio - Static PE Analysis

Key Indicators

Check Description
Entropy Section-level entropy analysis
Imports API import analysis
Strings Embedded string extraction
Signatures Packer/compiler identification
Virustotal Hash-based lookup

x64dbg / x32dbg - Dynamic Unpacking

Generic Unpacking Steps

1. Set breakpoint on VirtualAlloc / VirtualProtect
2. Run until breakpoint
3. Check memory map for new RWX regions
4. Step until original entry point (OEP) reached
5. Dump memory at OEP using Scylla plugin
6. Fix import table with Scylla

Key API Breakpoints

API Purpose
VirtualAlloc Memory allocation for unpacked code
VirtualProtect Change memory protection (RWX)
LoadLibraryA Load DLLs for import resolution
GetProcAddress Resolve API addresses
NtWriteVirtualMemory Write unpacked code to memory

Entropy Interpretation

Range Interpretation
0-1 Nearly empty/uniform data
1-5 Normal code/data
5-7 Compressed or obfuscated
7-8 Encrypted or packed (maximum ~8.0)

Scripts 1

agent.py8.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Packed malware analysis agent for UPX and generic packer detection and unpacking."""

import subprocess
import os
import sys
import hashlib
import math
from collections import Counter

try:
    import pefile
    HAS_PEFILE = True
except ImportError:
    HAS_PEFILE = False


def compute_hashes(filepath):
    """Compute file hashes."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(filepath, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def calculate_entropy(data):
    """Calculate Shannon entropy of binary data."""
    if not data:
        return 0.0
    counter = Counter(data)
    length = len(data)
    return round(-sum((c / length) * math.log2(c / length) for c in counter.values()), 4)


def detect_upx(filepath):
    """Check for UPX packing signatures in the binary."""
    indicators = []
    with open(filepath, "rb") as f:
        data = f.read()

    if b"UPX!" in data:
        indicators.append("UPX! magic string found in binary")
    if b"UPX0" in data:
        indicators.append("UPX0 section name found")
    if b"UPX1" in data:
        indicators.append("UPX1 section name found")
    if b"UPX2" in data:
        indicators.append("UPX2 section name found")

    # Check for corrupted/modified UPX headers
    upx_pos = data.find(b"UPX!")
    if upx_pos != -1:
        # UPX version info follows the magic
        if upx_pos + 24 <= len(data):
            version_byte = data[upx_pos + 4]
            indicators.append(f"UPX version byte: 0x{version_byte:02X}")
    return indicators


def detect_generic_packing(filepath):
    """Detect generic packing indicators using PE section analysis."""
    if not HAS_PEFILE:
        return {"error": "pefile not installed: pip install pefile"}
    try:
        pe = pefile.PE(filepath)
    except pefile.PEFormatError:
        return {"error": "Not a valid PE file"}

    indicators = []
    sections = []
    high_entropy_count = 0

    for section in pe.sections:
        name = section.Name.rstrip(b"\x00").decode("utf-8", errors="replace")
        entropy = section.get_entropy()
        raw_size = section.SizeOfRawData
        virtual_size = section.Misc_VirtualSize
        sections.append({
            "name": name,
            "entropy": round(entropy, 4),
            "raw_size": raw_size,
            "virtual_size": virtual_size,
            "ratio": round(virtual_size / raw_size, 2) if raw_size > 0 else 0,
        })
        if entropy > 7.0:
            high_entropy_count += 1
            indicators.append(f"High entropy section: {name} ({entropy:.2f})")
        if virtual_size > raw_size * 5 and raw_size > 0:
            indicators.append(f"Suspicious size ratio in {name}: virtual/raw = {virtual_size/raw_size:.1f}x")

    imports = []
    if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
        for entry in pe.DIRECTORY_ENTRY_IMPORT:
            dll_name = entry.dll.decode("utf-8", errors="replace")
            func_count = len(entry.imports)
            imports.append({"dll": dll_name, "functions": func_count})

    total_imports = sum(i["functions"] for i in imports)
    if total_imports < 10:
        indicators.append(f"Very few imports ({total_imports}) - typical of packed binaries")

    # Check for LoadLibrary/GetProcAddress (runtime import resolution)
    import_names = []
    if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
        for entry in pe.DIRECTORY_ENTRY_IMPORT:
            for imp in entry.imports:
                if imp.name:
                    import_names.append(imp.name.decode("utf-8", errors="replace"))
    if "LoadLibraryA" in import_names and "GetProcAddress" in import_names:
        indicators.append("LoadLibraryA + GetProcAddress present (runtime import resolution)")

    pe.close()
    return {
        "sections": sections,
        "imports": imports,
        "total_imports": total_imports,
        "high_entropy_sections": high_entropy_count,
        "indicators": indicators,
        "likely_packed": high_entropy_count > 0 or total_imports < 10,
    }


def unpack_upx(filepath, output_path=None):
    """Attempt to unpack a UPX-packed binary."""
    if output_path is None:
        output_path = filepath + ".unpacked"
    # First try standard UPX decompression
    cmd = ["upx", "-d", "-o", output_path, filepath]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode == 0:
        return True, "Standard UPX unpack succeeded", output_path

    # If standard fails, try fixing UPX headers
    return False, result.stderr.strip(), None


def fix_upx_headers(filepath, output_path):
    """Attempt to fix corrupted UPX magic bytes for unpacking."""
    with open(filepath, "rb") as f:
        data = bytearray(f.read())

    # Look for known UPX section names that might be renamed
    modified = False
    # Common modifications: UPX0/UPX1 renamed to something else
    for i in range(len(data) - 3):
        # Look for section header pattern near typical PE section table location
        if data[i:i+3] in [b"UP0", b"UP1", b"UX0", b"UX1"]:
            # Might be modified UPX section name
            pass

    # Fix UPX! magic if corrupted
    for i in range(len(data) - 4):
        if data[i:i+2] == b"UX" and data[i+2:i+4] == b"!\x00":
            data[i:i+3] = b"UPX"
            modified = True

    if modified:
        with open(output_path, "wb") as f:
            f.write(data)
        return True
    return False


def compare_packed_unpacked(packed_path, unpacked_path):
    """Compare packed vs unpacked binary properties."""
    if not HAS_PEFILE:
        return {}
    comparison = {}
    for label, path in [("packed", packed_path), ("unpacked", unpacked_path)]:
        try:
            pe = pefile.PE(path)
            imports = 0
            if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
                for entry in pe.DIRECTORY_ENTRY_IMPORT:
                    imports += len(entry.imports)
            sections = len(pe.sections)
            pe.close()
            comparison[label] = {
                "size": os.path.getsize(path),
                "sections": sections,
                "imports": imports,
                "sha256": compute_hashes(path)["sha256"],
            }
        except Exception as e:
            comparison[label] = {"error": str(e)}
    return comparison


if __name__ == "__main__":
    print("=" * 60)
    print("Packed Malware Analysis Agent")
    print("UPX detection, packer identification, automated unpacking")
    print("=" * 60)

    target = sys.argv[1] if len(sys.argv) > 1 else None

    if target and os.path.exists(target):
        print(f"\n[*] Analyzing: {target}")
        hashes = compute_hashes(target)
        print(f"[*] SHA-256: {hashes['sha256']}")
        print(f"[*] Size: {os.path.getsize(target)} bytes")

        print("\n--- UPX Signature Check ---")
        upx_indicators = detect_upx(target)
        for ind in upx_indicators:
            print(f"  [!] {ind}")

        print("\n--- Generic Packing Analysis ---")
        packing = detect_generic_packing(target)
        if "error" not in packing:
            print(f"  Likely packed: {packing['likely_packed']}")
            print(f"  Total imports: {packing['total_imports']}")
            print(f"  High entropy sections: {packing['high_entropy_sections']}")
            for ind in packing.get("indicators", []):
                print(f"  [!] {ind}")
            print("\n  Sections:")
            for s in packing.get("sections", []):
                flag = " [HIGH]" if s["entropy"] > 7.0 else ""
                print(f"    {s['name']:10s} entropy={s['entropy']:.2f} "
                      f"raw={s['raw_size']} virt={s['virtual_size']}{flag}")

        if upx_indicators:
            print("\n--- UPX Unpacking ---")
            success, msg, output = unpack_upx(target)
            if success:
                print(f"  [OK] {msg}")
                print(f"  [*] Unpacked file: {output}")
                print("\n--- Comparison ---")
                comp = compare_packed_unpacked(target, output)
                for label, data in comp.items():
                    if "error" not in data:
                        print(f"  {label}: size={data['size']}, "
                              f"sections={data['sections']}, imports={data['imports']}")
            else:
                print(f"  [FAIL] {msg}")
                print("  [*] Try fixing UPX headers or use dynamic unpacking with a debugger")
    else:
        print(f"\n[DEMO] Usage: python agent.py <packed_binary.exe>")
Keep exploring