npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- Static analysis reveals high entropy sections and minimal imports indicating the binary is packed
- PEiD, Detect It Easy, or PEStudio identifies UPX or another known packer
- The import table contains only LoadLibrary and GetProcAddress (runtime import resolution typical of packed binaries)
- You need to recover the original binary for proper disassembly and decompilation in Ghidra or IDA
- Automated UPX decompression fails because the malware author modified UPX magic bytes or headers
Do not use when dealing with custom packers, VM-based protectors (Themida, VMProtect), or samples where dynamic unpacking via debugging is more appropriate.
Prerequisites
- UPX (Ultimate Packer for eXecutables) installed (
apt install upx-uclor download from https://upx.github.io/) - Detect It Easy (DIE) for packer identification
- Python 3.8+ with
pefilelibrary for manual header repair - x64dbg or x32dbg for manual unpacking when automated tools fail
- PE-bear or CFF Explorer for PE header inspection and repair
- Isolated analysis VM without network connectivity
Workflow
Step 1: Identify the Packer
Determine if the sample is packed and identify the packer:
# Check with Detect It Easy
diec suspect.exe
# Check with UPX (test without unpacking)
upx -t suspect.exe
# Python-based entropy and packer detection
python3 << 'PYEOF'
import pefile
import math
pe = pefile.PE("suspect.exe")
print("Section Analysis:")
for section in pe.sections:
name = section.Name.decode().rstrip('\x00')
entropy = section.get_entropy()
raw = section.SizeOfRawData
virtual = section.Misc_VirtualSize
print(f" {name:8s} Entropy: {entropy:.2f} Raw: {raw:>8} Virtual: {virtual:>8}")
# Check for UPX section names
section_names = [s.Name.decode().rstrip('\x00') for s in pe.sections]
if 'UPX0' in section_names or 'UPX1' in section_names:
print("\n[!] UPX section names detected")
elif '.upx' in [s.lower() for s in section_names]:
print("\n[!] UPX variant section names detected")
# Check import count (packed binaries have very few)
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
total_imports = sum(len(e.imports) for e in pe.DIRECTORY_ENTRY_IMPORT)
print(f"\nTotal imports: {total_imports}")
if total_imports < 10:
print("[!] Very few imports - likely packed")
else:
print("\n[!] No import directory - heavily packed")
PYEOFStep 2: Attempt Standard UPX Decompression
Try the built-in UPX decompression:
# Standard UPX decompress
upx -d suspect.exe -o unpacked.exe
# If UPX fails with "not packed by UPX" error, the headers may be modified
# Verbose output for debugging
upx -d suspect.exe -o unpacked.exe -v 2>&1
# Verify the unpacked file
file unpacked.exe
diec unpacked.exeStep 3: Repair Modified UPX Headers
If standard decompression fails, repair tampered magic bytes:
# Repair modified UPX headers
import struct
with open("suspect.exe", "rb") as f:
data = bytearray(f.read())
# UPX magic bytes: "UPX!" (0x55505821)
# Malware authors commonly modify these to prevent automatic unpacking
# Search for modified UPX signatures
upx_magic = b"UPX!"
modified_patterns = [b"UPX0", b"UPX\x00", b"\x00PX!", b"UPx!"]
# Find and restore section names
pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
num_sections = struct.unpack_from("<H", data, pe_offset + 6)[0]
section_table_offset = pe_offset + 0x18 + struct.unpack_from("<H", data, pe_offset + 0x14)[0]
print(f"PE offset: 0x{pe_offset:X}")
print(f"Number of sections: {num_sections}")
print(f"Section table offset: 0x{section_table_offset:X}")
for i in range(num_sections):
offset = section_table_offset + (i * 40)
name = data[offset:offset+8]
print(f"Section {i}: {name}")
# Restore UPX magic bytes in the binary
# Search for the UPX header signature location (typically near the end of packed data)
for i in range(len(data) - 4):
if data[i:i+3] == b"UPX" and data[i+3] != ord("!"):
print(f"Found modified UPX magic at offset 0x{i:X}: {data[i:i+4]}")
data[i:i+4] = b"UPX!"
print(f"Restored to: UPX!")
# Also restore section names if modified
for i in range(num_sections):
offset = section_table_offset + (i * 40)
name = data[offset:offset+8].rstrip(b'\x00')
if name in [b"UPX0", b"UPX1", b"UPX2"]:
continue # Already correct
# Check for common modifications
if name.startswith(b"UP") or name.startswith(b"ux"):
original = f"UPX{i}".encode().ljust(8, b'\x00')
data[offset:offset+8] = original
print(f"Restored section name at 0x{offset:X} to {original}")
with open("suspect_fixed.exe", "wb") as f:
f.write(data)
print("\nFixed file written. Retry: upx -d suspect_fixed.exe -o unpacked.exe")Step 4: Manual Unpacking with Debugger
When automated unpacking fails entirely, use dynamic unpacking:
Manual UPX Unpacking with x64dbg:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Load packed sample in x64dbg
2. Run to the entry point (system breakpoint then F9)
3. UPX unpacking stub pattern:
a. PUSHAD (saves all registers)
b. Decompression loop (processes packed sections)
c. Resolves imports (LoadLibrary/GetProcAddress calls)
d. POPAD (restores registers)
e. JMP to OEP (original entry point)
4. Set hardware breakpoint on ESP after PUSHAD:
- After PUSHAD, right-click ESP in registers -> Follow in Dump
- Set hardware breakpoint on access at [ESP] address
- Run (F9) - breaks at POPAD before JMP to OEP
5. Step forward (F7/F8) until you reach the JMP to OEP
6. At OEP: Use Scylla plugin to dump and fix imports:
- Plugins -> Scylla -> OEP = current EIP
- Click "IAT Autosearch" -> "Get Imports"
- Click "Dump" to save unpacked binary
- Click "Fix Dump" to repair import tableStep 5: Validate Unpacked Binary
Verify the unpacked sample is valid and complete:
# Verify unpacked PE is valid
python3 << 'PYEOF'
import pefile
pe = pefile.PE("unpacked.exe")
# Check sections are normal
print("Unpacked Section Analysis:")
for section in pe.sections:
name = section.Name.decode().rstrip('\x00')
entropy = section.get_entropy()
print(f" {name:8s} Entropy: {entropy:.2f}")
# Verify imports are resolved
print(f"\nImport count:")
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
dll = entry.dll.decode()
count = len(entry.imports)
print(f" {dll}: {count} functions")
total = sum(len(e.imports) for e in pe.DIRECTORY_ENTRY_IMPORT)
print(f" Total: {total} imports")
# Compare file sizes
import os
packed_size = os.path.getsize("suspect.exe")
unpacked_size = os.path.getsize("unpacked.exe")
print(f"\nPacked: {packed_size:>10} bytes")
print(f"Unpacked: {unpacked_size:>10} bytes")
print(f"Ratio: {unpacked_size/packed_size:.1f}x")
PYEOFKey Concepts
| Term | Definition |
|---|---|
| Packing | Compressing or encrypting executable code to reduce file size and hinder static analysis; the binary contains an unpacking stub that restores code at runtime |
| UPX | Ultimate Packer for eXecutables; open-source executable packer commonly abused by malware authors because it is free and effective |
| Original Entry Point (OEP) | The real starting address of the malware code before packing; the unpacking stub decompresses code then jumps to the OEP |
| Import Reconstruction | Process of rebuilding the import address table after dumping an unpacked process from memory using tools like Scylla or ImpRec |
| PUSHAD/POPAD | x86 instructions that save/restore all general-purpose registers; UPX uses this pattern to preserve register state during unpacking |
| Section Entropy | Randomness measure of PE section data; packed sections show entropy > 7.0 while normal code sections average 5.0-6.5 |
| Magic Bytes | Signature bytes within a file identifying its format; UPX uses "UPX!" which malware authors modify to prevent automated decompression |
Tools & Systems
- UPX: Open-source executable packer with built-in decompression capability for properly packed files
- Detect It Easy (DIE): Packer, compiler, and linker detection tool that identifies protection on PE, ELF, and Mach-O files
- x64dbg/x32dbg: Open-source Windows debugger used for manual unpacking through dynamic execution and breakpoint-based OEP finding
- Scylla: Import reconstruction tool integrated with x64dbg for rebuilding IAT after memory dumping
- PE-bear: PE file viewer and editor for inspecting and repairing PE headers after unpacking
Common Scenarios
Scenario: Unpacking Malware with Modified UPX Headers
Context: A malware sample is identified as UPX-packed by section names (UPX0, UPX1) but upx -d fails with "CantUnpackException: header corrupted". The malware author modified the UPX magic bytes to prevent automated decompression.
Approach:
- Open the binary in a hex editor and search for the UPX header area (typically at the end of packed data)
- Identify the modified magic bytes (e.g., "UPX!" changed to "UPX\x00" or completely zeroed)
- Use the Python repair script to restore "UPX!" magic and correct section names
- Retry
upx -don the repaired binary - If repair fails, fall back to manual unpacking with x64dbg (PUSHAD -> hardware BP on ESP -> POPAD -> JMP OEP)
- Validate the unpacked binary has proper imports and reasonable entropy values
- Import into Ghidra or IDA for full static analysis
Pitfalls:
- Assuming UPX is the only packer; the binary may be double-packed (UPX + custom layer)
- Modifying the original packed sample instead of working on a copy
- Not reconstructing imports after manual memory dump (the dumped binary will crash without IAT fix)
- Forgetting to check for overlay data appended after the UPX-packed PE sections
Output Format
UNPACKING ANALYSIS REPORT
===========================
Sample: suspect.exe
SHA-256: e3b0c44298fc1c149afbf4c8996fb924...
Packer: UPX 3.96 (modified headers)
PACKED BINARY
Sections: UPX0 (entropy: 0.00) UPX1 (entropy: 7.89) .rsrc (entropy: 3.45)
Imports: 2 (kernel32.dll: LoadLibraryA, GetProcAddress)
File Size: 98,304 bytes
UNPACKING METHOD
Method: Header repair + UPX -d
Header Fix: Restored UPX! magic at offset 0x1F000
Command: upx -d suspect_fixed.exe -o unpacked.exe
Result: SUCCESS
UNPACKED BINARY
Sections: .text (entropy: 6.21) .rdata (entropy: 4.56) .data (entropy: 3.12) .rsrc (entropy: 3.45)
Imports: 147 (kernel32, user32, advapi32, wininet, ws2_32)
File Size: 245,760 bytes (2.5x expansion)
OEP: 0x00401000
VALIDATION
PE Valid: Yes
Imports Resolved: Yes (147 functions across 8 DLLs)
Executable: Yes (runs without crash in sandbox)
NEXT STEPS
- Import unpacked.exe into Ghidra for full disassembly
- Run YARA rules against unpacked binary
- Submit unpacked binary to VirusTotal for improved detectionReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md3.1 KB
API Reference: Packed Malware and UPX Analysis
UPX - Ultimate Packer for eXecutables
Syntax
upx -d <packed_file> # Decompress/unpack
upx -d -o <output> <packed_file> # Unpack to new file
upx -t <file> # Test if packed
upx -l <file> # List compression info
upx --version # Version infoOutput Format
File size Ratio Format Name
-------------------- ------ ----------- -----------
184320 <- 98304 53.33% win32/pe malware.exepefile - Python PE Analysis
Usage
import pefile
pe = pefile.PE("sample.exe")
# Section analysis
for section in pe.sections:
name = section.Name.rstrip(b"\x00").decode()
entropy = section.get_entropy()
print(f"{name}: entropy={entropy:.2f}")
# Import analysis
for entry in pe.DIRECTORY_ENTRY_IMPORT:
dll = entry.dll.decode()
for imp in entry.imports:
print(f"{dll}: {imp.name}")
pe.close()Packing Indicators
| Indicator | Threshold |
|---|---|
| Section entropy | > 7.0 (high, likely packed/encrypted) |
| Import count | < 10 (few imports suggest packing) |
| Virtual/Raw ratio | > 5x (large in-memory expansion) |
| Section names | UPX0, UPX1, .packed, .nsp |
Detect It Easy (DIE) - Packer Identification
Syntax
diec <sample.exe> # CLI scan
diec -j <sample.exe> # JSON outputOutput
PE32 executable
Packer: UPX(3.96)[NRV2B_LE32,best]
Compiler: MSVC(2019)PEiD - Packer Identification (Legacy)
Packer Signatures Database
| Packer | Section Names | Magic Bytes |
|---|---|---|
| UPX | UPX0, UPX1, UPX2 | UPX! at end of file |
| ASPack | .aspack, .adata | N/A |
| PECompact | .pec1, .pec2 | N/A |
| Themida | Various | Encrypted sections |
| VMProtect | .vmp0, .vmp1 | Virtualized code |
PEStudio - Static PE Analysis
Key Indicators
| Check | Description |
|---|---|
| Entropy | Section-level entropy analysis |
| Imports | API import analysis |
| Strings | Embedded string extraction |
| Signatures | Packer/compiler identification |
| Virustotal | Hash-based lookup |
x64dbg / x32dbg - Dynamic Unpacking
Generic Unpacking Steps
1. Set breakpoint on VirtualAlloc / VirtualProtect
2. Run until breakpoint
3. Check memory map for new RWX regions
4. Step until original entry point (OEP) reached
5. Dump memory at OEP using Scylla plugin
6. Fix import table with ScyllaKey API Breakpoints
| API | Purpose |
|---|---|
VirtualAlloc |
Memory allocation for unpacked code |
VirtualProtect |
Change memory protection (RWX) |
LoadLibraryA |
Load DLLs for import resolution |
GetProcAddress |
Resolve API addresses |
NtWriteVirtualMemory |
Write unpacked code to memory |
Entropy Interpretation
| Range | Interpretation |
|---|---|
| 0-1 | Nearly empty/uniform data |
| 1-5 | Normal code/data |
| 5-7 | Compressed or obfuscated |
| 7-8 | Encrypted or packed (maximum ~8.0) |
Scripts 1
agent.py8.5 KB
#!/usr/bin/env python3
"""Packed malware analysis agent for UPX and generic packer detection and unpacking."""
import subprocess
import os
import sys
import hashlib
import math
from collections import Counter
try:
import pefile
HAS_PEFILE = True
except ImportError:
HAS_PEFILE = False
def compute_hashes(filepath):
"""Compute file hashes."""
md5 = hashlib.md5()
sha256 = hashlib.sha256()
with open(filepath, "rb") as f:
for chunk in iter(lambda: f.read(65536), b""):
md5.update(chunk)
sha256.update(chunk)
return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
def calculate_entropy(data):
"""Calculate Shannon entropy of binary data."""
if not data:
return 0.0
counter = Counter(data)
length = len(data)
return round(-sum((c / length) * math.log2(c / length) for c in counter.values()), 4)
def detect_upx(filepath):
"""Check for UPX packing signatures in the binary."""
indicators = []
with open(filepath, "rb") as f:
data = f.read()
if b"UPX!" in data:
indicators.append("UPX! magic string found in binary")
if b"UPX0" in data:
indicators.append("UPX0 section name found")
if b"UPX1" in data:
indicators.append("UPX1 section name found")
if b"UPX2" in data:
indicators.append("UPX2 section name found")
# Check for corrupted/modified UPX headers
upx_pos = data.find(b"UPX!")
if upx_pos != -1:
# UPX version info follows the magic
if upx_pos + 24 <= len(data):
version_byte = data[upx_pos + 4]
indicators.append(f"UPX version byte: 0x{version_byte:02X}")
return indicators
def detect_generic_packing(filepath):
"""Detect generic packing indicators using PE section analysis."""
if not HAS_PEFILE:
return {"error": "pefile not installed: pip install pefile"}
try:
pe = pefile.PE(filepath)
except pefile.PEFormatError:
return {"error": "Not a valid PE file"}
indicators = []
sections = []
high_entropy_count = 0
for section in pe.sections:
name = section.Name.rstrip(b"\x00").decode("utf-8", errors="replace")
entropy = section.get_entropy()
raw_size = section.SizeOfRawData
virtual_size = section.Misc_VirtualSize
sections.append({
"name": name,
"entropy": round(entropy, 4),
"raw_size": raw_size,
"virtual_size": virtual_size,
"ratio": round(virtual_size / raw_size, 2) if raw_size > 0 else 0,
})
if entropy > 7.0:
high_entropy_count += 1
indicators.append(f"High entropy section: {name} ({entropy:.2f})")
if virtual_size > raw_size * 5 and raw_size > 0:
indicators.append(f"Suspicious size ratio in {name}: virtual/raw = {virtual_size/raw_size:.1f}x")
imports = []
if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
dll_name = entry.dll.decode("utf-8", errors="replace")
func_count = len(entry.imports)
imports.append({"dll": dll_name, "functions": func_count})
total_imports = sum(i["functions"] for i in imports)
if total_imports < 10:
indicators.append(f"Very few imports ({total_imports}) - typical of packed binaries")
# Check for LoadLibrary/GetProcAddress (runtime import resolution)
import_names = []
if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
for imp in entry.imports:
if imp.name:
import_names.append(imp.name.decode("utf-8", errors="replace"))
if "LoadLibraryA" in import_names and "GetProcAddress" in import_names:
indicators.append("LoadLibraryA + GetProcAddress present (runtime import resolution)")
pe.close()
return {
"sections": sections,
"imports": imports,
"total_imports": total_imports,
"high_entropy_sections": high_entropy_count,
"indicators": indicators,
"likely_packed": high_entropy_count > 0 or total_imports < 10,
}
def unpack_upx(filepath, output_path=None):
"""Attempt to unpack a UPX-packed binary."""
if output_path is None:
output_path = filepath + ".unpacked"
# First try standard UPX decompression
cmd = ["upx", "-d", "-o", output_path, filepath]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
return True, "Standard UPX unpack succeeded", output_path
# If standard fails, try fixing UPX headers
return False, result.stderr.strip(), None
def fix_upx_headers(filepath, output_path):
"""Attempt to fix corrupted UPX magic bytes for unpacking."""
with open(filepath, "rb") as f:
data = bytearray(f.read())
# Look for known UPX section names that might be renamed
modified = False
# Common modifications: UPX0/UPX1 renamed to something else
for i in range(len(data) - 3):
# Look for section header pattern near typical PE section table location
if data[i:i+3] in [b"UP0", b"UP1", b"UX0", b"UX1"]:
# Might be modified UPX section name
pass
# Fix UPX! magic if corrupted
for i in range(len(data) - 4):
if data[i:i+2] == b"UX" and data[i+2:i+4] == b"!\x00":
data[i:i+3] = b"UPX"
modified = True
if modified:
with open(output_path, "wb") as f:
f.write(data)
return True
return False
def compare_packed_unpacked(packed_path, unpacked_path):
"""Compare packed vs unpacked binary properties."""
if not HAS_PEFILE:
return {}
comparison = {}
for label, path in [("packed", packed_path), ("unpacked", unpacked_path)]:
try:
pe = pefile.PE(path)
imports = 0
if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
imports += len(entry.imports)
sections = len(pe.sections)
pe.close()
comparison[label] = {
"size": os.path.getsize(path),
"sections": sections,
"imports": imports,
"sha256": compute_hashes(path)["sha256"],
}
except Exception as e:
comparison[label] = {"error": str(e)}
return comparison
if __name__ == "__main__":
print("=" * 60)
print("Packed Malware Analysis Agent")
print("UPX detection, packer identification, automated unpacking")
print("=" * 60)
target = sys.argv[1] if len(sys.argv) > 1 else None
if target and os.path.exists(target):
print(f"\n[*] Analyzing: {target}")
hashes = compute_hashes(target)
print(f"[*] SHA-256: {hashes['sha256']}")
print(f"[*] Size: {os.path.getsize(target)} bytes")
print("\n--- UPX Signature Check ---")
upx_indicators = detect_upx(target)
for ind in upx_indicators:
print(f" [!] {ind}")
print("\n--- Generic Packing Analysis ---")
packing = detect_generic_packing(target)
if "error" not in packing:
print(f" Likely packed: {packing['likely_packed']}")
print(f" Total imports: {packing['total_imports']}")
print(f" High entropy sections: {packing['high_entropy_sections']}")
for ind in packing.get("indicators", []):
print(f" [!] {ind}")
print("\n Sections:")
for s in packing.get("sections", []):
flag = " [HIGH]" if s["entropy"] > 7.0 else ""
print(f" {s['name']:10s} entropy={s['entropy']:.2f} "
f"raw={s['raw_size']} virt={s['virtual_size']}{flag}")
if upx_indicators:
print("\n--- UPX Unpacking ---")
success, msg, output = unpack_upx(target)
if success:
print(f" [OK] {msg}")
print(f" [*] Unpacked file: {output}")
print("\n--- Comparison ---")
comp = compare_packed_unpacked(target, output)
for label, data in comp.items():
if "error" not in data:
print(f" {label}: size={data['size']}, "
f"sections={data['sections']}, imports={data['imports']}")
else:
print(f" [FAIL] {msg}")
print(" [*] Try fixing UPX headers or use dynamic unpacking with a debugger")
else:
print(f"\n[DEMO] Usage: python agent.py <packed_binary.exe>")