Run Time Packers

Discussion in 'NOD32 version 2 Forum' started by gberns, Apr 23, 2005.

Thread Status:
Not open for further replies.
  1. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    I scan them but have no clue what they are. Could someone please tell me?

    Many thanks.

    Gary
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Runtime packers are self-extracting executable compression algorithms.
    The most common are UPX, PE_Compact, PKLite, ASPack etc.
    Executables compressed with such runtime packers act exactly (ok, almost exactly) like non-compressed executables. The main difference is only in the final file size, which is much smaller in the packed case.
    Also, many people mix up packers with archives. They are clearly two different things. Archives are ZIP (Deflate), ACE, RAR, 7z etc., while packers are those mentioned above.
     
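One practical way to see what the post above describes is to look at a PE file's section table: packers leave recognisable section names behind (UPX0/UPX1, .aspack, pec1 ...), the section holding the compressed image has near-random entropy, and the section the stub decompresses into has no raw data on disk at all. The script below is an added example, not code from the thread or from any product mentioned in it. The two PE images are constructed in memory (one "clean", one laid out the way a UPX-packed file is), the section-name table is an illustrative subset, and the 7.0 bits/byte threshold is an assumed cut-off.

```python
"""Spot run-time-packed PE files from the section table: packer section
names, high section entropy and an empty "unpack here" section.
Added example, not code from the thread.  The PE images are built in
memory (constructed samples) so the script runs offline; a real file
would be read with open(path, "rb").read()."""
import math
import random
import struct

# Section names that well-known packers leave behind (illustrative subset).
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b"pec1": "PECompact", b"pec2": "PECompact",
    b".petite": "Petite",
}
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_THRESHOLD = 7.0        # bits/byte (assumed cut-off); plain x86 code sits well below


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": round(entropy(raw), 2)})
    return sections


def analyze(pe: bytes) -> dict:
    """Combine the three heuristics into one verdict."""
    secs = parse_sections(pe)
    packers = sorted({PACKER_SECTION_NAMES[s["name"]] for s in secs
                      if s["name"] in PACKER_SECTION_NAMES})
    high_entropy = [s["name"] for s in secs if s["entropy"] > ENTROPY_THRESHOLD]
    # No raw data but a large virtual size: the stub decompresses into it at run time.
    empty_dest = [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] > 0]
    return {"sections": secs, "packers": packers, "high_entropy": high_entropy,
            "empty_destination": empty_dest,
            "likely_packed": bool(packers or high_entropy or empty_dest)}


def build_pe(sections) -> bytes:
    """Construct a minimal PE32 image (DOS stub, PE/COFF headers, section table, raw data).
    sections: list of (name, raw_data, virtual_size).  Only as complete as the parser needs."""
    opt_size = 224
    header_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    table, body, offset, vaddr = b"", b"", header_len, 0x1000
    for name, data, vsize in sections:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, len(data),
                             offset if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        offset += len(data)
        vaddr += (max(vsize, 1) + 0xFFF) & ~0xFFF
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body


# Constructed samples: an ordinary binary and a UPX-style packed one.
_rng = random.Random(1)
CLEAN = build_pe([(b".text", b"\x55\x8b\xec\x83\xec\x10\x31\xc0\xc9\xc3" * 400, 4000),
                  (b".data", b"Hello, world\0" * 64, 832)])
PACKED = build_pe([(b"UPX0", b"", 0x20000),
                   (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x1000),
                   (b".rsrc", b"\0" * 512, 512)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("packed", PACKED)):
        r = analyze(sample)
        print(label, r["packers"], r["high_entropy"], r["empty_destination"], r["likely_packed"])
```

None of the three checks is proof on its own (a .NET or compiler-generated binary can carry a high-entropy resource section, and a packer can rename its sections), which is why real scanners still have to unpack or emulate before trusting a signature; the heuristics are only a cheap first filter.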
  3. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    Thanks for the answer. I now have the technical names for that which I did not know. But if you asked me to explain them...

    At least I know I am protected from anything hidden in them and I guess that is what really matters to me.
     
  4. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    If you want to know more about how they can be used, this might be of interest.

    More About Scanning Trojans

    http://forum.gladiator-antivirus.com/index.php?act=ST&f=4&t=344&st=0
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yeah, if an antivirus can unpack such runtime packers it can use the same signature for all copies of the same malware.

    For example:

    Say a piece of malware (let's say MyDoom-A) is packed with UPX, another copy of the same malware with ASPack and a third one with PE_Compact. If the antivirus supports all 3 packer types it can detect the same malware with only 1 signature.

    If the antivirus supports only UPX and not ASPack and PE_Compact, it requires 1 signature for UPX and another 2 for the unsupported packer types.
    That's 3 signatures in total.

    This means more work for the AV developer and a much higher chance of missing certain malware just because it's compressed with a different packer.
     
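The signature arithmetic in the post above, as an added example that is not part of the thread or of any product named in it. zlib, bz2 and lzma stand in for UPX, ASPack and PE_Compact, the four-byte tags TUPX/TASP/TPEC are invented stand-ins for each packer's recognisable stub, and the "MyDoom-A" body is a constructed byte string, not real malware. The script runs one scanner three ways: every packer supported with one signature, only the UPX stand-in supported with one signature, and only the UPX stand-in supported with two extra per-packer signatures cut from the packed bytes. The last run also shows why those extra signatures are fragile: re-packing the same body with a different compression level changes the packed bytes and the packed-file signature misses.

```python
"""One signature vs. one per packer: added example, not code from the
thread.  zlib, bz2 and lzma are toy stand-ins for UPX, ASPack and
PE_Compact (tags TUPX/TASP/TPEC are invented); the MyDoom-A body is a
constructed byte string, not real malware."""
import bz2
import lzma
import zlib

# tag -> (pack, unpack); the tag stands in for the packer's recognisable stub
PACKERS = {
    b"TUPX": (lambda b, lvl: zlib.compress(b, lvl), zlib.decompress),
    b"TASP": (lambda b, lvl: bz2.compress(b, lvl), bz2.decompress),
    b"TPEC": (lambda b, lvl: lzma.compress(b, preset=lvl), lzma.decompress),
}

MALWARE_BODY = (b"MZ\x90\x00" + b"\x00" * 60
                + b"[toy MyDoom-A stand-in body, constructed for this example]"
                + b"\xcc" * 2048)
SIGNATURE = b"toy MyDoom-A stand-in body"   # what the AV matches on the unpacked image


def pack(tag: bytes, body: bytes, level: int) -> bytes:
    """Simulate packing: stub tag followed by the compressed image."""
    return tag + PACKERS[tag][0](body, level)


def detect_packer(sample: bytes):
    """Identify the packer from its stub tag, or None for an unpacked file."""
    return next((tag for tag in PACKERS if sample.startswith(tag)), None)


def scan(sample: bytes, signatures: dict, supported: set) -> list:
    """Return the names of matching signatures.  If the packer is recognised
    and the engine can unpack it, signatures run over the unpacked image;
    otherwise they run over the packed bytes exactly as they sit on disk."""
    tag = detect_packer(sample)
    if tag is not None and tag in supported:
        sample = PACKERS[tag][1](sample[len(tag):])
    return sorted(name for name, pattern in signatures.items() if pattern in sample)


# One generic signature for the unpacked body ...
GENERIC_SIGS = {"MyDoom-A": SIGNATURE}
# ... versus extra per-packer signatures cut from the packed bytes of one build.
PACKED_SIGS = dict(GENERIC_SIGS,
                   **{"MyDoom-A.TASP": pack(b"TASP", MALWARE_BODY, 6)[:24],
                      "MyDoom-A.TPEC": pack(b"TPEC", MALWARE_BODY, 6)[:24]})


def coverage(signatures: dict, supported: set) -> dict:
    """Detections for each packed variant, plus the bz2 variant re-packed at
    level 9 (same body, different packed bytes: the bz2 header byte changes)."""
    samples = {tag.decode(): pack(tag, MALWARE_BODY, 6) for tag in PACKERS}
    samples["TASP@9"] = pack(b"TASP", MALWARE_BODY, 9)
    return {name: scan(s, signatures, supported) for name, s in samples.items()}


if __name__ == "__main__":
    print("all packers supported, 1 signature:", coverage(GENERIC_SIGS, set(PACKERS)))
    print("only TUPX supported, 1 signature:  ", coverage(GENERIC_SIGS, {b"TUPX"}))
    print("only TUPX supported, 3 signatures: ", coverage(PACKED_SIGS, {b"TUPX"}))
```

With every packer supported the single body signature catches all four samples. With only the UPX stand-in supported the other variants are missed until per-packer signatures are added, and even then the re-packed TASP@9 sample slips through because its packed bytes differ from the build the signature was cut from; that is the "much higher chance of missing" the post refers to.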
  6. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    AH is able to scan many, many types of runtime packers independent of the unpack engine of NOD32. In other words, NOD32 has a generic unpacker.

     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Now, now... let's not forget the famous unpack engines of KAV and BD!
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    There is no such thing as a generic unpacker. You can unpack all packers only at run time (when it's already in memory in unpacked form). But that may be very difficult to do.
     
  9. Happy Bytes

    Happy Bytes Guest

    You can emulate a lot of the packers. Some of them still need special unpack plugins (ASPack, ASProtect, Armadillo etc.).

    UPX, FSG and the like have static unpack routines, mainly for speed reasons.
    Emulating stuff is always slower than unpacking it with a dedicated unpacking function which is optimized for the used algorithms (LZ, aPLib etc.), section handling, and bit-input/bit-output reading/writing. With dedicated unpacking plugins you can also better handle the memory usage, because you can unpack blockwise.
     