Skip to content

Latest commit

 

History

History
159 lines (84 loc) · 4.2 KB

T1045.md

File metadata and controls

159 lines (84 loc) · 4.2 KB

T1045 - Software Packing

Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

Adversaries may use virtual machine software protection as a form of software packing to protect their code. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

Atomic Tests


Atomic Test #1 - Binary simply packed by UPX (linux)

Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
bin_path Packed binary Path PathToAtomicsFolder/T1045/bin/linux/test_upx

Attack Commands: Run with sh!

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

Cleanup Commands:

rm /tmp/packed_bin


Atomic Test #2 - Binary packed by UPX, with modified headers (linux)

Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.

The UPX magic number (0x55505821, "UPX!") was changed to (0x4c4f5452, "LOTR"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more.

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
bin_path Packed binary Path PathToAtomicsFolder/T1045/bin/linux/test_upx_header_changed

Attack Commands: Run with sh!

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

Cleanup Commands:

rm /tmp/packed_bin


Atomic Test #3 - Binary simply packed by UPX

Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.

Supported Platforms: macOS

Inputs:

Name Description Type Default Value
bin_path Packed binary Path PathToAtomicsFolder/T1045/bin/darwin/test_upx

Attack Commands: Run with sh!

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

Cleanup Commands:

rm /tmp/packed_bin


Atomic Test #4 - Binary packed by UPX, with modified headers

Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.

The UPX magic number (0x55505821, "UPX!") was changed to (0x4c4f5452, "LOTR"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more.

Supported Platforms: macOS

Inputs:

Name Description Type Default Value
bin_path Packed binary Path PathToAtomicsFolder/T1045/bin/darwin/test_upx_header_changed

Attack Commands: Run with sh!

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

Cleanup Commands:

rm /tmp/packed_bin