Skip to content

Attack tool for altering packed samples so that they evade static packing detection

License

Notifications You must be signed in to change notification settings

packing-box/packer-masking-tool

Repository files navigation

NotPacked++

Adversarial tool for breaking static detection of packed executable

NotPacked++ Read The Docs Black Hat Arsenal Europe 2024 License: GPL v3 Status

NotPacked++, is an adversarial weaponized tool to alter a packed executable to evade static packing detection. It is designed to be used by malware analysts to test the effectiveness of their detection mechanisms and to improve their detection capabilities. It is also useful for red teamers to test the effectiveness of their evasion techniques, and highlight potential weaknesses of a target's security mechanisms.

See the Black Hat Arsenal presentation for a demonstration: NotPacked++: Evading Static Packing Detection

In the current version, the tool focuses on the PE file format and the most common packers used in the wild. The tool is designed to be modular and extensible, so that it can be easily extended to support other file formats and packers.

Installation

To install NotPacked++, you can either download the latest release from the releases page or build it from source.

Please refer to the documentation for a full guide to build the tool from source.

Usage

    _   __      __  ____             __            __          
   / | / ____  / /_/ __ \____ ______/ /_____  ____/ / __    __ 
  /  |/ / __ \/ __/ /_/ / __ `/ ___/ //_/ _ \/ __  __/ /___/ /_
 / /|  / /_/ / /_/ ____/ /_/ / /__/ ,< /  __/ /_/ /_  __/_  __/
/_/ |_/\____/\__/_/    \__,_/\___/_/|_|\___/\__,_/ /_/   /_/   
                                                               

 Authors      :   Jaber RAMHANI, Alexandre D'Hondt
 Version      :   0.1
 Copyright    :   © 2021-2024 Alexandre D'Hondt, Jaber Ramhani
 License      :   GNU General Public License v3.0
======================================================

Description: This program applies some alterations to a PE file. 
 Note that when no alteration is specified ALL of them will be applied, if at least one is specified only selected ones will be applied

Usage: ./notpacked++ <input_file> [OPTIONS]

    -o <output_file>  : Set the output file name. (default:<input_file>_out.exe)
    --help            : Display this help message.

Other options: (by default the behavior is --fill-sections --permissions)
    --fill-sections   : Fill sections with zeros from their raw size to their virtual size.
    --rename-sections : Rename packer sections to standard section names.
    --permissions      : Update the permissions of all sections to standard ones (rwx/rw-/..), moves the EP to a new section and renames sections.
    --raw-size    : Edit the raw size value in the header of sections having a 0 raw size (without adding real data bytes).


Example of usage

notpacked++ input.exe

<<snipped>>

[INFO]   Updating the permissions of all sections to standard ones (rwx/rw-/..), moving the entry point to a new section and Renaming sections to standard ones...
[+] Renaming section UPX0 to .data
[+] Renaming section UPX1 to .rdata

[INFO]   Editing the raw size value in the header of sections having a 0 raw size (without adding real data bytes)...
[+]  Section .data raw size updated to 0x9285
[+] Section raw size updated successfully!

[SUCCESS]  File saved as: input_out.exe

Detectors evasion

$ manalyze input_out.exe
-

$ peid input_out.exe
-

$ peframe input_out.exe
-

$ reminder input_out.exe
False

$ retdec input_out.exe
-

$ pepack input_out.exe
-

$ bintropy input_out.exe -b -v
[DEBUG] Average entropy criterion (>6.677): False (5.945434314305998)
[DEBUG] Highest entropy criterion (>7.199): True (7.222037048843471)
[DEBUG] Output:
False

False 0.030065735045354813

👏 Supporters

Stargazers repo roster for @packing-box/packer-masking-tool

Forkers repo roster for @packing-box/packer-masking-tool

Back to top