# Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers in order to evade defenses.

**Example:**

Many software packers exist to make payloads smaller, and some form of packing is used when a payload needs to be moved between places.

Here I will use UPX, a very well-known packer for binaries.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhs5rUvanR9TKAxQO7%2F-MRhsTzO7eZ3aHq-gJsn%2Fimage.png?alt=media\&token=c3f4bc4e-b92c-4412-a8db-1efbe738a5bf)

Now we will work with our previous payload, which was padded until its file size grew from 7 KB to 20 MB.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhs5rUvanR9TKAxQO7%2F-MRhsUw9NmKby64eLviA%2Fimage.png?alt=media\&token=5c36f026-adf9-4397-b256-d58cc8a22061)

And the packed size now:

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhs5rUvanR9TKAxQO7%2F-MRhsVjWOvLZaIJNluMg%2Fimage.png?alt=media\&token=7a438485-7076-47b5-83e1-b92334a6b960)

The functionality stays the same:

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhs5rUvanR9TKAxQO7%2F-MRhsWW7leNXnL7WufIk%2Fimage.png?alt=media\&token=7de5cb44-d22b-4f55-8947-b7c3a4d8ca5a)

This technique is sometimes useful because the binary's hash and strings change on disk, while the original content is only restored in memory at run time. For more information on this tool, visit:

[UPX](https://github.com/upx/upx)
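Because packing changes the hash and the strings but leaves structural tells (UPX's own section names, a section that is empty on disk yet large in memory, high-entropy data), a defender can triage a file for packing without executing it. The following Python is an added example, not code from these notes or from the UPX project; it parses the PE section table by hand and exercises the checks on constructed miniature PE images rather than on real UPX output.

```python
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # names the stock UPX packer writes
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted data, low for plain code or padding."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def pe_sections(data: bytes) -> list:
    """Walk the PE section table; returns (name, virtual_size, raw_size, raw_entropy) per section."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew in the DOS header
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                         # section headers follow the optional header
    out = []
    for i in range(n_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        out.append((name.rstrip(b"\0"), vsize, rsize, shannon_entropy(data[rptr:rptr + rsize])))
    return out
def packing_indicators(data: bytes) -> list:
    """Reasons the binary looks packed; an empty list means none of the checks fired."""
    reasons = []
    for name, vsize, rsize, ent in pe_sections(data):
        tag = name.decode(errors="replace")
        if name in UPX_SECTION_NAMES:
            reasons.append(f"{tag}: stock UPX section name")
        if rsize == 0 and vsize >= 0x1000:                 # empty on disk, filled at run time
            reasons.append(f"{tag}: no raw data but {vsize:#x} bytes virtual (unpack destination)")
        if rsize and ent > 7.0:
            reasons.append(f"{tag}: entropy {ent:.2f} (compressed or encrypted payload)")
    return reasons
def build_sample(names: list, payloads: list) -> bytes:
    """Constructed minimal PE image (not real UPX output) for exercising the checks above."""
    pe_off, table = 0x40, 0x40 + 24                        # SizeOfOptionalHeader is 0 in this toy image
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    body = b""
    for name, payload in zip(names, payloads):
        vsize = len(payload) or 0x10000                    # empty section gets a large virtual size, like UPX0
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000, len(payload),
                           table + 40 * len(names) + len(body), 0, 0, 0, 0, 0)
        body += payload
    return bytes(hdr) + body

# Constructed inputs: a UPX-style layout beside a conventional one (entropy 8.0 vs 6.0 and 0.0).
PACKED = build_sample([b"UPX0", b"UPX1"], [b"", bytes(range(256)) * 16])
CLEAN = build_sample([b".text", b".data"], [bytes(range(64)) * 8, b"A" * 512])
```

Run the same `packing_indicators` over a real file's bytes to get the list of reasons; a custom packer will not use the UPX names, so the empty-section and entropy checks are the ones that carry over.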


