Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers, in order to evade defenses that key on those artifacts.

Example:

Many software packers exist; they make a payload smaller and change its on-disk form, and some form of packing is useful whenever a payload has to be moved to a different place.

Here I will use UPX, a very well-known packer for binaries.

Now I will work with our previous payload, which was padded until the file size grew from 7 KB to 20 MB.

And the packed size now:

Functionality still stays the same.

This technique is useful because the binary's hash and visible strings change on disk, while the original code is only restored (decompressed, or decrypted for packers that encrypt) in memory at run time. Note that UPX compresses rather than encrypts, and it is so well known that its own artifacts (the UPX0/UPX1 section names, the fact that upx -d unpacks it in one command) are themselves a signature; many scanners unpack UPX statically before matching. For more information on this tool, visit:

UPX
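To make the "hash and strings change on disk, original code comes back in memory" point concrete, here is an added example of a toy packer written for this page. It is not UPX's code and not the walkthrough's payload: the payload bytes, the TOYP header, the single-byte XOR key and the helper names are all constructed for illustration. The payload is a fake MZ header plus two recognisable strings and a run of zero padding, mimicking the padded payload from the walkthrough.

```python
import hashlib
import math
import re
import struct
import zlib

# Constructed sample payload (not a real executable): a fake "MZ" header,
# two strings a hunter would grep for, and zero padding like the
# walkthrough's padded payload.
SAMPLE_PAYLOAD = (
    b"MZ" + b"\x00" * 62
    + b"cmd.exe /c whoami\x00"
    + b"http://example.invalid/stage2\x00"
    + b"\x00" * 4096
)

MAGIC = b"TOYP"          # hypothetical packer signature (think UPX0/UPX1 section names)
DEFAULT_KEY = 0x5A       # single-byte XOR key; real packers do far more than this
_HEADER = struct.Struct("<4sIIB")   # magic, original length, packed length, key


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of the strings tool: runs of printable ASCII of at least min_len."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pack(payload: bytes, key: int = DEFAULT_KEY) -> bytes:
    """Compress, XOR-obfuscate, and prepend the packer's own header."""
    body = bytes(b ^ key for b in zlib.compress(payload, 9))
    return _HEADER.pack(MAGIC, len(payload), len(body), key) + body


def unpack(packed: bytes) -> bytes:
    """The 'stub': what a packed binary does in memory before jumping to the
    original entry point. Validates header and lengths before trusting data."""
    if len(packed) < _HEADER.size:
        raise ValueError("truncated header")
    magic, orig_len, body_len, key = _HEADER.unpack_from(packed)
    if magic != MAGIC:
        raise ValueError("not packed with this packer")
    body = packed[_HEADER.size:_HEADER.size + body_len]
    if len(body) != body_len:
        raise ValueError("truncated body")
    payload = zlib.decompress(bytes(b ^ key for b in body))
    if len(payload) != orig_len:
        raise ValueError("length mismatch after decompression")
    return payload


def is_packed_by_toy(data: bytes) -> bool:
    """Static detection of this packer's artifact, the analogue of checking a PE
    for UPX0/UPX1 section names. Cheap, which is why adversaries roll their own."""
    return data[:4] == MAGIC


def compare(payload: bytes) -> dict:
    """Pack a payload and report what changes on disk and what survives in memory."""
    packed = pack(payload)
    return {
        "orig_sha256": hashlib.sha256(payload).hexdigest(),
        "packed_sha256": hashlib.sha256(packed).hexdigest(),
        "orig_size": len(payload),
        "packed_size": len(packed),
        "orig_strings": extract_strings(payload),
        "packed_strings": extract_strings(packed),
        "orig_entropy": round(shannon_entropy(payload), 3),
        "packed_entropy": round(shannon_entropy(packed), 3),
        "roundtrip_ok": unpack(packed) == payload,
        "packer_signature_present": is_packed_by_toy(packed),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

Running compare shows the same effects the walkthrough observed with UPX: a different hash, a much smaller file (the zero padding compresses to almost nothing), the command-line and URL strings gone from the packed bytes, and a higher entropy, while unpack returns the byte-identical original. The packed output still carries the TOYP header, which is the lesson of the "artifacts" sentence above: the packer's own signature is what a static detector keys on. With real UPX the equivalent steps are upx -9 to pack, upx -t to test the packed file, and upx -d to restore the original, and an analyst's first checks on a suspect PE are its section names and per-section entropy.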
