# Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers, in order to evade defenses.

**Example:**

Many software packers exist; they make payloads smaller and apply some form of packing when a binary needs to be moved from place to place.

Here I will use UPX, a very well-known packer for binaries.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhs5rUvanR9TKAxQO7%2F-MRhsTzO7eZ3aHq-gJsn%2Fimage.png?alt=media\&token=c3f4bc4e-b92c-4412-a8db-1efbe738a5bf)

Now we will work with our previous payload, which was padded until the file size grew from 7 KB to 20 MB.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhs5rUvanR9TKAxQO7%2F-MRhsUw9NmKby64eLviA%2Fimage.png?alt=media\&token=5c36f026-adf9-4397-b256-d58cc8a22061)

And the packed size now:

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhs5rUvanR9TKAxQO7%2F-MRhsVjWOvLZaIJNluMg%2Fimage.png?alt=media\&token=7a438485-7076-47b5-83e1-b92334a6b960)

Functionality stays the same:

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhs5rUvanR9TKAxQO7%2F-MRhsWW7leNXnL7WufIk%2Fimage.png?alt=media\&token=7de5cb44-d22b-4f55-8947-b7c3a4d8ca5a)

This technique is useful because the binary's hash and strings change on disk, but they are decrypted again at run time, which is where memory-based inspection still sees them. For more info on this tool, visit

[UPX](https://github.com/upx/upx)
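As an added defender-side example (not part of these notes or of the UPX project), the script below parses a PE section table and flags the two on-disk artifacts a UPX-packed binary leaves behind: the default `UPX0`/`UPX1` section names and near-8.0 bits/byte entropy in the compressed section. The minimal PE builder, both sample files, the section-name set and the 7.0 entropy threshold are my own constructions and assumptions for this demonstration.

```python
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}  # assumed default names UPX writes
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; compressed/encrypted data sits near 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (empty input yields 0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for each entry in the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                         # first 40-byte section header
    for i in range(nsect):
        ent = table + 40 * i
        name = data[ent:ent + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, ent + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def scan_pe(data: bytes) -> dict:
    """Per-section name/entropy findings plus an overall 'packed' verdict."""
    sections = {}
    for name, raw in pe_sections(data):
        ent = shannon_entropy(raw)
        sections[name.decode("latin-1")] = {"entropy": round(ent, 2),
                                            "upx_name": name in UPX_SECTION_NAMES,
                                            "high_entropy": ent >= ENTROPY_THRESHOLD}
    packed = any(s["upx_name"] or s["high_entropy"] for s in sections.values())
    return {"sections": sections, "packed": packed}

def build_pe(sections) -> bytes:
    """Constructed minimal PE: headers good enough to parse, not a runnable image."""
    hdr_len = 0x40 + 24 + 40 * len(sections)               # DOS stub + COFF header + section table
    table, body, ptr = b"", b"", hdr_len
    for name, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0, len(raw), ptr) + b"\0" * 16
        body, ptr = body + raw, ptr + len(raw)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew points at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return dos + coff + table + body

# Constructed samples: a plain layout versus the layout UPX leaves behind (UPX0 has no raw data).
PLAIN_PE = build_pe([(b".text", b"\x90" * 200 + b"Hello, world!\0"), (b".data", b"config=1\0" * 20)])
PACKED_PE = build_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 8), (b".rsrc", b"\0" * 64)])
```

Section names are trivial for a custom packer to rename, so the entropy check is the more durable of the two signals; on real files expect some false positives from legitimately compressed resources and signed certificate blobs.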
