Thanks to Silvio Cesare and Felix Gröbert, I now have 44 species in my packer zoo. I tested TraceSurfer on these 44 packers, here are the full results and the visualizations.
(quick recap: TraceSurfer uses Pin to trace every instruction in target binaries, extracting a trace file. Then the trace is analysed (or surfed) to detect layers of self-modifying code (or code waves) and code protection patterns)
- only 35 binaries execute correctly on my machine
- Pin v. 31933 works on 30 of these binaries (success rate of 85.71%)
- some packers don’t seem to pack anything since they have only 1 code wave (!Epack Lite 1.4, Pepack, VmProtect). Either the binaries are indeed packed and I fail to detect the self-modifying code, or they’re not self-modifying at all. It’s probably the latter, since the trace sizes are very close to the original (unpacked) binary.
- very few packers seem to use code scrambling (supposedly an advanced anti-dumping technique): Acprotect, Petite and the Yoda family
- integrity checking seems to be more popular, it is used in Acprotect, Themida, Enigma, Pelock, NSPack…
- given the trace size, it seems that anti-emulation loops can be found in Morphine (164M instructions) and !Epack 1.0 (87M instructions)
- nice similarities between Yoda Crypter 1.3 and Yoda Protector 1.4
- the Monster Award is attributed to… Themida 18.104.22.168 (80M instructions, 31 code waves, 142890 decrypted bytes + integrity checking)
2 thoughts on “Packers, egg, sausage and packers”
I performed an evaluation against 809 malware collected from honeypots. Only 1 of that sample took a significantly longer time to unpack than the other malware. The reason it took so long was because it executed 163 or 164 million instructions. This seems to fit into line with your observation of the morphine packer. From my evaluation, it seems that anti-emulation loops are not very common. I may need to look at a larger sample size however.
antiemulation loops are not common in commercial packers/protectors because its plain stupid to slow down (even more) entire decompression/decryption process, but it might be a good option to include to annoy AVers :P hehe