(YARA) YARA_PACKER_antiunpack
Created the . Updated 9 months, 1 week ago.
rule upx_antiunpack_pe {
meta:
description = "Anti-UPX Unpacking technique about section renaming and zero padding against upx reference structure"
author = "hackeT"
strings:
$mz = "MZ"
$upx0 = {55 50 58 30 00 00 00} //section name UPX0
$upx1 = {55 50 58 31 00 00 00} //section name UPX1
$upx_sig = "UPX!" //UPX_MAGIC_LE32
$upx_sig2 = {A1 D8 D0 D5} //UPX_MAGIC2_LE32
$zero = {00 00 00 00}
condition:
$mz at 0 and ( $upx_sig at 992 or $upx_sig2 at 992 )
and
(
not ($upx0 in (248..984) or $upx1 in (248..984)) // section renaming: 248 is the minimum offset after pe optional header.
or
$zero in (992..1024) // zero padding against upx reference structure: pe header ends offset 1024.
)
}
Associated Techniques
| Technique Name | Technique ID's | Has Snippet(s) |
|---|---|---|
| UPX: Ultimate Packer for Executables | U1402 F0001.008 | |
| Anti-UPX Unpacking | U1008 |