Detect malware packers and cryptors with python (yara & pefile)
Packed or compressed executable files have a different structure from other exe files. In general, packers add a new header to the executable, they compress its body and then add a Loader to load the original executable into memory during execution. The new header points to the Loader which points to the compressed sections of the executable, the following diagram summarizes the mechanism of the packing.
This packing technique allows malware to escape from an antivirus by changing their signature and hiding their code. Several packing tools exist, however malware creators often use their own modified or improved versions of these tools.
In what follows, I will show you how to detect the packing of an exe file using YARA rules and Pefile in python.
1. PREPARING THE ENVIRONMENT
In this article, we will be using Pefile and YARA. Pefile is a parser for windows exe files written in python. For more details about Pefile please consider visiting the official GitHub repository:
For now, all you need to do is to install Pefile within your python environment. Usually, you need just to execute the following command:
But depending on your python version and your system, this might change.
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. For more details about YARA, please consider visiting the official GitHub page:
To install yara package in python you need just to run the following command:
If that command isn’t working for you, you might do a little research on how to install yara-python on your system.
One last thing with setting up YARA is to download packers definitions from the following links:
- https://github.com/Yara-Rules/rules/blob/master/packers/peid.yar
- https://github.com/Yara-Rules/rules/blob/master/packers/packer.yar
- https://github.com/Yara-Rules/rules/blob/master/crypto/crypto_signatures.yar
Keep these files, we will need them for later.
2. USING YARA RULES
Once you have set everything up, you can detect the protection technique used on an exe file by following those three steps:
- Import YARA
- Read (compile) downloaded rules
- Test for matches
The bellow snippet of code shows how to do those steps in python:
The code is quite simple, but you might notice that we didn’t use peid rules in the previous snippet. That’s because, peid rules match also with compilers, so if you have a match, it doesn’t mean that the file is packed or encrypted. To be able to use peid rules, we should differentiate between packers/cryptors and compilers. For that, I gathered a list of the most known packers and cryptors out there and used it to check if the matched element is a packer (cryptor) or not. The following snippet of code gives more details about the implementation of this:
3. DETECT PACKING WITHOUT YARA
Another way to detect packing is to use pefile, this way isn’t a 100% accurate. For some reason, packers and cryptors modify sections names to have some special names, usually the names of the packer itself. So, we will use this information to read sections names of an exe file and try to match them with some known packers/cryptors. Just to remind you again, this isn’t an accurate way. There could be some sections named after a packer but the exe file isn’t packed and vice-versa. But, let’s do it for fun anyway!
THE END!
