
Recently I asked a question about detecting UPX compression. 0xC0000022L wanted to know if it was plain UPX. However, until that point I was only aware of plain UPX. So my question is:

  • What versions/modifications of UPX exist?
  • How do they differ? What features do they have?
qbi

3 Answers


First, let's see UPX structure.

UPX Structure

  1. Prologue
     • CMP / JNZ for DLL parameter checks
     • Pushad, set registers
     • optional NOP alignment
  2. Decompression algorithm
     • whether NRV or LZMA
  3. Call/jump restoring
     • UPX transforms relative calls and jumps into absolute ones, to improve compression.
  4. Imports
     • load libraries, resolve APIs
  5. Reset section flags
  6. Epilogue
     • clean stack
     • jump to the original EntryPoint

For more details, here is a commented IDA (free version) IDB of a UPX-ed PE.

modified UPX variants

Simple parts like prologue/epilogue are easy to modify, and are consequently often modified:

  • basic polymorphism: replacing an instruction with an equivalent
  • moving them around with jumps

Complex parts like decompression, call restoration and import loading are usually kept unmodified, so custom code is usually inserted between them:

  • an anti-debug
  • an extra xor loop (after decompression)
  • a marker that will be checked further in the unpacked code, so that the file knows it was unpacked.

faking

As the prologue doesn't do much, it's also trivial to copy it to the EntryPoint of a non-UPX-packed PE, to fool identifiers and fake UPX packing.

0xC0000022L
Ange

I will ignore that there are multiple compression algorithms in UPX and that there have been multiple versions of UPX.

Generally, when people ask if it's plain or vanilla UPX, it's because malware and other software likes to take UPX and modify it slightly so that it can't be unpacked with the standard UPX executable and so that antiviruses will have a harder time unpacking it. It's not very effective at counteracting reverse engineering.

Peter Andersson

  • Spot on. You can't read minds, can you? ;) – 0xC0000022L Mar 23 '13 at 23:47
  • Can you include any example(s)/site(s) of how it's modified? Such info might further build a strong answer. :) – Lizz Apr 06 '13 at 05:20
  • And if a derivation of UPX is used as a protection mechanism, you can bet that it will yield false positives until you are blue in the face. UPX has been effectively classified as a malware tool by most security companies, a fate common to open source libraries and executable tools. – dyasta Apr 14 '13 at 13:17

I'm not sure if this is what you're asking, but UPX has multiple ways of compressing a given format. For example, an ELF:

  • can be decompressed directly into memory
  • can be decompressed into /tmp and executed from there

By default the first option is preferred, but I don't think it's mandatory. See the UPX Manual for details.

EfForEffort