
I'm trying to figure out how to detect whether a binary has been compressed with UPX. I am using a simple CRC to detect whether my app was in any way changed, and if the CRC failed on the size due to a packer, I would like to detect that as OK.

Right now I am starting with UPX.

So, is there any marker on the binary? Are there any specific JMP or other instructions that I should search for?
This will mainly be tested in Windows, but in the future I might add it to Linux as well.

Any help (and code) is appreciated.

ADDED:

I found that in the 10 binaries I checked the

AddressOfEntryPoint
Import Directory RVA
Resource Directory RVA

either point to UPX or have an offset that is set by UPX. Any information on this?

Thanks

Mr Aleph

2 Answers

Download the UPX source code from the UPX Homepage and open the src/p_w32pe.cpp file; the function you are looking for is:

int PackW32Pe::canUnpack()

This function checks if the file is compressed with win32 upx.

ismail
  • Thank you for the tip, but I am having a hard time following that code with the different objects and their constructors. For win32 it calls `PackW32Pe` (in an .h file), but that in turn creates another call, etc... I'm a C programmer and objects are not very strong with me. Any specifics you might add from reading that code? Thanks again – Mr Aleph Jan 03 '11 at 14:32

You might try checking the section names of the executable. UPX changes them to UPX0, UPX1, UPX2, I believe.

Willi Ballenthin
  • This method is unfortunately not reliable. The sections of some (packed/encrypted) images are renamed to "standard"/"traditional" section names. The names of the sections are never "interpreted" by the Loader. The names of the sections are sometimes even missing (aka removed) by some tools. – mox May 04 '12 at 13:28
  • @mox, this response is specific to the UPX packer. Running additional packers or obfuscators may further modify the section names; however, by default, the UPX packer will change the section names described above. – Willi Ballenthin May 06 '12 at 05:35
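The following script is an added example, not code from the question, either answer, or the UPX project's own canUnpack() logic. It combines the two signals discussed on this page: the UPX0/UPX1/UPX2 section names from Willi's answer, and the asker's observation that AddressOfEntryPoint and the Import/Resource Directory RVAs land inside UPX-controlled sections. Because section names can be renamed (mox's caveat), the verdict also looks at where the entry point actually falls and, as an extra detail not stated on the page, at the four-byte `UPX!` marker that UPX writes into its pack header. It uses only the standard `struct` module; the two sample images are constructed inline from header fields and are not runnable executables.

```python
"""Heuristic UPX check on a PE image using only the PE headers (added example)."""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MARKER = b"UPX!"   # magic that UPX stores in its pack header (UPX detail, not from the page)


def parse_pe(data):
    """Return (entry_rva, import_rva, resource_rva, sections) for a PE32/PE32+ image.

    Each section is (name, VirtualAddress, VirtualSize, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    dd = opt + (96 if magic == 0x10B else 112)                 # DataDirectory[] start
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]     # DataDirectory[1]
    resource_rva = struct.unpack_from("<I", data, dd + 16)[0]  # DataDirectory[2]
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawsize))
    return entry, import_rva, resource_rva, sections


def section_of(rva, sections):
    """Name of the section whose virtual range contains rva, or None."""
    for name, vaddr, vsize, _ in sections:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def upx_indicators(data):
    """Collect the UPX signals discussed on the page and derive a verdict."""
    entry, import_rva, resource_rva, sections = parse_pe(data)
    upx_named = [s[0] for s in sections if s[0] in UPX_SECTION_NAMES]
    entry_section = section_of(entry, sections)
    result = {
        "section_names": [s[0] for s in sections],
        "upx_named_sections": upx_named,
        "entry_section": entry_section,
        "import_section": section_of(import_rva, sections),
        "resource_section": section_of(resource_rva, sections),
        # UPX0 holds the unpacked image at run time: VirtualSize > 0 but no raw bytes on disk
        "first_section_virtual_only": bool(sections) and sections[0][3] == 0 and sections[0][2] > 0,
        "has_upx_marker": UPX_MARKER in data,
    }
    # Names alone are weak evidence (they can be renamed), so require the entry point to
    # sit in a UPX-named section, or the pack-header marker to be present.
    result["likely_upx"] = (entry_section in upx_named) or result["has_upx_marker"]
    return result


def build_sample_pe(sections, entry_rva, import_rva, resource_rva, marker=b""):
    """Construct a minimal PE32 header-only image for testing (constructed data, not a real file)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<II", opt, 104, import_rva, 0x100)             # import directory
    struct.pack_into("<II", opt, 112, resource_rva, 0x100)           # resource directory
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, 0, 0, 0, 0, 0, 0)
                    for name, vaddr, vsize, rawsize in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs + marker


# Constructed samples: a typical UPX layout and a plain compiler layout.
SAMPLE_UPX = build_sample_pe(
    [(b"UPX0", 0x1000, 0x10000, 0), (b"UPX1", 0x11000, 0x6000, 0x5800), (b".rsrc", 0x17000, 0x1000, 0x800)],
    entry_rva=0x16A00, import_rva=0x16B00, resource_rva=0x17000, marker=UPX_MARKER)
SAMPLE_PLAIN = build_sample_pe(
    [(b".text", 0x1000, 0x4000, 0x4000), (b".rdata", 0x5000, 0x1000, 0x1000), (b".rsrc", 0x6000, 0x1000, 0x1000)],
    entry_rva=0x1200, import_rva=0x5040, resource_rva=0x6000)

if __name__ == "__main__":
    for label, img in (("upx-like", SAMPLE_UPX), ("plain", SAMPLE_PLAIN)):
        print(label, upx_indicators(img))
```

To run it against a real file, replace the samples with `upx_indicators(open(path, "rb").read())`. For the CRC use case in the question, the natural policy is to treat a file whose entry point lies in a UPX-named section (and whose first section is virtual-only) as "packed, not tampered", while still rejecting files where the names are UPX-like but the entry point lies elsewhere.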