AlushPacker is a reflective PE packer that enables in-memory execution of native .exe files. The packed file hinders static analysis and reverse engineering with tools like IDA Pro or Ghidra.
The builder creates a new `.packed` section header that stores the packed version of the original executable, that is, the original file after it has been compressed with the LZAV compression library and encrypted using a custom implementation of the XTEA (eXtended Tiny Encryption Algorithm) block cipher.

At runtime, the reflective loader locates the base address of this section (which is embedded within the packed file itself), decrypts and decompresses its contents, and manually loads the executable entirely from memory, with no disk I/O and no help from the Windows loader.
In the packed version, the original executable's data is stored, well... packed, meaning that disassemblers like IDA are unable to extract any meaningful interpretation out of that packed data.

Detect-It-Easy has detected that our executable is packed due to the high entropy in the `.packed` section. However, this detection can be bypassed by placing the packed data inside `payload.h` instead of writing it to a separate section header. You can do this by compiling from source, setting the `DEBUG_STUB` macro, and placing the packed data inside `payload.h`. But this requires a more "hacky" approach, so to keep the build process straightforward, we place the packed data inside a separate section header.

The packer can be downloaded here: latest release binaries.
To pack a program, you must specify its input path. Optionally, you can also specify the output path, although this is not strictly required.
Example usage:
```
packer <input_file> <output_file>
```
Full usage:
```
> packer.exe
Usage:
C:\Users\tamar\Downloads\packed_files\Builder.exe [OPTIONS] <input_file> <output_file>
Options:
-l <key> Protect the packed file with a password. Example: -l mypassword
Example usage: packer.exe <input.exe> <output.exe>
C:\Users\tamar\Downloads\packed_files>
```
Visual Demo:
- x64 and x86 support
- Native console, GUI, and legacy EXE support
- File compression and encryption
- Payload locking (if built with the `-l` option, the output file will request a password before executing)
- Manual mapping of section headers
- Custom WinAPI / loader function implementations (e.g. `myGetProcAddress`, `myGetModuleHandle`)
- Resolving imports (normal and delay-loaded), by name and by ordinal
- Fast export directory traversal using binary search. Forwarded exports specifically are resolved using highly reliable recursion and parsing logic in `LdrpResolveProcedureAddress`
- Relocations (in case the PE image is not loaded at its preferred base address)
- Structured Exception Handling (SEH), registering the function table in `.pdata`
- Thread Local Storage (TLS callbacks) support
- Appropriate section memory protection (with `VirtualProtect`)
- Finally, PEB patching (e.g. `PPEB->pPeb->ImageBaseAddress = (PVOID)ntHeaders->OptionalHeader.ImageBase`)
Contributions to the project are welcome!
You can improve parts of the code, report bugs, or just suggest features you think would be cool to add. I will review your suggestions and approve them if they move the project towards a better place :)