UM Virus Detecting: Part 3 - Packed

Good morning! It's me, seb here with Part 3. We already covered import and signature scanning focused on Easy SuperInfector stubs. Now let’s talk about packing detection. It’s a basic but useful technique for spotting packed malware.

First, packing means compressing or encrypting the executable to hide its real code. Packed files have high randomness in their data, so we can detect that using entropy.

Here’s how I calculate entropy:

double calc_entropy(const BYTE* data, size_t size) {
    if (size == 0) return 0.0;

If the section size is zero, entropy is zero, nothing to scan here.

unsigned int freq[256] = { 0 };
    for (size_t i = 0; i < size; i++)
        freq[data[i]]++;

Count how many times each byte value (0-255) appears in the data. This frequency distribution is the basis for entropy calculation.

double ent = 0.0;
    for (int i = 0; i < 256; i++) {
        if (freq[i] == 0) continue;
        double p = (double)freq[i] / size;
        ent -= p * log2(p);
    }
    return ent;
}

Calculate entropy using Shannon’s formula. It sums up the randomness based on byte frequency. Higher entropy means more randomness, likely packing or encryption.

Next, I open the file and map it to memory:

HANDLE hFile = CreateFileW(filePath.c_str(), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) { return false; }

No file, no scan.

DWORD fileSize = GetFileSize(hFile, NULL);
if (fileSize < 0x1000) { CloseHandle(hFile); return false; }

Ignore tiny files, usually irrelevant or corrupted.

HANDLE hMap = CreateFileMappingW(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (!hMap) { CloseHandle(hFile); return false; }

LPVOID baseAddress = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
CloseHandle(hMap);
CloseHandle(hFile);

if (!baseAddress) { return false; }

Memory mapping for faster access.

Then I grab the PE headers:

PIMAGE_NT_HEADERS ntHeaders = ntheaders(const_cast<BYTE*>(baseAddress), fileSize); 
if (!ntHeaders) { UnmapViewOfFile(baseAddress); return false; }

Without headers, no PE info, so no scanning.

PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(ntHeaders);
WORD numberOfSections = ntHeaders->FileHeader.NumberOfSections;

if (numberOfSections == 0) { UnmapViewOfFile(baseAddress); return false; }
if (numberOfSections > 96) { numberOfSections = 96; }

Cap sections scanned to 96 max, enough for anything reasonable.

For each section:

if (!validptr(baseAddress, fileSize, pSectionHeader, sizeof(IMAGE_SECTION_HEADER))) { break; }

Make sure section header is safe to read.

const BYTE* sectionData = baseAddress + pSectionHeader->PointerToRawData;
DWORD sectionSize = pSectionHeader->SizeOfRawData;

if (!validptr(baseAddress, fileSize, sectionData, sectionSize) || sectionSize == 0) { continue; }

Validate raw section data pointer and size.

Calculate entropy:

double entropy = calc_entropy(sectionData, sectionSize);

High entropy means packed or compressed.

if (entropy > threshold) {
    isPacked = true;
    break;
}

If any section is too random, flag file as packed.

Packing detection like this is rough but helpful. Most legit apps aren’t packed, so it filters suspicious files. Easy SuperInfector stubs usually aren’t packed (they did infact become packed later on to counter some of my methods), so this check just adds a safety net. I’ll improve this in future versions.

PreviousUM Virus Detecting: Part 2 - Sigs NextUM Virus Detecting: Part 4 - Goodnight

Last updated 1 month ago