From the perspective of static analysis tools (antivirus, YARA, disassemblers), only the stub and the encrypted blob are visible — not the original malicious logic. Packing originated in the 1990s for benign purposes: reducing file size (e.g., UPX, ASPack) and protecting intellectual property (e.g., Themida, Enigma Protector). Attackers quickly realized the security implications: packing a known malware sample changes its hash and structural signatures, causing signature-based AV to miss it.
Example: A simple anti-debug check in x86 assembly used inside a packer stub:
| Technique | Purpose |
|-----------|---------|
| Anti-debug | IsDebuggerPresent, NtQueryInformationProcess, int 2d, timing checks |
| Anti-VM | Check for VMware/VirtualBox registry keys, MAC OUI, hardware strings, RDTSC timing |
| API hashing | Store hashes of API names (e.g., ROR13) instead of plain strings to avoid detection |
| Junk/polymorphic code | Insert NOPs, bogus jumps, or reorder instructions to evade signatures |
| Dynamic imports | Resolve the IAT at runtime, leaving no static import table |
| Entry point obfuscation | Obfuscate the OEP location (e.g., hidden inside exceptions or TLS callbacks) |
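The table above lists what a packer stub leaves behind for a static scanner: a high-entropy encrypted blob, an almost empty import table, and hash constants in place of API names. The following Python script is an added example (not code from the original article) showing how an analyst turns those three indicators into a triage check. It computes per-section Shannon entropy, flags a near-empty import table, and builds a reverse lookup for ROR13 API-name hashes so that a constant found in a stub can be labelled with the export it resolves. The PE layout is a constructed stand-in: sections are `(name, bytes)` tuples and the import count is passed in directly, so no PE parser is needed and it runs offline; `KNOWN_APIS`, `packing_indicators`, and `triage_sample` are names chosen for this example.

```python
"""Static triage heuristics for packed samples (added example, not from the article).

Indicators checked, mirroring the article's table:
  - an encrypted/compressed blob   -> high-entropy section
  - imports resolved at runtime    -> tiny static import table
  - API hashing (ROR13)            -> reverse table of hash -> export name
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    Encrypted or compressed payload sections sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ror13_hash(name: str) -> int:
    """32-bit additive ROR13 hash over the ASCII export name, the classic
    scheme stubs use to find an API without storing its string."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + ch) & 0xFFFFFFFF
    return h


# A reverse table is built once from the export names of common DLLs; an
# analyst then labels the hash constants seen in a stub. This short list is
# a constructed subset for the example.
KNOWN_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "IsDebuggerPresent", "NtQueryInformationProcess",
]
HASH_TO_API = {ror13_hash(n): n for n in KNOWN_APIS}


def resolve_api_hash(h: int):
    """Map a 32-bit hash constant back to an export name, or None if unknown."""
    return HASH_TO_API.get(h & 0xFFFFFFFF)


def packing_indicators(sections, import_count, entropy_threshold=7.0, min_imports=5):
    """Return human-readable findings; an empty list means nothing stood out.

    sections: iterable of (name, raw_bytes); import_count: entries in the
    static import table."""
    findings = []
    for name, data in sections:
        e = shannon_entropy(data)
        if e >= entropy_threshold:
            findings.append(f"section {name!r}: entropy {e:.2f} (encrypted/compressed blob?)")
        if name.upper().startswith("UPX"):
            findings.append(f"section {name!r}: UPX section name")
    if import_count < min_imports:
        findings.append(f"only {import_count} static imports (IAT likely rebuilt at runtime)")
    return findings


def triage_sample():
    """Run the heuristics over a constructed two-section sample: a small
    plain-code stub followed by a pseudo-random 'encrypted' payload."""
    stub = b"\x55\x8b\xec\x83\xec\x10" * 64          # repetitive prologue-like bytes
    blob = random.Random(1234).randbytes(4096)       # constructed stand-in for an encrypted payload
    sections = [(".text", stub), (".data", blob)]
    return packing_indicators(sections, import_count=2)


if __name__ == "__main__":
    for line in triage_sample():
        print("[!]", line)
    # Label a hash constant as an analyst would after pulling it from a stub.
    print(hex(ror13_hash("LoadLibraryA")), "->", resolve_api_hash(ror13_hash("LoadLibraryA")))
```

The entropy threshold of 7.0 bits per byte is a common triage cut-off rather than a hard rule: legitimately compressed resources also score high, so the indicators are meant to be read together (high entropy plus a two-entry import table is far more telling than either alone).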