X33FCON 2024
MALDEV: PACKER DEVELOPMENT
Fabian Mosch & Sven Rath
classification: confidential | © 2020 r-tec IT Security
00 AGENDA
Who are we
Motivation
How does a Packer work?
What can / should I pack?
Relevant features
Todos for this workshop
01 WHO ARE WE
Fabian Mosch / @S3cur3Th1sSh1t
Team leader Pentest/Red-Team @r-tec
Breaking into company environments at work & escalating privileges
Inspired by the community, likes to share knowledge
Publishing Tools/Scripts on Github, Blogposts, YouTube-Videos
Special interest in AV/EDR Evasion topics
Sven Rath / @eversinc33
Pentest/Red-Team @r-tec
Malware development, Windows internals and kernel rootkits
Blogging at https://eversinc33.com
Oh boy, a new project! Time to build my payload…
MOTIVATION
If you
► … have an unorganized collection of malware projects
► … manually encrypt your payloads to copy-paste them into a template
► … manually compile your malware
This workshop is for you ☺
At the end of this workshop you will have a tool that automatically creates parametrized loaders for various input formats.
02 HOW DOES A PACKER WORK
Benefits:
Dynamically change payload characteristics
Automate malware development
► Save time
Easily adjust payloads depending on the environment
03 WHAT CAN / SHOULD I PACK?
Anything that is potentially known-malicious
► Most typical use case: C2 payloads
► Alternatively, known post-exploitation tooling itself
04 RELEVANT FEATURES
Encryption / Decryption routines
Modification of open-source packer encryption / decryption routines to get rid of signatures
String encryption & no debug/print information
"Malware doesn't need strings"
Entropy reduction
► Bloating
► Staging / De-coupling the payload
► Encrypted payload encoding
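A defender-side check for the entropy-reduction point above, added here as an example and not part of the workshop repository: it measures Shannon entropy of constructed sample buffers and shows why whole-file entropy is a weak heuristic against bloating, while a windowed scan still locates the dense region but is blind to a base64-encoded one.

```python
import math
import base64
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy of each non-overlapping window, so a scanner can locate a dense blob inside a padded file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def suspicious_windows(data: bytes, window: int = 1024, threshold: float = 7.0) -> int:
    """Count windows above the threshold; values near 8 are typical for compressed or encrypted bytes."""
    return sum(1 for e in windowed_entropy(data, window) if e > threshold)

# Constructed samples (not real payloads): a seeded pseudo-random blob stands in for an encrypted payload.
_rng = random.Random(1337)
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
BLOATED = ENCRYPTED_BLOB + b"\x00" * (16 * 4096)   # "bloating": zero padding drags the file average down
ENCODED = base64.b64encode(ENCRYPTED_BLOB)          # 64-symbol alphabet caps entropy at about 6 bits/byte

def demo() -> dict:
    """Whole-file entropy versus windowed hits for the three constructed buffers."""
    return {
        "blob": shannon_entropy(ENCRYPTED_BLOB),
        "bloated": shannon_entropy(BLOATED),
        "encoded": shannon_entropy(ENCODED),
        "bloated_hot_windows": suspicious_windows(BLOATED),   # the 4 windows holding the blob
        "encoded_hot_windows": suspicious_windows(ENCODED),   # none: encoding hides it from this heuristic
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}" if isinstance(value, float) else f"{name}: {value}")
```

The windowed scan defeats bloating but not encoding, which is why a scanner should also score alphabet size or decode known encodings before measuring.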
Anti-Sandbox
Anti-Analysis
Environmental Keying
https://research.checkpoint.com/2022/invisible-cuckoo-cape-sandbox-evasion/
Evasion
► AMSI Bypass
► ETW Bypass
► Indirect Syscalls
► …
► Whatever you can think of :)
Output formats
► Executable
► DLL
► Service Executable
► Sideloading DLL
► PowerShell, C# assembly, HTA, […]
05 TODOS IN THIS WORKSHOP
Choose your language:
Get an overview of the packer template file
Decide which features to integrate first
Check out the follow-up tasks in the README
Let's go:
https://github.com/rtecCyberSec/Packer-Development