Detecting Armadillo packed PE?

Are there any methods of detecting that a specific file was packed with Armadillo?

Tried using PEiD, but none of the scan levels detects it.

I also looked through its sections and haven't found any suspicious section that gives away any info that it was packed with it (.text1, .data1 etc...).

Thanks


  • Author

What is Protection ID?

And the tool looks great, but I'd like to do it programmatically.

Is there any documentation about what an Armadillo-packed PE looks like?

Edited by Stylo

  • Author

How is he detecting Armadillo, though?

What kind of marks does it leave on the packed file?


Linker version in the PE header is usually 'SR' (Silicon Realms).

And there are various strings and byte patterns, pdata000 and so on...

Just compare some files.

You could check for MajorLinkerVersion / MinorLinkerVersion in the PE header. Arma writes 0x52/0x53 there, which is ASCII for 'SR', which is short for Silicon Realms, the company behind Arma.

Besides that, every?! arma-protected exe should have the arma sections text1, data1, pdata etc..

Those are simple checks. Deeper checks would require heuristics and/or debugging.


  • Author

Cool, so I should look for the 'SR' in the LinkerVersion.

But for the sections (.text1, .data1, .pdata etc.) I'm not sure that's the only packer that uses those sections.

What about ASProtect?


Sections are a strong indicator. Wouldn't rely on that though, as they can have any name or even none at all. Use linker version + maybe debugging for pattern matching.

Edited by cypher

If 'SR' is in the header, you can be pretty sure it's arma... As for the sections, the second-last (or the last in DLL files without a .rsrc section) should contain a zlib signature... http://stackoverflow.com/questions/9050260/what-does-a-zlib-header-look-like, this can however be modified...

This section with the zlib pattern also has a certain format, you could check for that as well.

Don't bother with section names, as there is an option called 'randomize section names', which simply renames the sections.

  • Author

Yeah, I've figured that the section names check isn't that effective since there's an option to change it.

But I believe that the Minor/MajorLinkerVersion is pretty absolute since no other packer or PE file has that signature.

BTW, I'm also trying to detect if a file is packed by Themida.

Now I noticed that in every packing process it has .rsrc and .idata sections and right after that 2 sections with random names.

I also noticed that the entry point is somewhere beyond my module space address. What's going on with that? Does it hide the EP somehow?

