Stylo, January 8, 2014:
Are there any methods of detecting that a specific file was packed with Armadillo? I tried using PEiD, but none of the scan levels detects it. I also looked through its sections and haven't found any suspicious section that gives away any info that it was packed with it (.text1, .data1 etc.). Thanks
Dreamer, January 8, 2014:
Use Protection ID, or use http://forum.tuts4you.com/topic/30559-armadillo-tool/
Stylo, January 8, 2014 (edited):
What is Protection ID? And the tool looks great, but I'd like to do it programmatically. Is there any documentation about how an Armadillo-packed PE looks?
Dreamer, January 8, 2014:
http://forum.tuts4you.com/topic/8278-protection-id/
Stylo, January 8, 2014:
How is he detecting Armadillo, though? What kind of marks does it leave on the packed file?
evlncrn8, January 8, 2014:
The linker version in the PE header is usually 'SR' (Silicon Realms), and there are various strings and byte patterns, pdata000 and so on... Just compare some files.
cypher, January 8, 2014:
You could check for MajorLinkerVersion / MinorLinkerVersion in the PE header. Arma writes 0x52/0x53 there, which is ASCII for SR, which is short for SiliconRealms, the company behind Arma. Besides that, every?! Arma-protected exe should have the Arma sections text1, data1, pdata etc. Those are simple checks. Deeper checks would require heuristics and/or debugging.
Stylo, January 8, 2014:
Cool, so I should look for the 'SR' in the LinkerVersion. But for the sections (.text1, .data1, .pdata etc.) I'm not sure that's the only packer that uses those sections. What about ASProtect?
cypher, January 8, 2014 (edited):
Sections are a strong indicator. I wouldn't rely on that though, as they can have any name or even none at all. Use the linker version + maybe debugging for pattern matching.
mrexodia, January 11, 2014:
If 'SR' is in the header, you can be pretty sure it's Arma... As for the sections, the second-last (or the last in DLL files without a .rsrc section) should contain a zlib signature (http://stackoverflow.com/questions/9050260/what-does-a-zlib-header-look-like); this can however be modified... This section with the zlib pattern also has a certain format; you could check for that as well. Don't bother with section names, as there is an option called 'randomize section names', which simply renames the sections.
Stylo, January 13, 2014:
Yeah, I've figured that the section-names check isn't that effective, since there's an option to change it, but I believe that the Minor/MajorLinkerVersion is pretty absolute, since no other packer or PE file has that signature. BTW, I'm also trying to detect if a file is packed by Themida. Now I noticed that in every packing process it has .rsrc and .idata sections and right after that 2 sections with random names. I also noticed that the entry point is somewhere beyond my module space address :scratch: What's going on with that? Is it hiding the EP somehow?
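A worked version of the checks described in cypher's and mrexodia's posts above, as an added example that is not from the thread, from Protection ID or from the Armadillo tool: it parses the PE headers with only the Python standard library, reads MajorLinkerVersion/MinorLinkerVersion, lists section names, and tests whether the second-last section (or the last one when there is no .rsrc) begins with a zlib stream header. The 'SR' (0x52/0x53) marker, the section names and the zlib-section rule are taken from the thread; the function names, the scoring rule and the sample PE image built inside the block are constructed for the example and are not real Armadillo binaries.

```python
import struct
import zlib

# Section names the thread associates with Armadillo (cypher's post). The
# 'randomize section names' option can rename them, so treat this as weak evidence.
ARMA_SECTION_NAMES = {".text1", ".data1", ".pdata"}


def looks_like_zlib_header(blob: bytes) -> bool:
    """RFC 1950 header check: CMF low nibble 8 (deflate) and (CMF*256 + FLG) % 31 == 0."""
    if len(blob) < 2:
        return False
    cmf, flg = blob[0], blob[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: linker version bytes and the raw data of each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # The optional header starts with Magic, then MajorLinkerVersion and MinorLinkerVersion.
    _magic, major, minor = struct.unpack_from("<HBB", data, opt)
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "data": data[raw_ptr:raw_ptr + raw_size]})
    return {"major_linker": major, "minor_linker": minor, "sections": sections}


def armadillo_indicators(data: bytes) -> dict:
    """Triage heuristics from the thread; returns each indicator separately plus a verdict."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    linker_sr = (pe["major_linker"], pe["minor_linker"]) == (0x52, 0x53)  # ASCII 'S', 'R'
    arma_names = sorted(n for n in names if n in ARMA_SECTION_NAMES)
    # mrexodia: the second-last section holds the zlib stream, or the last one if there is no .rsrc.
    if ".rsrc" in names and len(pe["sections"]) >= 2:
        packed = pe["sections"][-2]
    elif pe["sections"]:
        packed = pe["sections"][-1]
    else:
        packed = {"data": b""}
    zlib_hdr = looks_like_zlib_header(packed["data"])
    score = int(linker_sr) + int(bool(arma_names)) + int(zlib_hdr)
    return {
        "linker_sr": linker_sr,
        "arma_section_names": arma_names,
        "zlib_in_packed_section": zlib_hdr,
        # Assumed scoring: the linker marker alone is strong; otherwise require two weak signs.
        "likely_armadillo": linker_sr or score >= 2,
    }


def build_sample_pe(linker, section_names, packed_index=None) -> bytes:
    """Constructed minimal PE32 image for testing the checks; not a real packed binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE header at 0x40
    opt_size = 224
    nsec = len(section_names)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB", 0x10B, linker[0], linker[1]).ljust(opt_size, b"\0")
    raw_base = (0x40 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, blobs = b"", b""
    for i, name in enumerate(section_names):
        body = zlib.compress(b"constructed payload " * 8) if i == packed_index else b"\xCC" * 16
        body = body.ljust(512, b"\0")
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(body), 0x1000 * (i + 1), len(body), raw_base + 512 * i)
        table += b"\0" * 16  # relocation/line-number fields and Characteristics, unused here
        blobs += body
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + blobs


if __name__ == "__main__":
    suspect = build_sample_pe((0x52, 0x53), [".text1", ".data1", ".pdata", ".rsrc"], packed_index=2)
    benign = build_sample_pe((14, 0), [".text", ".data", ".rsrc"])
    print(armadillo_indicators(suspect))
    print(armadillo_indicators(benign))
```

Each indicator is reported on its own so an analyst can see which one fired: as the thread notes, section names can be randomized and the zlib header can be modified, so only the linker-version marker is treated as strong on its own, and the verdict is a triage hint rather than proof. Running the module on a real file is just `armadillo_indicators(open(path, "rb").read())`.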