Skip to main content
ClaudeWave
Skill15.5k repo starsupdated 11d ago

analyzing-packed-malware-with-upx-unpacker

This Claude Code skill provides methods for identifying and unpacking UPX-compressed and other packed malware samples to enable static analysis. Use it when static analysis reveals high entropy sections with minimal imports, packer identification tools detect UPX or known packers, or automated decompression fails due to modified headers. The workflow includes packer detection via Detect It Easy and entropy analysis, standard UPX unpacking with header repair, and manual debugging techniques for modified samples.

View sourceRepository: Anthropic-Cybersecurity-Skills
Install in Claude Code
Copy
git clone --depth 1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills /tmp/analyzing-packed-malware-with-upx-unpacker && cp -r /tmp/analyzing-packed-malware-with-upx-unpacker/skills/analyzing-packed-malware-with-upx-unpacker ~/.claude/skills/analyzing-packed-malware-with-upx-unpacker
Then start a new Claude Code session; the skill loads automatically.
Definition

SKILL.md

# Analyzing Packed Malware with UPX Unpacker

## When to Use

- Static analysis reveals high entropy sections and minimal imports indicating the binary is packed
- PEiD, Detect It Easy, or PEStudio identifies UPX or another known packer
- The import table contains only LoadLibrary and GetProcAddress (runtime import resolution typical of packed binaries)
- You need to recover the original binary for proper disassembly and decompilation in Ghidra or IDA
- Automated UPX decompression fails because the malware author modified UPX magic bytes or headers

**Do not use** when dealing with custom packers, VM-based protectors (Themida, VMProtect), or samples where dynamic unpacking via debugging is more appropriate.

## Prerequisites

- UPX (Ultimate Packer for eXecutables) installed (`apt install upx-ucl` or download from https://upx.github.io/)
- Detect It Easy (DIE) for packer identification
- Python 3.8+ with `pefile` library for manual header repair
- x64dbg or x32dbg for manual unpacking when automated tools fail
- PE-bear or CFF Explorer for PE header inspection and repair
- Isolated analysis VM without network connectivity

## Workflow

### Step 1: Identify the Packer

Determine if the sample is packed and identify the packer:

```bash
# Check with Detect It Easy
diec suspect.exe

# Check with UPX (test without unpacking)
upx -t suspect.exe

# Python-based entropy and packer detection
python3 << 'PYEOF'
import pefile
import math

pe = pefile.PE("suspect.exe")

print("Section Analysis:")
for section in pe.sections:
    name = section.Name.decode().rstrip('\x00')
    entropy = section.get_entropy()
    raw = section.SizeOfRawData
    virtual = section.Misc_VirtualSize
    print(f"  {name:8s} Entropy: {entropy:.2f}  Raw: {raw:>8}  Virtual: {virtual:>8}")

# Check for UPX section names
section_names = [s.Name.decode().rstrip('\x00') for s in pe.sections]
if 'UPX0' in section_names or 'UPX1' in section_names:
    print("\n[!] UPX section names detected")
elif '.upx' in [s.lower() for s in section_names]:
    print("\n[!] UPX variant section names detected")

# Check import count (packed binaries have very few)
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    total_imports = sum(len(e.imports) for e in pe.DIRECTORY_ENTRY_IMPORT)
    print(f"\nTotal imports: {total_imports}")
    if total_imports < 10:
        print("[!] Very few imports - likely packed")
else:
    print("\n[!] No import directory - heavily packed")
PYEOF
```

### Step 2: Attempt Standard UPX Decompression

Try the built-in UPX decompression:

```bash
# Standard UPX decompress
upx -d suspect.exe -o unpacked.exe

# If UPX fails with "not packed by UPX" error, the headers may be modified
# Verbose output for debugging
upx -d suspect.exe -o unpacked.exe -v 2>&1

# Verify the unpacked file
file unpacked.exe
diec unpacked.exe
```

### Step 3: Repair Modified UPX Headers

If standard decompression fails, repair tampered magic bytes:

```python
# Repair modified UPX headers
import struct

with open("suspect.exe", "rb") as f:
    data = bytearray(f.read())

# UPX magic bytes: "UPX!" (0x55505821)
# Malware authors commonly modify these to prevent automatic unpacking

# Search for modified UPX signatures
upx_magic = b"UPX!"
modified_patterns = [b"UPX0", b"UPX\x00", b"\x00PX!", b"UPx!"]

# Find and restore section names
pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
num_sections = struct.unpack_from("<H", data, pe_offset + 6)[0]
section_table_offset = pe_offset + 0x18 + struct.unpack_from("<H", data, pe_offset + 0x14)[0]

print(f"PE offset: 0x{pe_offset:X}")
print(f"Number of sections: {num_sections}")
print(f"Section table offset: 0x{section_table_offset:X}")

for i in range(num_sections):
    offset = section_table_offset + (i * 40)
    name = data[offset:offset+8]
    print(f"Section {i}: {name}")

# Restore UPX magic bytes in the binary
# Search for the UPX header signature location (typically near the end of packed data)
for i in range(len(data) - 4):
    if data[i:i+3] == b"UPX" and data[i+3] != ord("!"):
        print(f"Found modified UPX magic at offset 0x{i:X}: {data[i:i+4]}")
        data[i:i+4] = b"UPX!"
        print(f"Restored to: UPX!")

# Also restore section names if modified
for i in range(num_sections):
    offset = section_table_offset + (i * 40)
    name = data[offset:offset+8].rstrip(b'\x00')
    if name in [b"UPX0", b"UPX1", b"UPX2"]:
        continue  # Already correct
    # Check for common modifications
    if name.startswith(b"UP") or name.startswith(b"ux"):
        original = f"UPX{i}".encode().ljust(8, b'\x00')
        data[offset:offset+8] = original
        print(f"Restored section name at 0x{offset:X} to {original}")

with open("suspect_fixed.exe", "wb") as f:
    f.write(data)

print("\nFixed file written. Retry: upx -d suspect_fixed.exe -o unpacked.exe")
```

### Step 4: Manual Unpacking with Debugger

When automated unpacking fails entirely, use dynamic unpacking:

```
Manual UPX Unpacking with x64dbg:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Load packed sample in x64dbg
2. Run to the entry point (system breakpoint then F9)
3. UPX unpacking stub pattern:
   a. PUSHAD (saves all registers)
   b. Decompression loop (processes packed sections)
   c. Resolves imports (LoadLibrary/GetProcAddress calls)
   d. POPAD (restores registers)
   e. JMP to OEP (original entry point)
4. Set hardware breakpoint on ESP after PUSHAD:
   - After PUSHAD, right-click ESP in registers -> Follow in Dump
   - Set hardware breakpoint on access at [ESP] address
   - Run (F9) - breaks at POPAD before JMP to OEP
5. Step forward (F7/F8) until you reach the JMP to OEP
6. At OEP: Use Scylla plugin to dump and fix imports:
   - Plugins -> Scylla -> OEP = current EIP
   - Click "IAT Autosearch" -> "Get Imports"
   - Click "Dump" to save unpacked binary
   - Click "Fix Dump" to repair import table
```

### Step 5: Validate Unpacked Binary

Verify the unpacked sample is valid and complete:

```bash
# Verify unpacked PE is valid
python3 << 'P
More from this repository
Improve existing skillSkill
Add new skillSkill
acquiring-disk-image-with-dd-and-dcflddSkill

Create forensically sound bit-for-bit disk images using dd and dcfldd

analyzing-active-directory-acl-abuseSkill

Detect dangerous ACL misconfigurations in Active Directory using ldap3

analyzing-android-malware-with-apktoolSkill

Perform static analysis of Android APK malware samples using apktool

analyzing-api-gateway-access-logsSkill

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect

analyzing-apt-group-with-mitre-navigatorSkill

Analyze advanced persistent threat (APT) group techniques using MITRE

analyzing-azure-activity-logs-for-threatsSkill

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query