[cracked]: Malware Pack

Packing originated in the 1990s for benign purposes: reducing file size (e.g., UPX, ASPack) and protecting intellectual property (e.g., Themida, Enigma Protector). Attackers quickly realized the security implications: packing a known malware sample changes its hash and structural signatures, causing signature-based AV to miss it.

By the mid-2000s, malware authors had adopted polymorphic packers (which change stub behavior or encryption keys per sample). Today, packers are an essential component of almost every modern malware family, from ransomware to loaders.

| Technique | Purpose |
|-----------|---------|
| Anti-debugging | IsDebuggerPresent, NtQueryInformationProcess, int 2d, timing checks |
| Anti-VM | Check for VMware/VirtualBox registry keys, MAC OUI, hardware strings, RDTSC timing |
| API hashing | Store hashes of API names (e.g., ROR13) instead of plain strings to avoid detection |
| Junk/polymorphic code | Insert NOPs, bogus jumps, or reorder instructions to evade signatures |
| Dynamic imports | Resolve the IAT at runtime, leaving no static import table |
| Entry point obfuscation | Obfuscate the OEP location (e.g., hidden inside exceptions or TLS callbacks) |
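The API hashing row in the table above is the one an analyst meets first when a packed stub resolves imports by constant instead of by name. The following is an added example (not code from the page or from any packer) of the defender-side counterpart: precompute the hash of every export name you care about and map the constants seen in a stub back to names. It assumes the Skape-style variant (rotate-right-13 over the ASCII bytes of the function name); the export list and the "constants seen in a stub" are constructed for the example.

```python
"""Resolve ROR13 API-name hashes found in a packer stub back to API names.

Assumption: the stub uses rotate-right-13 over the ASCII bytes of the name.
Real samples vary (null terminator included or not, module name folded in,
other rotate counts), so the variant must be confirmed in the stub's
disassembly before trusting the table.
"""
MASK = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK


def ror13_hash(name: str, with_null: bool = False) -> int:
    """h = ror(h, 13) + byte, for each byte of the name (optionally + NUL)."""
    data = name.encode("ascii") + (b"\x00" if with_null else b"")
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK
    return h


def build_table(api_names, with_null: bool = False) -> dict:
    """Precompute hash -> name for every export name of interest."""
    return {ror13_hash(n, with_null): n for n in api_names}


def resolve(hashes, table: dict) -> dict:
    """Map constants pulled from a stub to names; unknown ones stay as hex."""
    return {h: table.get(h, f"unknown:{h:#010x}") for h in hashes}


# Constructed stand-in for an export list (normally parsed from the real DLL).
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "VirtualProtect", "ExitProcess", "CreateThread"]

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Constructed "constants from a stub": two real hashes plus one unknown.
    seen = [ror13_hash("VirtualAlloc"), ror13_hash("GetProcAddress"), 0xDEADBEEF]
    for h, n in resolve(seen, table).items():
        print(f"{h:#010x} -> {n}")
```

An unresolved constant usually means a different hash variant or a module not yet in the export list, not a missing API.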


Malware packers are a practical embodiment of the asymmetry between attackers and defenders. While packing does not remove malicious behavior, it raises the bar for detection and forces defenders to adopt dynamic, behavior-centric approaches. As packers evolve with anti-emulation and virtualization, the arms race continues, pushing malware analysis deeper into the realms of emulation, symbolic execution, and machine learning-based unpacking.