https://github.com/alon-alush/alushpacker

Powerful PE executable packer for Windows - supports x86/64, compression, encryption, and much more
# AlushPacker: Executable file packer for Windows

# Introduction

*AlushPacker* is a reflective PE packer that enables in-memory execution of native `.exe` files. The packed file can hinder static analysis and reverse engineering with tools like IDA Pro or Ghidra.

# Demo

![Running the packed file](https://github.com/user-attachments/assets/40ce8bab-492e-4a7d-b8c2-3f8529ff5a50)

# How it works

The [builder](https://github.com/Alon-Alush/AlushPacker/blob/main/src/Builder/builder.c) adds a new `.packed` section that stores the packed version of the original executable: the input is first compressed with the [LZAV](https://github.com/Alon-Alush/AlushPacker/blob/main/src/Builder/lzav.h) compression library, then encrypted with a [custom implementation](https://github.com/Alon-Alush/AlushPacker/blob/main/src/Builder/encrypt.h) of the [XTEA](https://en.wikipedia.org/wiki/XTEA) (eXtended Tiny Encryption Algorithm) block cipher.

(Screenshot: the `.packed` section as shown in CFF Explorer)

At runtime, the [reflective loader](https://github.com/Alon-Alush/AlushPacker/blob/main/src/Packer/loader.c) locates the base address of this section (which is embedded in the loader's own image), decrypts and decompresses its contents, and manually loads the executable entirely from memory, with no disk I/O and no help from the Windows loader.

# Showcase

### Encrypted data (IDA Pro)

In the packed version, the original executable's data is stored in its packed (compressed and encrypted) form, so disassemblers like IDA cannot extract any meaningful interpretation from it.

### Detect-It-Easy analysis

*Detect-It-Easy* detects that our executable is packed because of the high entropy of the `.packed` section. This detection can be avoided by placing the packed data inside `payload.h` instead of writing it to a separate section: compile from source, set the `DEBUG_STUB` macro, and put the packed data inside `payload.h`. Since this requires a more "hacky" approach, the default build keeps the process straightforward and places the packed data in a separate section.
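The two passages above describe the detection surface the packed file presents: a dedicated `.packed` section whose contents are compressed and encrypted, and therefore have an entropy far above that of ordinary code or data. The following is an added example (not part of the AlushPacker project) of the check Detect-It-Easy performs: it walks a PE section table by hand, computes the Shannon entropy of each section's raw data, and flags sections that are high-entropy, carry a known packer section name, or are both writable and executable. The sample image is constructed in memory with only the header fields the parser reads; the `.packed` name comes from this README, while the UPX names and the 7.0 bits/byte threshold are conventional assumptions.

```python
import hashlib
import math
import struct

# Heuristic threshold in bits per byte (maximum is 8.0): compressed or encrypted
# data normally lands above it, plain code and text well below (assumed value).
HIGH_ENTROPY = 7.0
# Section names packers are known to leave behind (assumed list; ".packed" is
# the name this README documents, the UPX names are conventional).
SUSPICIOUS_NAMES = {".packed", "upx0", "upx1", "upx2"}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk the PE section table; returns (name, raw_offset, raw_size, characteristics)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, num_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes
        (name, _vsize, _va, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size, chars))
    return sections


def scan(image: bytes):
    """Per-section entropy report with the indicators a triage analyst looks at first."""
    report = []
    for name, raw_ptr, raw_size, chars in parse_sections(image):
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        flags = []
        if ent >= HIGH_ENTROPY:
            flags.append("high-entropy")
        if name.lower() in SUSPICIOUS_NAMES:
            flags.append("packer-section-name")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("writable+executable")
        report.append({"name": name, "raw_size": raw_size, "entropy": round(ent, 2), "flags": flags})
    return report


def looks_packed(report) -> bool:
    return any("high-entropy" in r["flags"] or "packer-section-name" in r["flags"] for r in report)


# --- constructed sample input (not a real binary) ---------------------------

def _pseudo_random(n: int, seed: bytes = b"entropy-demo") -> bytes:
    """Deterministic stand-in for compressed+encrypted payload bytes."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(sections) -> bytes:
    """Minimal MZ/PE image from [(name, payload, characteristics)]; only the fields
    parse_sections() reads are filled in, so the result is not loadable."""
    e_lfanew, headers_size = 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table, blobs, raw_ptr = b"", b"", headers_size
    for name, payload, chars in sections:
        raw_size = (len(payload) + 0x1FF) & ~0x1FF  # 0x200 file alignment
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload),
                             raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + table).ljust(headers_size, b"\0") + blobs


TEXT_LIKE = (b"This program cannot be run in DOS mode.\r\n" * 100)[:0x1000]   # low entropy
PACKED_LIKE = _pseudo_random(0x1000)                                           # high entropy


def demo_report():
    image = build_sample_pe([(".text", TEXT_LIKE, 0x60000020), (".packed", PACKED_LIKE, 0xC0000040)])
    return scan(image)


if __name__ == "__main__":
    for row in demo_report():
        print(row)
    print("packed?", looks_packed(demo_report()))
```

To run it over a real file, pass `open(path, "rb").read()` to `scan()`. The entropy signal is exactly what the README says Detect-It-Easy keys on, and it survives the `payload.h` variant too: the ciphertext still has to live somewhere in the image, so a per-section scan of the stub will show one section with a large high-entropy blob even when no `.packed` name is present.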

# Installation and usage

The packer can be downloaded here: [latest release binaries](https://github.com/Alon-Alush/AlushPacker/releases/tag/v1.0.0).

## Usage

To pack a program, you must specify its *input path*. Optionally, you can specify the output path, although this is not strictly required.

Example usage:

```
packer
```

**Full usage**:
```
> packer.exe
Usage:
C:\Users\tamar\Downloads\packed_files\Builder.exe [OPTIONS]
Options:
-l Protect the packed file with a password. Example: -l mypassword

Example usage: packer.exe
C:\Users\tamar\Downloads\packed_files>
```

**Visual Demo**:

![AlushPacker command line demonstration](https://github.com/user-attachments/assets/12f55d88-19a3-4982-86ab-1923825a539a)

# Features

* x64 and x86 support
* Native console, GUI, and legacy EXE support
* File compression, encryption
* Payload locking (if packed with the `-l` option, the output file requests a password before executing)

# Technical features

* Manual mapping of section headers
* Custom WinAPI / loader function implementations (e.g. `myGetProcAddress`, `myGetModuleHandle`)
* Import resolution (normal and delay-loaded), by name and by ordinal
* Fast export directory traversal using binary search; [forwarded exports](https://devblogs.microsoft.com/oldnewthing/20060719-24/?p=30473) are resolved by recursive parsing logic in `LdrpResolveProcedureAddress`
* Relocations (in case PE image is not loaded at base address)
* [Structured Exception Handling (SEH)](https://learn.microsoft.com/en-us/cpp/cpp/structured-exception-handling-c-cpp?view=msvc-170), registering function table in `.pdata`
* [Thread Local Storage](https://learn.microsoft.com/en-us/windows/win32/procthread/thread-local-storage) (TLS callbacks) support
* Appropriate section memory protection (with `VirtualProtect`)
* Finally, PEB patching (e.g. `PPEB->pPeb->ImageBaseAddress = (PVOID)ntHeaders->OptionalHeader.ImageBase`)

# Contributing

Contributions to the project are welcome!

You can improve parts of the code, report bugs, or suggest features you think would be cool to add. I will review your suggestions and approve them if they move the project towards a better place :)