A forum for reverse engineering, OS internals and malware analysis 

PE32+ packers (x64 Windows)

Forum for announcements and questions about tools and software.

PE32+ packers (x64 Windows)

 #5251  by EP_X0FF
 Tue Mar 01, 2011 6:32 pm
Hello,

is there any available freeware packers for x64 Windows?

As you might know TDL4 uses MPRESS for it's C&C user mode library - cmd64.dll

Quick googling didn't revealed anything else, except Vmpotect which is out of my interest.

If you know something else, please post here.

Regards.

edit:

Armadillo x64 obtained :)

Re: PE32+ packers (x64 Windows)

 #5339  by EP_X0FF
 Sun Mar 06, 2011 7:45 am
IAPR64 Free does not working. Free version cannot pack any file, just throwing idiotic message "Unregistered".
Pro version simple not work without activation key.

PESpin x64 sucks with it two-processes :)

Re: PE32+ packers (x64 Windows)

 #5340  by ArkKup
 Sun Mar 06, 2011 9:57 am
had the same problem with IAPR64 :evil:
EP_X0FF wrote:PESpin x64 sucks with it two-processes :)
why does it suck ? looks pretty cool to me ;)

Re: PE32+ packers (x64 Windows)

 #5341  by EP_X0FF
 Sun Mar 06, 2011 10:05 am
Because it firstly strange to see two processes (packed and unpacked) in processes list. And secondary such behavior remembers classical malware cryptors :)

Re: PE32+ packers (x64 Windows)

 #5342  by ArkKup
 Sun Mar 06, 2011 11:09 am
strange or not but I guess the goal was to prevent attaching debugger to unpacked process. I saw this trick first time few years ago in Armadillo x86, but with Softice
it was not a problem to break into the unpacked process. Now there is only windbg and all exceptions are going firstly through user mode debugger (parent process), so its not so easy to overcome this type of protection. well, from AV point of view, use of any packing equals "its malware", but some people just want to protect there non malicious code against patching and disassembling.

Re: PE32+ packers (x64 Windows)

 #5344  by EP_X0FF
 Sun Mar 06, 2011 12:46 pm
Brookit wrote:eXPressor

"support for packing (not protecting) PE+ (64bit files); exe, dll, tls support; not yet .net;"
Thanks.
Well, it locks my Windows 7 x64 at startup. Hard reset the only way. Will try later in some virtual environment.

edit:
ok, worked fine in vm.
Last edited by EP_X0FF on Sun Mar 06, 2011 1:40 pm, edited 1 time in total. Reason: edit

Re: PE32+ packers (x64 Windows)

 #5348  by GamingMasteR
 Sun Mar 06, 2011 4:38 pm
EP_X0FF wrote: Well, it locks my Windows 7 x64 at startup. Hard reset the only way. Will try later in some virtual environment.
This happens when booting windows with "/debug" switch turned on only ?
 Return to “Tools/Software”