src/conf/packers.yml

# check out https://forum.tuts4you.com/files/file/1314-tuts-4-you-unpackme-collection-2016 for more packers
defaults:
  status: info


ACProtect:
  categories:
    - cryptor
    - protector
  description: ACProtect is an application that allows you to protect Windows executable files against piracy,using public keys encryption algorithms (RSA) to create and verify the registration keys and unlock some RSA key locked code,it has embedded cryptor against dump and unpacker.it also has many anti debug tricks. And you can use it to create evaluation and trial application versions. with specialized API system, mutual communication between loader and application is also can be achieved.
  formats:
    - PE32
  source: https://www.yaldex.com/Bestsoft/Utilities/acprotect.htm
  status: commercial

Aegis:
  description: #TODO
  formats:
    - PE
  references:
    - https://www.youtube.com/watch?v=uxlpRof1QWs

AinEXE:
  categories:
    - compressor
  description: DOS executable packer (part of the AIN Archiver suite).
  formats:
    - PE32
  source: https://defacto2.net/f/a520164?filename=packers.zip

Alienyze:
  categories:
    - compressor
    - cryptor
    - protector
  description: Alienyze is a software packer designed to do just that while offering the additional benefit of helping software developers to also compress the executable files, allowing them to reduce the file size of their software as much as possible.
  formats:
    - PE32
  source: https://alienyze.com/
  status: commercial

Alternate_EXE_Packer:
  categories:
    - compressor
  comment: Relies on UPX 3.96.
  description: This program is able to compress executable files (type EXE) or DLL-files. Already compressed files may also be decompressed with this program. There exist 12 different levels for file-compression. This program is also able to create backups of the files that shall be compressed.
  formats:
    - PE
  references:
    - https://www.alternate-tools.com/pages/c_exepacker.php
  source: https://www.alternate-tools.com/files/EXEPacker.exe
  status: useless

Amber:
  description: Amber is a position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation SGN encoder. Amber uses CRC32_API and IAT_API for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  formats:
    - PE
  install:
    - wget: <<source>>:latest{linux_amd64}
    - unzip: $OPT/amber
    - ln: amber
  references:
    - https://pentest.blog/introducing-new-packing-method-first-reflective-pe-packer
    - https://securityonline.info/amber-reflective-pe-packer
  source: https://github.com/EgeBalci/amber
  status: ok
  steps:
    - amber -build -f {{executable}}
    - mv -f {{executable.stem}}_packed{{executable.extension}} {{executable}}

Andromeda:
  description: Andromeda uses various PE packers of different quality to avoid AV detections. Some packers also contain other anti-vm/emul/debug tricks. We’ve seen a packer very similar to Zbot (based on its source code), obfuscated Visual Basic and .NET binaries and even a few custom packers reminiscent of Dridex included in the Andromeda variant.
  formats:
    - PE
  references:
    - https://blog.avast.com/andromeda-under-the-microscope
    - https://blog.morphisec.com/andromeda-tactics-analyzed
  source: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/andromeda

APack:
  categories:
    - compressor
  description: 16-bit DOS executable compressor. aPACK compresses the file while keeping it executable. aPACK uses advanced compression heuristics and tricks to achieve the best compression ratio.
  formats:
    - MSDOS
  install:
    - wget: https://www.ibsensoftware.com/files/apack-1.00.zip
    - unzip: $OPT/apack
    - wine: apackw.exe
  source: https://www.ibsensoftware.com/download.html
  status: broken
  steps:
    - cp -f {{executable}} /root/.wine32/drive_c/users/root/Temp/
    - apack "c:\\users\\root\\Temp\\{{executable.filename}}"
    - mv -f /root/.wine32/drive_c/users/root/Temp/{{executable.filename}} {{executable}}

Armadillo:
  categories:
    - compressor
    - protector
  description: Incorporates both a license manager and wrapper system for protecting PE files.
  formats:
    - PE32
    - PE64
  source: https://web.archive.org/web/20030324043555/https://www.exetools.com/files/protectors/win/armd252b2.zip

ASPack:
  categories:
    - compressor
    - protector
  comment: Cannot run inside a virtualized environment unless cracked.
  description: ASPack is an advanced solution created to provide Win32 EXE file packing and to protect them against non-professional reverse engineering.
  formats:
    - PE32
  references:
    - https://github.com/fireeye/capa-rules/blob/master/anti-analysis/packer/aspack/packed-with-aspack.yml
  related:
    - https://attack.mitre.org/techniques/T1027/002
  source: http://www.aspack.com/aspack.html
  status: broken

ASProtect:
  description: Multifunctional EXE packing tool designed for software developers to protect 32-bit applications with in-built application copy protection system.
  formats:
    - PE32
  source: http://www.aspack.com/asprotect32.html
  status: commercial
  variants:
    ASProtect64:
      description: Designed for professional protection against unauthorized use, industrial and home copying, professional hacking and analysis of software products distributed over the Internet and on any physical media. The distinctive feature of the product is support of only 64-bit applications and .NET applications for Windows.
      formats:
        - .NET
        - PE64
      source: http://www.aspack.com/asprotect64.html

AtomPePacker:
  categories:
    - compressor
    - protector
  comment: The target executable becomes not runnable when packed.
  description: A highly capable PE32+ packer using LZMA compression and protection tricks.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  formats:
    - PE64
  install:
    - wget: <<source>>:latest{Release.zip}
    - unzip: $OPT/atompepacker infected
    - lwine64: PePacker.exe
  source: https://github.com/ORCx41/AtomPePacker
  steps:
    - atompepacker {{executable}}
    - mv -f $OPT/atompepacker/PP64Stub.exe {{executable}}
  status: ok

AxProtector:
  categories:
    - cryptor
    - protector
  description: AxProtector is the ideal solution to save time and effort when it comes to integrating protection in your software. With AxProtector you can protect your software against piracy and reverse engineering in a fully automated fashion.
  formats:
    - PE
  source: https://www.wibu.com/us/products/protection-suite/axprotector.html
  status: commercial

BeRo:
  aliases:
    - BeRoEXE
    - BeRoEXEPackerV?
  categories:
    - compressor
  description: BeRoEXEPacker, or short BEP, is a executable packer for 32-bit windows executables that can compress win32 EXEs and DLLs and offers LZBRS, LZBRR, LZBRA, LZMA, LZBRCM and CTX1 compression.
  formats:
    - PE32
  install:
    - copy: bep.exe $OPT/bero/beroexepacker.exe
    - wine: beroexepacker.exe
  source: https://blog.rosseaux.net/page/875fbe6549aa072b5ee0ac9cefff4827/BeRoEXEPacker

BurnEye:
  categories:
    - cryptor
  description: Burneye is an executable encryption program, which is suited to protect ELF binaries on the Intel x86 Linux operating system. It supports a variety of options to wrap an arbitrary executable with multiple encryption layers.
  formats:
    - ELF32
  references:
    - https://docplayer.net/86668430-Modern-linux-malware-exposed.html
    - https://github.com/packz/binary-encryption/tree/master/binary-encryption/burneye-stripped
    - https://packetstormsecurity.com/files/29691/burneye-1.0-linux-static.tar.gz.html
    - https://packetstormsecurity.com/files/30648/burneye-1.0.1-src.tar.bz2.html
  source: https://dl.packetstormsecurity.net/groups/teso/burneye-1.0.1-src.tar.bz2
  status: broken

BZEXE:
  categories:
    - compressor
  comment: (FIXME) This utility converts ELF's to a POSIX shell script executable embedding the compressed binary data. This is unsuitable at the moment as it breaks the rule of packing an executable of a given format to a new executable of the same format.
  description: The bzexe utility allows you to compress executables in place and have them automatically uncompress and execute when you run them (at a penalty in performance).
  formats:
    - ELF
  install:
    - apt: bzip2
  references:
    - https://www.commandlinux.com/man-page/man1/bzexe.1.html
    - https://www.unix.com/man-page/linux/1/bzexe
  silent:
    - "{{executable}}"
  source: http://www.bzip.org
  status: ok
  steps:
    - bzexe {{executable}}
    - rm -f {{executable}}~

CCG_Packer:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names

Conficker:
  description: Worm targeting Microsoft Windows operations systems propagated as a DLL packed using UPX.
  formats:
    - PE
  references:
    - https://github.com/MBCProject/mbc-markdown/blob/main/xample-malware/conficker.md

ConfuserEx:
  categories:
    - protector
  description: ConfuserEx is a open-source protector for .NET applications. It is the successor of Confuser project.
  formats:
    - .NET
  install:
    - wget: <<source>>:latest{ConfuserEx-CLI}
    - unzip: $OPT/confuserex
    - mono: Confuser.CLI.exe
  references:
    - https://github.com/yck1509/ConfuserEx
    - https://opencollective.com/confuserex
  related:
    - https://attack.mitre.org/techniques/T1027/002
    - https://attack.mitre.org/software/S0628
  source: https://github.com/mkaring/ConfuserEx

Crinkler:
  categories:
    - compressor
  comment: This tool is used for working with Visual Studio projects.
  description: Crinkler is an executable file compressor (or rather, a compressing linker) for Windows for compressing small demoscene executables. As of 2020, it is the most widely used tool for compressing 1k/4k/8k intros.
  formats:
    - PE
  source: https://github.com/runestubbe/Crinkler

Crunch:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names

DarkComet:
  description: RAT that allows a user to control the system via a GUI ; it features packing payloads with UPX or MPRESS.
  formats:
    - PE
  references:
    - https://github.com/MBCProject/mbc-markdown/blob/main/xample-malware/dark-comet.md

DotNetZ:
  categories:
    - bundler
    - compressor
  description: .NETZ is a straightforward and lightweight, command-line piece of software written in C that allows you to compress and pack Microsoft .NET Framework executable files to ensure they consume as little space on your computer's hard drive as possible.
  formats:
    - .NET
  install:
    - unzip: $OPT
    - wine: netz-bin/netz.exe
  references:
    - https://mindlocksite.wordpress.com/2017/01/19/analyse-netz-packer/
    - https://mindlocksite.wordpress.com/2017/01/22/netz-packer-unpack-avec-windbg/
    - https://ltops9.wordpress.com/2012/12/02/191/
  source: https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/NETZ.shtml

Dragon_Armor:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names

ELF-Cryptor:
  description: Simple Polymorphic x86_64 Runtime Code Segment Cryptor.
  formats:
    - ELF
  install:
    - copy: elf_cryptor.py elf-cryptor
    - pip: pwn --no-deps
  source: https://github.com/glen-mac/ELF-Packer
  status: ok

ELF-Packer:
  description: Encrypts 64-bit ELF files that decrypt at runtime.
  formats:
    - ELF64
  install:
    - git: <<source>>
    - make: packer
    - copy: packer elf-packer
  silent:
    - /usr/bin/ld
  source: https://github.com/telepath9000/elf-packer
  status: broken

ELFuck:
  categories:
    - compressor
    - protector
  description: ELF packer for i386 original version from sk2 by sd.
  formats:
    - ELF32
  references:
    - https://docplayer.net/86668430-Modern-linux-malware-exposed.html
  source: https://github.com/timhsutw/elfuck
  status: broken

EXE32Pack:
  categories:
    - compressor
  description: Compresses Win32 EXEs, DLLs, etc and dynamically expands them upon execution.
  formats:
    - PE32
  install:
    - wget: http://www.magicnotes.com/steelbytes/exe32pack.zip
    - unzip: $OPT/exe32pack
    - chmod: exe32pack.exe
    - wine: exe32pack.exe
  source: https://exe32pack.apponic.com

EXE_Bundle:
  categories:
    - bundler
    - compressor
    - protector
  comment: Trial version.
  description: EXEBundle acts as one source for a file joiner (exe binder), protector and compressor, thus making the tasks of its application users easy and highly effective.
  formats:
    - PE
  references:
    - https://www.webtoolmaster.com/index.htm#ExeBundle
    - https://www.softpedia.com/get/Security/Security-Related/EXE-Stealth-Packer.shtml
  source: https://www.webtoolmaster.com/download/EBundle.exe
  status: commercial

EXE_Stealth:
  categories:
    - protector
  comment: Trial version ; does not allow to protect executables.
  description: EXE Stealth can protect most of the executable files that are compatible with PE format. However, not every executable file is compatible with EXEStealth and other PE protectors. A problem can enter the compiler or if it uses a loader with data submitted after the loader.
  formats:
    - PE
  install:
    - copy: exestealth.exe $OPT/exestealth/exestealth.exe
    - wine: exestealth.exe
  references:
    - https://www.webtoolmaster.com/index.htm#ExeStealth
    - http://www.webtoolmaster.com/exestealth-tutorial.htm
  source: https://www.webtoolmaster.com/download/ExeStealth.exe
  status: commercial

ElecKey:
  categories:
    - protector
  description: ElecKey offers the copy protection technology against software piracy, illegal use, and reverse engineering. So you can assure that your software distribution is always secure. ElecKey supports a variety of software licensing methods. You can choose from node-locked, USB dongle, network licenses, as well as different combinations.
  formats:
    - PE
    - Mach-O
  source: https://www.sciensoft.com/products/eleckey
  status: commercial

Emotet:
  description: Banking Trojan using custom packers which first decrypt the loaders, and then the loaders decrypt and load Emotet's main payloads.
  formats:
    - PE
  references:
    - https://github.com/MBCProject/mbc-markdown/blob/main/xample-malware/emotet.md

Enigma_Protector:
  categories:
    - protector
  description: A professional system for licensing and protecting executable files for Windows. The Enigma Protector is an essential tool for every developer of commercial software and shareware for Windows.
  formats:
    - PE32
    - PE64
  related:
    - https://attack.mitre.org/techniques/T1027/002
  source: https://www.enigmaprotector.com/
  status: commercial

Enigma_Virtual_Box:
  aliases:
    - (?i)Enigma Protector
  categories:
    - bundler
    - virtualizer
  description: Application virtualization system for Windows. Enigma Virtual Box enables application files and registry to be consolidated in a single executable file, without loss of efficiency and without virtualized files having to be extracted to the HDD. Enigma Virtual Box is a free application that supports both x86 and x64 binaries.
  formats:
    - PE32
    - PE64
  references:
    - https://github.com/dhondta/dataset-packed-pe/wiki/Automate-packing-with-Enigma-Virtual-Box
  source: https://www.enigmaprotector.com/en/aboutvb.html

Eronana_Packer:
  categories:
    - compressor
  comment: This relies on a compression library (see Ref) using LZ77 and Huffman.
  description: This is a packer for exe under win32. You can use it to pack any 32-bit exe file.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  formats:
    - PE32
  install:
    - wget: <<source>>/releases/download/packer/packer.zip
    - unzip: $OPT/eronana-packer
    - wine: packer.exe
  references:
    - https://github.com/Eronana/compressor/tree/d6f5d893d8296823bb265830f8f451e5cd43b285
  silent:
    - __telemetry_main_return_trigger
  source: https://github.com/Eronana/packer
  status: ok
  steps:
    - eronana-packer {{executable}}
    - mv -f {{executable.stem}}.packed{{executable.extension}} {{executable}}

eXPressor:
  categories:
    - compressor
    - protector
  description: Used as a compressor this tool can compress EXE files to half their normal size. Once compressed, the files execute just like normal. As a protector It is designed to protect applications against crackers ; also can help developers in creation of uncrackable registration keys, and implementation of trial version for protected software.
  formats:
    - PE32
    - PE64
  install:
    - wget: <<source>>/zip/eXPressor.zip
    - unzip: $OPT/expressor
    - wine: packer.exe
  references:
    - https://github.com/chesvectain/PackingData
  source: http://www.cgsoftlabs.ro
  status: commercial

Ezuri:
  categories:
    - cryptor
  description: A Simple Linux ELF Runtime Crypter. An unpacker by f0wl can be found at f0wl/ezuri_unpack.
  formats:
    - ELF
  install:
    - wget: <<source>>/archive/master.zip
    - unzip: $OPT
    - go: github.com/guitmz/ezuri
    - lsh: ezuri
  references:
    - https://www.guitmz.com/linux-elf-runtime-crypter/
    - https://github.com/f0wl/ezuri_unpack
  related:
    - https://attack.mitre.org/techniques/T1027/002
    - https://attack.mitre.org/groups/G0139
  source: https://github.com/guitmz/ezuri
  status: ok

FSG:
  categories:
    - compressor
  description: FSG states for Fast Small Good and is a Windows executable packer.
  formats:
    - PE32
  gui:
    # be sure to focus on the input text box
    - click 110 215 (.5)
    # type the path to the target executable (C:)
    - type "$FILE" (.1)
    # click on "Open" (this starts packing)
    - click 380 210 (3)
  install:
    - copy: fsg.exe $OPT/fsg/fsg.exe
    - wine: fsg.exe
  references:
    - https://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/FSG
    - http://beatrix2004.free.fr/FSG.pdf
  source: https://in4k.github.io/wiki/exe-packers-tweakers-and-linkers
  status: broken

GoPacker:
  categories:
    - compressor
  description: UPX-like packer to shrink executables written in Go.
  formats:
    - PE
  install:
    - wget: <<source>>/archive/refs/heads/master.zip
    - unzip: $OPT
    - go: github.com/nirhaas/gopacker
    - lsh: gopacker
  source: https://github.com/nirhaas/gopacker

GZEXE:
  categories:
    - compressor
  comment: (FIXME) This utility converts ELF's to a POSIX shell script executable embedding the compressed binary data. This is unsuitable at the moment as it breaks the rule of packing an executable of a given format to a new executable of the same format.
  description: The gzexe utility allows you to compress executables in place and have them automatically uncompress and execute when you run them (at a penalty in performance). Note that the compressed executable is a shell script. This may create some security holes. In particular, the compressed executable relies on the PATH environment variable to find gzip and some standard utilities (basename, chmod, ln, mkdir, mktemp, rm, sleep, and tail).
  formats:
    - ELF
  install:
    - apt: gzip
  references:
    - https://linux.die.net/man/1/gzexe
    - https://www.gnu.org/software/gzip
    - https://savannah.gnu.org/projects/gzip
  silent:
    - "{{executable}}"
  source: https://git.savannah.gnu.org/cgit/gzip.git
  status: ok
  steps:
    - gzexe {{executable}}
    - rm -f {{executable}}~

Huan:
  categories:
    - cryptor
  description: Encrypted PE Loader Generator that I developed for learning PE file structure and PE loading processes. It encrypts the PE file to be run with different keys each time and embeds it in a new section of the loader binary.
  formats:
    - PE64
  references:
    - https://github.com/mandiant/capa-rules/blob/master/anti-analysis/packer/huan/packed-with-huan.yml
  source: https://github.com/frkngksl/Huan

hXOR-Packer:
  categories:
    - compressor
    - cryptor
  description: A PE (Portable Executable) packer with Huffman Compression and Xor encryption.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  failure:
    hash: 1cc82b2855df0c2fb3c30dffe9f02512aebd79d7df8b00ce69aa0790aa60297e
  formats:
    - PE
  install:
    - wget: <<source>>:latest{hXOR-Packer}
    - unzip: $OPT
    - chmod: packer.exe
    - lwine: packer.exe
  references:
    - https://github.com/rurararura/hXOR-Packer
  source: https://github.com/rurararura/hXOR-Packer
  status: ok
  steps:
    - hxor-packer {{executable}} {{executable}} -ce {{key[randint]}}
  variants:
    hXOR-Compressor:
      categories:
        - compressor
      description: A PE (Portable Executable) packer with Huffman Compression.
      steps:
        - hxor-packer {{executable}} {{executable}} -c
    hXOR-Crypter:
      categories:
        - cryptor
      description: A PE (Portable Executable) packer with Xor encryption.
      steps:
        - hxor-packer {{executable}} {{executable}} -e {{key[randint(0,16777215)]}}

JDPack:
  description: N/A
  formats:
    - PE32
  source: http://www.tlzj18.com

Kkrunchy:
  categories:
    - compressor
  description: Kkrunchy is a small exe packer primarily meant for 64k intros.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  formats:
    - PE32
  install:
    - wget: <<source>>/kkrunchy_023a2.zip
    - unzip: $OPT/kkrunchy
    - wine: kkrunchy_k7.exe
  references:
    - https://github.com/fireeye/capa-rules/blob/master/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml
  source: http://www.farbrausch.de/~fg/kkrunchy
  status: ok
  steps:
    - kkrunchy --good {{executable}} --out {{executable}}

Kovter:
  description: Trojan that performs click-fraud which comes packed by a crypter/FUD.
  formats:
    - PE
  references:
    - https://github.com/MBCProject/mbc-markdown/blob/main/xample-malware/kovter.md

Laturi:
  description: Laturi is a linker and compression front-end intended to be used for Mac OS X 1k, 4k (and perhaps 8K) intros.
  formats:
    - Mach-O
  source: http://laturi.haxor.fi
  status: info

LM-X_License_Manager:
  categories:
    - protector
  description: LM-X License Manager lets you protect your products against piracy by enforcing various levels of security, save time, and reduce business risks. When coupled with License Activation Center (LAC), LM-X provides a complete license management solution that greatly simplifies license creation and activation. With one of the widest ranges of platform and language support, LM-X License Manager allows ISVs to quickly and effortlessly reach new markets and customers, driving sales and increasing revenue.
  formats:
    - All
  source: https://www.x-formation.com/lm-x-license-manager/
  status: commercial

M0dern_P4cker:
  categories:
    - cryptor
  description: Just a modern packer for Elf binaries.
  exclude:
    - o
  formats:
    - ELF64
  install:
    - apt: libcapstone-dev
    - exec: rm -rf $OPT/m0dern_p4cker-e24a1d47dae1acb0cc3dc4d2fb42a61662bc210c $OPT/m0dern_p4cker
    - wget: <<source>>/archive/e24a1d47dae1acb0cc3dc4d2fb42a61662bc210c.zip
    - unzip: $OPT
    - cd: packer@git
    - make: main
    - lsh: $OPT/m0dern-p4cker/packer@git main
  source: https://github.com/n4sm/m0dern_p4cker
  status: ok
  steps:
    - m0dern-p4cker {{executable}} {{stub[not|xorp]}}

MaskPE:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names
    - https://github.com/mandiant/capa-rules/blob/65eae8a7d67af66a1a9f3a3bdc95cb347cc9b5e1/nursery/packed-with-maskpe.yml

MEW:
  categories:
    - compressor
  description: MEW is an EXE compression tool that was specifically designed to handle small files, but does a pretty good job when working with larger files too.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  formats:
    - PE32
  gui:
    # click on "..." to open a target executable
    - click 675 425 (.1)
    # type the path to the target executable (C:)
    - type "$FILE" (.1)
    # click on "Open" (this requires a bit of time to return to the main window)
    - click 700 450 (2)
    # click on "DO IT!"
    - click 550 520 (.5)
    # wait for the packing process to finish
    - export DST
    - timeout 60s bash -c 'while [ -f "${DST%/*}/temp" ]; do sleep .1; done'
  install:
    - unzip: $OPT/mew
    - wine: mew11.exe
  references:
    - https://webscene.ir/tools/show/Mew-packer-11-SE-1.2
  source: https://in4k.github.io/wiki/exe-packers-tweakers-and-linkers
  status: ok

MidgetPack:
  categories:
    - protector
  description: "Midgetpack is a binary packer for ELF binaries, such as burneye, upx or other tools. Its goal is to protect your assets (tools, exploits) when using them on untrusted systems (e.g on a monitored customer's system during a pentest). Midgetpack contains two modes of operation: password and curve25519 key exchange."
  exclude:
    ELF32:
      - o
      - so
  formats:
    - ELF
  install:
    - copy: midgetpack
  references:
    - https://docplayer.net/86668430-Modern-linux-malware-exposed.html
  source: https://github.com/arisada/midgetpack
  status: ok
  steps:
    - midgetpack -P {{password}} -o {{executable}} {{executable}}

MoleBox:
  categories:
    - virtualizer
  description: MoleBox Virtualization Solution (VS) creates a private and secure virtual environment for your software applications, isolating them from the underlying operating system and other software installed and running on the host device.
  formats:
    - PE
  source: https://www.molebox.com/
  status: commercial

Morphine:
  categories:
    - cryptor
  description: Morphine is very unique application for PE files encryption. Unlike other PE encryptors and compressors Morphine includes own PE loader which enables it to put whole source image to the .text section of new PE file. This one is very powerful because you can compress source file with your favourite compressor like UPX and then encrypt its output with Morphine. Another powerful thing here is polymorphic engine which always creates absolutely different decryptor for the new PE file.
  formats:
    - MSDOS
    - PE32
  source: https://github.com/bowlofstew/rootkit.com/tree/master/hf/Morphine27

MPRESS:
  categories:
    - compressor
  description: MPRESS is a free, high-performance executable packer for PE32/PE32+/.NET/MAC-DARWIN executable formats.
  exclude:
    PE:
      - ds
  formats:
    - .NET
    - PE
    - Mach-O
  install:
    - unzip: $OPT/mpress
    - wine: mpress.exe
  references:
    - https://www.autohotkey.com/mpress/mpress_web.htm
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/UnPackMe%%20Collection/dotNET/MPress%%200.71.rar
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/UnPackMe%%20Collection/PE32/MPress%%200.77.rar
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/UnPackMe%%20Collection/PE32/MPress%%201.27.rar
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/UnPackMe%%20Collection/PE32/MPress%%202.12.rar
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/UnPackMe%%20Collection/PE64/MPress%%201.07%%20x64.rar
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/UnPackMe%%20Collection/PE64/MPress%%202.12%%20x64.rar
  related:
    - https://attack.mitre.org/techniques/T1027/002
  silent:
    - Warning!
  source: https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MPRESS.shtml
  status: ok
  steps:
    - mpress {{executable}} {{compressed[|-r]}} {{lzmat[|-m]}}

Muncho:
  comment: (TODO) this is a Mac OS X executable ; requires Darling installed.
  description: Mac OS X executable packer.
  formats:
    - Mach-O
  install:
    - wget: ftp://ftp.untergrund.net/users/irokos/titan/titan-muncho-0.01b.zip
    - unzip: $OPT/muncho
  references:
    - https://www.pouet.net/prod.php?which=51324
  source: https://demozoo.org/productions/175774/

NeoLite:
  categories:
    - compressor
  description: NeoLite compresses Windows 32-bit .EXE files and DLLs. It compresses them in such a manner that they are still executed normally. No additional software is required to run the compressed software, it is completely transparent. There is no speed penalty incurred.
  formats:
    - PE32
  references:
    - http://www.neoworx.com
    - http://www.neoworx.com/download/NeoLte20.exe
  source: http://protools.narod.ru/packers.htm

NetCrypt:
  categories:
    - compressor
  description: A proof-of-concept packer for .NET executables, designed to provide a starting point to explain the basic principles of runtime packing.
  formats:
    - .NET
  install:
    - wget: <<source>>:latest{netcrypt}
    - unzip: $OPT/netcrypt
    - wine: SimplePacker.exe
  source: https://github.com/friedkiwi/netcrypt

NSPack:
  categories:
    - compressor
  description: NsPack is a wonderful tool which can compress 32bits and 64bits exe, dll, ocx, scr files. Application supports also windows programs as well as C#.net program.
  formats:
    - PE32
    - PE64
  source: https://webscene.ir/tools/show/NsPack-and-crack-3.7

Obsidium:
  categories:
    - protector
  description: Obsidium is a feature-rich professional software protection and licensing system that was designed as a cost effective and easy to implement, yet reliable and non-invasive way to protect your 32- and 64-bit Windows software applications and games from reverse engineering, unauthorized modifications ("cracking") and redistribution ("software piracy") while providing a secure and flexible licensing/registration system.
  formats:
    - PE32
    - PE64
  related:
    - https://attack.mitre.org/techniques/T1027/002
  source: https://www.obsidium.de
  status: commercial

Origami:
  categories:
    - compressor
    - cryptor
  description: Packer compressing .net assemblies, (ab)using the PE format for data storage. The assembly supplied to origami will be compressed and encrypted with a simple xor operation, the encrypted and compressed data (payload) will be inserted into a stub executable which will invoke its payload on runtime.
  formats:
    - .NET
  source: https://github.com/dr4k0nia/Origami

PackELF:
  comment: Simple script relying on PatchELF.
  categories:
    - bundler
  description: Packing Linux ELF program and its dependencies libraries into standalone executable.
  formats:
    - ELF
  source: https://github.com/yzfedora/packelf
  status: info

Packman:
  categories:
    - compressor
  description: Packman is a Windows EXE/DLL packer. It takes an existing EXE/DLL and compresses it into a form that runs exactly like the original, with detailed control over resource filtering, compression algorithm and packing process.
  formats:
    - PE32
  source: https://www.portablefreeware.com/?id=847

Pakkero:
  categories:
    - cryptor
    - protector
  comment: This relies on UPX and does not support running with UPX 4.01.
  description: Pakkero is a binary packer written in Go made for fun and educational purpose. Its main goal is to take in input a program file (elf binary, script, even appimage) and compress it, protect it from tampering and intrusion.
  formats:
    - ELF
  install:
    - wget: <<source>>/releases/download/0.7.0/pakkero_linux_amd64
    - copy: pakkero
  source: https://github.com/89luca89/pakkero
  status: broken
  steps:
    - pakkero --file {{executable}} -o {{executable}}
  variants:
    Pakkero-Compressed:
      categories:
        - compressor
        - cryptor
        - protector
      steps:
        - pakkero --file {{executable}} -o {{executable}} -c

Pakr:
  description: Pakr is an in-memory packer for macOS Mach-O bundles.
  formats:
    - Mach-O
  source: https://github.com/iangcarroll/pakr
  status: info

Papaw:
  categories:
    - compressor
    - protector
  description: Papaw is a permissively-licensed packer for executables which contain statically linked, third-party components of various licenses and run on various devices, with limited disk space. It reduces the size of executables and makes them capable of replacing themselves on disk, while optionally providing very basic anti-debugging protection to discourage those attempting some trivial reverse-engineering techniques.
  formats:
    - ELF
  source: https://github.com/dimkr/papaw

PatchELF:
  categories:
    - bundler
  description: A small utility to modify the dynamic linker and RPATH of ELF executables.
  formats:
    - ELF
  source: https://github.com/NixOS/patchelf
  status: info

PE-Packer:
  categories:
    - cryptor
  description: Simple packer for Windows 32-bits PE files. The new PE file after packing can obstruct the process of reverse engineering. It will transform the original import table, encrypt sections, clear section names and installing the shell-entry. When running a packed PE file, the shell-entry will decrypt and load the original program by decrypting sections, initializing the original import table and relocation.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  formats:
    - PE32
  install:
    - wget: <<source>>:41583213{beta-win}
    - unzip: $OPT/pepacker
    - wine: PE-Packer.exe
  references:
    - https://zenodo.org/record/4698355
  source: https://github.com/czs108/PE-Packer
  status: ok
  steps:
    - pepacker {{executable}} {{executable.stem}}_new{{executable.extension}}
    - mv -f {{executable.stem}}_new{{executable.extension}} {{executable}}

PE-Toy:
  description: A PE file packer.
  formats:
    - PE32
  source: https://github.com/r0ngwe1/petoy

PECompact:
  categories:
    - compressor
  description: PECompact v2 is a next generation win32 portable executable compressor. Runewritten from the ground up, PECompact v2 is designed to be the ultimate solution to executable compression.
  formats:
    - PE32
  source: https://bitsum.com/pecompact.htm
  status: commercial

PELock:
  categories:
    - protector
  comment: Demo version.
  description: PELock is a software security solution designed for protection of any 32 bit Windows applications against cracking, tampering and reverse engineering analysis.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  formats:
    - PE32
  gui:
    # click on "OK" when the intro window is displayed
    - click 630 570 (.5) [x3]
    # click on "Remove all" to reset the list of files to be protected
    - click 610 620 (.2)
    # click on "Add file" to open the file dialog box
    - click 280 590 (.3)
    # type the path to the executable
    - type "$FILE" (.1)
    # click "Open"
    - click 580 380 (2)
    # click "Protect file"
    - click 380 590 (2)
  install:
    - unzip: /root/.wine32/drive_c/Program\ Files\ (x86)/pelock
    - lwine: PELock.exe
  references:
    - https://github.com/PELock/PELock-Software-Protection-and-Licensing-SDK
  source: https://www.pelock.com/products/pelock
  status: broken

PErplex:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names

PEShield:
  categories:
    - cryptor
  comment: The provided executable does not run.
  description: PE-SHiELD is a program, which encrypts 32-bit Windows EXE files, leaving them still executable. The previous version was over a year in the wild and there is still no unpacker for it.
  formats:
    - PE32
  install:
    - unzip: $OPT/peshield
    - wine: peshield.exe
  references:
    - http://protools.narod.ru/packers.htm
  source: https://webscene.ir/tools/show/PE-SHIELD-0.25
  status: broken

PESpin:
  categories:
    - compressor
    - protector
  description: PESpin is a Windows executable files protector, compressor coded in pure Win32ASM using MASM. Overall, this application will enable the compression of the entire executable - code, data and resources, thus leaving the file protected against patching or disassembling.
  formats:
    - PE32
  references:
    - https://github.com/mandiant/capa-rules/blob/master/anti-analysis/packer/pespin/packed-with-pespin.yml
  source: http://downloads.fyxm.net/PESpin-95477.html

PEtite:
  categories:
    - compressor
  description: Petite is a free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor.
  exclude:
    - ds
  formats:
    - PE32
  install:
    - wget: https://www.un4seen.com/files/petite24.zip
    - unzip: $OPT/petite
    - wine: petite.exe
  references:
    - https://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/Petite
    - https://github.com/fireeye/capa-rules/blob/master/anti-analysis/packer/petite/packed-with-petite.yml
    - https://github.com/mandiant/capa-rules/blob/master/anti-analysis/packer/petite/packed-with-petite.yml
  source: https://www.un4seen.com/petite
  status: ok
  steps:
    - petite -5 -o {{executable}} {{executable}}

PEzor:
  description: Open-Source Shellcode & PE Packer.
  formats:
    - PE
  install:
    - git: <<source>>.git
    - exec: sudo bash $TMP/pezor/install.sh
  references:
    - https://iwantmore.pizza/posts/PEzor.html
    - https://iwantmore.pizza/posts/PEzor2.html
    - https://iwantmore.pizza/posts/PEzor3.html
    - https://iwantmore.pizza/posts/PEzor4.html
  source: https://github.com/phra/PEzor

ProCrypt:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names

Redhip:
  description: Information stealer packed with different custom packers.
  formats:
    - PE
  references:
    - https://github.com/MBCProject/mbc-markdown/blob/main/xample-malware/redhip.md

RLPack:
  categories:
    - compressor
  description: RLPack is a tiny application which compresses executable files but still allows you to run them under normal conditions. Its features can be seamlessly figured out.
  exclude:
    - DLL: PE32\+? executable \(DLL\)
  formats:
    - PE
  gui:
    # click on checkbox "Make Backup" (to prevent it from copying the binary)
    - click 285 580
    # click on "Browse"
    - click 700 265 (.1)
    # type the path to the target executable (C:)
    - type "$FILE" (.1)
    # click on "Open" (this requires a bit of time to return to the main window)
    - click 375 215 (2)
    # click on "Pack"
    - click 480 580 (.1)
    # click on "OK" if a dialog box is displayed telling that the security certificate will be stripped
    - click 510 420 (3)
  install:
    - unzip: $OPT/rlpack
    - wine: RLPack.exe
  references:
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/Unpacking%%20Tutorials/RLPack%%201.21%%20%%28Unpacking%%29.rar
    - https://github.com/mandiant/capa-rules/blob/master/anti-analysis/packer/rlpack/packed-with-rlpack.yml
  source: https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/RLPack-Basic-Edition.shtml

RPCrypt:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names

SEPacker:
  categories:
    - compressor
  description: Simple Executable Packer is a simple windows .exe/.dll packer. (Compresses code section and your compiled binaries waste less space) Almost whole codes written in pure C and very minimal also understandable (which makes modifying very easy; like debugger traps, encryption etc.)
  formats:
    - PE32
  source: https://sourceforge.net/projects/sepacker

Shiva:
  categories:
    - cryptor
    - protector
  description: Shiva is a tool to encrypt ELF executables under Linux. Shiva can be used to wrap an executable in such a way that though it continues to run as it did before it is very difficult to debug or reverse engineer. Shiva can be used to password protect critical programs, including setuid programs, or simply to obfuscate sensitive data stored within programs.
  formats:
    - ELF
  install:
    - wget: https://dl.packetstormsecurity.net/crypt/linux/shiva-0.95.tar.gz
    - untar: $OPT
    - ln: shiva
  references:
    - https://docplayer.net/86668430-Modern-linux-malware-exposed.html
    - https://blackhat.com/presentations/bh-federal-03/bh-federal-03-eagle/bh-fed-03-eagle.pdf
  source: https://packetstormsecurity.com/files/31087/shiva-0.95.tar.gz.html
  status: broken

Silent_Packer:
  categories:
    - cryptor
  description: Silent_Packer is an ELF / PE packer written in pure C. This program can be used to obfuscate a binary. This packer supports PIE binaries. It currently supports XOR and AES-128-ECB as cipher methods.
  formats:
    - ELF
    - PE
  install:
    - wget: <<source>>/releases/download/v0.1/Silent_Packer
    - copy: silent-packer
  source: https://github.com/SilentVoid13/Silent_Packer

SimpleDpack:
  categories:
    - compressor
  formats:
    - PE32
  install:
    - wget: <<source>>:latest{SimpleDpack.exe} SimpleDpack.exe
    - copy: $OPT/simpledpack/
    - lwine: SimpleDpack.exe
    - wget: <<source>>:latest{simpledpackshell.dll} simpledpackshell.dll
    - copy: $OPT/simpledpack/
    - rm: $TMP/simpledpack*
  source: https://github.com/YuriSizuku/SimpleDpack
  status: ok
  steps:
    - simpledpack {{executable}}
    - mv -f {{executable.stem}}_dpack{{executable.extension}} {{executable}}
  variants:
    SimpleDpack64:
      formats:
        - PE64
      install:
        - wget: <<source>>:latest{SimpleDpack64.exe} SimpleDpack64.exe
        - copy: $OPT/simpledpack/
        - lwine: SimpleDpack64.exe
        - wget: <<source>>:latest{simpledpackshell64.dll} simpledpackshell64.dll
        - copy: $OPT/simpledpack/
        - rm: $TMP/simpledpack*
      steps:
        - simpledpack64 {{executable}}
        - mv -f {{executable.stem}}_dpack{{executable.extension}} {{executable}}

SmartPacker:
  categories:
    - bundler
    - protector
    - virtualizer
  description: Packs 32 & 64bit applications with DLLs, data files, 3rd party run-time into one single executable that runs instantly, with no installs or hassles. Featuring virtual filesystem, drag & drop files/folders, icon support, password protection, commandline parameters, plug-in support, customizable storage locations etc. [DISCONTINUED]
  formats:
    - PE32
    - PE64
  maintained: false
  source: https://www.smartpacker.nl
  status: commercial

Squishy:
  categories:
    - compressor
  description: Modern packer developed for 64kb demoscene productions, targets 32bit and 64bit executables.
  formats:
    - PE64
  install:
    - wget: <<source>>/releases/squishy-0.2.0.zip
    - unzip: $OPT/squishy
    - wine64: squishy-x64.exe
  silent:
    - environment variable to display a backtrace
  source: https://logicoma.io/squishy
  status: ok
  steps:
    - squishy -i {{executable}} -o {{executable}}
  timeout: 20
  variants:
    Squishy-x86:
      formats:
        - PE32
      install:
        - wget: <<source>>/releases/squishy-0.1.3.zip
        - unzip: $OPT/squishy-x86
        - wine: squishy-x86.exe
      steps:
        - squishy-x86 -i {{executable}} -o {{executable}}

SVKP:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names

Telock:
  categories:
    - compressor
    - protector
  description: Telock is a practical tool that intends to help developers who want to protect their work and reduce the size of the executable files. The application is designed to encode your files in order to make them impossible or at least hard to reverse engineer.
  formats:
    - PE
  gui:
    # click on "Lock File"
    - click 280 545 (.5)
    # click on the "File name" field
    - click 330 420 (.1)
    # type the path to the target executable (C:)
    - type "$FILE" (.1)
    # click on "Open"
    - click 580 420 (.2)
    # click on "OK" (e.g. when getting "The file has already been compressed."
    - click 520 410 (.1) [x3]
    # sleep in function of the target's size
    - sleep-per-KB .001
  install:
    - unzip: $OPT/telock
    - wine: telock.exe
  references:
    - http://beatrix2004.free.fr/TELOCK98.pdf
    - http://beatrix2004.free.fr/Comprendre%%20tElock%%200.51.pdf
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/Unpacking%%20Tutorials/tElock%%200.98%%20%%28Unpacking%%29.rar
  source: https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/Telock.shtml
  status: gui

TheArk:
  categories:
    - compressor
  description: Windows x86 PE Packer In C++.
  formats:
    - PE32
  install:
    - wget: <<source>>:latest{Release}
    - unzip: $OPT/theark
    - wine: theArk.exe
  source: https://github.com/aaaddress1/theArk

Themida:
  categories:
    - protector
    - virtualizer
  description: Advanced Windows software protection system, developed for software developers who wish to protect their applications against advanced reverse engineering and software cracking.
  formats:
    - PE32
    - PE64
  references:
    - https://github.com/mandiant/capa-rules/blob/master/anti-analysis/packer/themida/packed-with-themida.yml
  related:
    - https://attack.mitre.org/techniques/T1027/002
  source: https://www.oreans.com/themida.php
  status: commercial

Thinstall:
  categories:
    - bundler
    - virtualizer
  description: ThinApp accelerates application deployment and simplifies application migration by isolating applications from their underlying operating systems to eliminate application conflict and streamline delivery and management.
  formats:
    - PE
  source: https://www.vmware.com/products/thinapp
  status: commercial

TrickBot:
  description: Trojan spyware written in C++ mainly used for targeting banking sites, using a custom packer to obfuscate itself.
  formats:
    - PE
  references:
    - https://github.com/MBCProject/mbc-markdown/blob/main/xample-malware/trickbot.md

Upack:
  categories:
    - compressor
  description: Upack can pack executable files of Windows PE format files with almost the best compression ratio. Whereas DOS-EXEs(MZ), Win3.x-EXE/DLLs(NE), and any other platform programs are not supported by Upack. It is only for compression, not for protection mainly.
  formats:
    - PE
  references:
    - https://github.com/mandiant/capa-rules/blob/master/anti-analysis/packer/upack/packed-with-upack.yml
  source: https://www.sac.sk/download/pack/upack399.rar

UPX:
  categories:
    - compressor
  description: UPX is a free, portable, extendable, high-performance executable packer for several executable formats.
  exclude:
    ELF:
      - o
      - so
    PE:
      - ds
  formats:
    - ELF
    - Mach-O
    - MSDOS
    - PE32
    - PE64
  install:
    - wget: <<source>>:latest{amd64_linux}
    - untar: $TMP
    - ln: upx
  references:
    - https://upx.github.io
    - https://linux.die.net/man/1/upx
    - https://github.com/fireeye/capa-rules/blob/master/anti-analysis/packer/upx/packed-with-upx.yml
    - https://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/UPX
    - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/Unpacking%%20Tutorials/UPX%%20%%28Unpacking%%29.rar
  related:
    - https://attack.mitre.org/techniques/T1027/002
  silent:
    - AlreadyPackedException
    - CantPackException
    - IOException
    - NotCompressibleException
  source: https://github.com/upx/upx
  status: ok
  variants:
    _template:
      _version: ["3.91", "3.92", "3.93", "3.94", "3.95", "3.96", "4.0.0", "4.0.1", "4.0.2", "4.1.0", "4.2.0", "4.2.1", "4.2.2", "4.2.3", "4.2.4"]
      install:
        - wget: <<source>>/releases/download/v<<version>>/upx-<<version>>-amd64_linux.tar.xz
        - untar: $OPT
        - ln: $OPT/upx-<<version>>/upx
    UPX-1.25:
      references:
        - <from-parent>
        - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/UnPackMe%%20Collection/PE32/UPX%%201.25.rar
      source: https://www.sac.sk/download/pack/upx125l.tgz
      status: info
    UPX-2.03:
      source: https://www.sac.sk/download/pack/upx203l.tgz
      status: info
    UPX-3.00:
      install:
        - copy: upx-3.00
    UPX-3.04:
      references:
        - <from-parent>
        - https://storage.ey.md/Technology%%20Related/Programming%%20%%26%%20Reversing/Tuts4You%%20Collection/UnPackMe%%20Collection/PE32/UPX%%203.04.rar
      source: https://www.sac.sk/download/pack/upx203l.tgz
      status: info
    UPX-3.91:
      formats:
        - PE32
        - PE64
    UPX-3.92:
      formats:
        - PE32
        - PE64
    UPX-3.93:
      formats:
        - PE32
        - PE64
    UPX-3.94:
      formats:
        - ELF32
        - ELF64
        - PE32
        - PE64
    UPX-3.99:
      install:
        - wget: <<source>>/releases/download/v3.99/upx-3.99-src.tar.xz
        - make: upx
        - lsh: $OPT/upx-3.99/upx upx-3.99
  xflag: true

VMProtect:
  categories:
    - protector
    - virtualizer
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names
  related:
    - https://attack.mitre.org/techniques/T1027/002
  source: https://vmpsoft.com/products/vmprotect
  status: commercial

VProtect:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names
    - https://github.com/mandiant/capa-rules/blob/master/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml

Ward:
  categories:
    - compressor
    - protector
  description: This is a simple implementation of an ELF packer that creates stealthy droppers for loading malicious ELFs in-memory. Useful for red teamers trying to proliferate a payload while evading detection.
  formats:
    - ELF
  install:
    - exec: rm -rf $OPT/ward-master
    - wget: https://github.com/ex0dus-0x/ward/archive/refs/heads/master.zip
    - unzip: $OPT/
    - make: ward cli
    - ln: $OPT/ward/ward
  silent:
    - "go:"
  source: https://github.com/ex0dus-0x/ward
  status: ok
  steps:
    - cd {{executable.dirname}}
    - ward ./{{executable.filename}} 2>/dev/null
    - rm -f {{executable.filename}}
    - mv {{executable.filename}}.packed {{executable.filename}}

Windows-PE-Packer:
  categories:
    - cryptor
  description: A packer for Windows x86 executable files written in C and Intel x86 Assembly.
  formats:
    - PE32
  source: https://github.com/czs108/Windows-PE-Packer

WinUPack:
  aliases:
    - (?i)upack
  categories:
    - compressor
  description: WinUpack is the frontend version of Upack. Upack is a packer that can compress Windows PE file, which may self-decompress and run normally without any other decompresser. It can pack executable files of Windows PE format files with almost the best compression ratio. Whereas DOS-EXEs(MZ), Win3.x-EXE/DLLs(NE), and any other platform programs are not supported by Upack. Upack is only for compression, not for protection mainly.
  formats:
    - MSDOS
    - PE32
  source: http://downloads.fyxm.net/Portable-WinUpack-13975.html

WWPack:
  formats:
    - PE
  references:
    - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names
    - https://github.com/mandiant/capa-rules/blob/65eae8a7d67af66a1a9f3a3bdc95cb347cc9b5e1/nursery/packed-with-wwpack.yml

Xor_Packer:
  categories:
    - cryptor
  description: A simple packer working with all PE files which cipher your exe with a XOR implementation.
  formats:
    - PE
  install:
    - wget: https://github.com/nqntmqmqmb/xorPacker/raw/master/xorPacker/bin/Debug/xorPacker.exe
    - exec: mv /tmp/xor-packer.exe $OPT/
    - cd: $OPT
    - mono: xor-packer.exe
  source: https://github.com/nqntmqmqmb/xorPacker
  status: broken

Yoda_Crypter:
  aliases:
    - yC
    - (?i)Yoda'?s[_\s]Crypter
  categories:
    - cryptor
    - protector
  description: This is a small PE crypter with some nice protection options.
  exclude:
    - ds
  formats:
    - PE32
  gui:
    # click on "..." to open a target executable
    - click 580 330 (.1)
    # type the path to the target executable (C:)
    - type "$FILE" (.1)
    # click on "Open" (this requires a bit of time to return to the main window)
    - click 720 500 (2)
    # click on "Protect!"
    - click 630 330 (.5)
    # FIXME: .5 second may surely be too few for bigger executables
    - key Return (.1) [x3]
  install:
    - unzip: $OPT
    - wine: yC.exe
  source: https://sourceforge.net/projects/yodap
  status: gui

Yoda_Protector:
  aliases:
    # output by Manalyze when matching section name "\\.y(P|0da)"
    - yP
    - (?i)Y0da
    - (?i)Yodas[_\s]Protector
  categories:
    - compressor
    - cryptor
    - protector
  description: Yoda's Protector is a free, open source, Windows 32-bit software protector. It performs string & resource encryption, resource compression, uses Microsoft Crypto API, program compression, program optimization, polymorphic encryption, API redirection, anti-debugging tricks, removes debug information and relocation table, optimizes and removes DOS header.
  exclude:
    - ds
  formats:
    - PE32
  install:
    - unzip: $OPT/yoda-protector
    - wine: yP.exe
  references:
    - https://github.com/mandiant/capa-rules/blob/master/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml
  source: http://yodap.sourceforge.net
  status: gui

Zprotect:
  categories:
    - protector
  description: Zprotect goes beyond traditional obfuscation methods. In addition to renaming your metadata entities, it also supports advanced obfuscation methods that will harden your overall protection scheme and foil reverse engineering altogether.
  formats:
    - .NET
  source: http://www.jiami.net
  status: commercial