initial UPX obfuscator tool

2024-07-27 07:50:04 +02:00 · 2024-07-27 07:50:04 +02:00 · d858b458e8
parent 542abff250
commit d858b458e8
2 changed files with 39 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -75,3 +75,5 @@ Following detections have been tested:
 * <https://medium.com/analytics-vidhya/running-go-code-from-python-a65b3ae34a2d>
 * <https://github.com/weak1337/Alcatraz>
 * <https://github.com/burrowers/garble?tab=readme-ov-file#mechanism>>
+* <https://medium.com/@ankyrockstar26/unpacking-a-upx-malware-dca2cdd1a8de>
+* <https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html?ref=nishtahir.com>
--- a/cmd/upx_obfuscator/main.go
+++ b/cmd/upx_obfuscator/main.go
@ -0,0 +1,37 @@
+package main
+
+import (
+	"os"
+	"bytes"
+	"log"
+)
+
+var originalIdentifier = []byte("UPX0")	 
+var obfuscatedIdentifier = []byte("GSP7")	 
+
+func main() {
+	if len(os.Args) != 2 {
+		log.Fatalln("Specify exe file to obfuscate")
+	}
+
+	filename := os.Args[1]
+
+	log.Println("Obfuscating UPX compressed executable file")
+	log.Println("\t", filename)	
+
+	data, _ := os.ReadFile(filename)
+
+	foundIndex := bytes.Index(data, originalIdentifier)
+	if foundIndex > -1 {
+		// Found it!
+		log.Println("Found UPX identifier at offset", foundIndex)
+	} else {
+		log.Fatalln("Error file is not UPX packed")
+	}
+
+
+	obfuscatedData := bytes.Replace(data, originalIdentifier, obfuscatedIdentifier, 1)
+	_ = os.WriteFile(filename, obfuscatedData, 0666)
+
+	log.Println("done")
+}