From 6d2ad30f7d0e747b3aa70440e61bd4735775fd64 Mon Sep 17 00:00:00 2001
From: dhondta
Date: Sat, 30 Sep 2023 08:36:24 +0200
Subject: [PATCH] Improved runtime-packers
---
 runtime-packer/machinetag.json | 476 +++++++++++++++++++--------------
 1 file changed, 274 insertions(+), 202 deletions(-)
diff --git a/runtime-packer/machinetag.json b/runtime-packer/machinetag.json
index f8e91d6..8df5dd2 100644
--- a/runtime-packer/machinetag.json
+++ b/runtime-packer/machinetag.json
@@ -1,202 +1,274 @@
-{
- "namespace": "runtime-packer",
- "description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
- "version": 1,
- "predicates": [
- {
- "value": "portable-executable",
- "expanded": "Portable Executable (PE)"
- },
- {
- "value": "dex",
- "expanded": "Dalvik Executable (DEX)"
- },
- {
- "value": "elf",
- "expanded": "Executable Linkable Format (ELF)"
- },
- {
- "value": "mach-o",
- "expanded": "Mach-object (Mach-O)"
- },
- {
- "value": "cli-assembly",
- "expanded": "CLI assembly"
- }
- ],
- "values": [
- {
- "predicate": "portable-executable",
- "entry": [
- {
- "value": ".netshrink",
- "expanded": ".netshrink"
- },
- {
- "value": "alienyze",
- "expanded": "Alienyze"
- },
- {
- "value": "apack",
- "expanded": "aPack"
- },
- {
- "value": "apk-protect",
- "expanded": "APK Protect"
- },
- {
- "value": "armadillo",
- "expanded": "Armadillo"
- },
- {
- "value": "aspack",
- "expanded": "ASPack"
- },
- {
- "value": "aspr-asprotect",
- "expanded": "ASPR (ASProtect)"
- },
- {
- "value": "autoit",
- "expanded": "AutoIT"
- },
- {
- "value": "bero",
- "expanded": "BeRo EXE Packer"
- },
- {
- "value": "boxedapp-packer",
- "expanded": "BoxedApp Packer"
- },
- {
- "value": "cexe",
- "expanded": "CExe"
- },
- {
- "value": "code-virtualizer",
- "expanded": "Code Virtualizer"
- },
- {
- "value": "dexguard",
- "expanded": "DexGuard"
- },
- {
- "value": "dexprotector",
- "expanded": "DexProtector"
- },
- {
- "value": "dotbundle",
- "expanded": "dotBundle"
- },
- {
- "value": "enigma-protector",
- "expanded": "Enigma Protector"
- },
- {
- "value": "exe-bundle",
- "expanded": "EXE Bundle"
- },
- {
- "value": "exe-stealth",
- "expanded": "EXE Stealth"
- },
- {
- "value": "expressor",
- "expanded": "eXPressor"
- },
- {
- "value": "fsg",
- "expanded": "FSG"
- },
- {
- "value": "gzexe",
- "expanded": "GzExe"
- },
- {
- "value": "kkrunchy",
- "expanded": "Kkrunchy"
- },
- {
- "value": "liapp",
- "expanded": "LIAPP"
- },
- {
- "value": "mew",
- "expanded": "MEW"
- },
- {
- "value": "mpress",
- "expanded": "MPRESS"
- },
- {
- "value": "nspack",
- "expanded": "NSPack"
- },
- {
- "value": "obsidium",
- "expanded": "Obsidium"
- },
- {
- "value": "pecompact",
- "expanded": "PECompact"
- },
- {
- "value": "pelock",
- "expanded": "PELock"
- },
- {
- "value": "peshield",
- "expanded": "PEShield"
- },
- {
- "value": "pespin",
- "expanded": "PESpin"
- },
- {
- "value": "petite",
- "expanded": "PEtite"
- },
- {
- "value": "rlpack-basic",
- "expanded": "RLPack Basic"
- },
- {
- "value": "smart-packer-pro",
- "expanded": "Smart Packer Pro"
- },
- {
- "value": "themida",
- "expanded": "Themida"
- },
- {
- "value": "upack",
- "expanded": "UPack"
- },
- {
- "value": "upx",
- "expanded": "UPX"
- },
- {
- "value": "vmprotect",
- "expanded": "VMProtect"
- },
- {
- "value": "xcomp-xpack",
- "expanded": "XComp/XPack"
- },
- {
- "value": "yoda-crypter",
- "expanded": "Yoda's Crypter"
- },
- {
- "value": "yoda-protector",
- "expanded": "Yoda's Protector"
- },
- {
- "value": "zprotect",
- "expanded": "ZProtect"
- }
- ]
- }
- ]
-}
+{
+ "namespace": "runtime-packer",
+ "description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "pe",
+ "expanded": "Portable Executable (PE)"
+ },
+ {
+ "value": "dex",
+ "expanded": "Dalvik Executable (DEX)"
+ },
+ {
+ "value": "elf",
+ "expanded": "Executable Linkable Format (ELF)"
+ },
+ {
+ "value": "mach-o",
+ "expanded": "Mach-object (Mach-O)"
+ },
+ {
+ "value": "cli-assembly",
+ "expanded": "CLI assembly"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "portable-executable",
+ "entry": [
+ {
+ "value": ".netshrink",
+ "expanded": ".netshrink"
+ },
+ {
+ "value": "acprotect",
+ "expanded": "ACProtect"
+ },
+ {
+ "value": "alienyze",
+ "expanded": "Alienyze"
+ },
+ {
+ "value": "apack",
+ "expanded": "aPack"
+ },
+ {
+ "value": "apk-protect",
+ "expanded": "APK Protect"
+ },
+ {
+ "value": "armadillo",
+ "expanded": "Armadillo"
+ },
+ {
+ "value": "aspack",
+ "expanded": "ASPack"
+ },
+ {
+ "value": "asprotect",
+ "expanded": "ASProtect"
+ },
+ {
+ "value": "autoit",
+ "expanded": "AutoIT"
+ },
+ {
+ "value": "bero",
+ "expanded": "BeRo EXE Packer"
+ },
+ {
+ "value": "boxedapp-packer",
+ "expanded": "BoxedApp Packer"
+ },
+ {
+ "value": "cexe",
+ "expanded": "CExe"
+ },
+ {
+ "value": "code-virtualizer",
+ "expanded": "Code Virtualizer"
+ },
+ {
+ "value": "dexguard",
+ "expanded": "DexGuard"
+ },
+ {
+ "value": "dexprotector",
+ "expanded": "DexProtector"
+ },
+ {
+ "value": "dotbundle",
+ "expanded": "dotBundle"
+ },
+ {
+ "value": "enigma-protector",
+ "expanded": "Enigma Protector"
+ },
+ {
+ "value": "enigma-virtual-box",
+ "expanded": "Enigma Virtual Box"
+ },
+ {
+ "value": "exe-bundle",
+ "expanded": "EXE Bundle"
+ },
+ {
+ "value": "exe-stealth",
+ "expanded": "EXE Stealth"
+ },
+ {
+ "value": "exe32pack",
+ "expanded": "EXE32Pack"
+ },
+ {
+ "value": "expressor",
+ "expanded": "eXPressor"
+ },
+ {
+ "value": "fsg",
+ "expanded": "FSG"
+ },
+ {
+ "value": "gzexe",
+ "expanded": "GzExe"
+ },
+ {
+ "value": "hxor-packer",
+ "expanded": "hXOR Packer"
+ },
+ {
+ "value": "jdpack",
+ "expanded": "JDPack"
+ },
+ {
+ "value": "kkrunchy",
+ "expanded": "Kkrunchy"
+ },
+ {
+ "value": "liapp",
+ "expanded": "LIAPP"
+ },
+ {
+ "value": "mew",
+ "expanded": "MEW"
+ },
+ {
+ "value": "midgetpack",
+ "expanded": "MidgetPack"
+ },
+ {
+ "value": "molebox",
+ "expanded": "MoleBox"
+ },
+ {
+ "value": "morphine",
+ "expanded": "Morphine"
+ },
+ {
+ "value": "mpress",
+ "expanded": "MPRESS"
+ },
+ {
+ "value": "muncho",
+ "expanded": "Muncho"
+ },
+ {
+ "value": "neolite",
+ "expanded": "Neolite"
+ },
+ {
+ "value": "netcrypt",
+ "expanded": "NetCrypt"
+ },
+ {
+ "value": "nspack",
+ "expanded": "NSPack"
+ },
+ {
+ "value": "obsidium",
+ "expanded": "Obsidium"
+ },
+ {
+ "value": "packman",
+ "expanded": "Packman"
+ },
+ {
+ "value": "pakkero",
+ "expanded": "Pakkero"
+ },
+ {
+ "value": "pecompact",
+ "expanded": "PECompact"
+ },
+ {
+ "value": "pelock",
+ "expanded": "PELock"
+ },
+ {
+ "value": "pepacker",
+ "expanded": "PE Packer"
+ },
+ {
+ "value": "peshield",
+ "expanded": "PEShield"
+ },
+ {
+ "value": "pespin",
+ "expanded": "PESpin"
+ },
+ {
+ "value": "petite",
+ "expanded": "PEtite"
+ },
+ {
+ "value": "rlpack-basic",
+ "expanded": "RLPack Basic"
+ },
+ {
+ "value": "shiva",
+ "expanded": "Shiva"
+ },
+ {
+ "value": "smart-packer-pro",
+ "expanded": "Smart Packer Pro"
+ },
+ {
+ "value": "squishy",
+ "expanded": "Squishy"
+ },
+ {
+ "value": "telock",
+ "expanded": "Telock"
+ },
+ {
+ "value": "themida",
+ "expanded": "Themida"
+ },
+ {
+ "value": "thinstall",
+ "expanded": "Thinstall"
+ },
+ {
+ "value": "upack",
+ "expanded": "UPack"
+ },
+ {
+ "value": "upx",
+ "expanded": "UPX"
+ },
+ {
+ "value": "vmprotect",
+ "expanded": "VMProtect"
+ },
+ {
+ "value": "xcomp-xpack",
+ "expanded": "XComp/XPack"
+ },
+ {
+ "value": "yoda-crypter",
+ "expanded": "Yoda's Crypter"
+ },
+ {
+ "value": "yoda-protector",
+ "expanded": "Yoda's Protector"
+ },
+ {
+ "value": "zprotect",
+ "expanded": "ZProtect"
+ }
+ ]
+ }
+ ]
+}
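Review bot: The predicate is renamed to `"value": "pe"` in the `predicates` list, but the single `values` entry still declares `"predicate": "portable-executable"`, so on the new side all 60 packer entries reference a predicate that no longer exists; either keep `"value": "portable-executable"` in `predicates` or change the entry to `"predicate": "pe"`, and whichever is chosen, the old value and the renamed `aspr-asprotect` → `asprotect` break any existing tag of the form `runtime-packer:portable-executable="aspr-asprotect"`, which is worth calling out in the commit message. `"version": 1` is left unchanged even though the content changed; if this file follows the MISP taxonomy convention it should be bumped (e.g. `"version": 2`) so consumers pick up the new entries. Several entries kept under the PE predicate (`apk-protect`, `dexguard`, `dexprotector`, `liapp`, and possibly `midgetpack`, `pakkero`, `shiva`) look like Android/DEX or ELF tools, while the `dex`, `elf`, `mach-o` and `cli-assembly` predicates have no entries at all — worth confirming each and moving it under the matching predicate.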