Skip to content

Packing & Crypters

Runtime packers, compression, crypters and self-modifying loaders that hide the real payload.

Packing & Cryptersbeginner
Bundling malware inside a compiled AutoIt executable, where the interpreter stub carries the obfuscated script and payload as appended resources.
windows
Packing & Cryptersadvanced
Code virtualization, mutation, and anti-dump layers from commercial protectors like Themida and VMProtect, abused by malware to turn whole functions into bytecode for a custom virtual machine.
windows
Packing & Cryptersadvanced
Stacking multiple packers and stages so each unpacking step only reveals the next packed layer, forcing analysts to recurse to the real payload.
windowslinuxmacos
Packing & Cryptersintermediate
A small unpacking stub that decrypts the real payload into freshly allocated RWX memory and transfers control to the reconstructed original entry point.
windowslinux
Packing & Cryptersintermediate
Corrupting the UPX magic, version, or l_info fields so the standard `upx -d` refuses to unpack, while the runtime stub still decompresses normally.
windowslinux
Packing & Cryptersintermediate
Compressing a payload with aPLib's LZ-based codec so the real code is unreadable on disk until a tiny depacker inflates it in memory at runtime.
windowslinux
Packing & Cryptersintermediate
Destroying or hiding the original Import Address Table so static tools see an empty or tiny import list, while the packer reconstructs the real API pointers at runtime.
windows
Packing & Cryptersintermediate
Compressing an ELF binary with UPX or a modified packer so its code only materialises after a self-decompressing stub runs at load time on Linux.
linux
Packing & Cryptersbeginner
Hiding an encrypted second-stage payload inside the PE .rsrc section, loaded at runtime via FindResource/LoadResource and decrypted before execution.
windows
Packing & Cryptersintermediate
Malware registers Thread Local Storage callbacks that execute before the PE entry point, running anti-debug or unpacking logic that most debuggers miss at startup.
windows
Packing & Cryptersadvanced
Code that rewrites its own instructions at runtime — decrypting or generating the real logic on the fly so a static disassembly never sees the bytes that actually execute.
windowslinux
Packing & Cryptersbeginner
Compressing an executable with UPX so its real code and strings are only revealed after a self-unpacking stub runs at load time, defeating naive static analysis.
windowslinuxmacos
Packing & Cryptersintermediate
An open-source .NET protector that compresses the assembly into a packed module, then anti-tampers and decrypts constants and methods at runtime.
windows
Packing & Cryptersbeginner
An encrypted or compressed payload appended after the last section of a PE file — the overlay — that the loader never maps but the stub reads from disk and unpacks at runtime.
windows
Packing & Cryptersbeginner
Wrapping malware inside a Nullsoft (NSIS) installer so the payload ships as compressed data the setup stub extracts and runs at install time.
windows