
UPX

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 157.52.6.188 (talk) at 18:12, 15 November 2016 (I was only able to find one reference to what rtm32/PE was, so I think it bears mentioning here. Also, actually cite the UPX manpage for tmt/adam.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

UPX
Initial release: May 26, 1998; 26 years ago (1998-05-26)
Stable release: 3.09.1 (aka. 3.91) / September 30, 2013; 11 years ago (2013-09-30)
Repository
Written in: C++, Assembly
Operating system: Microsoft Windows, Linux, Mac OS X, DOS, Atari
Platform: i386, MIPS, AMD64, ARM, PowerPC, m68k
Available in: English
Type: Executable compression
License: GPL with exception for compressed executables[1]
Website: upx.github.io

UPX (Ultimate Packer for Executables) is a free and open source executable packer supporting a number of file formats from different operating systems.[2][3]

Compression

UPX uses a data compression algorithm called UCL,[4] which is an open source implementation of portions of the proprietary NRV (Not Really Vanished[5]) algorithm.[6]

UCL has been designed to be simple enough that a decompressor can be implemented in just a few hundred bytes of code. UCL requires no additional memory to be allocated for decompression, a considerable advantage: a UPX-packed executable therefore usually requires no additional memory either.
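To make the "few hundred bytes, no scratch memory" claim concrete, here is an added example (illustrative code written for this page, not UCL or UPX source) of an NRV2B-style decoding loop in Python, together with a small greedy encoder so that the decoder has a stream to run on. It assumes the layout of UCL's 8-bit bit-buffer nrv2b variant (literal flag bits, gamma-coded offsets and lengths, an offset that decodes to 0xFFFFFFFF as the end marker) and constructs its own sample input; the encoder's matching strategy is deliberately naive and is not how UPX parses input.

```python
# Added example (not UCL or UPX source). Assumption: modelled on the 8-bit bit-buffer form of UCL's nrv2b decoder.

def _gamma_bits(value):
    """Bits consumed by the decoder's `v = v*2 + bit ... until stop bit` loop (value >= 2)."""
    digits = bin(value)[3:]                        # binary digits after the leading 1
    bits = []
    for i, d in enumerate(digits):
        bits += [int(d), 1 if i == len(digits) - 1 else 0]   # data bit, then 1 = stop / 0 = more
    return bits

def _gamma(getbit, v):
    """Decoder side of _gamma_bits: extend v with data bits until a stop bit is read."""
    while True:
        v = v * 2 + getbit()
        if getbit():
            return v

class _BitWriter:
    """Interleaves flag bits and raw bytes in the order the decoder reads them back."""
    def __init__(self):
        self.out, self.slot, self.nbits, self.cur = bytearray(), None, 0, 0
    def putbit(self, b):
        if self.nbits == 0:                        # reserve the byte the decoder will load lazily
            self.slot = len(self.out); self.out.append(0)
        self.cur, self.nbits = (self.cur << 1) | b, self.nbits + 1
        if self.nbits == 8:
            self.out[self.slot], self.nbits, self.cur = self.cur, 0, 0
    def putbyte(self, x):
        self.out.append(x)
    def finish(self):
        if self.nbits:                             # left-align a partial final bit group
            self.out[self.slot] = self.cur << (8 - self.nbits)
        return bytes(self.out)

def nrv2b_decompress(src):
    """Decode src; the only memory touched is the input and the growing output."""
    dst, ilen, bb, last_off = bytearray(), 0, 0, 1
    def getbit():
        nonlocal bb, ilen
        if bb & 0x7F:                              # sentinel still in the low 7 bits: just shift
            bb = (bb << 1) & 0x1FF
        else:                                      # exhausted: load a byte and plant a sentinel
            bb, ilen = src[ilen] * 2 + 1, ilen + 1
        return (bb >> 8) & 1
    while True:
        while getbit():                            # 1 = a literal byte follows in the stream
            dst.append(src[ilen]); ilen += 1
        off = _gamma(getbit, 1)                    # 0 = match; gamma-coded high part of offset
        if off == 2:
            off = last_off                         # reuse the previous offset
        else:
            off = (off - 3) * 256 + src[ilen]; ilen += 1
            if off == 0xFFFFFFFF:                  # end-of-stream marker
                break
            off += 1
            last_off = off
        mlen = getbit() * 2 + getbit()             # 1..3 directly, 0 = long length follows
        if mlen == 0:
            mlen = _gamma(getbit, 1) + 2
        mlen += 1 if off > 0xD00 else 0            # far matches carry one extra byte
        if off > len(dst):                         # hardening not in the minimal decoder
            raise ValueError("back-reference points before the start of the output")
        pos = len(dst) - off
        for _ in range(mlen + 1):                  # byte-wise copy so overlapping runs work
            dst.append(dst[pos]); pos += 1
    return bytes(dst)

def nrv2b_compress(data, max_off=0x800, max_len=0x100):
    """Greedy LZ77 matcher emitting the layout above (UPX's own parser is far better)."""
    w, i, n = _BitWriter(), 0, len(data)
    while i < n:
        best_len, best_off = 0, 0
        for off in range(1, min(i, max_off) + 1):
            l = 0
            while i + l < n and l < max_len and data[i + l - off] == data[i + l]:
                l += 1
            if l > best_len:
                best_len, best_off = l, off
        far = best_off > 0xD00
        if best_len >= (3 if far else 2):
            for b in [0] + _gamma_bits(((best_off - 1) >> 8) + 3):
                w.putbit(b)
            w.putbyte((best_off - 1) & 0xFF)
            coded = best_len - 1 - (1 if far else 0)
            if coded <= 3:
                w.putbit(coded >> 1); w.putbit(coded & 1)
            else:
                for b in [0, 0] + _gamma_bits(coded - 2):
                    w.putbit(b)
            i += best_len
        else:
            w.putbit(1); w.putbyte(data[i]); i += 1
    for b in [0] + _gamma_bits(0x1000002):         # end marker: offset that decodes to 0xFFFFFFFF
        w.putbit(b)
    w.putbyte(0xFF)
    return w.finish()

SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 6   # constructed input
```

The decoder's whole state is a bit buffer, an input index and the output itself, which is the property that lets a stub unpack into the final memory image. A truncated stream simply runs off the end of the input (IndexError here), and the offset range check is an extra guard so a corrupt stream cannot read before the start of the output.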

UPX (since 2.90 beta) can use LZMA on most platforms; however, it is disabled by default for 16-bit targets because decompression is slow on older computers (use --lzma to force it on).

Starting with version 3.91, UPX also supports 64-bit (x64) executable files on the Windows platform.[7] This feature is currently declared experimental.

Decompression

UPX supports two mechanisms for decompression: an in-place technique and extraction to a temporary file.

The in-place technique, which decompresses the executable into memory, is not possible on all supported platforms. The remaining platforms use extraction to a temporary file. This procedure involves additional overhead and other disadvantages; however, it allows any executable file format to be packed.

The extraction-to-temporary-file method has several disadvantages:

  • Special permissions such as suid are ignored.
  • argv[0] will not be meaningful.
  • Multiple running instances of the executable are unable to share common segments.

Unmodified UPX packing is often detected and unpacked by antivirus scanners. UPX also has a built-in feature for unpacking unmodified executables packed with itself. The default license for the existing stubs explicitly forbids modifications that prevent manual unpacking.[8] Most antivirus products will raise an alarm when a UPX header is detected.[citation needed]
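As an added example of the kind of header check a scanner applies to unmodified UPX packing (written for this page; not UPX's own code or a Wikipedia example), the Python below parses the PE section table and reports the default section names and the "UPX!" marker. The sample files are constructed, non-runnable PE skeletons, and the minimal COFF header without an optional header is an assumption made to keep the example short.

```python
# Added example (not UPX source): header-level UPX traces in a PE file.
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # default section names the UPX PE stub writes
UPX_MAGIC = b"UPX!"                                # magic at the start of UPX's packed header


def pe_section_names(data):
    """Parse the COFF header and return each section's name with NUL padding stripped."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                   # section table follows the optional header
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0") for i in range(nsections)]


def upx_indicators(data):
    """Return the header-level UPX traces found; an empty list means none is present."""
    hits = []
    found = [n.decode() for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    if found:
        hits.append("section names: " + ", ".join(found))
    if UPX_MAGIC in data:
        hits.append("magic string UPX!")
    return hits


def build_sample_pe(section_names, trailer=b""):
    """Constructed test data: a non-runnable PE skeleton with the given section names."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)  # no optional header (assumption)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + trailer


PACKED_LOOKING = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"UPX!")
CLEAN_LOOKING = build_sample_pe([b".text", b".rdata", b".data"])

if __name__ == "__main__":
    for label, sample in (("packed-looking", PACKED_LOOKING), ("clean-looking", CLEAN_LOOKING)):
        print(label, upx_indicators(sample) or "no UPX header traces")
```

A renamed section or a stripped marker defeats this check, which is why only unmodified packing is reliably caught this way; the tool's own `upx -t` (test) and `upx -d` (decompress), documented in the manual page cited at [10], are the authoritative way to confirm and unpack a file that still carries the standard stub.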

Supported formats

UPX does not currently support PE files containing CIL code intended to run on the .NET Framework.

Notes

  1. The facility to compress DOS .COM-style files can also be used to compress other binary executable files. Some FreeDOS and EDR-DOS kernel files are known to be UPX-compressible this way.
  2. The facility to compress DOS .COM-style files can also be used to compress non-executable binary data files, if the driver/application using these files has been enhanced to detect UPX-compressed files and jump to the decompressor embedded in the file. FreeDOS is known to use this for .CPX files, UPX-compressed .CPI font files.
  3. For the DOS targets, UPX supports a special option -8086 in order to force the embedded decompressor to become compatible with 8088/8086 processors, so that the compressed files can be executed and decompressed even on the earliest PCs running DOS.

References

  1. https://upx.github.io/upx-license.html
  2. Marak, Victor (2015). Windows Malware Analysis Essentials. Packt Publishing. p. 188. ISBN 978-1-78528-151-8. Retrieved November 22, 2015. "Packers such as Ultimate Packer for Executables (UPX) are more of executable compressors as size reduction is the primary goal, not obfuscation, which can be a byproduct ..."
  3. Blunden, Bill (2013). The Rootkit Arsenal (Second ed.). Jones & Bartlett Learning. pp. 353–355. ISBN 978-1-4496-2636-5. Retrieved November 22, 2015. "One of the most prolific executable packers is UPX (the Ultimate Packer for executables). Not only does it handle dozens of different executable formats, but also its source code is available online."
  4. http://www.oberhumer.com/opensource/ucl/
  5. http://www.oberhumer.com/products/nrv/
  6. https://github.com/upx/upx/blob/master/README.SRC
  7. https://upx.github.io/upx-news.txt
  8. https://upx.github.io/upx-license.html
  9. http://www.vogons.org/viewtopic.php?t=25997
  10. https://linux.die.net/man/1/upx