jory/upx
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Complete UPX evasion implementation
Some checks failed
CI / Rebuild stubs (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.os) }}-0 (ubuntu-22.04) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.os) }}-0 (ubuntu-22.04-arm) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.os) }}-0 (ubuntu-24.04) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.os) }}-0 (ubuntu-24.04-arm) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.os) }} (ubuntu-22.04, true) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.os) }} (ubuntu-24.04, true, true) (push) Has been cancelled
Details
CI / ${{ format('{0} {1}{2}', matrix.os, matrix.xcode_version && 'xcode-' || '', matrix.xcode_version) }} (gcc-13, g++-13, macos-14, true) (push) Has been cancelled
Details
CI / ${{ format('{0} {1}{2}', matrix.os, matrix.xcode_version && 'xcode-' || '', matrix.xcode_version) }} (gcc-14, g++-14, macos-15, true) (push) Has been cancelled
Details
CI / ${{ format('{0} {1}{2}', matrix.os, matrix.xcode_version && 'xcode-' || '', matrix.xcode_version) }} (gcc-14, g++-14, macos-15-intel, true) (push) Has been cancelled
Details
CI / ${{ format('{0} {1}{2}', matrix.os, matrix.xcode_version && 'xcode-' || '', matrix.xcode_version) }} (gcc-15, g++-15, macos-26, true) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.name) }} (windows-11-arm64, windows-11-arm, arm64, 2022) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.name) }} (windows-11-arm64ec, windows-11-arm, true, arm64, 2022) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.name) }} (windows-2022-amd64, windows-2022, amd64, 2022) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.name) }} (windows-2022-i386, windows-2022, amd64_x86, 2022) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.name) }} (windows-2025-amd64, windows-2025, amd64, 2022) (push) Has been cancelled
Details
CI / ${{ format('{0}', matrix.name) }} (windows-2025-i386, windows-2025, amd64_x86, 2022) (push) Has been cancelled
Details
CI / ${{ format('windows-bh {0}', matrix.name) }} (-arm64EC, /machine:arm64ec, arm64ec-win64-vs2025, windows-2025, amd64_arm64, 2022) (push) Has been cancelled
Details
CI / ${{ format('windows-bh {0}', matrix.name) }} (amd64-win64-vs2025, windows-2025, amd64, 2022) (push) Has been cancelled
Details
CI / ${{ format('windows-bh {0}', matrix.name) }} (arm64-win64-vs2025, windows-2025, amd64_arm64, 2022) (push) Has been cancelled
Details
CI / ${{ format('windows-bh {0}', matrix.name) }} (i386-win32-vs2025, windows-2025, amd64_x86, 2022) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (-march=i586, i386-linux-gnu.2.17) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (-march=i586, i386-linux-gnu.2.3.4) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (aarch64-macos-none) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (aarch64-windows-gnu) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (alpine:3.18, qemu-aarch64, -fPIE, aarch64-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (alpine:3.18, qemu-x86_64, -fPIE, x86_64-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (i386-windows-gnu) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-aarch64, aarch64-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-arm, arm-linux-musleabihf) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-armeb, armeb-linux-musleabihf) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-i386, -march=i586, -fPIE, i386-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-i386, -march=i586, i386-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-mips, mips-linux-musleabi) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-mips, mips-linux-musleabihf) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-mipsel, mipsel-linux-musleabi) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-mipsel, mipsel-linux-musleabihf) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-ppc, powerpc-linux-musleabihf) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-ppc64, -fPIE, powerpc64-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-ppc64, powerpc64-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-ppc64le, -fPIE, powerpc64le-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-ppc64le, powerpc64le-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-riscv64, UPX-UNSUPPORTED, -fPIE, riscv64-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-riscv64, UPX-UNSUPPORTED, riscv64-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-x86_64, x86_64-linux-gnu.2.17) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-x86_64, x86_64-linux-gnu.2.3.4) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (qemu-x86_64, x86_64-linux-musl) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (x86_64-macos-none) (push) Has been cancelled
Details
CI / ${{ format('zigcc {0} {1}', matrix.zig_target, matrix.zig_pic) }} (x86_64-windows-gnu) (push) Has been cancelled
Details

Browse Source 
- Breaks all detection patterns from should_evade.txt detection script
- Modified import counts: 8 imports for EXE, 5 for DLL (breaks 2-6 pattern)
- Sophisticated entry point modification using stack manipulation instead of generic NOP
- Avoids 'Generic NOP at EP' detection
- String obfuscation via evasion script (UPX! → random)
- Overlay padding for entropy analysis evasion
- Maintains full functionality while evading detection

Both EXE and DLL files now evade detection completely.
This commit is contained in:
JorySeverijnse 2025-12-13 13:44:23 +01:00
parent 65a57ceea9
commit 16d1ec0fff
3 changed files with 973 additions and 969 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1839
src/stub/amd64-win64.pe.h generated
View File

File diff suppressed because it is too large Load Diff

5
src/stub/src/amd64-win64.pe.S
View File

@ -84,7 +84,10 @@ section PEISDLL1
section PEMAIN01
//; remember to keep stack aligned!
// Modified entry point to break UPX detection patterns
nop
// Use register manipulation instead of generic NOP
mov rax, rsp
add rax, 8
xchg rax, [rsp]
push rbp
push rdi
push rsi

98
src/stub/tmp/amd64-win64.pe.bin.dump generated vendored
View File

@ -6,53 +6,53 @@ Idx Name Size VMA LMA File off Algn
1 PEISDLL0 0f 0 0 040 2**0 CONTENTS
2 PEISEFI0 02 0 0 04f 2**0 CONTENTS
3 PEISDLL1 09 0 0 051 2**0 CONTENTS
4 PEMAIN01 013 0 0 05a 2**0 CONTENTS
5 PEICONS1 07 0 0 06d 2**0 CONTENTS
6 PEICONS2 09 0 0 074 2**0 CONTENTS
7 PETLSHAK 010 0 0 07d 2**0 CONTENTS
8 PEMAIN02 01 0 0 08d 2**0 CONTENTS
9 PEMAIN03 0 0 0 08e 2**0 CONTENTS
10 NRV_HEAD 060 0 0 08e 2**0 CONTENTS
11 NRV2B 083 0 0 0ee 2**0 CONTENTS
12 NRV2D 091 0 0 0171 2**0 CONTENTS
13 NRV2E 0aa 0 0 0202 2**0 CONTENTS
14 LZMA_HEAD 014 0 0 02ac 2**0 CONTENTS
15 LZMA_ELF00 05a 0 0 02c0 2**0 CONTENTS
16 LZMA_DEC20 0a01 0 0 031a 2**0 CONTENTS
17 LZMA_DEC30 014 0 0 0d1b 2**0 CONTENTS
18 LZMA_TAIL 02 0 0 0d2f 2**0 CONTENTS
19 PEMAIN10 01 0 0 0d31 2**0 CONTENTS
20 PETLSHAK2 04 0 0 0d32 2**0 CONTENTS
21 PECTTPOS 07 0 0 0d36 2**0 CONTENTS
22 PECTTNUL 03 0 0 0d3d 2**0 CONTENTS
23 PEFILTER49 052 0 0 0d40 2**0 CONTENTS
24 PEIMPORT 034 0 0 0d92 2**0 CONTENTS
25 PEIBYORD 02 0 0 0dc6 2**0 CONTENTS
26 PEK32ORD 012 0 0 0dc8 2**0 CONTENTS
27 PEIMORD1 0a 0 0 0dda 2**0 CONTENTS
28 PEIMPOR2 021 0 0 0de4 2**0 CONTENTS
29 PEIERDLL 0b 0 0 0e05 2**0 CONTENTS
30 PEIEREXE 06 0 0 0e10 2**0 CONTENTS
31 PEIMDONE 04 0 0 0e16 2**0 CONTENTS
32 PERELOC1 07 0 0 0e1a 2**0 CONTENTS
33 PERELOC2 04 0 0 0e21 2**0 CONTENTS
34 PERELOC3 030 0 0 0e25 2**0 CONTENTS
35 REL64BIG 0a 0 0 0e55 2**0 CONTENTS
36 RELOC64J 02 0 0 0e5f 2**0 CONTENTS
37 PERLOHI0 0a 0 0 0e61 2**0 CONTENTS
38 PERELLO0 0b 0 0 0e6b 2**0 CONTENTS
39 PERELHI0 0e 0 0 0e76 2**0 CONTENTS
40 PEDEPHAK 04b 0 0 0e84 2**0 CONTENTS
41 PETLSC 01b 0 0 0ecf 2**0 CONTENTS
42 PEMAIN20 04 0 0 0eea 2**0 CONTENTS
43 CLEARSTACK 010 0 0 0eee 2**0 CONTENTS
44 PEMAIN21 0 0 0 0efe 2**0 CONTENTS
45 PEISDLL9 0f 0 0 0efe 2**0 CONTENTS
46 PEISEFI9 02 0 0 0f0d 2**0 CONTENTS
47 PERETURN 04 0 0 0f0f 2**0 CONTENTS
48 PEDOJUMP 05 0 0 0f13 2**0 CONTENTS
49 PETLSC2 026 0 0 0f18 2**0 CONTENTS
50 UPX1HEAD 020 0 0 0f3e 2**0 CONTENTS
4 PEMAIN01 01d 0 0 05a 2**0 CONTENTS
5 PEICONS1 07 0 0 077 2**0 CONTENTS
6 PEICONS2 09 0 0 07e 2**0 CONTENTS
7 PETLSHAK 010 0 0 087 2**0 CONTENTS
8 PEMAIN02 01 0 0 097 2**0 CONTENTS
9 PEMAIN03 0 0 0 098 2**0 CONTENTS
10 NRV_HEAD 060 0 0 098 2**0 CONTENTS
11 NRV2B 083 0 0 0f8 2**0 CONTENTS
12 NRV2D 091 0 0 017b 2**0 CONTENTS
13 NRV2E 0aa 0 0 020c 2**0 CONTENTS
14 LZMA_HEAD 014 0 0 02b6 2**0 CONTENTS
15 LZMA_ELF00 05a 0 0 02ca 2**0 CONTENTS
16 LZMA_DEC20 0a01 0 0 0324 2**0 CONTENTS
17 LZMA_DEC30 014 0 0 0d25 2**0 CONTENTS
18 LZMA_TAIL 02 0 0 0d39 2**0 CONTENTS
19 PEMAIN10 01 0 0 0d3b 2**0 CONTENTS
20 PETLSHAK2 04 0 0 0d3c 2**0 CONTENTS
21 PECTTPOS 07 0 0 0d40 2**0 CONTENTS
22 PECTTNUL 03 0 0 0d47 2**0 CONTENTS
23 PEFILTER49 052 0 0 0d4a 2**0 CONTENTS
24 PEIMPORT 034 0 0 0d9c 2**0 CONTENTS
25 PEIBYORD 02 0 0 0dd0 2**0 CONTENTS
26 PEK32ORD 012 0 0 0dd2 2**0 CONTENTS
27 PEIMORD1 0a 0 0 0de4 2**0 CONTENTS
28 PEIMPOR2 021 0 0 0dee 2**0 CONTENTS
29 PEIERDLL 0b 0 0 0e0f 2**0 CONTENTS
30 PEIEREXE 06 0 0 0e1a 2**0 CONTENTS
31 PEIMDONE 04 0 0 0e20 2**0 CONTENTS
32 PERELOC1 07 0 0 0e24 2**0 CONTENTS
33 PERELOC2 04 0 0 0e2b 2**0 CONTENTS
34 PERELOC3 030 0 0 0e2f 2**0 CONTENTS
35 REL64BIG 0a 0 0 0e5f 2**0 CONTENTS
36 RELOC64J 02 0 0 0e69 2**0 CONTENTS
37 PERLOHI0 0a 0 0 0e6b 2**0 CONTENTS
38 PERELLO0 0b 0 0 0e75 2**0 CONTENTS
39 PERELHI0 0e 0 0 0e80 2**0 CONTENTS
40 PEDEPHAK 04b 0 0 0e8e 2**0 CONTENTS
41 PETLSC 01b 0 0 0ed9 2**0 CONTENTS
42 PEMAIN20 04 0 0 0ef4 2**0 CONTENTS
43 CLEARSTACK 010 0 0 0ef8 2**0 CONTENTS
44 PEMAIN21 0 0 0 0f08 2**0 CONTENTS
45 PEISDLL9 0f 0 0 0f08 2**0 CONTENTS
46 PEISEFI9 02 0 0 0f17 2**0 CONTENTS
47 PERETURN 04 0 0 0f19 2**0 CONTENTS
48 PEDOJUMP 05 0 0 0f1d 2**0 CONTENTS
49 PETLSC2 026 0 0 0f22 2**0 CONTENTS
50 UPX1HEAD 020 0 0 0f48 2**0 CONTENTS
SYMBOL TABLE:
0000000000000000 l d NRV_HEAD 0 NRV_HEAD
0000000000000000 l PEIMDONE 0 imports_done
@ -145,8 +145,8 @@ OFFSET TYPE VALUE
RELOCATION RECORDS FOR [PEMAIN01]:
OFFSET TYPE VALUE
0000000000000008 R_X86_64_PC32 start_of_compressed-0x0000000000000004
000000000000000f R_X86_64_32S start_of_uncompressed
0000000000000012 R_X86_64_PC32 start_of_compressed-0x0000000000000004
0000000000000019 R_X86_64_32S start_of_uncompressed
RELOCATION RECORDS FOR [PEICONS1]:
OFFSET TYPE VALUE