Challenge 34: Custom Packer / Crypter

Hard Packer & PE Evasion Target: Rule 9

Objective

Use a custom packer or crypter with normal section names and no known signatures to completely evade both Rule 6 (hash check) and Rule 9 (packer detection).

Prerequisites

edr_agent.exe --signatures signatures/malware_hashes.txt --verbose --no-kill

Scanner Behavior

Rule 9 relies on two weak indicators:

  1. Section name matching: Only checks a hardcoded list of known packer names
  2. RWX section detection: Checks for sections with IMAGE_SCN_MEM_READ | WRITE | EXECUTE

There is no entropy analysis — a section full of encrypted data with a normal name like .text is invisible to the scanner.

Rules

  • Write or use a custom packer that does not use known section names
  • Avoid creating sections with RWX permissions (use VirtualProtect at runtime instead)
  • The packed binary must successfully unpack and execute its payload
  • Both Rule 6 and Rule 9 must not trigger

Hints

Hint 1 A minimal packer: XOR-encrypt the payload, store it in a .data section, add a stub in .text that decrypts and jumps to it.
Hint 2 Use RW for the encrypted data section, then VirtualProtect to add execute permission at runtime. The static analysis never sees RWX.
Hint 3 The EDR has no entropy analysis. A .text section with Shannon entropy of 7.99 (near-random encrypted data) looks identical to a normal .text section to this scanner.