Challenge 34: Custom Packer / Crypter
Objective
Use a custom packer or crypter with normal section names and no known signatures to completely evade both Rule 6 (hash check) and Rule 9 (packer detection).
Prerequisites
edr_agent.exe --signatures signatures/malware_hashes.txt --verbose --no-kill
Scanner Behavior
Rule 9 relies on two weak indicators:
- Section name matching: Only checks a hardcoded list of known packer names
- RWX section detection: Checks for sections with
IMAGE_SCN_MEM_READ | WRITE | EXECUTE
There is no entropy analysis — a section full of encrypted data with a normal name like .text is invisible to the scanner.
Rules
- Write or use a custom packer that does not use known section names
- Avoid creating sections with RWX permissions (use
VirtualProtectat runtime instead) - The packed binary must successfully unpack and execute its payload
- Both Rule 6 and Rule 9 must not trigger
Hints
Hint 1
A minimal packer: XOR-encrypt the payload, store it in a.data section, add a stub in .text that decrypts and jumps to it.
Hint 2
UseRW for the encrypted data section, then VirtualProtect to add execute permission at runtime. The static analysis never sees RWX.
Hint 3
The EDR has no entropy analysis. A.text section with Shannon entropy of 7.99 (near-random encrypted data) looks identical to a normal .text section to this scanner.
MostShittyEDR