Root > Advanced topics > Using EurekaLog with other software > EXE packers, EXE cryptors, EXE protectors

EXE packers, EXE cryptors, EXE protectors

Previous pageReturn to chapter overviewNext page   

Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. When this compressed executable is executed, the decompression code recreates the original code from the compressed code before executing it. In most cases this happens transparently so the compressed executable can be used in exactly the same way as the original. Examples of executable packer tools: UPX, ASPack, Smart Pack Pro, etc.

 

Executable cryptor and protector tools transforms executable file in order to protect it against disassembling and reverse engineering. This usually involves many different techniques: encryption, packing, VM code, using hook/redirections, detecting debuggers, etc. Examples of protector tools: ASProtect, Themida, VMProtect, etc.

 

Using packers and protectors tools with exception tracer tool (such as EurekaLog) is a tricky task. That's because using exception tracer basically means "intercept exceptions", and protectors means "do not allow to mess with this process". Therefore, exception tracer wants to install hook (modify running process), protectors wants to prevent hooks. Clearly these two goals are in direct conflict with each other.

 

You may encounter the following issues:

(EXE file changes) Packer/protector tool may detect injecting EurekaLog's data during post-processing. The solution is to inject EurekaLog's data first and then post-process executable with packer/protector.
(Running process changes) Packer/protector tool may detect code hooks installed by EurekaLog. The solution is to avoid installing hooks when possible.
(Breaking code <-> debug info corresponding) Packer/protector tool may alter executable code in such way so it will be incompatible with debug information. There is no solution to this issue. However, most software is trying to preserve original code after unpacking.
(Conflicting tricks) Protector tools may use different kinds of tricks for protection. Some of these techniques may conflict with exception tracer. Such issues can usually be solved by adjusting options.

 

You can disable the following options in EurekaLog:

 

Important note: it's highly recommended to keep "Enable extended memory manager" option turned on (you can disable other memory checking options if you want to). Installing filter on memory manager will allow EurekaLog to track life-time of exceptions objects without need to install code hooks.

 

See also: Using EurekaLog and 3rd party shared memory manager.

 

Alternatively, you can also try to use the following options in your packer/protector tool:

Do not touch resources (if possible)
Avoid using VM (if possible)
Protect file instead of running process (if possible)
Disable debugger/hooks detection (if possible)
Disable virtualization of OS functions (if possible)

 

Generally, if your packer/protector tool has some options to integrate with digital signatures - it would be a good idea to enable these options for using with EurekaLog too.

 

 

General information

Many protector tools allow you to wrap blocks of code into some sort of markers to indicate that such code block should be protected/encrypted/virtualized (by replacing it with VM code). Some code will be dynamically generated. Such modifications will break binary code <-> source code interoperability (via debug information). Therefore, EurekaLog will not be able to show meaningful information about such code. Heavy usage of VM/dynamical code in your application will significantly weaken features of EurekaLog. Use only a minimally possible amount of such code.

 

There are difference in using IDE and environments. The best option is to use Windows XP or later, Delphi 2009 or later, and Win64 platform.

Windows XP allows EurekaLog-enabled application to use VEH (Vectored Exception Handling) to capture CPU state for exceptions. Older systems require using low-level hooks for that task (which may have problem with protectors and anti-virus software).
Delphi 2009 and above has extended exceptions support. A better integration with exception tracer tool is possible. EurekaLog can integrate with RTL without using any hooks on Delphi 2009+.
Win64 platform is different from Win32 platform because there is no reliable method to build a call stack on Win32 (so each method uses heuristic to guess possible code locations), but each function on Win64 must contain a stack frame (i.e. declare itself). Therefore, stack tracing is always accurate on Win64 even if dynamic code is used.

 

"Check file corruption" option should be turned off, as almost each packer/protector already contain the same functionality. However, it's not strictly necessary. This option uses standard CRC checksum field in PE header. Normally packer and protector tools will update this field to reflect changes. However, even though this option still may work after packing/protecting - it may be not needed, because this work will be done by packer/protector integrity checks. Unlike digital signatures, packer and protector will refuse to run modified executable.

 

"Use low-level hooks" and "Code hooks" options installs hooks on routines in code. This may cause problems with integrity checks in protectors. Disable these options to avoid it. Low-level hooks can be replaced by using Windows XP+ and Delphi 2009+. Code hooks may be replaced with manual invoke of exception manager. See also practical examples below.

 

"Use speed optimizations" options caches kernel information to speed up stack tracing process. This feature may be in conflict with different protector's tricks. Disable this options to avoid it.

 

The common rule of thumb is not to blindly disable each possible EurekaLog options. Each EurekaLog option allows you to use certain feature. If you disable each option without checking if this was needed at all - you may encounter unexpected behavior (like missed feature behavior).  This is especially true for such options as "Handle every SafeCall exception", "Catch handled exceptions", memory manager options. Therefore the best way is to disable options one-by-one and checking work status on each step:

2. Try to compile your application with EurekaLog and packer/protector. You can use build events to invoke external tool automatically when building the project.
3. If this doesn't work - open EurekaLog project options and go to "External tools" page.
4. Turn off one single option and repeat testing.
5. If this doesn't work - turn off more options.
6. Repeat this process until you get working solution.

 

 

Example: using EurekaLog with UPX

1. Create or open the project.
2. Enable and configure EurekaLog.
3. Open build events page and place a call to UPX to post-build event (success): UPX.exe -9 "%_IDETarget%"
4. Build your project.

 

Notes:

Do not confuse post-build's success and failure events. You need to insert call to post-build success event, not into post-build failure event.
You may need to specify full file path for tool's .exe file (like C:\Tools\upx.exe).
Do not forget about surrounding double quotes for files with spaces in path.
Delphi/C++ Builder 2007+ also have build events. Do not place call to UPX to IDE's build events. Build events of IDE are executed as part of compilation - thus, IDE's post-build event will fire before EurekaLog will be able to do its post-processing. This means that EurekaLog's post-processing will try to modify already packed executable. Therefore, you should use EurekaLog's post-build events to call packer only after compilation and post-processing.
There are no special requirements for options, but you may also want to try to disable the above mentioned options (if you've encountered any issue). "Check file corruption" option is a good candidate to be turned off (even if it's not strictly necessary).
You may want to use UPX's options like --compress-resources=0 or --keep-resources=list to exclude EurekaLog's data from being compressed (EurekaLog's data is already compressed).
You may try to use UPX's option --compress-exports=0 to avoid changing exports table.

 

 

Example: using EurekaLog with ASProtect

ASProtect tool is awared of Delphi/C++ Builder IDE and will ask you for .map file. Therefore, it must be enabled in options and "Delete service files after compilation" option must be turned off.

 

1. Create or open the project.
2. Enable and configure EurekaLog.
a. Set "Linking / Map file" = "Detailed" (Delphi) or "Detailed segment map" (C++ Builder). Be sure that "Map with mangled names" option is turned off (if it's present).
b. Enable "Linking / Debug information" (new Delphi), "Include TD32 debug info" (old Delphi) or "Full debug information" (C++ Builder). Be sure that "Place debug information in separate TDS file" option is turned on (if it's present).
c. Enable "Stack frames", "Debug information", "Use Debug DCUs" and (optionally) "Range checking" options on "Compiling" page (Delphi only).
d. Enable "Debug information" and "Debug line number information" options on "C++ Compiler"/"Debugging" page (C++ Builder only).
4. Open EurekaLog project options:
d. Disable all "Code Hooks" options. Note: your application type will be converted to "Custom settings / Unsupported type". This is normal/expected behavior.
e. Enable extended memory manager. You can enable only extended memory manager without any additional options.
5. Add EExceptionManager unit to uses clause of your main form's unit.
6. Place TApplicationEvents component on your main form.
7. Create new OnException event handler for TApplicationEvents component.
8. Place a "ExceptionManager.Handle(E)" call inside event handler for OnException event.
9. Build your application and check that it's working as you expect it to work.
10. Build your project with ASProtect. You can use post-build event to automatically invoke ASProtect on each compilation: ASProtect.exe -process Project1.aspr2

 

Notes:

Do not confuse post-build's success and failure events. You need to insert call to post-build success event, not into post-build failure event.
You may need to specify full file path for tool's .exe file (like C:\Tools\ASProtect.exe).
Do not forget about surrounding double quotes for files with spaces in path.
Delphi/C++ Builder 2007+ also have build events. Do not place call to ASProtect to IDE's build events. Build events of IDE are executed as part of compilation - thus, IDE's post-build event will fire before EurekaLog will be able to do its post-processing. This means that EurekaLog's post-processing will modify already protected executable. Therefore, you should use EurekaLog's post-build events to call protector tool only after compilation and post-processing.

 

 

Example: using EurekaLog with Themida

1. Create or open the project.
2. Enable and configure EurekaLog.
a. Set "Linking / Map file" = "Detailed" (Delphi) or "Detailed segment map" (C++ Builder). Be sure that "Map with mangled names" option is turned off (if it's present).
b. Enable "Linking / Debug information" (new Delphi), "Include TD32 debug info" (old Delphi) or "Full debug information" (C++ Builder). Be sure that "Place debug information in separate TDS file" option is turned on (if it's present).
c. Enable "Stack frames", "Debug information", "Use Debug DCUs" and (optionally) "Range checking" options on "Compiling" page (Delphi only).
d. Enable "Debug information" and "Debug line number information" options on "C++ Compiler"/"Debugging" page (C++ Builder only).
4. Open EurekaLog project options:
c. Disable all "Code Hooks" options. Note: your application type will be converted to "Custom settings / Unsupported type". This is normal/expected behavior.
d. Enable extended memory manager. You can enable only extended memory manager without any additional options.
5. Add EExceptionManager unit to uses clause of your main form's unit.
6. Place TApplicationEvents component on your main form.
7. Create new OnException event handler for TApplicationEvents component.
8. Place a "ExceptionManager.Handle(E)" call inside event handler for OnException event.
9. Build your application and check that it's working as you expect it to work.
10. Build your project with Themida. You can use post-build event to automatically invoke Themida on each compilation: Themida.exe /protect Project1.tmd

 

Notes:

Do not confuse post-build's success and failure events. You need to insert call to post-build success event, not into post-build failure event.
You may need to specify full file path for tool's .exe file (like C:\Tools\Themida.exe).
Do not forget about surrounding double quotes for files with spaces in path.
Delphi/C++ Builder 2007+ also have build events. Do not place call to Themida to IDE's build events. Build events of IDE are executed as part of compilation - thus, IDE's post-build event will fire before EurekaLog will be able to do its post-processing. This means that EurekaLog's post-processing will modify already protected executable. Therefore, you should use EurekaLog's post-build events to call protector tool only after compilation and post-processing.

 

 

See also:




Send feedback... Build date: 2018-11-26
Last edited: 2018-06-14
PRIVACY STATEMENT
The documentation team uses the feedback submitted to improve the EurekaLog documentation. We do not use your e-mail address for any other purpose. We will remove your e-mail address from our system after the issue you are reporting has been resolved. While we are working to resolve this issue, we may send you an e-mail message to request more information about your feedback. After the issues have been addressed, we may send you an email message to let you know that your feedback has been addressed.


Permanent link to this article: https://www.eurekalog.com/help/eurekalog/external_pack_crypt_protect.php