# AD5060: DetectPackedBinary

## Summary
Detects macOS/iOS Mach-O binaries that have been compressed or packed using executable packers like UPX.
## Description
This rule detects binaries that have been compressed or packed using executable packers. Packed binaries strip or encrypt segment information, debug information, and symbol tables that security analysis tools rely on. When a packer is detected, other analysis results should be treated as potentially unreliable.
For Mach-O binaries, UPX is the most common packer. UPX-packed Mach-O binaries typically have:

- `UPX!` magic bytes in the binary
- Modified segment structure
- Stripped symbol tables
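The indicators listed above can be checked without a full Mach-O parser. The following is an added example, not part of aldur or its rule implementation: it recognises the Mach-O and universal-binary magic values, reports the load-command count from the header (a packer stub usually leaves far fewer load commands than the original binary), and searches for the `UPX!` marker. The sample binaries it scans are constructed in code, not real files.

```python
"""Heuristic packer check for Mach-O blobs (added example, not aldur's own code)."""
import struct

# Mach-O header magics as read little-endian from the file. The *CIGAM* forms
# are what a big-endian (byte-swapped) image yields under the same read.
MACHO_MAGICS = {
    0xFEEDFACE: "Mach-O 32-bit",
    0xFEEDFACF: "Mach-O 64-bit",
    0xCEFAEDFE: "Mach-O 32-bit (byte-swapped)",
    0xCFFAEDFE: "Mach-O 64-bit (byte-swapped)",
    0xBEBAFECA: "Universal (fat) binary",
}
UPX_MARKER = b"UPX!"
# Offset of ncmds in both mach_header and mach_header_64 (magic, cputype,
# cpusubtype, filetype all precede it, 4 bytes each).
NCMDS_OFFSET = 16


def macho_kind(data: bytes):
    """Return a description of the file format, or None if not Mach-O."""
    if len(data) < 4:
        return None
    magic = struct.unpack_from("<I", data, 0)[0]
    return MACHO_MAGICS.get(magic)


def load_command_count(data: bytes):
    """ncmds from the Mach-O header; None for fat binaries or short input."""
    kind = macho_kind(data)
    if kind is None or kind.startswith("Universal") or len(data) < NCMDS_OFFSET + 4:
        return None
    return struct.unpack_from("<I", data, NCMDS_OFFSET)[0]


def find_upx_markers(data: bytes):
    """Offsets of every 'UPX!' occurrence in the blob."""
    offsets, start = [], 0
    while (idx := data.find(UPX_MARKER, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan_for_packer(data: bytes) -> dict:
    """Summarise packer indicators; 'packed' is True when a UPX marker is present."""
    offsets = find_upx_markers(data)
    return {
        "format": macho_kind(data),
        "load_commands": load_command_count(data),
        "upx_marker_offsets": offsets,
        "packed": bool(offsets),
        # Analysis results derived from segments, load commands or symbols
        # should be treated as unreliable once a packer is detected.
        "analysis_reliable": not offsets,
    }


def build_sample(packed: bool) -> bytes:
    """Constructed 64-bit Mach-O header (arm64, MH_EXECUTE, MH_PIE) plus filler.

    This is synthetic test data, not a real binary; the 'UPX!' block mimics
    only the marker, not a genuine UPX stub.
    """
    header = struct.pack(
        "<IiiIIIII",
        0xFEEDFACF,   # MH_MAGIC_64
        0x0100000C,   # CPU_TYPE_ARM64
        0,            # cpusubtype
        2,            # MH_EXECUTE
        1,            # ncmds (constructed value)
        72,           # sizeofcmds (constructed value)
        0x200000,     # MH_PIE
        0,            # reserved
    )
    body = b"\x00" * 64
    if packed:
        body += UPX_MARKER + b"\x00" * 28
    return header + body


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("packed", build_sample(True))):
        print(label, scan_for_packer(blob))
```

Running the block prints one summary per constructed sample; on real input you would read the file bytes and pass them to `scan_for_packer`. A marker hit is strong evidence of UPX, while a very small `load_commands` value is only a hint and is reported for context rather than used to decide.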
## Detected Packers

- UPX (Ultimate Packer for eXecutables)
- Other packers detected by signature or heuristics
## Why This Matters for Mach-O

Mach-O security analysis relies on:

- Segment information for checking permissions
- Load commands for security flags (PIE, stack execution, etc.)
- DWARF debug info for compiler detection
- Symbol tables for API usage analysis

Packed binaries may have these structures modified or stripped, leading to:

- False negatives (missing security issues)
- False positives (incorrect flags from the packer stub)
- Incomplete analysis
## Resolution

### UPX

```bash
# Decompress a UPX-packed binary
upx -d packed_binary

# Decompress to a new file
upx -d -o unpacked_binary packed_binary

# Force decompression
upx -d -f packed_binary
```
### Scan Before Packing

Run security analysis on your binaries before applying any packer:

```bash
# Analyze the original binary
aldur analyze MyApp.app/Contents/MacOS/MyApp

# Then pack for distribution (if needed)
upx MyApp.app/Contents/MacOS/MyApp
```
### Code Signing Considerations
On macOS, packed binaries will need to be re-signed after unpacking:
## Configuration
To suppress this warning:
Note: Even if you suppress this warning, other analysis results may be unreliable for packed binaries.