qosaassets.blogg.se

Why pestudio stopped running executable

A packer is a way of obfuscating an executable program, i.e., transforming it so the result is still executable and has the same effect when run, but looks different (so it won't be detected by static anti-virus). Bad guys often use custom packers to obfuscate their malware, to make it less likely that anti-virus will detect the malware or to make it harder for anti-virus vendors to reverse engineer the malware and figure out what it is doing.

Is it possible to detect whether a particular executable has been packed with a custom packer? In other words, given an executable, I'd like to classify it as either "has been packed with a custom packer" or "hasn't". Are existing anti-virus tools good at detecting whether an executable has been packed with a custom packer?

I'm especially curious about the following easier variant of the problem. Suppose I know about a particular custom packer that's being used by bad guys. Is it feasible to recognize executables that have been packed with this packer? In other words, given an executable E and a packer P, I'd like to classify E as either "was packed by P" or "wasn't". Are there known techniques for doing so? How effective are they?

There are many known ways to identify packers. The 'most common' packer UPX and its variations are usually flagged as 'suspicious' by anti-virus engines due to a signature detection in the EXE.

RDG Packer Detector, which detects specific packers based on signature checking (presumably the same way AV does it).

A simple signature DB checker in Python for you to play with (not sure where to grab the DB from, though; try here?).

PEiD detects most common packers, cryptors and compilers for PE files, as well as allowing for disassembly (available to download via Softpedia).

There's also a list here of a couple of variations of packers.

Once you detect the type of packer, you can use an automatic unpacker (if one is already available) or you can start manually unpacking it.

Are existing anti-virus tools good at detecting whether an executable

No, not really, they'll be looking (like the above tools) for signatures.
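The signature checking that these tools rely on can be sketched as follows. This is an added example, not code from the original page or from any tool named in it: it parses entries in the PEiD `userdb.txt` text layout (`??` is a wildcard byte) and matches them at the PE entry point. The database entries, the sample image builder and all function names are constructed for illustration.

```python
import struct

# Constructed DB in PEiD userdb.txt layout; patterns are invented, not real signatures.
SAMPLE_DB = """
[ExamplePacker 1.x]
signature = DE AD ?? ?? BE EF 01
ep_only = true
[OtherPacker 2.0]
signature = 55 8B EC ?? C0 DE
"""

def parse_db(text):
    """Return [(name, pattern)]; a pattern is a list of ints, None = wildcard."""
    sigs, name = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif name and line.lower().startswith("signature"):
            toks = line.split("=", 1)[1].split()
            sigs.append((name, [None if t == "??" else int(t, 16) for t in toks]))
    return sigs

def entry_point_offset(pe):
    """Translate AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # NumberOfSections at nt+6, SizeOfOptionalHeader at nt+20 (12 bytes skipped).
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    ep_rva, = struct.unpack_from("<I", pe, nt + 24 + 16)
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<IIII", pe, nt + 24 + opt_size + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):
            return rptr + ep_rva - vaddr
    raise ValueError("entry point lies outside every section")

def identify(pe, sigs):
    """Names of signatures matching at the entry point (every entry treated as ep_only)."""
    ep = entry_point_offset(pe)
    return [name for name, pat in sigs
            if len(pe) >= ep + len(pat)
            and all(p is None or p == b for p, b in zip(pat, pe[ep:ep + len(pat)]))]

def build_sample(code):
    """Constructed minimal PE32 image: one section, RVA 0x1000, raw data at 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000).ljust(0xE0, b"\0")
    sec = b".text\0\0\0" + struct.pack("<IIII", len(code), 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + code.ljust(0x200, b"\0")
```

Changing a single fixed byte of the stub is enough to stop the pattern from matching, which is why this approach only recognizes packers whose entry-point code is already in the database.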





