packerid icon indicating copy to clipboard operation
packerid copied to clipboard

Published 20 hours ago verified publisher icon sooshie

Doesn't detect UPX packed executable

Open zbuc opened this issue 9 years ago • 3 comments

There's an example from the book Practical Malware Analysis that is packed with UPX that isn't detected by packerid.

http://practicalmalwareanalysis.com/labs/

The example is Lab01-02.exe. packerid returns "None" when it should detect UPX.

If you examine the sections in the PE binary, you'll see that it has UPX sections and the UPX unpacker works against the file.

zbuc avatar May 20 '15 14:05 zbuc

Interesting, any thoughts on why it fails? Have you gotten it to successfully detect other UPX binaries?

david-r-cox avatar May 26 '15 17:05 david-r-cox

I haven't had a chance to look at how packerid performs detection yet.

The book called out the fact that PEid for Windows didn't detect UPX properly on the binary, so I checked how packerid fared, which also failed to detect the packing.

zbuc avatar May 26 '15 17:05 zbuc

Could be a couple of different reasons. packerid uses pefile which is based off PEiD and uses it's signatures.

The signature available could be less than great, and there are a couple of minor issues with how pefile handles PEiD signatures. I've fixed a couple, but haven't gotten around to fixing all of them yet.

Mostly unrelated. I've been working on some new ways to do packer detection that are not based off PEiD. They'll be released later this summer at Defcon, and I'll eventually get them wrangled into packerid.

sooshie avatar Jun 05 '15 15:06 sooshie