Packers

Malware is often packed. Packing produces a smaller version of the executable that is harder to analyse. A malware analyst can still work with a packed sample for behavioural analysis, but for static analysis an unpacked version may be necessary.

Packing/Unpacking

The unpacking stub unpacks the original executable into memory, resolves imports, and transfers execution to the OEP (original entry point).

Identifying packers

  • Opening a packed executable with tools like OllyDbg and IDA Pro will produce a warning that the executable may be packed.

  • Packed programs have very few imports (usually just LoadLibrary and GetProcAddress), or no imports at all.

  • Many packers leave text signatures inside the packed binary.

  • In some cases, the file(1) command will be able to identify the packer (e.g. "UPX compressed", "PECompact2 compressed").

  • Tools like PEiD (Python version) and pev detect most common packers, cryptors and compilers for PE files.
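The three static indicators above (packer-specific section names, leftover text signatures, and an import table reduced to LoadLibrary/GetProcAddress) can be checked with a few dozen lines of pure Python. The script below is an added example written for these notes; it is not code from the page, from PEiD or from pev. It carries a minimal PE parser (DOS header, file header, section table, import descriptors), and because it has to run offline it also includes build_sample_pe(), a constructed helper that fabricates a tiny PE32+ file so the heuristics can be exercised on a "packed-looking" and a "normal-looking" sample. The PACKER_SECTIONS and TEXT_SIGNATURES tables are my own short, non-exhaustive lists, not an authoritative signature database.

```python
import struct

# Constructed, non-exhaustive lookup tables (assumption: section names these packers
# commonly create, and one literal string UPX leaves in the file).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                   "pec1": "PECompact", "pec2": "PECompact",
                   ".petite": "Petite", ".aspack": "ASPack", ".adata": "ASPack"}
TEXT_SIGNATURES = {b"UPX!": "UPX"}
STUB_IMPORTS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


def read_cstr(data, off):
    """Read a NUL-terminated string at a raw file offset."""
    return data[off:data.index(b"\0", off)].decode("latin-1")


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a raw file offset using the section table."""
    for _, vsize, va, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA %#x is outside every section" % rva)


def parse_pe(data):
    """Return (is_pe32plus, import_directory_rva, [(name, vsize, va, rawsize, rawptr)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # start of the optional header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd = opt + (112 if is64 else 96)          # DataDirectory; entry 1 is the import table
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, va, rsize, rptr))
    return is64, imp_rva, sections


def list_imports(data, is64, imp_rva, sections):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return {dll: [function, ...]}."""
    imports = {}
    if not imp_rva:
        return imports
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    off = rva_to_offset(imp_rva, sections)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                     # all-zero descriptor ends the list
            break
        funcs, thunk = [], rva_to_offset(ilt or iat, sections)
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:              # import by ordinal
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:                             # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                funcs.append(read_cstr(data, rva_to_offset(entry, sections) + 2))
            thunk += size
        imports[read_cstr(data, rva_to_offset(name_rva, sections))] = funcs
        off += 20
    return imports


def assess(data):
    """Apply the three static heuristics from the notes and report what was found."""
    is64, imp_rva, sections = parse_pe(data)
    imports = list_imports(data, is64, imp_rva, sections)
    findings = []
    for name, *_ in sections:
        if name in PACKER_SECTIONS:
            findings.append("section %s is characteristic of %s" % (name, PACKER_SECTIONS[name]))
    for sig, packer in TEXT_SIGNATURES.items():
        if sig in data:
            findings.append("text signature %r (%s)" % (sig, packer))
    funcs = [f for fs in imports.values() for f in fs]
    if len(funcs) <= 2 and set(funcs) <= STUB_IMPORTS:
        findings.append("only %d imports, all stub-style: %s" % (len(funcs), funcs))
    return {"sections": [s[0] for s in sections], "imports": imports,
            "findings": findings, "likely_packed": bool(findings)}


def build_sample_pe(section_names, imports, marker=b""):
    """Constructed test helper (assumption, not a real packer): a minimal PE32+ with a
    0x400-byte header block, one 0x400-byte raw section per name, import tables in the
    last section and `marker` placed at the start of the first section."""
    nsec, raw, hdr, e_lfanew, opt_size = len(section_names), 0x400, 0x400, 64, 240
    last_va = 0x1000 * nsec
    descs, blob = bytearray(), bytearray()   # descriptors, then names/hints/thunks
    base = last_va + 20 * (len(imports) + 1)
    for dll, funcs in imports.items():
        name_rva = base + len(blob)
        blob += dll.encode() + b"\0"
        entries = []
        for f in funcs:
            entries.append(base + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\0"
        thunks = b"".join(struct.pack("<Q", e) for e in entries) + bytes(8)
        ilt_rva = base + len(blob)
        blob += thunks * 2                    # ILT followed by an identical IAT
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, ilt_rva + len(thunks))
    descs += bytes(20)
    img = bytearray(hdr + raw * nsec)
    img[:2], img[e_lfanew:e_lfanew + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, nsec, 0, 0, 0, opt_size, 0x22)
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B)               # PE32+ magic
    for i, name in enumerate(section_names):
        struct.pack_into("<8sIIII", img, e_lfanew + 24 + opt_size + 40 * i,
                         name.encode(), raw, 0x1000 * (i + 1), raw, hdr + raw * i)
    if imports:
        payload, start = bytes(descs + blob), hdr + raw * (nsec - 1)
        struct.pack_into("<II", img, e_lfanew + 24 + 112 + 8, last_va, len(payload))
        img[start:start + len(payload)] = payload
    img[hdr:hdr + len(marker)] = marker
    return bytes(img)
```

Running assess() on build_sample_pe(["UPX0", "UPX1"], {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"]}, marker=b"UPX!") yields four findings (two section names, the UPX! string, and a two-entry stub import table), while a sample with .text/.rdata/.idata sections and ordinary imports yields none. On a real file, call assess(open(path, "rb").read()); a hit on any single heuristic is only a hint, and the import-count check in particular also fires on legitimately tiny or statically linked binaries, so treat the result as a reason to look closer rather than a verdict.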