
Determine if file is compressed / packed

Skitty

This isn't 100% accurate; it's just a concept of thought, I guess.

What I was originally attempting to do was a sort of skiddy attempt at a malicious software detector and in the process I figured that I can use this to detect compressed executables.

Thanks to Trancexx for the function that I took from a script called to get the information I needed, like section names and imported functions, so I can do a check on them and flag the file depending on certain imported functions found together. I'd also like to thank Mobius for some functions I learned from him.

I realize that detecting section names is a little futile, since someone can just change all of that, so I tried my best at determining what compressors are used based on imported functions and the number of imported functions found. It seems that most executable packers attempt to hide the originally imported functions, and in the process they add about 2-7 imports from kernel32, which are usually the same throughout the majority of the mainstream packers I've fiddled with.

Example.au3

Stereotype Scanner.au3

Mar 6 2012 - added hopefully better detection of UPX when someone modifies the header sections to avoid detection.

Edited by ApudAngelorum

Things that I've done..

Icon Resource Editor: icon resource editor 

AutoIt Piano: a piano

AutoIt Unlocker: unlocks files when you want to delete them

Colorful tooltips: a wrapper for the tool tips UDF

Rouge GoogleBot: a full screen animation

ASciTE text editor: a text editor written in autoit

Warning: Posts by this user are subject to change or may disappear without notice.

Digisoul

Good dude, I have one question: instead of matching section names with the fixed number of strings, why don't you match them with the known or default section names? If any unknown section name is found, then it should be a packer or some kind of crafted PE.

One more thing: also add some checking of Section Characteristics flags; it will raise the chances of detection.

There are many other things you can add :oops:, e.g. incorrect Section Alignment, AddressOfEntryPoint not pointing to the code section, incorrect sizes in the Data Directories, TimeDateStamp value of 0, etc.
Skitty

Good dude, I have one question: instead of matching section names with the fixed number of strings, why don't you match them with the known or default section names? If any unknown section name is found, then it should be a packer or some kind of crafted PE.

I'm not sure I'm understanding this question correctly.

The script is detecting some default compressor signatures, but the variable that delivers the packer ($packer) can be overwritten in case it seems that someone purposely modified them, or in another case where someone used a packer that adds bogus packer signatures, or they have been overwritten/removed. In this case, it might be detected as just plain "PACKED" and won't deliver the actual packer that was used.

One more thing: also add some checking of Section Characteristics flags; it will raise the chances of detection.

There are many other things you can add :oops:, e.g. incorrect Section Alignment, AddressOfEntryPoint not pointing to the code section, incorrect sizes in the Data Directories, TimeDateStamp value of 0, etc.

I was thinking about all of that when putting this together. The code I used from trancexx's script returned all the data necessary, but figuring out a legitimately accurate method of determining these things with the supplied data is a little over my head at the moment. I'd need to play around with more compressors and analyze a lot of different packed files in order to come up with an average that seems to be present throughout a majority of the targets, you know what I mean?

Any changes/improvement/advice on this is always accepted.

Edit: I also forgot to mention that it is a lot better for detection of UPX.

Edited by THAT1ANONYMOUSEDUDE

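The header checks discussed in this thread (the original section-name signature for UPX, plus Digisoul's suggestions: unknown section names, section characteristics, entry point outside a code section, zero TimeDateStamp) can be written as a small static scan. This is an added example in Python, not code from the attached AutoIt scripts; the list of "known" section names and the two header-only sample images are constructed assumptions for the demonstration, and the import-table heuristic from the first post is not covered here.

```python
import struct

# Section names mainstream linkers emit (assumption: a practical starter list).
KNOWN = {b".text", b".data", b".rdata", b".idata", b".edata", b".rsrc",
         b".reloc", b".bss", b".tls", b".pdata", b".CRT"}
EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000   # IMAGE_SCN_MEM_* flags

def parse_pe(data):
    """Return (TimeDateStamp, entry-point RVA, [(name, vaddr, vsize, chars), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, tstamp = struct.unpack_from("<HI", data, pe + 6)       # COFF header fields
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]      # AddressOfEntryPoint
    raw = [struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
           for i in range(nsec)]                                 # section table
    return tstamp, entry, [(f[0].rstrip(b"\0"), f[2], f[1], f[9]) for f in raw]

def packer_indicators(data):
    """Heuristics from the thread: section names, W+X flags, entry point, timestamp."""
    tstamp, entry, secs = parse_pe(data)
    out, names = [], [s[0] for s in secs]
    if any(n.startswith(b"UPX") for n in names):
        out.append("UPX section names present")
    unknown = [n for n in names if n not in KNOWN]
    if unknown:
        out.append("non-standard section names: %r" % unknown)
    for name, vaddr, vsize, chars in secs:
        if chars & EXEC and chars & WRITE:
            out.append("section %r is writable and executable" % name)
    owner = [s for s in secs if s[1] <= entry < s[1] + s[2]]
    if not owner or not owner[0][3] & EXEC:
        out.append("entry point 0x%x is not inside an executable section" % entry)
    if tstamp == 0:
        out.append("TimeDateStamp is 0")
    return out

def build_sample(sections, entry, tstamp):
    """Constructed header-only PE32 image for testing (not a real executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), tstamp, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(224, b"\0")
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, c)
                   for i, (n, c) in enumerate(sections))
    return dos + coff + opt + tbl

PACKED = build_sample([(b"UPX0", EXEC | WRITE), (b"UPX1", EXEC | WRITE), (b".rsrc", READ)], 0x2010, 0)
CLEAN = build_sample([(b".text", EXEC | READ), (b".data", READ | WRITE), (b".rsrc", READ)], 0x1000, 0x4F5A0000)
```

Running `packer_indicators(open(path, "rb").read())` on a real file returns the list of findings; an empty list means none of these header heuristics fired, not that the file is unpacked.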