Packed Malware

alixan
2 min read, Aug 24, 2022

Malware authors often seek to protect their creations from anti-malware products and from the tools that analysts use to examine malicious programs. They often accomplish this by using tools known as packers.

  • Packers are tools that compress, obfuscate, encrypt, or otherwise encode the original code
  • The packed program decodes the code into memory when it runs
  • This safeguards the specimen from static analysis techniques
  • Packed programs are also difficult to disassemble and debug
  • Not all malware is packed

Malware authors have many options for packing executables.

UPX — Ultimate Packer for eXecutables

  • open source, widely used, and comparatively easy to unpack.

Now let’s see how to detect that a file has been packed with UPX.

Let’s open our file in PeStudio.

Then we click on the section tab among the application tabs.

As you can see, the section tab indicates that our file was packed with UPX.

Another way to assess the likelihood that a Windows executable might be packed is to examine the distribution of the file’s byte values. One tool that enables you to do this in a visual manner is Bytehist. Now we can try it.

Bytehist generates byte-usage histograms, showing you the frequency with which each byte value occurs in the file.

Command: bytehist alixan.exe
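Both indicators described above (UPX-named sections in the section table, and a skewed, high-entropy byte-value distribution) can also be checked without a GUI. The script below is an added example, not code from the original post or from PeStudio or Bytehist: it reads the section names straight from the PE section table, builds a Bytehist-style histogram with its Shannon entropy, and runs both checks over two constructed in-memory PE images, so no real sample is needed.

```python
import hashlib
import math
import struct

def byte_histogram(data: bytes) -> list:
    """Frequency of each of the 256 byte values (the distribution Bytehist plots)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted regions, much lower for plain code."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in byte_histogram(data) if c) if n else 0.0

def pe_section_names(data: bytes) -> list:
    """Read the section names from the PE section table (what PeStudio's section tab shows)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size           # section table follows the optional header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(num_sections)]

def looks_packed(data: bytes, threshold: float = 7.0) -> dict:
    """Combine both indicators: UPX-named sections and a high-entropy byte histogram."""
    names = pe_section_names(data)
    ent = shannon_entropy(data)
    return {"sections": names, "upx_sections": any(n.startswith("UPX") for n in names),
            "entropy": round(ent, 2), "high_entropy": ent > threshold}

def build_fake_pe(section_names: list, body: bytes) -> bytes:
    """Constructed minimal PE for testing only: MZ stub, PE signature, COFF header,
    zero-length optional header, section table, then the raw section bytes."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return mz + b"PE\0\0" + coff + table + body

# Constructed samples: a UPX-style layout filled with pseudo-random bytes, and a plain one
PACKED_SAMPLE = build_fake_pe(["UPX0", "UPX1", ".rsrc"],
                              b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256)))
PLAIN_SAMPLE = build_fake_pe([".text", ".data"], (b"\x55\x8b\xec" + b"\0" * 13) * 512)

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, looks_packed(sample))
```

On a real file, replace the constructed samples with `open(path, "rb").read()`; the entropy threshold is a heuristic, and the section names are the stronger UPX indicator.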

Unpacked: Link
