5.2 Detecting File Obfuscation Using Exeinfo PE

Most legitimate executables do not obfuscate content, but some executables may do it to prevent others from examining their code. When you come across a sample that is packed, there is a high chance of it being malicious. To detect packers on Windows, you can use a freeware tool such as Exeinfo PE (http://exeinfo.atwebpages.com/); it has an easy-to-use GUI. At the time of writing this book, it uses more than 4,500 signatures (stored in userdb.txt in the same directory) to detect various compilers, packers, or cryptors utilized to build the program. In addition to detecting Packers, another interesting feature of Exeinfo PE is that it gives information/references on how to unpack the sample.

Loading the packed Spybot malware sample into Exeinfo PE shows that it is packed with UPX, and it also gives a hint on which command to use to decompress the obfuscated file; this can make your analysis much easier:

Other CLI and GUI tools that can help you with packer detections include TrID (http://mark0.net/soft-trid-e.html), TRIDNet (http://mark0.net/soft-tridnet-e.html), Detect It Easy (http://ntinfo.biz/), RDG Packer Detector (http://www.rdgsoft.net/), packerid.py (https://github.com/sooshie/packerid), and PEiD (http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml).

Table of Contents for 5.2 Detecting File Obfuscation Using Exeinfo PE

Create new playlist

Sign In

Sign Up

Table of Contents for
5.2 Detecting File Obfuscation Using Exeinfo PE