- 8 Apr 2020
Packed Malware Detection
- Malware authors often seek to protect their creations from anti-malware products and from the tools that analysts use to examine malicious programs. They often accomplish this by using tools known as packers.
- Packers are tools that compress, obfuscate, encrypt, or otherwise encode the original code
- The packed program decodes the code into memory when it runs
- This safeguards the specimen from static analysis techniques
- Packed programs are also difficult to disassemble and debug
- Not all malware is packed
UPX — Ultimate Packer for eXecutables
- Open source, very common, and simpler to unpack than most other packers.
![1*PzVlCCfJ1DLTWbZWL1CKRA.png](https://cdn-images-1.medium.com/max/1000/1*PzVlCCfJ1DLTWbZWL1CKRA.png)
- After loading the file in PEStudio, click the sections tab in the application's tab bar.
![1*mao_-wDHnJF2AgV8EN_V0g.png](https://cdn-images-1.medium.com/max/1000/1*mao_-wDHnJF2AgV8EN_V0g.png)
- As you can see, PEStudio indicates that the file is packed with UPX.
- Another way to assess the likelihood that a Windows executable is packed is to examine the distribution of the file's byte values. One tool that lets you do this visually is Bytehist. Now we can try it.
- Bytehist generates byte-usage histograms, showing you the frequency with which each byte value occurs in the file.
Command:
bytehist alixan.exe
![1*JabwqFINn0uXzAYzuNVmVQ.png](https://cdn-images-1.medium.com/max/1000/1*JabwqFINn0uXzAYzuNVmVQ.png)
![1*Qa0ngdyqwRiOrwtVf3IpcA.png](https://cdn-images-1.medium.com/max/1000/1*Qa0ngdyqwRiOrwtVf3IpcA.png)
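The two checks shown above (UPX-named sections in PEStudio's sections tab, and the flat byte-value distribution that Bytehist plots for packed files) can be scripted. The following is an added example, not code from the post or from PEStudio/Bytehist; it parses section names straight from the PE section table and computes a byte histogram plus Shannon entropy, and the `build_sample_pe` helper and both sample buffers are constructed stand-ins for a real executable.

```python
import hashlib
import math
import struct

def byte_histogram(data: bytes) -> list:
    """Count of each byte value 0..255, i.e. the data Bytehist plots."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, close to 8.0 for compressed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in byte_histogram(data) if c) if n else 0.0

def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table (what PEStudio's sections tab lists); [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> "PE\0\0" signature
    if data[pe:pe + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]   # skip COFF + optional header
    return [data[table + 40 * i:table + 40 * i + 8].split(b"\0", 1)[0].decode("ascii", "replace")
            for i in range(nsec)]

def packing_indicators(data: bytes, threshold: float = 7.0) -> dict:
    """Combine both checks from the post: UPX-named sections and a near-uniform byte distribution."""
    upx = [n for n in pe_section_names(data) if n.upper().startswith("UPX")]
    ent = shannon_entropy(data)
    return {"entropy": round(ent, 2), "upx_sections": upx,
            "likely_packed": bool(upx) or ent >= threshold}

def build_sample_pe(section_names, body: bytes) -> bytes:
    """Constructed stand-in for a real sample: minimal MZ/PE headers, no optional header."""
    hdr = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew: COFF header follows the DOS header
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    for name in section_names:
        hdr += name.encode().ljust(8, b"\0") + b"\0" * 32  # 40-byte IMAGE_SECTION_HEADER
    return bytes(hdr) + body

# Constructed inputs: a packed-looking body (pseudo-random bytes) versus repetitive plain text.
PACKED_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
PACKED_SAMPLE = build_sample_pe(["UPX0", "UPX1", ".rsrc"], PACKED_BODY)
PLAIN_SAMPLE = build_sample_pe([".text", ".data"], b"Hello, world! " * 500)
```

To check a real file, pass `open(path, "rb").read()` to `packing_indicators`; treat the 7.0-bit threshold as a heuristic, since legitimately compressed resources also raise whole-file entropy.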