[unisog] identifying packed executables

Michael Holstein michael.holstein at csuohio.edu
Fri May 6 20:57:36 GMT 2005


... I should clarify:

Before everyone blasts me for not reading "UNIX for Dummies", I know 
what '/usr/bin/file' is for. There are bots being compressed with tools 
for which header sigs are NOT in '/etc/magic'.

On that note .. anyone have a better copy of /etc/magic than what comes 
with Slackware? I know BSD's protocols and services files are better ...

~Mike.

Michael Holstein wrote:
> I know I've read an article which discusses a UNIX tool that can 
> (attempt) to identify what a particular file was packed with. Just can't 
> seem to make Google find it for me.
> 
> This is of obvious use when doing virus/bot research.
> 
> The standard UNIX 'file' command will always say "win32 executable" -- 
> what I need is a tool that can tell me if the first layer of compression 
> is UPX or whatever -- without having to try and un[upx|rar|zip|etc] it 
> with every tool in the belt.
> 
> Anyone know the name of such a gem?
> 
> Cheers,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
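
One way to get the "first layer" answer the thread is after, without relying on '/etc/magic', is to walk the PE section table and match section names that packers leave behind, then fall back to the "UPX!" marker string. This is an added example, not a tool from the list; the lookup table and the build_pe() stub that fabricates a minimal PE for testing are my own constructions.

```python
import struct
import sys

# Constructed lookup table. UPX0/UPX1/UPX2 are the section names UPX emits;
# the others are defaults I recall for those packers and should be checked
# against your own sample set before you trust them.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".petite": "Petite",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}

def pe_section_names(data):
    """Return the section names from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)   # offset of PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                 # COFF file header
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                        # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                            # each header is 40 bytes
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names

def identify_packer(data):
    """Guess the outermost packer from section names, then the 'UPX!' marker."""
    hits = {PACKER_SECTION_NAMES[n] for n in pe_section_names(data)
            if n in PACKER_SECTION_NAMES}
    if hits:
        return ",".join(sorted(hits))
    return "UPX" if b"UPX!" in data else None

def build_pe(section_names):
    """Constructed minimal PE stub (no optional header) for offline testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, identify_packer(fh.read()) or "no known packer signature")
```

Section names are trivially renamed by an attacker, so treat a match as a triage hint and a miss as "unknown", not "unpacked".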

