[unisog] identifying packed executables

Huba Leidenfrost huba at uidaho.edu
Fri May 6 21:08:02 GMT 2005


PE iDentifier by Snaker, Qwerton & Jibz is one that I've used and someone on
a useful IRC channel pointed out to me.  The last version I downloaded was
v0.92 and a website to look for it at is:  http://peid.has.it.

Have fun,
Huba Leidenfrost
huba at uidaho.edu
ITS Security Analyst
University of Idaho
208.885.2126/7539(fax)

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Michael Holstein
Sent: Friday, May 06, 2005 11:34 AM
To: unisog at lists.sans.org
Subject: [unisog] identifying packed executables

I know I've read an article which discusses a UNIX tool that can
(attempt) to identify what a particular file was packed with. Just can't
seem to make Google find it for me.

This is of obvious use when doing virus/bot research.

The standard UNIX 'file' command will always say "win32 executable" -- what
I need is a tool that can tell me if the first layer of compression is UPX
or whatever -- without having to try and un[upx|rar|zip|etc] it with every
tool in the belt.

Anyone know the name of such a gem?

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
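Michael's question above is what a first-pass packer check has to answer: without running every unpacker, does this PE carry a recognisable packer layout? The script below is an added example for this thread, not PEiD's code or method (PEiD matches byte signatures at the entry point, which this script does not do). It walks the PE section table and applies two cheap heuristics: well-known packer section names (the UPX0/UPX1 layout, plus a small constructed table for ASPack and MPRESS) and per-section Shannon entropy, since compressed or encrypted code sits near 8 bits per byte. The `build_pe` helper and the three sample images are constructed fixtures so the script runs offline; the `HIGH_ENTROPY` threshold of 7.0 is an assumed cut-off, not a published constant.

```python
"""First-pass packer triage for a PE file: section names and per-section
entropy. Added example for the unisog thread; not PEiD's own method."""
import math
import random
import struct

# Section names commonly documented for a few packers. Packers can rename
# sections, so a name hit is a hint to confirm with signatures, not proof.
KNOWN_SECTION_NAMES = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "ASPack": {".aspack", ".adata"},
    "MPRESS": {".MPRESS1", ".MPRESS2"},
}
HIGH_ENTROPY = 7.0  # assumed cut-off, bits per byte; packed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the PE headers and return one dict per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def identify_packer(pe: bytes):
    """Return a packer name, an 'unknown packer' verdict, or None."""
    sections = parse_sections(pe)
    names = {s["name"] for s in sections}
    for packer, markers in KNOWN_SECTION_NAMES.items():
        if names & markers:
            return packer
    if any(s["raw_size"] and s["entropy"] > HIGH_ENTROPY for s in sections):
        return "unknown packer (high-entropy section)"
    return None


def build_pe(section_specs) -> bytes:
    """Construct a minimal PE32 image (test fixture, not a real program):
    DOS header, PE signature, COFF header, zeroed optional header, one
    section header per (name, data) pair, then the section data."""
    opt_size = 224
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(section_specs)
    first_raw = (header_len + 0x1FF) & ~0x1FF               # file-align to 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic
    headers, blobs, va = b"", b"", 0x1000
    for name, data in section_specs:
        raw_ptr = first_raw + len(blobs) if data else 0
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), va, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        va += 0x1000
    image = dos + b"PE\0\0" + coff + opt + headers
    return image.ljust(first_raw, b"\0") + blobs


# Constructed samples (not real binaries): a UPX-style layout, a plain build,
# and a packed image whose sections were renamed to dodge the name check.
_rng = random.Random(2005)


def _noise(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


UPX_LIKE = build_pe([("UPX0", b""), ("UPX1", _noise(4096))])
PLAIN = build_pe([(".text", b"\x55\x8b\xec\x90" * 512), (".data", b"\0" * 1024)])
RENAMED = build_pe([(".text", _noise(4096)), (".rsrc", b"\0" * 256)])

if __name__ == "__main__":
    for label, sample in (("upx-like", UPX_LIKE), ("plain", PLAIN), ("renamed", RENAMED)):
        print(label, identify_packer(sample), parse_sections(sample))
```

The renamed sample is why the entropy check matters: a packer that drops the UPX0/UPX1 names still leaves a near-8-bit section behind, which is enough to flag the file for signature matching or a manual look without trying every unpacker first.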