[unisog] identifying packed executables

Brandon Enright bmenrigh at ucsd.edu
Fri May 6 21:14:48 GMT 2005


I've always used a HEX editor and looked.  Just examining the first and last 1 KB
of a file generally gives you the exact information you need to move on with
analysis.

For example, a ZIP file's first two bytes are "PK" while a RAR's are "Rar".  If it is
an executable you are looking at, every packer I've come across has the name of
the packer in the PE header.  UPX, FSG, AsPack, and Petit are a few that come to
mind.

Hope that helps,

Brandon


----------------------------
Brandon Enright
UCSD ACS/Network Operations
bmenrigh at ucsd.edu

> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On
> Behalf Of Michael Holstein
> Sent: Friday, May 06, 2005 11:34 AM
> To: unisog at lists.sans.org
> Subject: [unisog] identifying packed executables
> 
> I know I've read an article which discusses a UNIX tool that can
> (attempt) to identify what a particular file was packed with. Just can't
> seem to make Google find it for me.
> 
> This is of obvious use when doing virus/bot research.
> 
> The standard UNIX 'file' command will always say "win32 executable" --
> what I need is a tool that can tell me if the first layer of compression
> is UPX or whatever -- without having to try and un[upx|rar|zip|etc] it
> with every tool in the belt.
> 
> Anyone know the name of such a gem?
> 
> Cheers,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
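The thread never names the tool Michael asked for, but Brandon's approach (look at the file-start magic, then at the PE section table and the first and last 1 KB for a packer's name) is easy to automate. The script below is an added example, not code from either poster; it parses the DOS stub, the COFF header and the section table with nothing but `struct`, matches section names against a small table of packer names I know from experience (UPX0/UPX1/UPX2, .aspack/.adata, .petite; FSG is left out because I do not trust a fixed section name for it), and scans the head and tail for the "UPX!" marker. The table and marker list are assumptions to extend, and the sample PE images are constructed inline, so it runs offline.

```python
import struct

# Leading bytes that identify common containers (assumed list, extend as needed).
CONTAINER_MAGICS = {
    b"PK\x03\x04": "ZIP archive",
    b"Rar!\x1a\x07": "RAR archive",
    b"MZ": "MS-DOS/PE executable",
}

# PE section names that well-known packers leave behind.  This table is an
# assumption from experience, not exhaustive; a packer that renames or strips
# its sections defeats it, which is why the head/tail scan below is kept too.
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
}

# ASCII markers to look for in the first and last 1 KiB (assumed list).
PACKER_STRINGS = {b"UPX!": "UPX"}


def container_type(data):
    """Classify the file by its leading magic bytes."""
    for magic, name in CONTAINER_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def pe_section_names(data):
    """Return the names in the PE section table, or [] if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break                                         # truncated table: stop, do not crash
        names.append(data[off:off + 8].split(b"\0", 1)[0].decode("latin-1"))
    return names


def head_tail_markers(data, window=1024):
    """The hex-editor trick: only the first and last 1 KiB are inspected."""
    head, tail = data[:window], data[-window:]
    return {packer for marker, packer in PACKER_STRINGS.items()
            if marker in head or marker in tail}


def identify(data):
    """Combine container magic, section names and string markers into one verdict."""
    sections = pe_section_names(data)
    packers = {PACKER_SECTIONS[n] for n in sections if n in PACKER_SECTIONS}
    packers |= head_tail_markers(data)
    return {
        "container": container_type(data),
        "sections": sections,
        "packer": sorted(packers) or None,
    }


def build_sample_pe(section_names, trailer=b""):
    """Construct a minimal, non-executable PE skeleton as sample input (not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> "PE\0\0"
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 optional-header magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer


# Constructed samples: a UPX-style layout, a plain compiler layout and a ZIP header.
SAMPLES = {
    "upx_packed.exe": build_sample_pe(["UPX0", "UPX1", ".rsrc"], trailer=bytes(100) + b"UPX!"),
    "plain.exe": build_sample_pe([".text", ".data", ".rsrc"]),
    "archive.zip": b"PK\x03\x04" + bytes(26),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, identify(blob))
```

On a real sample, `identify(open(path, "rb").read())` gives the same verdict as eyeballing `xxd file | head` and `xxd file | tail`, and listing the section names is worth doing even when no packer matches: a single huge section with nearly zero raw size next to a tiny one is the shape a packer leaves regardless of what it calls itself.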
