Skitty
Posted March 5, 2012 (edited)

This isn't 100% accurate, it's just a concept of thought I guess.

What I was originally attempting to do was a sort of skiddy attempt at a malicious software detector, and in the process I figured that I can use this to detect compressed executables.

Thanks to Trancexx for the function that I took from a script called to get the information I needed, like section names and imported functions, so I can do a check on them and flag the file depending on certain imported functions found together. I'd also like to thank Mobius for some functions I learned from him.

I realize that detecting section names is a little futile since someone can just change all of that, so I tried my best at determining what compressors are used based on imported functions and the number of imported functions found, since it seems that most executable packers attempt to hide the originally imported functions, and in the process they add about 2-7 imports from kernel32 which are usually the same throughout the majority of the mainstream packers I've fiddled with.

Example.au3
Stereotype Scanner.au3

Mar 6 2012 - added hopefully better detection of UPX when someone modifies the header sections to avoid detection.

Edited April 5, 2012 by ApudAngelorum
Digisoul
Posted March 6, 2012

Good dude, I have one question: instead of matching section names against a fixed list of strings, why don't you match them against the known or default section names? If any unknown section name is found, then it should be a packer or some kind of crafted PE.

One more thing: also add some checking of section Characteristics flags; it will raise the chances of detection. There are many other things you can add, e.g. incorrect section alignment, AddressOfEntryPoint not pointing into the code section, incorrect sizes in the Data Directories, TimeDateStamp value is 0, etc.
Skitty (Author)
Posted March 6, 2012 (edited)

> Good dude, I have one question: instead of matching section names against a fixed list of strings, why don't you match them against the known or default section names? If any unknown section name is found, then it should be a packer or some kind of crafted PE.

I'm not sure I'm understanding this question correctly. The script is detecting some default compressor signatures, but the variable that delivers the packer ($packer) can be overwritten in case it seems that someone purposely modified them, or in another case that someone used a packer that adds bogus packer signatures or they have been overwritten/removed. In this case, it might be detected as just plain "PACKED" and won't deliver the actual packer that was used.

> One more thing: also add some checking of section Characteristics flags; it will raise the chances of detection. There are many other things you can add, e.g. incorrect section alignment, AddressOfEntryPoint not pointing into the code section, incorrect sizes in the Data Directories, TimeDateStamp value is 0, etc.

I was thinking about all of that when putting this together. The code I used from trancexx's script returned all the data necessary, but figuring out a legitimately accurate method of determining these things with the supplied data is a little over my head at the moment. I'd need to play around with more compressors and analyze a lot of different packed files in order to come up with an average that seems to be present throughout a majority of the targets, you know what I mean?

Any changes/improvements/advice on this are always accepted.

Edit: also forgot to mention that is a lot better for detection of UPX.

Edited March 8, 2012 by THAT1ANONYMOUSEDUDE
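The header checks Digisoul suggests above, and the "PACKED but packer unknown" fallback Skitty describes in his reply, are easy to try out without AutoIt. The block below is an added example written for this thread in Python; it is not code from the attached .au3 scripts and does not use their functions. It parses only the PE32 headers with the standard struct module (no third-party PE library, no import-table walk, so Skitty's kernel32-import-count heuristic is not covered here) and then applies the suggested checks: unknown section names, writable+executable sections, sections empty on disk but large in memory, AddressOfEntryPoint outside a code section, a zero TimeDateStamp, and a FileAlignment that is not a power of two or exceeds SectionAlignment. The KNOWN_SECTIONS list, the packer-name table, the rule that two or more findings give a plain "PACKED" verdict, and the three sample images (built in memory by build_pe32) are all my own assumptions and constructions, not data from the thread.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF spec).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumed list of names an ordinary compiler/linker build emits; anything else gets flagged.
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
# Well-known packer section names (a weak signal: trivially renamed, as the thread notes).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                   ".aspack": "ASPack", ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS"}


def parse_pe32(data):
    """Parse the headers of a PE32 image (PE32+ is not handled)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10B) is handled")
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    sections = []
    for i in range(nsect):                               # IMAGE_SECTION_HEADER[]
        name, vsize, va, raw, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw": raw, "chars": chars})
    return {"timestamp": timestamp, "entry": entry, "sec_align": sec_align,
            "file_align": file_align, "sections": sections}


def scan(pe):
    """Return (verdict, packer or None, findings); the verdict threshold is an assumption."""
    findings, packer = [], None
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTIONS:
            packer = PACKER_SECTIONS[s["name"]]
        elif s["name"] not in KNOWN_SECTIONS:
            findings.append(f"unknown section name {s['name']!r}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']!r} is writable and executable")
        if s["raw"] == 0 and s["vsize"] > 0:                # unpack target: nothing on disk
            findings.append(f"section {s['name']!r} is empty on disk, {s['vsize']:#x} bytes in memory")
    # AddressOfEntryPoint should fall inside a section marked as code/executable.
    ep = [s for s in pe["sections"]
          if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw"])]
    if not ep:
        findings.append("entry point outside every section")
    elif not ep[0]["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry point in non-code section {ep[0]['name']!r}")
    if pe["timestamp"] == 0:
        findings.append("TimeDateStamp is 0")
    fa, sa = pe["file_align"], pe["sec_align"]             # FileAlignment: power of two <= SectionAlignment
    if fa == 0 or fa & (fa - 1) or sa < fa:
        findings.append(f"bad alignment: FileAlignment={fa:#x} SectionAlignment={sa:#x}")
    if packer:
        verdict = f"PACKED ({packer})"
    elif len(findings) >= 2:
        verdict = "PACKED"                               # signs of packing, packer unknown
    else:
        verdict = "CLEAN"
    return verdict, packer, findings


def build_pe32(sections, entry, timestamp=0x4F54C000, sec_align=0x1000, file_align=0x200):
    """Constructed headers-only PE32 for testing; sections = [(name, va, vsize, raw, chars)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew (at 0x3C) = 0x40
    fhdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # Magic, AddressOfEntryPoint, alignments
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<II", opt, 32, sec_align, file_align)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, raw, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, raw, ch in sections)
    return dos + b"PE\0\0" + fhdr + bytes(opt) + hdrs


# Constructed samples: CLEAN mimics a plain build; UPX_LIKE mimics the UPX layout (UPX0
# empty on disk, entry in the UPX1 stub, RWX sections, zero timestamp); RENAMED is the
# same layout with the section names changed to dodge a name match.
R, RW = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN = build_pe32([(".text", 0x1000, 0x2000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | R),
                    (".rdata", 0x3000, 0x800, 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | R),
                    (".data", 0x4000, 0x400, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RW)],
                   entry=0x1234)
UPX_LAYOUT = [(0x1000, 0x10000, 0, IMAGE_SCN_MEM_EXECUTE | RW),
              (0x11000, 0x3000, 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | RW),
              (0x14000, 0x400, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | RW)]
UPX_LIKE = build_pe32([(n, *t) for n, t in zip(("UPX0", "UPX1", ".rsrc"), UPX_LAYOUT)], 0x13C00, 0)
RENAMED = build_pe32([(n, *t) for n, t in zip((".text", ".data", ".rsrc"), UPX_LAYOUT)], 0x13C00, 0)
```

On a real file, call scan(parse_pe32(open(path, "rb").read())). The RENAMED sample is the case the thread worries about: with the UPX names gone, no packer is identified, but the writable+executable sections, the section that is empty on disk yet 64 KiB in memory, and the zero TimeDateStamp still push it to a plain "PACKED" verdict, which is exactly the fallback behaviour Skitty describes for $packer. Treat every one of these checks as a hint rather than proof: legitimate installers, self-modifying runtimes and some compilers trip individual ones, which is why the verdict needs more than one finding.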