cylance/PyPackerDetect
PyPackerDetect

A small Python script/library to detect whether an executable is packed.

This is one of many tools we use for dataset curation within the ARG team at Cylance. Accuracy is not perfect, but is sufficient in accomplishing what we need.

Tested and developed using Python 3.

pefile is used for PE parsing, found in ./deps/libpefile.

PEID Signatures are also used. There are two signature collections compiled from multiple online sources, found in ./deps/peid.

Multiple other heuristics are used for detection; those are found in the *Detector.py files, with the base class in PackerDetector.py.

Usage

Example usage is in DetectPacker.py, which can also be run from the command line.

Detection Mechanisms

  • PEID signatures
  • Known packer section names
  • Entrypoint in non-standard section
  • Threshold of non-standard sections reached
  • Low number of imports
  • Overlapping entrypoint sections
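As an added illustration (not the project's own code, which relies on pefile), the snippet below applies three of the heuristics listed above, known packer section names, entrypoint in a non-standard section, and the non-standard section threshold, to a PE header parsed directly with struct. The section-name lists, the threshold value and the two sample images are constructed assumptions for this example, not the project's lists or real binaries.

```python
import struct
# Constructed subsets for this example; the project's real lists (partly from Hexacorn) are larger.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                   ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1", ".themida"}
NONSTANDARD_THRESHOLD = 3  # assumed value; the project's own threshold may differ
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def parse_pe(data):
    """Return (entrypoint_rva, [(name, virtual_address, virtual_size), ...]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)  # COFF header fields
    entrypoint = struct.unpack_from("<I", data, e_lfanew + 40)[0]  # OptionalHeader.AddressOfEntryPoint
    sections, off = [], e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsections):
        raw = struct.unpack_from(SECTION_HDR, data, off + 40 * i)
        sections.append((raw[0].rstrip(b"\0").decode("latin-1"), raw[2], raw[1]))
    return entrypoint, sections

def detect_packer(data):
    """Apply three of the README's heuristics and return the list of triggered reasons."""
    entrypoint, sections = parse_pe(data)
    reasons = [f"known packer section name: {n}" for n, _, _ in sections if n in PACKER_SECTIONS]
    ep_section = next((n for n, va, vs in sections if va <= entrypoint < va + vs), None)
    if ep_section is None:
        reasons.append("entrypoint outside every section")
    elif ep_section not in STANDARD_SECTIONS:
        reasons.append(f"entrypoint in non-standard section: {ep_section}")
    nonstandard = [n for n, _, _ in sections if n not in STANDARD_SECTIONS]
    if len(nonstandard) >= NONSTANDARD_THRESHOLD:
        reasons.append(f"{len(nonstandard)} non-standard sections: {nonstandard}")
    return reasons

def build_sample(sections, entrypoint):
    """Construct a minimal, non-executable PE header (constructed test data, not a real binary)."""
    e_lfanew, opt_size = 0x40, 0x60
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HH12xHH", 0x14C, len(sections), opt_size, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entrypoint).ljust(opt_size, b"\0")  # PE32 magic + entrypoint
    table = b"".join(struct.pack(SECTION_HDR, n.encode(), vs, va, 0, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs in sections)
    return dos + coff + opt + table

PACKED_SAMPLE = build_sample([("UPX0", 0x1000, 0x10000), ("UPX1", 0x11000, 0x8000), ("UPX2", 0x19000, 0x1000)], 0x18000)
CLEAN_SAMPLE = build_sample([(".text", 0x1000, 0x5000), (".rdata", 0x6000, 0x2000), (".data", 0x8000, 0x1000)], 0x1234)
```

The import-count and overlapping-entrypoint checks are omitted here because they need the import directory and raw-offset mapping that a full parser such as pefile provides.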

Resources

Big thanks to Hexacorn; a good portion of the known PE section names come from there.

About

A malware dataset curation tool which helps identify packed samples.