Executable Packing
Packing and unpacking executable formats.
Contents
Literature
Documentation
Scientific Research
(December 2021)
(January 2016)
(May 2018)
:books: Literature
Datasets
Code for our DLS'21 paper - BODMAS: An Open Dataset for Learning based Temporal Analysis of PE Malware.
Sanitized version of the original dataset, PackingData, removing packed samples from the Notpacked folder but also samples in packer folders that failed to be packed (having the same hash as the original unpacked executable).
Collection of features from PE files that serve as a benchmark dataset for researchers.
Curated dataset of malware and benign Windows executable samples for malware researchers containing 1,044,394 Windows executable binaries and corresponding image representations with 864,669 labelled as malware and 179,725 as benign.
Malware samples, analysis exercises and other interesting resources.
Original dataset with sample PE files packed with a large variety of packers, including ASPack, BeRoEXEPacker, exe32pack, eXpressor, FSG, JDPack, MEW, Molebox, MPRESS, Neolite, NSPack, Pckman, PECompact, PEtite, RLPack, UPX, WinUpack, Yoda's Crypter and Yoda's Protector.
Datasets and codes that are needed to reproduce the experiments in the paper "When Malware is Packing Heat".
:package: Packers
Packers
Position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS).
Packer utility for compressing and complicating reversing compiled native code (native files), protecting resources, adding DRM, and packing into an optimized loader.
Low-level mutator (Headers/EP obfuscator) for native Windows PE files (x32/x64).
Protection tool using the second generation Android Hardening Protection, loading the encrypted DEX file from memory dynamically.
Compressing linker for Windows, specifically targeted towards executables with a size of just a few kilobytes.
Just a modern packer for ELF binaries (works on Linux executables only).
A proof-of-concept packer for .NET executables, designed to provide a starting point to explain the basic principles of runtime packing.
Library for ELF obfuscation; it uses PRESENT and blake244 to encrypt your payload on the fly.
Packer compressing .net assemblies, (ab)using the PE format for data storage.
Permissively-licensed packer for ELF executables using LZMA, Zstandard or Deflate compression.
Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry.
A very simple Windows EXE packing tool for learning or investigating the PE structure.
Simple implementation of an ELF packer that creates stealthy droppers for loading malicious ELFs in-memory.
ELF packer - encrypt and inject self-decryption code into executable ELF binary target.
After 2010
Tools
Android application Identifier for packers, protectors, obfuscators and oddities - PEiD for Android.
Universal and automated unpacking system suitable for both Dalvik and ART.
Prototype analysis tool that estimates the likelihood that a binary file contains compressed or encrypted bytes.
Open-source tool to identify capabilities in PE, ELF or .NET executable files.
Tool to find code cave in PE image (x86 / x64) - Find empty space to place code in PE files.
DataSet File Format for exchanging datasets and converting to ARFF (for use with Weka), CSV or Packing-Box's dataset structure.
Library to Instrument Executable Formats; Python package for parsing PE, ELF, Mach-O and DEX formats, modifying and rebuilding executables.
Robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth.
Attack tool for altering packed samples so that they evade static packing detection.
A Python framework that uses machine learning algorithms to implement the metadata recovery attack against obfuscated programs.
Collection of OllyDbg scripts for unpacking many different packers.
Adaptive unpacking tool for tracking packing behaviors and unpacking Android packed apps.
Fork of packerid.py using PEid signatures and featuring additional output types, formats, digital signature extraction, and disassembly support.
Packer identification multiplatform tool/library using the same database syntax as PEiD.
Docker image gathering many packing-related tools and for making datasets of packed executables for use with machine learning.
Freeware reversing tool for PE files aimed at delivering a fast and flexible "first view" for malware analysts, stable and capable of handling malformed PE files.
Multi-platform Python module to parse and work with Portable Executable files.
Tool for performing static analysis on PE malware and generic suspicious files.
Python implementation of PEiD featuring an additional tool for making new signatures.
Old-school reverse engineering tool (with a long history since 2002) for manipulating PE files.
Implementation attempt of the general approach for extracting the original hidden code of PE files without any heuristic assumptions.
Java library for static malware analysis of PE files with a focus on PE malformation robustness and anomaly detection.
Small Python script/library to detect whether an executable is packed.
A complete refactoring of the original project to a Python package with a console script to detect whether an executable is packed.
Packing detection tool based on the entropy value of the entry point section and the WRITE attribute.
Create adversarial attacks against machine learning Windows malware detectors.
Tool to help malware researchers explore and test anti-debug techniques or verify debugger plugins or other solutions that clash with standard anti-debug methods.
An index of Windows binaries, including download links for executables such as EXE, DLL and SYS files.
Generator for YARA rules - the main principle is the creation of YARA rules from strings found in malware files while removing all strings that also appear in goodware files.
Automatic and platform-independent unpacker for Windows binaries based on emulation.
:wrench: Tools
Research
Papers
(April 2021)
(March 2016)