Executable Packing
Packing and unpacking executable formats.
Literature
Documentation
List of Publications
Datasets
Code for our DLS'21 paper - BODMAS: An Open Dataset for Learning based Temporal Analysis of PE Malware.
Compilation of packed ELF samples.
Sanitized version of the original dataset, PackingData, removing packed samples from the Notpacked folder as well as samples in packer folders that failed to be packed (those having the same hash as the original unpacked executable).
Collection of features from PE files that serve as a benchmark dataset for researchers.
Update to the EMBER2017 and EMBER2018 datasets.
Make datasets like FFRI Dataset.
Curated dataset of malware and benign Windows executable samples for malware researchers containing 1,044,394 Windows executable binaries and corresponding image representations with 864,669 labelled as malware and 179,725 as benign.
Malware samples, analysis exercises and other interesting resources.
Original dataset with sample PE files packed with a large variety of packers, including ASPack, BeRoEXEPacker, exe32pack, eXpressor, FSG, JDPack, MEW, Molebox, MPRESS, Neolite, NSPack, Pckman, PECompact, PEtite, RLPack, UPX, WinUpack, Yoda's Crypter and Yoda's Protector.
Datasets and codes that are needed to reproduce the experiments in the paper "When Malware is Packing Heat".
Crackmes, keygenmes and serialmes; the "tuts4you" folder contains many packed binaries.
Sophos-ReversingLabs 20 Million dataset.
Project created to make the possibility of malware analysis open and available to the public.
:package: Packers
After 2010
Position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS).
Packer utility for compressing and complicating reversing compiled native code (native files), protecting resources, adding DRM, and packing into an optimized loader.
Low-level mutator (Headers/EP obfuscator) for native Windows PE files (x32/x64).
Protection tool using the second generation Android Hardening Protection, loading the encrypted DEX file from memory dynamically.
An open-source, free protector for .NET applications.
Compressing linker for Windows, specifically targeted towards executables with a size of just a few kilobytes.
Encrypts 64-bit elf files that decrypt at runtime.
Simple Polymorphic x86_64 Runtime Code Segment Cryptor.
Simple ELF crypter using RC4 encryption.
A collection of programs that access and manipulate ELF files.
ELF packer for i386 original version from sk2 by sd.
This is a packer for exe under win32.
A Simple Linux ELF Runtime Crypter.
PE packer with Huffman compression and XOR encryption.
Just a modern packer for ELF binaries (works on Linux executables only).
ELF binary packer, such as burneye, upx or other tools.
A proof-of-concept packer for .NET executables, designed to provide a starting point to explain the basic principles of runtime packing.
Library for ELF obfuscation; it uses PRESENT and blake244 to encrypt your payload on the fly.
Packer compressing .net assemblies, (ab)using the PE format for data storage.
Binary packer for the Mach-O file format.
Binary packer written in Go made for fun and educational purpose.
In-memory packer for macOS Mach-O bundles.
Permissively-licensed packer for ELF executables using LZMA, Zstandard or Deflate compression.
Simple packer for Windows 32-bits PE files.
A PE file packer.
Simple PE Packer Which Encrypts .text Section: a simple PE file packer which encrypts the .text section and adds a decryption stub to the end of the last section.
Open-Source Shellcode & PE Packer.
Naive Proof of Concept Crypter for GNU/Linux ELF64.
Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry.
Create packed ELF files to run on the PS2.
Silent Packer is an ELF / PE packer written in pure C.
Simple PE32 Packer with aPLib compression library.
A very simple windows EXE packing tool for learning or investigating PE structure.
Windows x86 PE Packer In C++.
Ultimate Packer for eXecutables.
Obfuscation method using virtual machine.
Simple implementation of an ELF packer that creates stealthy droppers for loading malicious ELFs in-memory.
ELF packer - encrypt and inject self-decryption code into executable ELF binary target.
Simple packer working with all PE files which cipher your exe with a XOR implementation.
A modular ELF64 packer for Linux x86_64 featuring 22 compression codecs, ML-based codec selection, and support for both static and PIE binaries.
:wrench: Tools
Presented at Defcon 22: Android Hacker Protection Level 0.
Platform-agnostic binary analysis framework.
Android application Identifier for packers, protectors, obfuscators and oddities - PEiD for Android.
Universal and automated unpacking system suitable for both Dalvik and ART.
Python tools to tag / label malware samples.
Prototype analysis tool that estimates the likelihood that a binary file contains compressed or encrypted bytes.
Open-source tool to identify capabilities in PE, ELF or .NET executable files.
Tool to find code caves in PE images (x86 / x64), i.e. empty space in which code can be placed in PE files.
.NET deobfuscator and unpacker.
JavaScript Deobfuscator and Unpacker.
DataSet File Format for exchanging datasets and converting to ARFF (for use with Weka), CSV or Packing-Box's dataset structure.
Fast detector for executable PE files.
Fast Universal Unpacker.
This is a malware manipulation environment for OpenAI's gym.
Interactive Delphi Reconstructor.
Library to Instrument Executable Formats; Python package for parsing PE, ELF, Mach-O and DEX formats, modifying and rebuilding executables.
Tool for the automatic analysis of malware behavior (recorded from malicious software in a sandbox environment).
Dynamic unpacker based on PE-sieve.
Robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth.
List of .NET Deobfuscators and Unpackers.
Attack tool for altering packed samples so that they evade static packing detection.
A Python framework that uses machine learning algorithms to implement the metadata recovery attack against obfuscated programs.
Collection of OllyDbg scripts for unpacking many different packers.
Tool that uses memory and code hooks to detect packers.
Adaptive unpacking tool for tracking packing behaviors and unpacking Android packed apps.
Fork of packerid.py using PEiD signatures and featuring additional output types and formats, digital signature extraction, and disassembly support.
Packer identification multiplatform tool/library using the same database syntax as PEiD.
Docker image gathering many packing-related tools and for making datasets of packed executables for use with machine learning.
Platform for Architecture-Neutral Dynamic Analysis.
Dynamic packing detection solution built on top of PANDA.
Freeware reversing tool for PE files aimed at delivering a fast and flexible "first view" for malware analysts; stable and capable of handling malformed PE files.
Multi-platform Python module to parse and work with Portable Executable files.
Tool for performing static analysis on PE malware and generic suspicious files.
Python implementation of PEiD featuring an additional tool for making new signatures.
Yet another implementation of PEiD with yara.
PE file manipulation library.
PE file packer detection tool, part of the Unix package "pev".
Old-school reverse engineering tool (with a long history since 2002) for manipulating PE files.
Unpacker for PE files exploiting the capabilities of PIN.
Implementation attempt of the general approach for extracting the original hidden code of PE files without any heuristic assumptions.
Java library for static malware analysis of PE files with a focus on PE malformation robustness and anomaly detection.
Small Python script/library to detect whether an executable is packed.
A complete refactoring of the original project to a Python package with a console script to detect whether an executable is packed.
Yet another implementation of PEiD with yara-python.
Packing detection tool based on the entropy value of the entry point section and the WRITE attribute.
Retargetable machine-code decompiler based on LLVM.
Create adversarial attacks against machine learning Windows malware detectors.
Tool to help malware researchers explore and test anti-debug techniques or verify debugger plugins or other solutions that clash with standard anti-debug methods.
An index of Windows binaries, including download links for executables such as EXE, DLL and SYS files.
Generator for YARA rules - The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files.
Automatic and platform-independent unpacker for Windows binaries based on emulation.
Dynamic binary analysis library.
Detect It Easy; program for determining types of files.
Utility for extracting 119 features from a PE file for use with machine learning algorithms.
Free decompiler for machine code binaries.
Set of tools for analyzing virtualized binary code; currently only supports 32-bit traces.