Well currently I'm trying to identify packers as generically as possible.

The file to test goes through several tests and earns points on each. If a file gets a high enough number of points it is considered packed.

Currently I'll test:

- The last section is executable (+10 points)
- The first section is writeable (+10 points)
- The raw size of the first section is 0 (+10 points)
- Entry point in last section (this seems too unreliable; MSVC++ compiled programs have this and some packers keep it this way while e.g. UPX changes it) (-5 points)
- Any section is writeable & executable (+15 points)
- Suspicious section names (".aspack", ".adata", ".Upack", ".petite", "UPX0", ".vmp", ".loader", "MEW") (+30 points) (OK, that isn't very generic...)
- Double section names (example: http://img683.imageshack.us/img683/5233 ... mefail.png. Some packers try to "hide" their new sections by naming them like legitimate ones. Seems like there are AVs that check only if the EP is in a section named ".code" :shock: )
- No strings in data section (+15 points)
- Suspicious imports (VirtualProtect, WriteProcessMemory, LoadLibrary, ...) (+5 points for each entry)
- Only LoadLibrary and GetProcAddress imported (+INFINITE points)

I plan to test

Do you have any suggestions how I could improve this? And maybe also link me to interesting packed files?

And to give a quick look at this project:
(matrix.exe and getinstalledprogs.exe are unpacked)
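As an added illustration of the section-header heuristics described in the post (this is example code written for this page, not the poster's own tool), the following Python parses the PE section table directly with `struct` and applies the point scheme above to three constructed header-only images: a UPX-style layout, a plain MSVC-style layout, and one with a duplicated section name. The weights for the listed rules are taken from the post; the weight for duplicate section names (+10), the packed threshold (40), and the three sample layouts are assumptions made here, since the post gives no numbers for them. The string and import heuristics need the section bodies and the import table, so they are left out of this example.

```python
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names the post lists as packer give-aways (compared case-insensitively).
SUSPICIOUS_NAMES = {".aspack", ".adata", ".upack", ".petite", "upx0", ".vmp", ".loader", "mew"}

# Assumed threshold: the post only says "high enough", so this number is ours.
PACKED_THRESHOLD = 40


def parse_sections(data):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header for both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        (name, vsize, vaddr, raw_size, _raw_ptr, _reloc, _line,
         _nreloc, _nline, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size, "chars": chars})
        off += 40  # IMAGE_SECTION_HEADER is 40 bytes
    return entry_rva, sections


def score_sections(entry_rva, sections):
    """Apply the post's section heuristics; return (total points, list of fired rules)."""
    fired = []
    first, last = sections[0], sections[-1]
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        fired.append((10, "last section is executable"))
    if first["chars"] & IMAGE_SCN_MEM_WRITE:
        fired.append((10, "first section is writeable"))
    if first["raw_size"] == 0:
        fired.append((10, "raw size of first section is 0"))
    last_end = last["vaddr"] + max(last["vsize"], last["raw_size"])
    if last["vaddr"] <= entry_rva < last_end:
        fired.append((-5, "entry point in last section"))
    if any(s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE for s in sections):
        fired.append((15, "a section is writeable and executable"))
    if any(s["name"].lower() in SUSPICIOUS_NAMES for s in sections):
        fired.append((30, "suspicious section name"))
    if any(count > 1 for count in Counter(s["name"] for s in sections).values()):
        fired.append((10, "duplicate section names (weight assumed; the post gives none)"))
    return sum(points for points, _ in fired), fired


def is_packed(data, threshold=PACKED_THRESHOLD):
    total, _ = score_sections(*parse_sections(data))
    return total >= threshold


def build_pe(sections, entry_rva):
    """Construct a header-only PE32 blob for testing (constructed input, not a real binary)."""
    opt = bytearray(224)                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    blob = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    blob += b"PE\0\0" + coff + opt
    for name, vaddr, vsize, raw_size, chars in sections:
        blob += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, raw_size, 0, 0, 0, 0, 0, chars)
    return bytes(blob)


R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
# Constructed layouts: UPX-style, plain MSVC-style, and one with a duplicated section name.
UPX_LIKE = build_pe([("UPX0", 0x1000, 0x10000, 0, R | W | X),
                     ("UPX1", 0x11000, 0x8000, 0x8000, R | W | X),
                     (".rsrc", 0x19000, 0x1000, 0x1000, R | W)], entry_rva=0x18500)
PLAIN = build_pe([(".text", 0x1000, 0x5000, 0x5000, R | X),
                  (".rdata", 0x6000, 0x2000, 0x2000, R),
                  (".data", 0x8000, 0x1000, 0x1000, R | W)], entry_rva=0x1200)
DUP_NAME = build_pe([(".text", 0x1000, 0x2000, 0x2000, R | X),
                     (".data", 0x3000, 0x1000, 0x1000, R | W),
                     (".text", 0x4000, 0x3000, 0x3000, R | W | X)], entry_rva=0x4100)

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("plain", PLAIN), ("dup-name", DUP_NAME)):
        total, fired = score_sections(*parse_sections(image))
        print(f"{label}: {total} points, packed={is_packed(image)}")
        for points, why in fired:
            print(f"  {points:+d} {why}")
```

The UPX-style image scores 65 (first section writeable, raw size 0, a W+X section, and the "UPX0" name), the plain image scores 0, and the duplicate-name image lands at 30 because the -5 for an entry point in the last section partly offsets the W+X and duplicate-name hits. Returning the fired rules alongside the total is what makes such a scorer tunable: when a clean MSVC build is flagged, the list shows which weight to revisit.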