littlewisp/awesome-executable-packing

A curated list of awesome resources related to executable packing

Awesome Executable Packing

A curated list of resources related to executable packing (including Portable Executable, Executable and Linkable Format and others). Contains books, papers, blog posts, and other written resources but also packers and tools for detecting and unpacking executables.

Contents

• Bibliography
• Datasets
• Packers
• Tools

📚 Bibliography

• 📃 Absent extreme learning machine algorithm with application to packed executable identification (January 2016)
• 📃 An Accurate Packer Identification Method Using Support Vector Machine (January 2014)
• 📓 Adaptive Unpacking of Android Apps (May 2017)
• 📃 All-in-One Framework for Detection, Unpacking, and Verification for Malware Analysis (January 2019)
• 📃 Analysis of machine learning approaches to packing detection (May 2021)
• 📊 Android Packers: Separating from the Pack (June 2014)
• 📊 API Deobfuscator: Resolving Obfuscated API Functions in Modern Packers (July 2015)
• 📓 Application of string kernel based support vector machine for malware packer identification (August 2013)
• 📓 AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware (November 2015)
• 📊 The Art of Unpacking (September 2015)
• 📓 Automatic Static Unpacking of Malware Binaries (October 2009)
• 📃 BareUnpack: Generic Unpacking on the Bare-Metal Operating System (December 2018)
• 📃 Binary-Code Obfuscations in Prevalent Packer Tools (October 2013)
• 📃 BinStat Tool for Recognition of Packed Executables (September 2010)
• 📓 BitBlaze: A New Approach to Computer Security via Binary Analysis (December 2008)
• 📓 Boosting Scalability in Anomaly-Based Packed Executable Filtering (November 2011)
• 🎓 Building a smart and automated tool for packed malware detections using machine learning (June 2020)
• 📓 ByteWise: A case study in neural network obfuscation identification (January 2018)
• 📓 Challenging anti-virus through evolutionary malware obfuscation (April 2016)
• 📃 Classification of packed executables for accurate computer virus detection (October 2008)
• 📓 Classifying Packed Programs as Malicious Software Detected (December 2016)
• 📌 Cloak and Dagger: Unpacking Hidden Malware Attacks (December 2016)
• 📓 Collective Classification for Packed Executable Identification (June 2012)
• 📓 A Comparative Analysis of Classifiers in the Recognition of Packed Executables (November 2019)
• 📓 A Comparative Assessment of Malware Classification Using Binary Texture Analysis and Dynamic Analysis (September 2011)
• 📓 Comparing Malware Samples for Unpacking: A Feasibility Study (August 2016)
• 📃 A Consistently-Executing Graph-Based Approach for Malware Packer Identification (April 2019)
• 📓 A control flow graph-based signature for packer identification (October 2017)
• 📓 Countering entropy measure attacks on packed software detection (January 2012)
• 📓 Denial-of-Service Attacks on Host-Based Generic Unpackers (December 2009)
• 🎓 Deobfuscation of Packed and Virtualization-Obfuscation Protected Binaries (June 2011)
• 📓 Design and development of a new scanning core engine for malware detection (October 2012)
• 📓 Design and Performance Evaluation of Binary Code Packing for Protecting Embedded Software against Reverse Engineering (May 2010)
• 📓 Detecting Packed Executable File: Supervised or Anomaly Detection Method? (August 2016)
• 📃 Detecting packed executables based on raw binary data (June 2010)
• 📓 Detecting packed executables using steganalysis (December 2014)
• 📓 Detection of metamorphic malware packers using multilayered LSTM networks (November 2020)
• 📓 Detection of packed executables using support vector machines (July 2011)
• 📓 Detection of Packed Malware (August 2012)
• 📓 DexHunter: Toward Extracting Hidden Code from Packed Android Applications (September 2015)
• 📓 Dynamic Binary Instrumentation for Deobfuscation and Unpacking (November 2009)
• 📓 Dynamic classification of packing algorithms for inspecting executables using entropy analysis (October 2013)
• 📃 Effective, efficient, and robust packing detection and classification (January 2018)
• 📓 Efficient and Automatic Instrumentation for Packed Binaries (June 2009)
• 📃 Efficient automatic original entry point detection (January 2019)
• 📃 An efficient block-discriminant identification of packed malware (August 2015)
• 📓 Efficient Malware Packer Identification Using Support Vector Machines with Spectrum Kernel (July 2013)
• 📃 Efficient SVM Based Packer Identification with Binary Diffing Measures (July 2019)
• 📃 ELF-Miner: Using structural knowledge and data mining methods to detect new (Linux) malicious executables (March 2012)
• 📓 An Empirical Evaluation of an Unpacking Method Implemented with Dynamic Binary Instrumentation (September 2011)
• 📓 Encoded Executable File Detection Technique via Executable File Header Analysis (April 2009)
• 📓 Entropy analysis to classify unknown packing algorithms for malware detection (May 2016)
• 📓 ESCAPE: Entropy Score Analysis of Packed Executable (October 2012)
• 📓 Ether: Malware analysis via hardware virtualization extensions (2008)
• 📓 Eureka: A Framework for Enabling Static Malware Analysis (October 2008)
• 📓 Experimental Comparison of Machine Learning Models in Malware Packing Detection (September 2020)
• 📓 An Experimental Study on Identifying Obfuscation Techniques in Packer (June 2016)
• 📓 A Fast Flowgraph Based Classification System for Packed and Polymorphic Malware on the Endhost (April 2010)
• 📓 Feature set reduction for the detection of packed executables (June 2014)
• 📓 A Fine-Grained Classification Approach for the Packed Malicious Code (October 2012)
• 📓 A Generic Approach to Automatic Deobfuscation of Executable Code (May 2015)
• 📃 Generic Packing Detection using Several Complexity Analysis for Accurate Malware Detection (January 2014)
• 📓 Generic unpacker of executable files (April 2015)
• 📓 Generic Unpacking Method Based on Detecting Original Entry Point (November 2013)
• 📃 Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs (May 2009)
• 📓 Generic unpacking techniques (February 2009)
• 📓 Generic unpacking using entropy analysis (October 2010)
• 📓 Gunpack: un outil générique d'unpacking de malwares (June 2016)
• 📓 A heuristic approach for detection of obfuscated malware (June 2009)
• 📃 A Heuristics-based Static Analysis Approach for Detecting Packed PE Binaries (October 2013)
• 📓 An Implementation of a Generic Unpacking Method on Bochs Emulator (September 2009)
• 📜 Implementing your own generic unpacker (October 2015)
• 📓 Information Theoretic Method for Classification of Packed and Encoded Files (September 2015)
• 📓 Instructions-Based Detection of Sophisticated Obfuscation and Packing (October 2014)
• 📃 A learning model to detect maliciousness of portable executable using integrated feature set (January 2017)
• 🎓 Maitland: Analysis of Packed and Encrypted Malware via Paravirtualization Extensions (June 2012)
• 📓 Mal-EVE: Static detection model for evasive malware (August 2015)
• 📃 Mal-Flux: Rendering hidden code of packed binary executable (March 2019)
• 📃 Mal-XT: Higher accuracy hidden-code extraction of packed binary executable (November 2018)
• 📃 Mal-Xtract: Hidden Code Extraction using Memory Analysis (January 2017)
• 📃 Malware Analysis using Multiple API Sequence Mining Control Flow Graph (July 2017)
• 📃 Malware analysis using visualized images and entropy graphs (February 2015)
• 📓 Malware obfuscation techniques: A brief survey (November 2010)
• 📓 Malware obfuscation through evolutionary packers (July 2015)
• 📃 Malwise - An Effective and Efficient Classification System for Packed and Polymorphic Malware (June 2013)
• 📓 McBoost: Boosting scalability in malware collection and analysis using statistical classification of executables (December 2008)
• 📓 Memory behavior-based automatic malware unpacking in stealth debugging environment (October 2010)
• 📓 Modern linux malware exposed (June 2018)
• 📓 MutantX-S: Scalable malware clustering based on static features (June 2013)
• 📓 The new signature generation method based on an unpacking algorithm and procedure for a packer detection (February 2011)
• 📃 Obfuscation: The Hidden Malware (August 2011)
• 📓 Obfuscation: Where are we in anti-DSE protections? (a first attempt) (December 2019)
• 📓 OmniUnpack: Fast, Generic, and Safe Unpacking of Malware (December 2007)
• 📃 On the adoption of anomaly detection for packed executable filtering (June 2014)
• 📊 One packer to rule them all: Empirical identification, comparison and circumvention of current Antivirus detection techniques (July 2014)
• 📜 One packer to rule them all: Empirical identification, comparison and circumvention of current Antivirus detection techniques (July 2014)
• 📓 OPEM: A Static-Dynamic Approach for Machine-Learning-Based Malware Detection (September 2012)
• 📃 An Original Entry Point Detection Method with Candidate-Sorting for More Effective Generic Unpacking (January 2015)
• 📃 Packed Malware Detection using Entropy Related Analysis: A Survey (November 2015)
• 📃 Packed malware variants detection using deep belief networks (March 2020)
• 📓 Packed PE File Detection for Malware Forensics (December 2009)
• 📃 Packer Analysis Report Debugging and Unpacking the NsPack 3.4 and 3.7 Packer (June 2010)
• 📓 Packer Classifier Based on PE Header Information (April 2015)
• 📃 Packer Detection for Multi-Layer Executables Using Entropy Analysis (March 2017)
• 📓 Packer Identification Based on Metadata Signature (December 2017)
• 📓 Packer identification method based on byte sequences (November 2018)
• 📃 Packer identification using Byte plot and Markov plot (September 2015)
• 📓 Packer Identification Using Hidden Markov Model (November 2017)
• 🎓 Packer-Complexity Analysis in PANDA (January 2018)
• 🎓 Pandora’s Bochs: Automatic Unpacking of Malware (January 2008)
• 📓 Pattern Recognition Techniques for the Classification of Malware Packers (July 2010)
• 📃 PE File Features in Detection of Packed Executables (January 2012)
• 📓 PE File Header Analysis-Based Packed PE File Detection Technique (PHAD) (October 2008)
• 📓 PE-Probe: Leveraging Packer Detection and Structural Information to Detect Malicious Portable Executables (June 2009)
• 📓 PEAL - Packed Executable AnaLysis (January 2012)
• 📜 PinDemonium: a DBI-based generic unpacker for Windows executables (July 2016)
• 📓 PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware (December 2006)
• 📓 Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem (February 2020)
• 📓 RAMBO: Run-Time Packer Analysis with Multiple Branch Observation (July 2016)
• 🎓 REFORM: A framework for malware packer analysis using information theory and statistical methods (April 2010)
• 📓 Renovo: A Hidden Code Extractor for Packed Executables (November 2007)
• 📓 RePEconstruct: reconstructing binaries with self-modifying code and import address table destruction (October 2016)
• 📓 Research and Implementation of Compression Shell Unpacking Technology for PE File (May 2009)
• 📃 Revealing Packed Malware (September 2008)
• 📓 Reverse Engineering Self-Modifying Code: Unpacker Extraction (October 2010)
• 📊 Runtime Packers Testing Experiences (May 2008)
• 📊 Runtime Packers: The Hidden Problem? (July 2006)
• 📓 SATURN - software deobfuscation framework based on LLVM (November 2019)
• 📃 SCORE: Source Code Optimization & REconstruction (July 2020)
• 📓 SE-PAC: A self-evolving PAcker classifier against rapid packers evolution (April 2021)
• 📃 Secure and advanced unpacking using computer emulation (August 2007)
• 📓 Semi-supervised learning for packed executable detection (September 2011)
• 📓 Semi-supervised Learning for Unknown Malware Detection (April 2011)
• 📃 Sensitive system calls based packed malware variants detection using principal component initialized MultiLayers neural networks (September 2018)
• 📓 SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers (May 2015)
• 📓 SPADE: Signature Based PAcker DEtection (August 2012)
• 📓 A Static, Packer-Agnostic Filter to Detect Similar Malware Samples (July 2012)
• 📓 Structural Feature Based Anomaly Detection for Packed Executable Identification (June 2011)
• 📓 The study of evasion of packed PE from static detection (June 2012)
• 📓 A Study of the Packer Problem and Its Solutions (September 2008)
• 📓 Survey on malware evasion techniques: State of the art and challenges (February 2012)
• 📓 Syntia: Synthesizing the Semantics of Obfuscated Code (August 2017)
• 📓 Things You May Not Know About Android (Un) Packers: A Systematic Study based on Whole-System Emulation. (February 2018)
• 📓 Thwarting Real-Time Dynamic Unpacking (January 2011)
• 📊 TitanMist: Your First Step to Reversing Nirvana (July 2010)
• 📓 Toward Generic Unpacking Techniques for Malware Analysis with Quantification of Code Revelation (August 2009)
• 📓 Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost (October 2018)
• 📃 Two Techniques for Detecting Packed Portable Executable Files (June 2013)
• 🎓 Unpacking Framework for Packed Malicious Executables (July 2013)
• 📃 Unpacking Techniques and Tools in Malware Analysis (September 2012)
• 📓 Unpacking Virtualization Obfuscators (August 2009)
• 📃 UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program (July 2018)
• 📃 Using Entropy Analysis to Find Encrypted and Packed Malware (March 2007)
• 📓 VMAttack: Deobfuscating Virtualization-Based Packed Binaries (August 2017)
• 📊 WaveAtlas: Surfing Through the Landscape of Current Malware Packers (September 2015)
• 📊 We Can Still Crack You! General unpacking method for Android Packer(NO ROOT) (September 2015)
• 📊 When malware is packing heat (January 2018)
• 📌 Writing a Packer (2021)
• 📌 Writing a simple PE Packer in detail (March 2019)
• 📃 WYSINWYX: What you see is not what you EXecute (August 2010)
• 📃 x64Unpack: Hybrid Emulation Unpacker for 64-bit Windows Environments and Detailed Analysis Results on VMProtect 3.4 (July 2020)

📑 Datasets

• Ember

  The EMBER dataset is a collection of features from PE files that serve as a benchmark dataset for researchers. The EMBER2017 dataset contained features from 1.1 million PE files scanned in or before 2017 and the EMBER2018 dataset contains features from 1 million PE files scanned in or before 2018. This repository makes it easy to reproducibly train the benchmark models, extend the provided feature set, or classify new PE files with the benchmark models.

• Malfease

• MalShare

  A free Malware repository providing researchers access to samples, malicious feeds, and Yara results.

• OARC

  3,467 samples ; semi-public and available to qualified academic and industry researchers upon request ; captured in the wild from September 2005 to January 2006 by mail traps, user submissions, honeypots and other sources aggregated by the OARC

• Offensive Computing

• PackingData

  Original dataset with sample PE files packed with a large variety of packers, including ASPack, BeRoEXEPacker, exe32pack, eXpressor, FSG, JDPack, MEW, Molebox, MPRESS, Neolite, NSPack, Pckman, PECompact, PEtite, RLPack, UPX, WinUpack, Yoda's Crypter and Yoda's Protector.

• PackingData (sanitized)

  Sanitized version of the original dataset, removing packed samples from the Notpacked folder but also samples in packer folders that failed to be packed (having a same hash as the original unpacked executable).

• Packware

  This repository provides datasets and codes that are needed to reproduce the experiments in the paper When Malware is Packin’ Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features.

• Runtime Packers Testset

  10 common Malware files, packed with about 40 different runtime packers in over 500 versions and options => Over 5000 files 2941 still running correct which were used for the test

• SOREL

  Sophos-ReversingLabs 20 Million dataset. The code included in this repository produced the baseline models available at s3://sorel-20m/09-DEC-2020/baselines This code depends on the SOREL dataset available via Amazon S3 at s3://sorel-20m/09-DEC-2020/processed-data/ ; to train the lightGBM models you can use the npz files available at s3://sorel-20m/09-DC-2020/lightGBM-features/ or use the scripts included here to extract the required files from the processed data. If you use this code or this data in your own research, please cite our paper: "SOREL-20M: A Large Scale Benchmark Dataset for Malicious PE Detection " found at https://arxiv.org/abs/2012.07634

• theZoo

  theZoo is a project created to make the possibility of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis, we have decided to gather all of them for you in an accessible and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev.

• VirusShare

  Please login to search and download. System currently contains 43,141,350 malware samples.

• VX Heaven

• WildList

  This is a cooperative listing of malwares reported as being in the wild by security professionals. The basis for these reports are incidents where a sample was received, and positively identified by the participants listed in the bottom part of this list.

📦 Packers

• 20to4

  Executable compressor that is able to stuff about 20k of finest code and data into less than 4k.

• 32Lite

• 624

  624 is a COM program packer. You can compress COM program shorter than 25000 bytes. The compression rate is fantastic.

• ACProtect

  ACProtect is an application that allows you to protect Windows executable files against piracy,using public keys encryption algorithms (RSA) to create and verify the registration keys and unlock some RSA key locked code,it has embedded cryptor against dump and unpacker.it also has many anti debug tricks. And you can use it to create evaluation and trial application versions. with specialized API system, mutual communication between loader and application is also can be achieved.

• AHPack

• AinEXE

• Alienyze

• Alternate EXE Packer

  This program is able to compress executable files (type EXE) or DLL-files. Already compressed files may also be decompressed with this program. There exist 12 different levels for file-compression. This program is also able to create backups of the files that shall be compressed. Relies on UPX 3.96.

• Amber

  Amber is a position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory much like a generic shellcode. By default, every generated payload is encoded using the new generation SGN encoder. Amber uses CRC32_API and IAT_API for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased for evading memory scanners.

• Andromeda

• Anti007

• aPack

• APKProtect

• Application Protector

• Armadillo

• ASPack

• ASProtect 32

• ASProtect 64

• AT4RE Protector

• AverCryptor

• AVPack

• AXE

• AxProtector

• BangCle

• Beria

• Bero

  Bero EXE Packer (BEP)

• BIN-crypter

• BJFNT

• BoxedApp Packer

• Bundle EXE

• BurnEye

  Burneye ELF encryption program, x86-linux binary.

• CauseWay Compressor

• CEXE

• Code Virtualizer

  Code Virtualizer is a powerful code obfuscation system for Windows, Linux and Mac OS X applications that helps developers to protect their sensitive code areas against Reverse Engineering with very strong obfuscation code, based on code virtualization.

• ComPAck

• ConfuserEx

  An open-source, free protector for .NET applications.

• Crinkler

• Cryptic

• DalKrypt

• DarkCrypt

• DEPack

• DexGuard

• DexProtector

• Diet

• DotBundle

• DotNetZ

  .NETZ is a straightforward and lightweight, command-line piece of software written in C that allows you to compress and pack Microsoft .NET Framework executable files to ensure they consume as little space on your computer's hard drive as possible.

• DotProtect

• DragonArmor

• DXPack

• ELFuck

  ELF packer for i386 original version from sk2 by sd.

• Enigma

• Enigma Protector

• Enigma Virtual Box

• EP Protector

• EPack

• EPPort

• Eronona-Packer

  This is a packer for exe under win32. You can use it to pack any 32-bit exe file.

• Excalibur

• EXE Bundle

• EXE Guarder

• EXE Stealth

• EXE Wrapper

• Exe32Pack

• EXECrypt

• EXECryptor

  EXECryptor is the strongest and most innovative software security system available. From program protection and cracking avoidance to preventing reverse engineering, analysis, and modifications, EXECryptor has it all. It uses new and unique security technology and provides software developers and publishers with an un-presented level of protection to significantly increase their revenues.

• EXEPack.NET

• eXPressor

  Used as a compressor this tool can compress EXE files to half their normal size. Once compressed, the files execute just like normal. As a protector It is designed to protect applications against crackers; also can help developers in creation of uncrackable registration keys, and implementation of trial version for protected software.

• Ezip

• Ezuri

  A Simple Linux ELF Runtime Crypter. An unpacker by f0wl can be found at f0wl/ezuri_unpack.

• FSG

  FSG - F[ast] S[mall] G[ood] Perfect compressor for small exes, eg. 4k intros, asm appz etc. (upx sux) Features:

  • luvs TASM & MASM exes
  • small loader (351 bytes with import table)
  • advanced sections merging
  • maximum code squeeze
  • import handling
  • resource compression
  • no section align (Petite patent)
  • aPLib v0.34 compression Bugs:
  • cannot handle most of big PE EXE files
  • no TLS support (does not support Delphi exes)
  • no DLL support
  • not tested under XP

• GzExe

  The gzexe utility allows you to compress executables in place and have them automatically uncompress and execute when you run them (at a penalty in performance). Note that the compressed executable is a shell script. This may create some security holes. In particular, the compressed executable relies on the PATH environment variable to find gzip and some standard utilities (basename, chmod, ln, mkdir, mktemp, rm, sleep, and tail).

• HASP Envelope

• HidePE

• HmimysPack

• hXOR-Packer

• Ijiami

• JDPack

• JDProtect

• Kbys

• Kkrunchy

  Kkrunchy is a small exe packer primarily meant for 64k intros.

• Krypton

• LameCrypt

• LGLZ

• LIAPP

• LM-X License Manager

  LM-X License Manager lets you protect your products against piracy by enforcing various levels of security, save time, and reduce business risks. When coupled with License Activation Center (LAC), LM-X provides a complete license management solution that greatly simplifies license creation and activation. With one of the widest ranges of platform and language support, LM-X License Manager allows ISVs to quickly and effortlessly reach new markets and customers, driving sales and increasing revenue.

• LxLite

• LzExe

• m0dern_p4cker

  Just a modern packer for elf binaries ( works on linux executables only )

• MaskPE

• Megalite

• MEW

• MidgetPack

  Midgetpack is a binary packer for ELF binaries, such as burneye, upx or other tools. Its goal is to protect your assets (tools, exploits) when using them on untrusted systems (e.g on a monitored customer's system during a pentest). Midgetpack contains two modes of operation: password and curve25519 key exchange.

• MKFPack

• MoleBox

• Morphine

• mPack

  mPack - mario PACKersimple Win32 PE Executable compressor

• MPRESS

• MSLRH

• Mucki

• Muncho

  Mac OS X executable packer. (TODO) this is a Mac OS X executable ; requires Darling installed.

• NakedPacker

• NCPH

• NeLite

• Neolite

• NetCrypt

  A proof-of-concept packer for .NET executables, designed to provide a starting point to explain the basic principles of runtime packing.

• NPack

• NSPack

• NTPacker

• Obsidium

• ORiEN

• Origami

  Packer compressing .net assemblies, (ab)using the PE format for data storage.

• PACK

• Pack Master

• PackItBitch

• PackMan

• Pakkero

  Pakkero is a binary packer written in Go made for fun and educational purpose. Its main goal is to take in input a program file (elf binary, script, even appimage) and compress it, protect it from tampering and intrusion.

• PangXie

• Papaw

• PC-Guard

• PCShrinker

• PE Cryptor

• PE-Armor

• PE-Packer

  Simple packer for Windows 32-bits PE files. The new PE file after packing can obstruct the process of reverse engineering. It will transform the original import table, encrypt sections, clear section names and installing the shell-entry. When running a packed PE file, the shell-entry will decrypt and load the original program by decrypting sections, initializing the original import table and relocation.

• PE-Protector

• PE-Toy

  A PE file packer.

• PEBundle

• PECompact

• PEDiminisher

• PELock

• PEncrypt

• PENinja

• PEPack

• PePacker

  Simple PE Packer Which Encrypts .text Section I release a simple PE file packer which encrypts the .text section and adds a decryption stub to the end of the last section. The encryption is a simple xor encryption which can easily be developed to something more stronger.

• PEShield

  PE-SHiELD is a program, which encrypts 32-bit Windows EXE files, leaving them still executable. The previous version was over a year in the wild and there is still no unpacker for it.

• PESpin

• PEtite

  Petite is a free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor.

• PEX

• PEzor

  Open-Source Shellcode & PE Packer.

• PK-Smart

• PKlite

• PMode

• PMWLITE

• PolyCrypt

• PolyEne

• Polymorph Crypter

• PolyPack

• Private EXE Protector

• Pro-Pack

• Qihoo

• RCryptor

• RJCrush

• RLPack

  Relies on aPLib 0.43

• Rubbish

• RUCC

• SDProtector

• SecuPack

• sePACKER

  Simple Executable Packer is compressing executables' code section inorder to decrease size of binary files. It's using UCL compression library.

• Shiva

  Shiva is a tool to encrypt ELF executables under Linux. Shiva can be used to wrap an executable in such a way that though it continues to run as it did before it is very difficult to debug or reverse engineer. Shiva can be used to password protect critical programs, including setuid programs, or simply to obfuscate sensitive data stored within programs.

• Shrinker

• Silent-Packer

  Silent_Packer is an ELF / PE packer written in pure C. This program can be used to obfuscate a binary. This packer supports PIE binaries.

• Simple-PE32-Packer

  Simple PE32 Packer with aPLib compression library. DllMain has packing/unpacking functions. Need aplib.h/aplib.lib/aplib.dll in order to work. Main is a program that uses DllMain. Need DllMain/aplib in order to work. Release is a compiled program that can pack/unpack executables. This program is made with Win32 API only. I wish this program helps you to make packer.

• Smart Packer

• SPack

• ST Protector

• StealthPE

• SVK Protector

• SysPack

  Device drivers compressor.

• T-Pack

• tElock

  Telock is a practical tool that intends to help developers who want to protect their work and reduce the size of the executable files. The application is designed to encode your files in order to make them impossible or at least hard to reverse engineer. NB: This can rename sections to match random known packers (e.g. UPX or ASPack)

• theArk

  Windows x86 PE Packer In C++.

• Themida

  From Renovo paper: Themida converts the original x86 instructions into virtual instructions in its own randomized instruction set, and then interpret these virtual instructions at run-time.

• TinyProg

• Trojan Protect

• TTProtect

• UPack

• UPC

• UPolyX

• UPX

  Ultimate Packer for eXecutables

• V2Packer

• Vacuum

• VMProtect

  VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free upgrades and much more.

• Ward

  This is a simple implementation of an ELF packer that creates stealthy droppers for loading malicious ELFs in-memory. Useful for red teamers trying to proliferate a payload while evading detection.

• WinCrypt

• Winkrypt

• WinUpack

• WWPack

• XComp

• XE

• xorPacker

  A simple packer working with all PE files which cipher your exe with a XOR implementation.

• XPA

• XPack

• Yoda Protector

  Yoda's Protector is a free, open source, Windows 32-bit software protector.

• Yoda's Crypter

  Now yoda's Crypter was made with Visual C++ 7.0 after 3 years of released 1.2 Version. The last version was created by using Masm32. But Now every thing was built by last version of Visual C++ and 90 per cent of codes was translate to C++. This Software was modified to support C++ builder and Delphi PE header. Moreover The Encryption and Decryption methods were improved by the aided C code.

  Protection features:

  • Polymorphic encryption
  • Softice detection
  • Anti Debug API's
  • Erase PE Header
  • Anti Dumping
  • CRC checking
  • Import Table encryption/destruction
  • API Redirection

• ZProtect

  Zprotect goes beyond traditional obfuscation methods. In addition to renaming your metadata entities, it also supports advanced obfuscation methods that will harden your overall protection scheme and foil reverse engineering altogether. See more details below.

🔧 Tools

• Android Unpacker

  Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0.

• aPLib

  aPLib is a compression library based on the algorithm used in aPACK. It is an easy-to-use alternative to many of the heavy-weight compression libraries available.

• AppSpear

  AppSpear is a universal and automated unpacking system suitable for both Dalvik and ART. It can solve most mainstream Android packers, such Alibaba, Baidu, Bangcle, Ijiami, Qihoo360, Naga, NetQin, LIAPP, and so on.

• Bintropy

  Prototype analysis tool that estimates the likelihood that a binary file contains compressed or encrypted bytes. Based on the original tool from the related paper.

• BitBlaze

  The BitBlaze Binary Analysis Platform features a novel fusion of static and dynamic analysis techniques, mixed concrete and symbolic execution, and whole-system emulation and binary instrumentation, all to facilitate state-of-the art research on real security problems. Two of the most important components in BitBlaze are Vine, the static analysis component that provides an intermediate language for analyzing machine code, and TEMU, the dynamic analysis component that provides whole-system emulation and dynamic binary instrumentation including taint analysis.

• Clamscan Unpacker

  This is a packer derived from ClamAV open source project for unpacking packed files like UPX, NSPACK , UPACK ,ASPACK etc.

• de4js

  JavaScript Deobfuscator and Unpacker.

• DIE

  Detect It Easy, or abbreviated "DIE" is a program for determining types of files.

• Ether

  EtherUnpack: Precision universal automated unpacker EtherTrace: Examine trace logs for expected actions (file, registry)

  The basic installation outline is roughly the following:

  • Start with a fresh bare-metal install of Debian Lenny.
  • Install Xen 3.1.0 from source and verify the Xen install works.
  • Patch the Xen hypervisor with the Ether patches.
  • Install the Ether userspace.
  • Install Windows XP SP2 domUs.
  • Analyze malware!

• Eureka

  Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic. For each uploaded binary, the Eureka service will attempt to unpack and (for Eureka I, disassemble; for Eureka II (not yet available), decompile) the binary, and will produce an annotated callgraph, subroutine/data index page, strings summary, and a list of embedded DNS entries.

• EXEInfo-PE

  Fast detector for executable PE files.

• EXETools (Packers)

  Repository of packers.

• EXETools (Unpackers)

  Repository of unpackers.

• FUU

  Fast Universal Unpacker

• GUnpacker

  GUnpacker-assisted shell tool is that it has two main functions:

  • OEP positioning
  • Dump been decrypted code and data can be used to repair the follow-up of PE

• IDA-Pro Disassembler

  IDA, the second-to-none and indispensable disassembler in the toolbox of any serious software and malware analyst or binary reverse engineer.

• Justin

• List of .NET Deobfuscators and Unpackers

• Manalyze

  Manalyze is a robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth. It can :

  • Identifies a PE's compiler
  • Detects packed executables
  • Applies ClamAV signatures
  • Searches for suspicious strings
  • Looks for malicious import combinations (i.e. WriteProcessMemory + CreateRemoteThread)
  • Detects cryptographic constants (just like IDA's findcrypt plugin)
  • Can submit hashes to VirusTotal
  • Verifies authenticode signatures (on Windows only)

• OEPdet

• OmniUnpack

• PackerAttacker

• PackerBreaker

  PackerBreaker is yet another universal unpacker tool to help you to unpack, decompress and decrypt most of the programs packed, compressed or encrypted with the very well knowns software protection programs like UPX, ASPack, FSG, ACProtect, etc. It uses advanced emulation technology to unpack packed programs.

• PackerGrind

  An adaptive unpacking tool for tracking packing bahaviors and unpacking Android packed apps.

• PackerID

  Fork of packerid.py. Used to check PEid databases against files in Python. Additional output types, and formats, digital signature extraction, and disassembly support. Added a userdb.txt that I put together because who doesn't need another one.

• Packing-Box

  This Docker image aims to regroup multiple common executable packers and make datasets of packed executables.

• Pandora’s Bochs

  Extension to he Bochs PC eumlator to enable it to monitor execution of the unpacking stubs that are used by runtime-packed binaries to extract the original code into virtual memory.

• PEFrame

  peframe is a open source tool to perform static analysis on Portable Executable malware and generic suspicious file. It can help malware researchers to detect packer, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions, macro and much more information about the suspicious files.

• PEiD

  Packed Executable iDentifier

  v0.93 (30 Jan 2005) v0.94 (10 May 2006) v0.95 is available at https://github.com/wolfram77web/app-peid with an updated version of userdb.txt

• PEiD (reborn)

  Implementation in Python of the Packed Executable iDentifier (PEiD) in the scope of packing detection for Windows PE files based on signatures. It relies on pefile for abstracting PE files and reading signatures databases. The main tool checks the input executable against the embedded or user-defined signatures database. The second tool allows to create and integrate new signatures.

• PEiD (yara)

  Yet another implementation of PEiD with yara.

• PeLib

  PE file manipulation library. This repository is no longer alive. Its sources were moved directly to the main RetDec repository. It will be removed altogether after some transitional period.

• PEPack (part of PEV)

  PE file packer detection tool. Part of Unix package "pev" (http://pev.sourceforge.net, https://launchpad.net/ubuntu/hirsute/+package/pev), a text-based tool to analyze PE files host on GitHub (https://github.com/merces/pev).

• PINdemonium

• PolyUnpack

  From Renovo paper: PolyUnpack is a general approach for extracting the original hidden code without any heuristic assumptions. PolyUnpack takes advantage of the intrinsic nature of packed executables where the hidden code is generated and executed at run-time, and thus it is not present in the code section of the packed executable. As a pre-analysis step, PolyUnpack disassembles the packed executable to partition it into the code and data sections, Then it executes the binary instruction by instruction, checking whether the instruction sequence from the current point is in the code section identified in the pre-analysis step. The authors have implemented this approach and have shown that it can successfully identify and extract the hidden code in malware samples in the wild. However, in terms of performance, disassembling a program and single-step executing a binary significantly increase the computational complexity of its analysis.

• PortEx

  PortEx is a Java library for static malware analysis of Portable Executable files. Its focus is on PE malformation robustness, and anomaly detection. PortEx is written in Java and Scala, and targeted at Java applications.

• PyPackerDetect

  A small python script/library to detect whether an executable is packed. This is one of many tools we use for dataset curation within the ARG team at Cylance. Accuracy is not perfect, but is sufficient in accomplishing what we need.

• PyPackerDetect (refactored)

  A complete refactoring of the original project to a Python package with a console script to detect whether an executable is packed. pefile is used for PE parsing. peid is used as implementation of PEiD.

• PyPeid

  Yet another implementation of PEiD with yara-python.

• Quick Unpack

• RapidEXE

  RapidEXE is a simple and efficient way to convert your script to a standalone executable. You can create command line tools with all the power of modern scripting languages and share it with others, even if they don't have the runtime environment.

• RDG Packer Detector

• REMINDer

• Renovo

  Built on top of TEMU (dynamic analysis component of BitBlaze) Its basic idea is to detect the execution of newly-generated code by monitoring memory writes after the program starts. It maintains a shadow memory and flags each byte with 0 (clean) or 1 (dirty). It combines two main component ; the Execution Monitor and the Extraction Engine. Advantages of its approach :

  • we assume nothing about the packing methods (cfr problem with signatures)
  • can determine the exact memory regions accommodating the code or data generated at run-time (cfr dynamic analysis)
  • does not rely on any information on the code and data sections of the binary (on the contrary of static analysis and some approaches of dynamic analysis) This approach can handle multi-layers packing.

• RetDec

  RetDec is a retargetable machine-code decompiler based on LLVM. The decompiler is not limited to any particular target architecture, operating system, or executable file format:

  • Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code
  • Supported architectures:
    • 32-bit: Intel x86, ARM, MIPS, PIC32, and PowerPC
    • 64-bit: x86-64, ARM64 (AArch64)

• SymPack

• Unipacker

• UnpacMe

  UNPACME is an automated malware unpacking service. Submissions to UNPACME are analyzed using a set of custom unpacking processes maintained by OpenAnalysis. These processes extract all encrypted or packed payloads from the submission and return a unique set of payloads to the user. In short, UNPACME automates the first step in your malware analysis process.

• Unpckarc

  This identifies packed executables and their OEP by using several heuristics. Universal PE Unpacker assumes that GetProcAddress is always called to setup the import table after the original program is unpacked and before the program counter reaches the OEP. It is not intended to be an automated unpacking tool because it must be given a priori knowledge about the the possible range of the OEP.

• Uunp (IDA Pro plugin)

  Universal PE unpacker debugger plug-in module automates the analysis and unpacking of packed binaries. This plug-in uses the debugger to let the program unpack itself in memory and as soon as the execution reaches the original entry point, it suspends the program. The user may then take a memory snapshot.

• VirusTotal

• VMUnpacker

Contribute

Contributions welcome! Read the contribution guidelines first.