/awesome-executable-packing

A curated list of awesome resources related to executable packing

Creative Commons Zero v1.0 UniversalCC0-1.0

Awesome Executable Packing Awesome Tweet

A curated list of resources related to executable packing (including Portable Executable, Executable and Linkable Format and others) containing references to books, papers, blog posts, and other written resources but also packers and tools for detecting packers and unpacking executables.

Packing is the action of modifying an executable in a way that does not modify its purpose. It is generally one or a combination of the following operations:

  • bundling: makes a single executable with multiple files
  • compression: compresses the executable to reduce its original size
  • encryption: obfuscates the executable by encrypting it
  • mutation: alters the executable's code so that it uses a modifided instruction set and architecture (e.g. using oligomorphism)
  • protection: makes the reversing of the executable harder (i.e. using anti-debugging, anti-tampering or other tricks)
  • virtualization: embeds a virtual machine that allows to virtualize executable's instructions

Contents

πŸ“š Literature

Documentation

Back to top

Scientific Research

Back to top

πŸ“‘ Datasets

  • CyberCrime - CΒ² tracking and malware database.
  • Dataset of Packed PE - Sanitized version of the original dataset, PackingData, removing packed samples from the Notpacked folder but also samples in packer folders that failed to be packed (having a same hash as the original unpacked executable).
  • Ember - Collection of features from PE files that serve as a benchmark dataset for researchers.
  • Malfease - Dataset of about 5,000 packed malware samples.
  • Malheur - Contains the recorded behavior of malicious software (malware) and has been used for developing methods for classifying and clustering malware behavior (see the JCS article from 2011).
  • MalShare - Free Malware repository providing researchers access to samples, malicious feeds, and Yara results.
  • MalwareGallery - Yet another malware collection in the Internet.
  • OARC Malware Dataset - Semi-public dataset of 3,467 samples captured in the wild from Sep 2005 to Jan 2006 by mail traps, user submissions, honeypots and other sources aggregated by the OARC, available to qualified academic and industry researchers upon request.
  • Open Malware - Online collection of malware samples.
  • PackingData - Original dataset with sample PE files packed with a large variety of packers, including ASPack, BeRoEXEPacker, exe32pack, eXpressor, FSG, JDPack, MEW, Molebox, MPRESS, Neolite, NSPack, Pckman, PECompact, PEtite, RLPack, UPX, WinUpack, Yoda's Crypter and Yoda's Protector.
  • Packware - Datasets and codes that are needed to reproduce the experiments in the paper "When Malware is Packing Heat".
  • Runtime Packers Testset - Dataset of 10 common Malware files, packed with about 40 different runtime packers in over 500 versions and options, with a total of about 5,000 samples.
  • SOREL - Sophos-ReversingLabs 20 Million dataset.
  • theZoo - Project created to make the possibility of malware analysis open and available to the public.
  • ViruSign - Another online malware database.
  • VirusShare - Virus online database with more thant 44 millions of samples.
  • VX Heaven - Site dedicated to providing information about computer viruses.
  • VX Underground - PL-CERT based open source MWDB python application holding a malware database containing every APT sample from 2010 and over 7.5M malicious binaries.
  • VXvault - Online malware database.
  • WildList - Cooperative listing of malwares reported as being in the wild by security professionals.

Back to top

πŸ“¦ Packers

After 2010

  • .netshrink - Executable compressor for your Windows or Linux .NET application executable file using LZMA.
  • Alienyze - Advanced software protection and security for Windows 32-bit executables.
  • Alternate EXE Packer - Compression tool for executable files (type EXE) or DLL's relying on UPX 3.96.
  • Amber - Position-independent(reflective) PE loader that enables in-memory execution of native PE files(EXE, DLL, SYS).
  • Andromeda - Custom packer used in malware campaigns using RunPE techniques for evading AV mitigation methods.
  • APKProtect - APK encryption and shell protection supporting Java and C++.
  • Armadillo - Incorporates both a license manager and wrapper system for protecting PE files.
  • ASPack - Advanced solution created to provide Win32 EXE file packing and to protect them against non-professional reverse engineering.
  • ASProtect 32 - Multifunctional EXE packing tool designed for software developers to protect 32-bit applications with in-built application copy protection system.
  • ASProtect 64 - Tool for protecting 64-bit applications and .NET applications for Windows against unauthorized use, industrial and home copying, professional hacking and analysis of software products distributed over the Internet and on any physical media.
  • AutoIT - Legitimate executable encryption service.
  • AxProtector - Encrypts the complete software you aim to protect, and shields it with a security shell, AxEngine, best-of-breed anti-debugging and anti-disassembly methods are then injected into your software.
  • BangCle - Protection tool using the second generation Android Hardening Protection, loading the encrypted DEX file from memory dynamically.
  • Bero - Bero EXE Packer (BEP) for 32-bit windows executables.
  • BIN-crypter - EXE protection software against crackers and decompilers.
  • Code Virtualizer - Code Virtualizer is a powerful code obfuscation system for Windows, Linux and macOS applications that helps developers to protect their sensitive code areas against Reverse Engineering with very strong obfuscation code, based on code virtualization.
  • ConfuserEx - An open-source, free protector for .NET applications.
  • Crinkler - Compressing linker for Windows, specifically targeted towards executables with a size of just a few kilobytes.
  • DarkCrypt - Simply and powerful plugin for Total Commander used for file encryption using 100 algorithms and 5 modes.
  • DexGuard - Android app obfuscation & security protocols for mobile app protection.
  • DexProtector - Multi-layered RASP solution that secures your Android and iOS apps against static and dynamic analysis, illegal use and tampering.
  • DotBundle - GUI tool to compress, encrypt ad password-protect a .NET application or embed .NET libraries.
  • DotNetZ - Straightforward and lightweight, command-line piece of software written in C that allows you to compress and pack Microsoft .NET Framework executable files.
  • ElecKey - Suite of software and tools that offer a complete solution for software protection, copy protection, and license management.
  • ELFuck - ELF packer for i386 original version from sk2 by sd.
  • Enigma Protector - Professional system for executable files licensing and protection.
  • Enigma Virtual Box - Application virtualization system for Windows.
  • Eronona-Packer - This is a packer for exe under win32.
  • EXE Bundle - Bundles application files into a single PE32 file.
  • EXE Stealth - Anti-cracking protection and licensing tool for PE files featuring compression and encryption polymorphic technology.
  • Ezuri - A Simple Linux ELF Runtime Crypter.
  • GzExe - Utility that allows to compress executables as a shell script.
  • hXOR-Packer - PE packer with Huffman compression and XOR encryption.
  • LIAPP - Easiest and most powerful mobile app security solution.
  • LM-X License Manager - LM-X License Manager lets you protect your products against piracy by enforcing various levels of security, save time, and reduce business risks.
  • m0dern_p4cker - Just a modern packer for elf binaries ( works on linux executables only ).
  • MidgetPack - Midgetpack is a binary packer for ELF binaries, such as burneye, upx or other tools.
  • MPRESS - Compresses (using LZMA) and protects PE, .NET or Mach-O programs against reverse engineering.
  • NetCrypt - A proof-of-concept packer for .NET executables, designed to provide a starting point to explain the basic principles of runtime packing.
  • Obsidium - Feature-rich professional software protection and licensing system designed as a cost effective and easy to implement, yet reliable and non-invasive way to protect your 32- and 64-bit Windows software applications and games from reverse engineering.
  • Origami - Packer compressing .net assemblies, (ab)using the PE format for data storage.
  • Pakkero - Pakkero is a binary packer written in Go made for fun and educational purpose.
  • Papaw - Permissively-licensed packer for ELF executables using LZMA Zstandard or Deflate compression.
  • PE-Packer - Simple packer for Windows 32-bits PE files.
  • PE-Toy - A PE file packer.
  • PELock - Software protection system for Windows executable files ; protects your applications from tampering and reverse engineering, and provides extensive support for software license key management, including support for time trial periods.
  • PePacker - Simple PE Packer Which Encrypts .text Section I release a simple PE file packer which encrypts the .text section and adds a decryption stub to the end of the last section.
  • PEShield - PE-SHiELD is a program, which encrypts 32-bit Windows EXE files, leaving them still executable.
  • PEtite - Free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor.
  • sePACKER - Simple Executable Packer is compressing executables' code section inorder to decrease size of binary files.
  • Silent-Packer - Silent Packer is an ELF / PE packer written in pure C.
  • Simple-PE32-Packer - Simple PE32 Packer with aPLib compression library.
  • Smart Packer - Packs 32 & 64bit applications with DLLs, data files, 3rd party run-time into one single executable that runs instantly, with no installs or hassles.
  • theArk - Windows x86 PE Packer In C++.
  • Themida - From Renovo paper: Themida converts the original x86 instructions into virtual instructions in its own randomized instruction set, and then interpret these virtual instructions at run-time.
  • UPX - Ultimate Packer for eXecutables.
  • Ward - This is a simple implementation of an ELF packer that creates stealthy droppers for loading malicious ELFs in-memory.
  • xorPacker - Simple packer working with all PE files which cipher your exe with a XOR implementation.
  • ZProtect - Renames metadata entities and supports advanced obfuscation methods that harden protection scheme and foil reverse engineering altogether.

Back to top

Between 2000 and 2010

  • 20to4 - Executable compressor that is able to stuff about 20k of finest code and data into less than 4k.
  • ACProtect - Application that allows to protect Windows executable files against piracy, using RSA to create and verify the registration keys and unlock code.
  • AHPack - PE and PE+ file packer.
  • Application Protector - Tool for protecting Windows applications.
  • AT4RE Protector - Very simple PE files protector programmed in ASM.
  • AverCryptor - Small and very handy utility designed to encrypt notes in which you can store any private information - it helps to hide your infection from antiviruses.
  • BurnEye - Burneye ELF encryption program, x86-linux binary.
  • ByteBoozer - Commodore 64 executable packer.
  • EXE Guarder - Licensing tool for PE files allowing to compress and specify a password notice.
  • EXE Wrapper - Protects any EXE file with a password from non-authorized execution.
  • Exe32Pack - Compresses Win32 EXEs, DLLs, etc and dynamically expands them upon execution.
  • EXECryptor - Protects EXE programs from reverse engineering, analysis, modifications and cracking.
  • eXPressor - Used as a compressor this tool can compress EXE files to half their normal size.
  • FSG - Fast Small Good, perfect compressor for small exes, eg.
  • GHF Protector - Executable packer / protector based on open source engines Morphine and AHPack.
  • Kkrunchy - Kkrunchy is a small exe packer primarily meant for 64k intros.
  • mPack - mPack - mario PACKersimple Win32 PE Executable compressor.
  • NSPack - 32/64-bits exe, dll, ocx, scr Windows program compressor.
  • NTPacker - PE file packer relying on aPlib for compression and/or XOR for encryption.
  • PECompact - Windows executable compressor featuring third-party plug-ins offering protection against reverse engineering.
  • RLPack - Compresses your executables and dynamic link libraries in a way that keeps them small and has no effect on compressed file functionality.
  • Sentinel HASP Envelope - Wrapping application that protects the target application with a secure shield, providing a means to counteract reverse engineering and other anti-debugging measures.
  • Shiva - Shiva is a tool to encrypt ELF executables under Linux.
  • Shrinker - Compresses (up to 70%) 16 and 32 bit Windows and real mode DOS programs.
  • tElock - Telock is a practical tool that intends to help developers who want to protect their work and reduce the size of the executable files.
  • TTProtect - Professional protection tool designed for software developers to protect their PE applications against illegal modification or decompilation.
  • WinLite - Compresses Windows executables (such as Pklite, Diet or Wwpack) for executables programs under DOS.
  • WinUpack - Graphical interface for Upack, a command-line program used to create self-extracting archives from Windows PE files.
  • XComp - PE32 image file packer and rebuilder.
  • Yoda Crypter - Supports polymorphic encryption, softice detection, anti-debug API's, anti-dumping, etc, encrypts the Import Table and erases PE Header.
  • Yoda Protector - Free, open source, Windows 32-bit software protector.

Back to top

Before 2000

  • 32Lite - Compression tool for executable files created with Watcom C/C++ compiler.
  • 624 - COM packer that can compress COM programs shorter than 25000 bytes.
  • AinEXE - DOS executable packer.
  • aPack - 16-bit real-mode DOS executable ( .EXE and .COM ) compressor.
  • AVPack - Encrypts EXE or COM files so that they'll be able to start on your PC only.
  • AXE - Program compression utility.
  • CEXE - Compresses an input EXE into a smaller executable (only runs on WinNT, Win2000 and above - won't run on Win95 or Win98).
  • EPack - EXE and COM file compressor ; works with DOS/Windows95 files.
  • LGLZ - DOS EXE and COM file compressor using modified LZ77.
  • LzExe - MS-DOS executable file compressor.
  • Megalite - MS-DOS executable file compressor.
  • PACK - Executable files compressor.
  • PCShrink - Windows 9x/NT executable file compressor relying on the aPLib compression library.
  • PE Diminisher - Simple PE packer relying on the aPLib compression library.
  • PE-Protector - Encrypter/protector for Windows 9x/ME to protect executable files PE against reverse engineering or cracking with a very strong protection.
  • PEBundle - Physically attaches DLL(s) to an executable, resolving dependencies in memory.
  • PEPack - PE compression tool based on the code of a newer version of PE-SHiELD.
  • Pro-Pack - DOS executable file compressor.
  • RJCrush - EXE and COM files compressor with the ability to compress overlays.
  • SecuPack - Win32 executable compressor.
  • SysPack - Device drivers compressor.
  • T-Pack - Executable COM-FILE compressor (LZ77) optimized for small files like BBS-Addys or similar files.
  • TinyProg - EXE and COM programs compressor.
  • Vacuum - Runtime Compressor for DOS32 executables.
  • VGCrypt - PE crypter for Win95/98/NT.
  • WWPack - Squeezes EXE files, compresses relocation tables, optimizes headers, protects EXE files from hacking.
  • XE - DOS executable compression utility.
  • XPA - DOS executable packer.
  • XPack - PE32 image file packer and rebuilder.

Back to top

πŸ”§ Tools

  • .NET Deobfuscator - List of .NET Deobfuscators and Unpackers.
  • Android Unpacker - Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0.
  • APKiD - Android application Identifier for packers, protectors, obfuscators and oddities - PEiD for Android.
  • aPLib - Compression library based on the algorithm used in aPACK.
  • AppSpear - Universal and automated unpacking system suitable for both Dalvik and ART.
  • Assiste (Packer) - Assiste.com's example list of packers.
  • AVClass - Python tools to tag / label malware samples.
  • Bintropy - Prototype analysis tool that estimates the likelihood that a binary file contains compressed or encrypted bytes.
  • BinUnpack - Unpacking approach free from tedious memory access monitoring, therefore introducing very small runtime overhead.
  • BitBlaze - Analysis platform that features a novel fusion of static and dynamic analysis techniques, mixed concrete and symbolic execution, and whole-system emulation and binary instrumentation, all to facilitate state-of-the art research on real security problems.
  • Clamscan Unpacker - Unpacker derived from ClamAV.
  • de4dot - .NET deobfuscator and unpacker.
  • de4js - JavaScript Deobfuscator and Unpacker.
  • Defacto2 Packers Archive - MS-DOS & Windows32 binary file packers.
  • DIE - Detect It Easy ; Program for determining types of files.
  • Emulator - Symantec Endpoint Protector (from v14) capability to create a virtual machine on the fly to identify, detonate, and eliminate malware hiding inside custom malware packers.
  • EtherUnpack - Precision universal automated unpacker (successor of PolyUnpack).
  • Eureka - Binary static analysis preparation framework implementing a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing.
  • EXEInfo-PE - Fast detector for executable PE files.
  • EXETools - Forum for reverse engineering and executale packing related topics.
  • FUU - Fast Universal Unpacker.
  • GUnpacker - Shell tool that performs OEP positioning and dumps decrypted code.
  • Justin - Just-In-Time AV scanning ; generic unpacking solution.
  • Malheur - Tool for the automatic analysis of malware behavior (recorded from malicious software in a sandbox environment).
  • MalUnpack - Dynamic unpacker based on PE-sieve.
  • Manalyze - Robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth.
  • OEPdet - Automated original-entry-point detector.
  • OllyDbg Scripts - Collection of OllyDbg scripts for unpacking many different packers.
  • OmniUnpack - New technique for fast, generic, and safe unpacking of malware by monitoring the execution in real-time and detecting the removed layers of packing.
  • PackerAttacker - Tool that uses memory and code hooks to detect packers.
  • PackerBreaker - Tool for helping unpack, decompress and decrypt most of the programs packed, compressed or encrypted using advanced emulation technology.
  • PackerGrind - Adaptive unpacking tool for tracking packing bahaviors and unpacking Android packed apps.
  • PackerID - Fork of packerid.py using PEid signatures and featuring additional output types, formats, digital signature extraction, and disassembly support.
  • Packing-Box - Docker image gathering many packing-related tools and for making datasets of packed executables for use with machine learning.
  • Pandora's Bochs - Extension to the Bochs PC eumlator to enable it to monitor execution of the unpacking stubs for extracting the original code.
  • PE Compression Test - List of packers tested on a few sample executables for comparing compressed sizes.
  • PE Detective - This GUI tool can scan single PE files or entire directories (also recursevely) and generate complete reports.
  • PE-bear - Freeware reversing tool for PE files aimed to deliver fast and flexible β€œfirst view” for malware analysts, stable and capable to handle malformed PE files.
  • Pefeats - Utility for extracting 119 features from a PE file for use with machine learning algorithms.
  • Pefile - Multi-platform Python module to parse and work with Portable Executable files.
  • PEFrame - Tool for performing static analysis on PE malware and generic suspicious files.
  • PEiD - Packed Executable iDentifier.
  • PEiD (reborn) - Python implementation of PEiD featuring an additional tool for making new signatures.
  • PEiD (yara) - Yet another implementation of PEiD with yara.
  • PeLib - PE file manipulation library.
  • PEPack - PE file packer detection tool, part of the Unix package "pev".
  • PINdemonium - Unpacker for PE files exploiting the capabilities of PIN.
  • PolyUnpack - Implemention attempt of the general approach for extracting the original hidden code of PE files without any heuristic assumptions.
  • PortEx - Java library for static malware analysis of PE files.
  • PROTECTiON iD - PE file signature-based scanner.
  • ProTools - Programmer's Tools, a web site dedicated for all kinds of tools and utitlities for the true WinBloze programmer, including packers, crypters, etc.
  • PyPackerDetect - Small python script/library to detect whether an executable is packed.
  • PyPackerDetect (refactored) - A complete refactoring of the original project to a Python package with a console script to detect whether an executable is packed.
  • PyPeid - Yet another implementation of PEiD with yara-python.
  • Quick Unpack - Generic unpacker that facilitates the unpacking process.
  • RapidEXE - Simple and efficient way to convert a PHP/Python script to a standalone executable.
  • RDG Packer Detector - Packer detection tool.
  • Red Curtain - Free software for Incident Responders that assists with the analysis of malware ; it examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria.
  • REMINDer - Packing detection tool based on the entropy value of the entry point section and the WRITE attribute.
  • Renovo - Detection tool built on top of TEMU (dynamic analysis component of BitBlaze) based on the execution of newly-generated code and monitoring memory writes after the program starts.
  • RetDec - Retargetable machine-code decompiler based on LLVM.
  • SAC - PACK: Archivers, exe-compressors, archiver shells and other related utils.
  • SymPack - Safe, portable, largely effective but not generic library for packing detection and unpacking ; part of the Norton Antivirus solution.
  • Titanium Platform - Machine learning hybrid cloud platform that harvests thousands of file types at scale, speeds threat detection through machine learning binary analysis, and continuously monitors an index of over 10B files for future threats.
  • Tuts 4 You - Non-commercial, independent community dedicated to the sharing of knowledge and information on reverse code engineering.
  • Unipacker - Automatic and platform-independent unpacker for Windows binaries based on emulation.
  • UnpacMe - Automated malware unpacking service.
  • Unpckarc - Packed executables detection tool relying on several heuristics.
  • Uunp (IDA Pro plugin) - IDA Pro debugger plug-in module automating the analysis and unpacking of packed binaries.
  • VirusTotal - File analysis Web service for detecting malware.
  • VMUnpacker - Unpacker based on the technology of virtual machine.

Back to top

Contributing

Contributions are welcome! Please read the contribution guidelines first.