PyPackerDetect

A small python script/library to detect whether an executable is packed.

This is one of many tools we use for dataset curation within the ARG team at Cylance. Accuracy is not perfect, but is sufficient in accomplishing what we need.

Tested and devloped using Python 3.

pefile is used for PE parsing, found in ./deps/libpefile.

PEID Signatures are also used. There are two signature collections compiled from multiple online sources, found in ./deps/peid.

Multiple other hueristics are used for detection, and those are found in *Detector.py files, with the base class in PackerDetector.py.

Usage

Example usage is in DetectPacker.py. Can be run via command line.

Detection Mechanisms

PEID signatures
Known packer section names
Entrypoint in non-standard section
Threshhold of non-standard sections reached
Low number of imports
Overlapping entrypoint sections

Resources

Big thanks to Hexacorn, a good portion of the known PE section names come from there.

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
deps		deps
BadEntryPointSectionDetector.py		BadEntryPointSectionDetector.py
DetectPacker.py		DetectPacker.py
LICENSE.MD		LICENSE.MD
LowImportCountDetector.py		LowImportCountDetector.py
NonStandardSectionNameDetector.py		NonStandardSectionNameDetector.py
PEIDDetector.py		PEIDDetector.py
PackerDetector.py		PackerDetector.py
PackerReport.py		PackerReport.py
PackerSectionNameDetector.py		PackerSectionNameDetector.py
README.MD		README.MD
Utils.py		Utils.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

PyPackerDetect

Usage

Detection Mechanisms

Resources

About

Releases

Packages

Languages

License

cylance/PyPackerDetect

Folders and files

Latest commit

History

Repository files navigation

PyPackerDetect

Usage

Detection Mechanisms

Resources

About

Topics

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages