Many (non-packed) drivers have an INIT section with the IMAGE_SCN_MEM_WRITE + IMAGE_SCN_MEM_EXECUTE flags.
Therefore, it is not an indication of a packed executable and should be excluded from the warnings.
This can be demonstrated with this code:
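```python
import pefile
from pathlib import Path

x = 0
# Walk every driver image shipped under System32
for path in Path(r"C:\Windows\System32").rglob('*.sys'):
    pe = pefile.PE(path, fast_load=True)
    for section in pe.sections:
        # Section is both writable and executable (the condition that triggers the warning)
        if section.IMAGE_SCN_MEM_WRITE and section.IMAGE_SCN_MEM_EXECUTE:
            # Count only INIT sections of files that pefile identifies as drivers
            if section.Name.rstrip(b"\x00") == b"INIT" and pe.is_driver():
                x += 1
                print(path.name)
print(f"Number of drivers (falsely) suspected as packed: {x}")
```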
Side note: I have not found any evidence supporting the current exclusion (for the PAGE section).
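The check discussed above, as an added example that is not part of the original post and not pefile's own code: it parses raw `IMAGE_SECTION_HEADER` entries and reports writable+executable sections, skipping allow-listed names when the image is a driver. The `is_driver` argument, the allow-list and both section tables are assumptions constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WX = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

# Assumption: section names tolerated as W+X in drivers
# (INIT is the exclusion proposed above, PAGE the one already in place).
DRIVER_WX_ALLOWED = {b"INIT", b"PAGE"}

# IMAGE_SECTION_HEADER: Name[8], six DWORDs, two WORDs, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def make_section(name, characteristics):
    """Build one constructed section header; sizes and offsets are zeroed."""
    return SECTION_HEADER.pack(name, 0, 0, 0, 0, 0, 0, 0, 0, characteristics)


def wx_warnings(section_table, is_driver):
    """Return the names of W+X sections that should still raise a warning."""
    flagged = []
    last = len(section_table) - SECTION_HEADER.size
    for off in range(0, last + 1, SECTION_HEADER.size):
        fields = SECTION_HEADER.unpack_from(section_table, off)
        name, flags = fields[0].rstrip(b"\x00"), fields[-1]
        if (flags & WX) != WX:
            continue  # not both writable and executable
        if is_driver and name in DRIVER_WX_ALLOWED:
            continue  # expected layout for a driver, not a packing indicator
        flagged.append(name.decode("ascii", "replace"))
    return flagged


# Constructed sample: driver-like layout with a discardable W+X INIT section
DRIVER_TABLE = make_section(b".text", 0x68000020) + make_section(b"INIT", 0xE2000020)
# Constructed sample: packer-like layout where every section is W+X
PACKED_TABLE = make_section(b"UPX0", 0xE0000080) + make_section(b"UPX1", 0xE0000040)

if __name__ == "__main__":
    print(wx_warnings(DRIVER_TABLE, is_driver=True))
    print(wx_warnings(DRIVER_TABLE, is_driver=False))
    print(wx_warnings(PACKED_TABLE, is_driver=True))
```

The exclusion is keyed on both the section name and the driver check, so a user-mode image that names a W+X section INIT is still reported.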