horsicq / Detect-It-Easy

Program for determining types of files for Windows, Linux and MacOS.
http://ntinfo.biz
MIT License

Inconsistencies with Amber Packer #195

Closed Gorman88 closed 2 months ago

Gorman88 commented 3 months ago

Noticed some inconsistencies with DiE being able to identify that a packed executable is actually packed when the executable was specifically packed using Amber. It also doesn't seem to be able to identify that Amber is the packer being used at all, but that is less of an issue for me than being able to ID whether the executable is packed or not.

I ran 12 tests with various Amber packed Windows PEs. 8 came back with positive identifications of the executable being packed, 4 did not. One thing to note is that originally I thought it was the size of the executable that was causing the problem but I ruled that out since it was able to detect strings.exe was packed (approx 320KiB) but not cmd.exe (approx 471KiB).

I used both DiE and NFD engines for testing with no discernible changes between the results of the two.

Here are some screenshots of GUI results for strings.exe and cmd.exe from both NFD and DiE engines:

[Four screenshots, 2024-04-05: DiE GUI results for strings.exe and cmd.exe from the NFD and DiE engines]

horsicq commented 3 months ago

Hello! Thanks a lot for the report! Could you please share the files? You could send them to me on Telegram @horsicq

DosX-dev commented 2 months ago

Amber detection added.