Can DIE identify Custom Packed EXEs?

[Bhuvanamitra]

As far as known packers are considered, DIE seems to identify them clearly. But now a days attackers are targeting with custom packing to evade detections. How far can DIE detect an EXE if it is custom packed? Also, How can use DIE to automate the process of packer detection? Is there a way to save the output of DIE and parse it to know whether the input file is packed or not? TIA.

[adoxa]

Have a look at the entropy and that will likely tell you. Use the command line version (base\diec) with -showentropy. I'm not sure what value Hors uses, but anything >= 6 is likely packed/encrypted.

[horsicq]

Hello, as @adoxa said you could use diec and entropy. You should just parse console output. More information about entropy: http://n10info.blogspot.com/2014/06/entropy-and-distinctive-signs-of-packed.html

[Bhuvanamitra]

Have a look at the entropy and that will likely tell you. Use the command line version (base\diec) with -showentropy. I'm not sure what value Hors uses, but anything >= 6 is likely packed/encrypted.

Invalid parameter or file name: -showentropy(base) I get this phrase when i try to use options. May I know why it is showing like that?

[horsicq]

diec [FileName] -showentropy:yes For example: diec C:\Windows\regedit.exe -showentropy:yes

[Bhuvanamitra]

diec [FileName] -showentropy:yes For example: diec C:\Windows\regedit.exe -showentropy:yes

Thanks for your lightening fast response!! When I use diec/showentropy on some files I have, I am getting entropy values as high as 7.8 and 7.99 etc. But I can't see packer information (like name and version of packer used) in the result. Instead I get the information of Linker, Installer, Overlay. Does this mean that the EXE is packed but DIE do not know exactly what packer is used? Does it mean that the EXE is packed using Custom methods?

Sorry if the questions are trivial. I am new to this space and trying my best to catch up.

[hypn0chka]

Does this mean that the EXE is packed but DIE do not know exactly what packer is used? Does it mean that the EXE is packed using Custom methods?

Yes and Yes.

[Bhuvanamitra]

Thank You. Let me bug you with my last question. How can I unpack them so that I can perform my static analysis on that EXE? I've seen Unipacker which is an automatic unpacker and also platform independent. But it does not come with a friendly license. Could you please suggest if you know any robust Unpackers with commercial friendly licences? TIA.

[hypn0chka]

What do you want to unpack? There are a lot of different packers. And not everyone has automatic unpackers. Also, some protectors cannot be unpacked automatically. Show a sample of what you want to unpack.

[Bhuvanamitra]

I've got some EXEs, when tested with DIE, they show very high entropies confirming that they are packed. But the packer info is not known. Now, how can I unpack such EXEs? I have seen methods which tell to use debuggers, set breakpoints and take memory dumps. But that will be overdoing for me. So I want to know if there are tools which can do all these and dump the unpacked load for me?

[horsicq]

You could try my another tool: XVolkolak: https://forum.exetools.com/showthread.php?t=18734 But the public version does not support commercial protectors.

[Bhuvanamitra]

You could try my another tool: XVolkolak: https://forum.exetools.com/showthread.php?t=18734 But the public version does not support commercial protectors.

Sure, will check that out.

[hypn0chka]

So I want to know if there are tools which can do all these and dump the unpacked load for me?

The first step is to identify the packer. Large file entropy does not mean that it is packed. It can be an installer with an archive, as well as a regular file with compressed content in resources (images, video etc.)

[Bhuvanamitra]

You could try my another tool: XVolkolak: https://forum.exetools.com/showthread.php?t=18734 But the public version does not support commercial protectors.

my machine is Ubuntu 16.04.2 LTS 64 bit. Can I use your tool which was given for Ubuntu 18.04?

[horsicq]

my machine is Ubuntu 16.04.2 LTS 64 bit. Can I use your tool which was given for Ubuntu 18.04?

I hope so.

[Bhuvanamitra]

So I want to know if there are tools which can do all these and dump the unpacked load for me?

The first step is to identify the packer. Large file entropy does not mean that it is packed. It can be an installer with an archive, as well as a regular file with compressed content in resources (images, video etc.)

That's a good point. Then I think taking Section level entropies and may be running a ML classifier on top of them can tell us whether a file is packed or not

[hypn0chka]

Then I think taking Section level entropies and may be running a ML classifier on top of them can tell us whether a file is packed or not

I told you, place the sample in some file sharing service. I will immediately tell you what it is.

[Bhuvanamitra]

Then I think taking Section level entropies and may be running a ML classifier on top of them can tell us whether a file is packed or not

I told you, place the sample in some file sharing service. I will immediately tell you what it is.

I am not looking for a single file, I am trying to build a system which can take every incoming exe and result out whether it is packed or not. I am doing this because I have developed a ML model from static features extracted from malware and benign exes and that model is performing well as of now. I thought a 'Packer Detection' step ahead of this model would further increase the credibility of model. So I am trying to build a generic packer detection block and an automatic unpacker(atleast for known packers) and then give the unpacked payload to the model so that it can extract accuate features and give the accurate classification result.

[horsicq]

I am not looking for a single file, I am trying to build a system which can take every incoming exe and result out whether it is packed or not. I am doing this because I have developed a ML model from static features extracted from malware and benign exes and that model is performing well as of now. I thought a 'Packer Detection' step ahead of this model would further increase the credibility of model. So I am trying to build a generic packer detection block and an automatic unpacker(atleast for known packers) and then give the unpacked payload to the model so that it can extract accuate features and give the accurate classification result.

Good idea. Keep going!

[Bhuvanamitra]

Good idea. Keep going!

Thank you. May be off-topic, but asking here as I am trying for it for quite sometime now. Do you have any set of packed PE files? Whether they are packed with known packers or custom packers, I want some packed files for evaluating whatever I am doing. Any help in this regard will be highly useful.

[horsicq]

Thank you. May be off-topic, but asking here as I am trying for it for quite sometime now. Do you have any set of packed PE files? Whether they are packed with known packers or custom packers, I want some packed files for evaluating whatever I am doing. Any help in this regard will be highly useful.

Sure I have. Write me at horsicq@gmail.com and I'll send you a link. BTW you could make your own collection with DIEsort: https://www.dropbox.com/s/iz33kbz308haj4j/diesort_1.01.zip?dl=1