Abstract—Portable executable or PE file features play a key role in detection of packed executables. Packing performs a lot of changes to the internal structure of PE files in such a way that it makes it very difficult for any Reverse Engineering Technique, Anti-Virus (AV) scanner or similar kind of programs to figure out whether the executable is malware or benign. Therefore, it is very important to figure out whether a given executable is packed or non-packed before detecting it as malicious or benign. Once a binary is detected as packed, it can be unpacked and can be given to AV or similar kind of programs. In this paper we have included a brief description of Portable Executable file format as we need to know the internal structure of PE before figuring out Packed Portable Executables. We have considered the packed executable by UPX packer only, and hence mentioned the functioning of UPX packer very briefly. Our approach basically works in two phases. In the first phase, it extracts various features of portable executables and in the second phase it analyses the extracted features and comes up with best set of features, which can be used to identify whether a given binary is packed or not by UPX Packer. Experimental results are shown to the end of this paper. We figure out the key feature set with proper justifications to show differences between packed and non-packed executable by UPX packer.
Index Terms—Malware, non-packed, packed, portable executable.
Dhruwajita Devi, Sukumar Nandi, Indian Institute of Technology Guwahati, Assam India (e-mail: {dhruwajita.devi, sukumar} @ iitg.ernet.in).
Cite: Dhruwajita Devi and Sukumar Nandi, "PE File Features in Detection of Packed Executables," International Journal of Computer Theory and Engineering vol. 4, no. 3, pp. 476-478, 2012.
Copyright © 2008-2024. International Association of Computer Science and Information Technology. All rights reserved.
