Track Awesome Executable Packing Updates Daily
A curated list of awesome resources related to executable packing
😺 packing-box/awesome-executable-packing · ⭐ 1.2K · 🏷️ Security
Nov 12, 2024
📚 Literature / Documentation
📚 Literature / Scientific Research
- 📰 Adversarial EXEmples: A survey and experimental evaluation of practical attacks on machine learning for windows malware detection (September 2021) ⭐
- 🎓 Adversarial tool for breaking static detection of executable packing (August 2024) ⭐
- 📕 Assessing static and dynamic features for packing detection (October 2024) ⭐
- 📄 Assessing the impact of packing on machine learning-based malware detection and classification systems (October 2024) ⭐
- 🎓 Automated static analysis of virtual-machine packers (August 2013)
- 📓 Certified robustness of static deep learning-based malware detectors against patch and append attacks (November 2023) ⭐
- 📓 Collective classification for packed executable identification (September 2011)
- 🔖 A compact multi-step framework for packing identification in portable executable files for malware analysis (February 2024)
- 📄 Decoding the secrets of machine learning in malware classification: A deep dive into datasets, feature extraction, and model performance (July 2023) ⭐
- 📰 Detecting packed executables based on raw binary data (June 2010)
- 📰 Detecting unknown malicious code by applying classification techniques on opcode patterns (February 2012)
- 📓 Detection of metamorphic malware packers using multilayered LSTM networks (November 2020) ⭐
- 📰 An efficient algorithm to extract control flow-based features for IoT malware detection (April 2021)
- 📰 ERMDS: A obfuscation dataset for evaluating robustness of learning-based malware detection system (May 2023)
- 📓 Fileprints: Identifying file types by n-gram analysis (June 2005)
- 📰 Identifying malware packers through multilayer feature engineering in static analysis (February 2024) ⭐
- 📰 Improving malware detection using multi-view ensemble learning (August 2016)
- 🔖 MAB-Malware: A reinforcement learning framework for attacking static malware classifiers (April 2021)
- 📓 Malware family classification method based on static feature extraction (December 2017)
- 📓 MLxPack: Investigating the effects of packers on ML-based malware detection systems using static and dynamic traits (May 2022) ⭐
- 🔖 Novel feature extraction, selection and fusion for effective malware family classification (March 2016)
- 📰 On deceiving malware classification with section injection (August 2022)
- 🔖 On evaluating adversarial robustness (February 2019)
- 📰 Opcode sequences as representation of executables for data-mining-based unknown malware detection (May 2013)
- 📰 Opcodes as predictor for malware (January 2008)
- 📰 Original entry point detection based on graph similarity (April 2024)
- 📰 Practical attacks on machine learning: A case study on adversarial windows malware (September 2022)
- 📰 Sequential opcode embedding-based malware detection method (March 2022)
- 📓 Static analysis method on portable executable files for REMNUX based malware identification (October 2019)
- 🔖 A survey on adversarial attacks for malware analysis (January 2022)
- 📰 A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis (September 2018)
- 🔖 Transcending transcend: Revisiting malware classification in the presence of concept drift (December 2021)
- 📓 Unknown malcode detection using OPCODE representation (December 2008)
📑 Datasets / Scientific Research
- VX Underground - PL-CERT based open source MWDB Python application holding a malware database containing every APT sample from 2010 and over 7.5M malicious binaries.
📦 Packers / After 2010
- ProtectMyTooling (⭐869) - Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry.
📦 Packers / Between 2000 and 2010
- x86.Virtualizer - x86 Virtualizer.
🔧 Tools / Before 2000
- Gym-Malware (⭐612) - This is a malware manipulation environment for OpenAI's gym.
- PEPack (⭐687) - PE file packer detection tool, part of the Unix package "pev".
- REMINDer (⭐2) - Packing detection tool based on the entropy value of the entry point section and the WRITE attribute.
- SecML Malware (⭐206) - Create adversarial attacks against machine learning Windows malware detectors.
Jul 07, 2024
📚 Literature / Scientific Research
- 📰 2-SPIFF: A 2-stage packer identification method based on function call graph and file attributes (December 2021)
- 📰 Adversarial attacks against windows PE malware detection: A survey of the state-of-the-art (December 2021)
- 📓 Adversarial malware binaries: Evading deep learning for malware detection in executables (September 2018)
- 📰 Analysis of machine learning approaches to packing detection (October 2023) ⭐
- 📰 Birds of a feature: Intrafamily clustering for version identification of packed malware (September 2020)
- 📓 A comprehensive solution for obfuscation detection and removal based on comparative analysis of deobfuscation tools (October 2021)
- 📓 A dynamic heuristic method for detecting packed malware using naive bayes (November 2019) ⭐
- 📓 Enhancing machine learning based malware detection model by reinforcement learning (November 2018)
- 📓 Experimental toolkit for manipulating executable packing (June 2024) ⭐
- 📰 Feature selection for malware detection based on reinforcement learning (December 2019)
- 📓 Generic black-box end-to-end attack against state of the art API call based malware classifiers (September 2018)
- 🔖 Intriguing properties of neural networks (February 2014)
- 🔖 Learning to evade static PE machine learning malware models via reinforcement learning (January 2018)
- 📓 MetaAware: Identifying metamorphic malware (December 2007)
- 📓 Obfuscator-LLVM: Software protection for the masses (May 2015)
- 📓 Packer identification method for multi-layer executables with k-Nearest neighbor of entropies (October 2020) ⭐
- 📰 PEzoNG: Advanced packer for automated evasion on Windows (December 2022)
- 📓 A survey on machine learning-based detection and classification technology of malware (September 2021)
- 📓 Towards static analysis of virtualization-obfuscated binaries (October 2012)
📦 Packers / After 2010
- PEzoNG - Framework for automatically creating stealth binaries that target a very low detection rate in a Windows environment.
- PEzor (⭐1.9k) - Open-Source Shellcode & PE Packer.
Jan 16, 2024
📚 Literature / Documentation
📚 Literature / Scientific Research
- 🎓 Complexity-based packed executable classification with high accuracy (December 2008)
- 📓 Deceiving portable executable malware classifiers into targeted misclassification with practical adversarial examples (March 2020)
- 📰 An improved method for packed malware detection using PE header and section table information (September 2019)
- 📰 Packer classification based on association rule mining (July 2022) ⭐
- 📓 PackGenome: Automatically generating robust YARA rules for accurate malware packer detection (November 2023) ⭐
- 📰 A survey on run-time packers and mitigation techniques (November 2023) ⭐
- 📓 Symbolic execution of obfuscated code (October 2015) ⭐
📑 Datasets / Scientific Research
- MalwareSamples - Bringing you the best of the worst files on the Internet.
📦 Packers / After 2010
- OSX_Packer - Binary packer for the Mach-O file format.
- Pakr (⭐8) - In-memory packer for macOS Mach-O bundles.
- VirtualMachineObfuscationPoC - Obfuscation method using virtual machine.
📦 Packers / Between 2000 and 2010
- Laturi - Linker and compressor intended to be used for macOS 1k, 4k and perhaps 64K intros.
🔧 Tools / Before 2000
- VMHunt (⭐173) - Set of tools for analyzing virtualized binary code ; now only supports 32 bit traces.
- yarGen (⭐1.6k) - Generator for YARA rules - The main principle is the creation of YARA rules from strings found in malware files while removing all strings that also appear in goodware files.
Jan 05, 2024
📚 Literature / Scientific Research
- 📓 Tutorial: An overview of malware detection and evasion techniques (December 2018)
Nov 08, 2023
📑 Datasets / Scientific Research
- The Malware Museum - The Malware Museum is a collection of malware programs, usually viruses, that were distributed in the 1980s and 1990s on home computers.
📦 Packers / After 2010
- Squishy - Modern packer developed for 64kb demoscene productions, targets 32bit and 64bit executables.
📦 Packers / Between 2000 and 2010
- CryptExec - Next-generation runtime binary encryption using on-demand function extraction.
📦 Packers / Before 2000
Jul 05, 2023
📚 Literature / Documentation
📚 Literature / Scientific Research
Apr 04, 2023
📚 Literature / Documentation
📚 Literature / Scientific Research
- 📰 Binary-code obfuscations in prevalent packer tools (October 2013) ⭐
- 📰 A close look at a daily dataset of malware samples (January 2019)
- 📓 Ether: Malware analysis via hardware virtualization extensions (October 2008)
- 📰 File packing from the malware perspective: Techniques, analysis approaches, and directions for enhancements (December 2022) ⭐
- 📓 SATURN - Software deobfuscation framework based on LLVM (November 2019)
- 📰 WYSINWYX: What you see is not what you execute (August 2010)
Jan 07, 2023
📚 Literature / Scientific Research
- 📓 A fast randomness test that preserves local detail (October 2008)
- 📓 Limits of static analysis for malware detection (December 2007)
- 📓 Metadata recovery from obfuscated programs using machine learning (December 2016)
- 📓 On the (Im)possibility of obfuscating programs (August 2001)
- 🎓 Packing detection and classification relying on machine learning to stop malware propagation (December 2021)
- 📓 PE-Miner: Mining structural information to detect malicious executables in realtime (September 2009)
- 📰 Standards and policies on packer use (October 2010)
📑 Datasets / Scientific Research
- Contagio - Contagio is a collection of the latest malware samples, threats, observations, and analyses.
- Open Malware Project - Online collection of malware samples (formerly Offensive Computing).
🔧 Tools / Before 2000
- Capa (⭐4.9k) - Open-source tool to identify capabilities in PE, ELF or .NET executable files.
- Oedipus (⭐11) - A Python framework that uses machine learning algorithms to implement the metadata recovery attack against obfuscated programs.
Dec 31, 2022
📚 Literature / Documentation
📚 Literature / Scientific Research
- 📰 Anti-emulation trends in modern packers: A survey on the evolution of anti-emulation techniques in UPA packers (May 2018)
- 📰 The application research of virtual machine in packers (August 2011)
- 📓 Classifying packed malware represented as control flow graphs using deep graph convolutional neural network (March 2020) ⭐
- 📰 A comparative analysis of software protection schemes (June 2014)
- 📓 Detecting traditional packers, decisively (October 2013)
- 📓 Evading machine learning malware detection (July 2017)
- 📰 Hashing-based encryption and anti-debugger support for packing multiple files into single executable (February 2018)
- 📰 Research and implementation of packing technology for PE files (January 2013)
- 📰 Static malware detection & subterfuge: Quantifying the robustness of machine learning and current anti-virus (June 2018)
- 📓 A unpacking and reconstruction system-agunpacker (January 2009)
📑 Datasets / Scientific Research
- MalwareTips - MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats.
📦 Packers / After 2010
- SimpleDPack (⭐108) - A very simple windows EXE packing tool for learning or investigating PE structure.
🔧 Tools / Before 2000
- DSFF (⭐2) - DataSet File Format for exchanging datasets and converting to ARFF (for use with Weka), CSV or Packing-Box's dataset structure.
- ImpREC - This can be used to repair the import table for packed programs.
Aug 27, 2022
📚 Literature / Scientific Research
- 🎓 Experimental toolkit for studying executable packing - Analysis of the state-of-the-art packing detection techniques (June 2022) ⭐
- 📓 Obfuscation-resilient executable payload extraction from packed malware (August 2021) ⭐
- 📓 PolyUnpack: Automating the hidden-code extraction of unpack-executing malware (December 2006) 🌟 🌟 🌟
- 📓 SoK: Deep packer inspection: A longitudinal study of the complexity of run-time packers (May 2015) ⭐ ⭐
- 📓 When malware is packin' heat; limits of machine learning classifiers based on static analysis features (January 2020) ⭐ ⭐
Jul 13, 2022
🔧 Tools / Before 2000
- IDR (⭐965) - Interactive Delphi Reconstructor.
- PEdump - Dump windows PE files using Ruby.
Jun 01, 2022
📚 Literature / Documentation
- 📄 Packers
📚 Literature / Scientific Research
- 📰 Effective, efficient, and robust packing detection and classification (May 2019) ⭐ ⭐ ⭐
- 📰 Efficient automatic original entry point detection (January 2019)
- 📓 Syntia: Synthesizing the semantics of obfuscated code (August 2017) ⭐
📑 Datasets / Scientific Research
- MalwareBazaar - Project operated by abuse.ch aimed to collect and share malware samples, helping IT-security researchers and threat analysts protect their constituency and customers from cyber threats.
- SAC - Slovak Antivirus Center, non-commercial project of AVIR and ESET companies ; contains packers, detectors and unpackers.
- VirusShare - Virus online database with more than 44 million samples.
📦 Packers / After 2010
- NPack - Can compress 32-bit and 64-bit exe, dll, ocx, scr Windows programs.
- VMProtect - VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software.
- Ward (⭐18) - Simple implementation of an ELF packer that creates stealthy droppers for loading malicious ELFs in-memory.
📦 Packers / Between 2000 and 2010
- ExeFog - Simple Win32 PE files packer.
- RDMC - DMC algorithm based packer.
- UPack - Compresses Windows PE file.
📦 Packers / Before 2000
- RERP - ROSE's EXE Relocation Packer.
- RJCrush - EXE and COM files compressor with the ability to compress overlays.
- Shrinker - Compresses (up to 70%) 16 and 32 bit Windows and real mode DOS programs.
- TinyProg - EXE and COM programs compressor.
- WinLite - Compresses Windows executables, as Pklite, Diet or Wwpack do for executable programs under DOS.
🔧 Tools / Before 2000
- CFF Explorer - PE32/64 and .NET editor, part of the Explorer Suite.
- LordPE - PE header viewer, editor and rebuilder.
- MRC - (Mandiant Red Curtain) Free software for Incident Responders that assists with the analysis of malware ; it examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria.
- RTD - Rose Patch - TinyProt/Rosetiny Unpacker.
- RUPP - ROSE SWE UnPaCKER PaCKaGE (for DOS executables only).
- StudPE - PE viewer and editor (32/64 bit).
- UU - Universal Unpacker.
- Uundo - Universal Undo - Universal Unpacker.
- UUP - Universal exe-file UnPacker.
May 22, 2022
📚 Literature / Scientific Research
- 📓 Towards paving the way for large-scale Windows malware analysis: Generic binary unpacking with orders-of-magnitude performance boost (October 2018) ⭐
- 📰 x64Unpack: Hybrid emulation unpacker for 64-bit Windows Environments and detailed analysis results on VMProtect 3.4 (July 2020) ⭐
🔧 Tools / Before 2000
- DynamoRIO - Runtime code manipulation system that supports code transformations on any part of a program, while it executes.
- Pin - Dynamic binary instrumentation framework for the IA-32, x86-64 and MIC instruction-set architectures that enables the creation of dynamic program analysis tools.
May 18, 2022
📚 Literature / Documentation
📑 Datasets / Scientific Research
- FFRI Dataset Scripts (⭐10) - Make datasets like FFRI Dataset.
- RCE Lab (⭐41) - Crackme's, keygenme's, serialme's ; the "tuts4you" folder contains many packed binaries.
📦 Packers / Before 2000
- Morphine (⭐289) - Application for PE files encryption.
May 10, 2022
📚 Literature / Scientific Research
- 📰 Advanced preprocessing of binary executable files and its usage in retargetable decompilation (December 2014)
📦 Packers / After 2010
- ELFCrypt (⭐93) - Simple ELF crypter using RC4 encryption.
- .netshrink - Executable compressor for your Windows or Linux .NET application executable file using LZMA.
- RapidEXE - Simple and efficient way to convert a PHP/Python script to a standalone executable.
📦 Packers / Before 2000
- $PIRIT - COM/EXE executable files polymorphic encryptor.
🔧 Tools / Before 2000
- Binutils - The GNU Binutils are a collection of binary tools for Linux (it notably includes Readelf).
- Eureka - Binary static analysis preparation framework implementing a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing.
- .NET Deobfuscator (⭐1.3k) - List of .NET Deobfuscators and Unpackers.
- PackID (⭐9) - Packer identification multiplatform tool/library using the same database syntax as PEiD.
- PExplorer - Most feature-packed program for inspecting the inner workings of your own software, and more importantly, third party Windows applications and libraries for which you do not have source code.
- PortEx (⭐496) - Java library for static malware analysis of PE files with a focus on PE malformation robustness and anomaly detection.
- PROTECTiON iD - PE file signature-based scanner.
- ProTools - Programmer's Tools, a web site dedicated for all kinds of tools and utilities for the true WinBloze programmer, including packers, crypters, etc.
- ResourceHacker - Resource editor for 32bit and 64bit Windows applications.
- Winbindex (⭐601) - An index of Windows binaries, including download links for executables such as EXE, DLL and SYS files.
Apr 22, 2022
📚 Literature / Documentation
📦 Packers / After 2010
🔧 Tools / Before 2000
- Capstone - Lightweight multi-platform, multi-architecture disassembly framework.
- PANDA (⭐2.5k) - Platform for Architecture-Neutral Dynamic Analysis.
- ShowStopper (⭐196) - Tool to help malware researchers explore and test anti-debug techniques or verify debugger plugins or other solutions that clash with standard anti-debug methods.
Apr 15, 2022
📚 Literature / Documentation
📚 Literature / Scientific Research
- 🎓 Building a smart and automated tool for packed malware detections using machine learning (June 2020)
- 📓 DexHunter: Toward extracting hidden code from packed Android applications (September 2015)
- 📓 Experimental comparison of machine learning models in malware packing detection (September 2020) ⭐
- 📓 Malware obfuscation through evolutionary packers (July 2015)
- 📓 OmniUnpack: Fast, generic, and safe unpacking of malware (December 2007) ⭐
- 📓 Prevalence and impact of low-entropy packing schemes in the malware ecosystem (February 2020) ⭐
- 📓 Renovo: A hidden code extractor for packed executables (November 2007) ⭐ ⭐
- 🎓 Robust static analysis of portable executable malware (December 2014)
- 📰 SCORE: Source code optimization & reconstruction (July 2020)
- 📓 A study of the packer problem and its solutions (September 2008) ⭐
📑 Datasets / Scientific Research
- MaleX (⭐39) - Curated dataset of malware and benign Windows executable samples for malware researchers containing 1,044,394 Windows executable binaries and corresponding image representations with 864,669 labelled as malware and 179,725 as benign.
📦 Packers / Before 2000
- AINEXE - DOS executable packer (part of the AIN Archiver suite).
- Crunch - File encryptor for COM and EXE files.
🔧 Tools / Before 2000
- ChkEXE - Identifies almost any EXE/COM packer, crypter or protector.
- PEview - Provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.
- REMnux - Linux toolkit for reverse-engineering and analyzing malicious software.
- TrID - Utility for identifying file types from their binary signatures.
Apr 01, 2022
📚 Literature / Documentation
- 🌎 Defacto2
📦 Packers / Between 2000 and 2010
- RSCC - ROSE Super COM Crypt ; polymorph cryptor for files greater than 300-400B and smaller than 60kB.
- RUCC - ROSE Ultra COM Compressor ; COM and EXE compression utility based on 624.
📦 Packers / Before 2000
- COMProtector - Adds a security envelope around DOS .COM files by randomly encrypting it and adding several anti-debugging tricks.
- EXELOCK 666 - Utility for protecting .EXE files so no lamers can hack out the copyright.
- LzExe - MS-DOS executable file compressor.
- Mask - Tool that prevents COM program from being cracked by using encryption and anti-debugging tricks.
- Mess - This tool does the same as HackStop, with the exception that it is freeware for non-commercial use.
- Neolite - Compresses Windows 32-bit EXE files and DLLs.
- PKlite - Easy-to-use file compression program for compressing DOS and Windows executable files.
🔧 Tools / Before 2000
- Angr (⭐7.6k) - Platform-agnostic binary analysis framework.
- Language 2000 - Ultimate compiler detection utility.
- PEscan - CLI tool to scan PE files to identify how they were constructed.
- Triton (⭐3.5k) - Dynamic binary analysis library.
Mar 31, 2022
📚 Literature / Documentation
📚 Literature / Scientific Research
- 📓 ByteWise: A case study in neural network obfuscation identification (January 2018)
- 📓 A control flow graph-based signature for packer identification (October 2017)
- 📓 Packer identification based on metadata signature (December 2017)
- 📓 Packer identification using byte plot and Markov plot (September 2015)
- 📓 Packer identification using hidden Markov model (November 2017)
- 📰 Sensitive system calls based packed malware variants detection using principal component initialized multilayers neural networks (September 2018)
📑 Datasets / Scientific Research
- Dataset of Packed ELF (⭐17) - Dataset of packed ELF samples.
📦 Packers / Between 2000 and 2010
- HackStop - EXE and COM programs encrypter and protector.
- UPX-Scrambler - Scrambler for files packed with UPX (up to 1.06) so that they cannot be unpacked with the '-d' option.
📦 Packers / Before 2000
- ABK Scrambler - COM file scrambler and protector recoded from ABKprot.
- AEP - Addition Encode-Protective for COM and EXE file.
- BIN-Lock - COM file scrambler for preventing reverse engineering.
- BitLok - COM and EXE file protector.
- C0NtRiVER - COM file encryptor.
- CauseWay Compressor - DOS EXE compressor.
- CC Pro - COM and EXE executable file compression utility.
- CrackStop - Tool that creates a security envelope around a DOS EXE file to protect it against crackers.
- ExeGuard - DOS EXE files free protector using anti-debugging tricks to prevent hacking, analysis and unpacking.
- FSE - Final Fantasy Security Envelope freeware for protecting COM and EXE programs.
- Gardian Angel - COM and EXE encrypter and protector using a variety of anti-debugging tricks.
- JMCryptExe - DOS EXE encrypter.
- PE-Protector - Encrypter/protector for Windows 9x/ME to protect PE executable files against reverse engineering or cracking with a very strong protection.
- Scorpion - EXE and COM file encrypter and protector.
- TRAP - EXE and COM files encrypter and protector.
- WWPack - Squeezes EXE files, compresses relocation tables, optimizes headers, protects EXE files from hacking.
- XE - PE32 image file packer and rebuilder.
- XorCopy - COM file XOR-based encrypter.
- XORER - COM file XOR-based encrypter.
- XPack - EXE/COM/SYS executable file compressor.
🔧 Tools / Before 2000
- COM2EXE - Free tool for converting COM files to EXE format.
- Defacto2 Analyzers Archive - Collection of 60 binary files analysers for MS-DOS and Windows32 from the 1990s and the 2000s.
- Defacto2 Packers Archive - Collection of 460 binary and data file packers for MS-DOS and Windows32 from the 1990s and 2000s.
- Defacto2 Unpackers Archive - Collection of 152 binary files unpackers for MS-DOS and Windows 32 from the 1990s and 2000s.
- ExeScan - Executable file analyzer which detects the most famous EXE/COM Protectors, Packers, Converters and compilers.
- GetTyp - File format detection program for DOS based on special strings and byte code.
- LIEF (⭐4.5k) - Library to Instrument Executable Formats ; Python package for parsing PE, ELF, Mach-O and DEX formats, modifying and rebuilding executables.
- PCjs - PCjs uses JavaScript to recreate the IBM PC experience, using original ROMs, CPUs running at their original speeds, and early IBM video cards and monitors.
- PETools (⭐1k) - Old-school reverse engineering tool (with a long history since 2002) for manipulating PE files.
- RDG Packer Detector - Packer detection tool.
- Reko (⭐2.2k) - Free decompiler for machine code binaries.
- RetDec (⭐8k) - Retargetable machine-code decompiler based on LLVM.
- SAFE - Static Analyzer For Executables (available on demand).
- Tuts 4 You - Non-commercial, independent community dedicated to the sharing of knowledge and information on reverse code engineering.
- UnpacMe - Automated malware unpacking service.
Mar 20, 2022
📚 Literature / Documentation
📚 Literature / Scientific Research
- 📰 Absent extreme learning machine algorithm with application to packed executable identification (January 2016)
- 📰 All-in-one framework for detection, unpacking, and verification for malware analysis (January 2019)
- 📰 Automatic analysis of malware behavior using machine learning (December 2011)
- 📰 BareUnpack: Generic unpacking on the bare-metal operating system (December 2018)
- 📰 BinStat tool for recognition of packed executables (September 2010)
- 📓 Classifying packed programs as malicious software detected (December 2016)
- 📰 An efficient block-discriminant identification of packed malware (August 2015)
- 📰 ELF-Miner: Using structural knowledge and data mining methods to detect new (Linux) malicious executables (March 2012)
- 📰 Generic packing detection using several complexity analysis for accurate malware detection (January 2014)
- 📰 A learning model to detect maliciousness of portable executable using integrated feature set (January 2017)
- 📰 Mal-flux: Rendering hidden code of packed binary executable (March 2019)
- 📰 Mal-xtract: Hidden code extraction using memory analysis (January 2017)
- 📰 Malware analysis using visualized images and entropy graphs (February 2015)
- 📰 Malwise - An effective and efficient classification system for packed and polymorphic malware (June 2013)
- 📰 Obfuscation: The hidden malware (August 2011)
- 📓 Obfuscation: Where are we in anti-DSE protections? (a first attempt) (December 2019)
- 📰 An original entry point detection method with candidate-sorting for more effective generic unpacking (January 2015)
- 📰 Packed malware detection using entropy related analysis: A survey (November 2015)
- 📰 Packed malware variants detection using deep belief networks (March 2020)
- 📰 Packer detection for multi-layer executables using entropy analysis (March 2017) ⭐
- 📓 Packer identification method based on byte sequences (November 2018)
- 🎓 Packer-complexity analysis in PANDA (January 2018)
- 📰 PE file features in detection of packed executables (January 2012)
- 📓 RePEconstruct: Reconstructing binaries with self-modifying code and import address table destruction (October 2016)
- 📰 Revealing packed malware (September 2008)
- 📰 Secure and advanced unpacking using computer emulation (August 2007)
- 📓 Things you may not know about Android (Un) packers: A systematic study based on whole-system emulation (February 2018)
- 📓 Understanding linux malware (May 2018) ⭐
- 📰 Unpacking techniques and tools in malware analysis (September 2012)
- 📰 Using entropy analysis to find encrypted and packed malware (March 2007)
- 📓 VMAttack: Deobfuscating virtualization-based packed binaries (August 2017)
Mar 18, 2022
📚 Literature / Scientific Research
- 🎓 Computational-intelligence techniques for malware generation (October 2015)
- 📊 Dealing with virtualization packers (May 2008)
- 📊 Qualitative and quantitative evaluation of software packers (December 2015)
- 📊 Runtime packers testing experiences (May 2008)
- 📓 Static analysis of executables to detect malicious patterns (August 2003)
- 📊 WaveAtlas: Surfing through the landscape of current malware packers (September 2015)
📑 Datasets / Scientific Research
- Malicia - Dataset of 11,688 malicious PE files collected from 500 drive-by download servers over a period of 11 months in 2013 (DISCONTINUED).
🔧 Tools / Before 2000
- PEiD (CLI) (⭐128) - Python implementation of PEiD featuring an additional tool for making new signatures.
Mar 04, 2022
📚 Literature / Scientific Research
- 📓 Eureka: A framework for enabling static malware analysis (October 2008)
- 📓 Generic unpacking using entropy analysis (October 2010)
- 📓 PE-Probe: Leveraging packer detection and structural information to detect malicious portable executables (June 2009)
- 📓 Reverse engineering self-modifying code: Unpacker extraction (October 2010)
- 📓 Unpacking virtualization obfuscators (August 2009)
📦 Packers / After 2010
- ElecKey - Suite of software and tools that offer a complete solution for software protection, copy protection, and license management.
📦 Packers / Between 2000 and 2010
- EXE Wrapper - Protects any EXE file with a password from non-authorized execution.
- EXECryptor - Protects EXE programs from reverse engineering, analysis, modifications and cracking.
- Sentinel HASP Envelope - Wrapping application that protects the target application with a secure shield, providing a means to counteract reverse engineering and other anti-debugging measures.
📦 Packers / Before 2000
- PE Diminisher - Simple PE packer relying on the aPLib compression library.
- SecuPack - Win32 executable compressor.
🔧 Tools / Before 2000
- FUU (⭐46) - Fast Universal Unpacker.
Feb 13, 2022
📑 Datasets / Scientific Research
- VX Heaven - Site dedicated to providing information about computer viruses.
📦 Packers / After 2010
- APKProtect - APK encryption and shell protection supporting Java and C++.
- Armadillo - Incorporates both a license manager and wrapper system for protecting PE files.
- DotBundle - GUI tool to compress, encrypt and password-protect a .NET application or embed .NET libraries.
- Enigma Protector - Professional system for executable files licensing and protection.
- Enigma Virtual Box - Application virtualization system for Windows.
- EXE Bundle - Bundles application files into a single PE32 file.
- EXE Stealth - Anti-cracking protection and licensing tool for PE files featuring compression and encryption polymorphic technology.
- hXOR-Packer (⭐58) - PE packer with Huffman compression and XOR encryption.
- LIAPP - Easiest and most powerful mobile app security solution.
- MPRESS - Compresses (using LZMA) and protects PE, .NET or Mach-O programs against reverse engineering.
- Papaw (⭐41) - Permissively-licensed packer for ELF executables using LZMA, Zstandard or Deflate compression.
- ZProtect - Renames metadata entities and supports advanced obfuscation methods that harden protection scheme and foil reverse engineering altogether.
📦 Packers / Between 2000 and 2010
- EXE Guarder - Licensing tool for PE files allowing to compress and specify a password notice.
- PECompact - Windows executable compressor featuring third-party plug-ins offering protection against reverse engineering.
- TTProtect - Professional protection tool designed for software developers to protect their PE applications against illegal modification or decompilation.
- WinUpack - Graphical interface for Upack, a command-line program used to create self-extracting archives from Windows PE files.
📦 Packers / Before 2000
- aPack - 16-bit real-mode DOS executable (.EXE and .COM) compressor.
- EPack - EXE and COM file compressor ; works with DOS/Windows95 files.
- LGLZ - DOS EXE and COM file compressor using modified LZ77.
- Megalite - MS-DOS executable file compressor.
- PACK - Executable files compressor.
- PCShrink - Windows 9x/NT executable file compressor relying on the aPLib compression library.
- PEPack - PE compression tool based on the code of a newer version of PE-SHiELD.
- Pro-Pack - DOS executable file compressor.
- T-Pack - Executable COM-FILE compressor (LZ77) optimized for small files like BBS-Addys or similar files.
- Vacuum - Runtime Compressor for DOS32 executables.
🔧 Tools / Before 2000
- APKiD (⭐2.1k) - Android application Identifier for packers, protectors, obfuscators and oddities - PEiD for Android.
- BinUnpack - Unpacking approach free from tedious memory access monitoring, therefore introducing very small runtime overhead.
Feb 02, 2022
📚 Literature / Scientific Research
- 📓 Adaptive unpacking of Android Apps (May 2017)
- 📓 Anti-unpacker tricks (May 2008)
- 📓 Application of string kernel based support vector machine for malware packer identification (August 2013)
- 📓 Automatic static unpacking of malware binaries (October 2009)
- 📓 BitBlaze: A new approach to computer security via binary analysis (December 2008)
- 📓 Boosting scalability in anomaly-based packed executable filtering (November 2011)
- 📓 A comparative assessment of malware classification using binary texture analysis and dynamic analysis (September 2011)
- 📓 Comparing malware samples for unpacking: A feasibility study (August 2016)
- 📓 Countering entropy measure attacks on packed software detection (January 2012)
- 📓 Denial-of-service attacks on host-based generic unpackers (December 2009)
- 📓 Design and performance evaluation of binary code packing for protecting embedded software against reverse engineering (May 2010)
- 📓 Detecting packed executables using steganalysis (December 2014)
- 📓 Detection of packed malware (August 2012)
- 📓 Dynamic binary instrumentation for deobfuscation and unpacking (November 2009)
- 📓 Dynamic classification of packing algorithms for inspecting executables using entropy analysis (October 2013)
- 📓 Efficient malware packer identification using support vector machines with spectrum kernel (July 2013)
- 📓 An empirical evaluation of an unpacking method implemented with dynamic binary instrumentation (September 2011)
- 📓 ESCAPE: Entropy score analysis of packed executable (October 2012)
- 📓 A fast flowgraph based classification system for packed and polymorphic malware on the endhost (April 2010)
- 📓 A fine-grained classification approach for the packed malicious code (October 2012)
- 📓 Generic unpacker of executable files (April 2015)
- 📓 Generic unpacking method based on detecting original entry point (November 2013)
- 📓 Generic unpacking techniques (February 2009)
- 📓 Gunpack: Un outil générique d'unpacking de malwares (June 2016)
- 📓 A heuristic approach for detection of obfuscated malware (June 2009)
- 📓 An implementation of a generic unpacking method on Bochs Emulator (September 2009)
- 📓 Information theoretic method for classification of packed and encoded files (September 2015)
- 📓 Mal-EVE: Static detection model for evasive malware (August 2015)
- 📓 Malware obfuscation techniques: A brief survey (November 2010)
- 📓 McBoost: Boosting scalability in malware collection and analysis using statistical classification of executables (December 2008)
- 📓 Modern linux malware exposed (June 2018)
- 📓 The new signature generation method based on an unpacking algorithm and procedure for a packer detection (February 2011)
- 📓 OPEM: A static-dynamic approach for machine-learning-based malware detection (September 2012)
- 📓 Packed PE file detection for malware forensics (December 2009)
- 📓 Packer classifier based on PE header information (April 2015)
- 🎓 Pandora's Bochs: Automatic unpacking of malware (January 2008)
- 📓 PEAL - Packed executable analysis (January 2012)
- 📓 RAMBO: Run-Time packer analysis with multiple branch observation (July 2016) ⭐
- 🎓 REFORM: A framework for malware packer analysis using information theory and statistical methods (April 2010)
- 📓 Semi-supervised learning for packed executable detection (September 2011)
- 📓 Semi-supervised learning for unknown malware detection (April 2011)
- 📓 SPADE: Signature based packer detection (August 2012)
- 📓 The study of evasion of packed PE from static detection (June 2012)
- 📓 Survey on malware evasion techniques: State of the art and challenges (February 2012)
- 📓 Thwarting real-time dynamic unpacking (January 2011)
- 📓 Toward generic unpacking techniques for malware analysis with quantification of code revelation (August 2009)
- 🎓 Unpacking framework for packed malicious executables (July 2013)
📑 Datasets / Scientific Research
- CyberCrime - C² tracking and malware database.
- Dataset of Packed PE (⭐29) - Sanitized version of the original dataset, PackingData, removing packed samples from the Notpacked folder but also samples in packer folders that failed to be packed (having the same hash as the original unpacked executable).
- Malfease - Dataset of about 5,000 packed malware samples.
- Malheur - Contains the recorded behavior of malicious software (malware) and has been used for developing methods for classifying and clustering malware behavior (see the JCS article from 2011).
- OARC Malware Dataset - Semi-public dataset of 3,467 samples captured in the wild from Sep 2005 to Jan 2006 by mail traps, user submissions, honeypots and other sources aggregated by the OARC, available to qualified academic and industry researchers upon request.
- Packware (⭐83) - Datasets and codes that are needed to reproduce the experiments in the paper "When Malware is Packing Heat".
- Runtime Packers Testset - Dataset of 10 common Malware files, packed with about 40 different runtime packers in over 500 versions and options, with a total of about 5,000 samples.
- ViruSign - Another online malware database.
- VXvault - Online malware database.
📦 Packers / After 2010
- Alienyze - Advanced software protection and security for Windows 32-bit executables.
- Alternate EXE Packer - Compression tool for executable files (type EXE) or DLLs relying on UPX 3.96.
- Amber (⭐1.2k) - Position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS).
- ASPack - Advanced solution created to provide Win32 EXE file packing and to protect them against non-professional reverse engineering.
- ASProtect 32 - Multifunctional EXE packing tool designed for software developers to protect 32-bit applications with in-built application copy protection system.
- ASProtect 64 - Tool for protecting 64-bit applications and .NET applications for Windows against unauthorized use, industrial and home copying, professional hacking and analysis of software products distributed over the Internet and on any physical media.
- AutoIT - Legitimate executable encryption service.
- AxProtector - Encrypts the complete software you aim to protect and shields it with a security shell, AxEngine; best-of-breed anti-debugging and anti-disassembly methods are then injected into your software.
- BangCle (⭐389) - Protection tool using the second generation Android Hardening Protection, loading the encrypted DEX file from memory dynamically.
- Bero - Bero EXE Packer (BEP) for 32-bit windows executables.
- Code Virtualizer - Code Virtualizer is a powerful code obfuscation system for Windows, Linux and macOS applications that helps developers to protect their sensitive code areas against Reverse Engineering with very strong obfuscation code, based on code virtualization.
- ConfuserEx (⭐2.4k) - An open-source, free protector for .NET applications.
- Crinkler (⭐1.1k) - Compressing linker for Windows, specifically targeted towards executables with a size of just a few kilobytes.
- DarkCrypt - Simple and powerful plugin for Total Commander used for file encryption using 100 algorithms and 5 modes.
- DexGuard - Android app obfuscation & security protocols for mobile app protection.
- DexProtector - Multi-layered RASP solution that secures your Android and iOS apps against static and dynamic analysis, illegal use and tampering.
- DotNetZ - Straightforward and lightweight, command-line piece of software written in C that allows you to compress and pack Microsoft .NET Framework executable files.
- Eronona-Packer (⭐46) - This is a packer for exe under win32.
- Ezuri (⭐223) - A Simple Linux ELF Runtime Crypter.
- GzExe - Utility that allows compressing executables as a shell script.
- NetCrypt (⭐58) - A proof-of-concept packer for .NET executables, designed to provide a starting point to explain the basic principles of runtime packing.
- Origami (⭐164) - Packer compressing .NET assemblies, (ab)using the PE format for data storage.
- Pakkero (⭐250) - Pakkero is a binary packer written in Go made for fun and educational purpose.
- PELock - Software protection system for Windows executable files; protects your applications from tampering and reverse engineering, and provides extensive support for software license key management, including support for time trial periods.
- PePacker (⭐49) - Simple PE file packer which encrypts the .text section and adds a decryption stub to the end of the last section.
- PEShield - PE-SHiELD is a program, which encrypts 32-bit Windows EXE files, leaving them still executable.
- PEtite - Free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor.
- Smart Packer - Packs 32 & 64-bit applications with DLLs, data files, 3rd party run-time into one single executable that runs instantly, with no installs or hassles.
- Themida - From Renovo paper: Themida converts the original x86 instructions into virtual instructions in its own randomized instruction set, and then interprets these virtual instructions at run-time.
📦 Packers / Between 2000 and 2010
- 20to4 - Executable compressor that is able to stuff about 20k of finest code and data into less than 4k.
- ACProtect - Application that allows protecting Windows executable files against piracy, using RSA to create and verify the registration keys and unlock code.
- AHPack - PE and PE+ file packer.
- Application Protector - Tool for protecting Windows applications.
- AT4RE Protector - Very simple PE files protector programmed in ASM.
- AverCryptor - Small and very handy utility designed to encrypt notes in which you can store any private information - it helps to hide your infection from antiviruses.
- BurnEye - Burneye ELF encryption program, x86-linux binary.
- ByteBoozer - Commodore 64 executable packer.
- Exe32Pack - Compresses Win32 EXEs, DLLs, etc and dynamically expands them upon execution.
- eXPressor - Used as a compressor this tool can compress EXE files to half their normal size.
- FSG - Fast Small Good, perfect compressor for small exes, eg.
- GHF Protector - Executable packer / protector based on open source engines Morphine and AHPack.
- Kkrunchy - Kkrunchy is a small exe packer primarily meant for 64k intros.
- mPack - mario PACKer, simple Win32 PE Executable compressor.
- NSPack - 32/64-bit exe, dll, ocx, scr Windows program compressor.
- NTPacker - PE file packer relying on aPlib for compression and/or XOR for encryption.
- RLPack - Compresses your executables and dynamic link libraries in a way that keeps them small and has no effect on compressed file functionality.
- sePACKER - Simple Executable Packer compresses the code section of executables in order to decrease the size of binary files.
- Shiva - Shiva is a tool to encrypt ELF executables under Linux.
- tElock - Telock is a practical tool that intends to help developers who want to protect their work and reduce the size of the executable files.
- XComp - PE32 image file packer and rebuilder.
- Yoda Crypter - Supports polymorphic encryption, SoftICE detection, anti-debug APIs, anti-dumping, etc.; encrypts the Import Table and erases the PE Header.
📦 Packers / Before 2000
- 32Lite - Compression tool for executable files created with Watcom C/C++ compiler.
- 624 - COM packer that can compress COM programs shorter than 25000 bytes.
- AVPack - Encrypts EXE or COM files so that they'll be able to start on your PC only.
- AXE - Program compression utility.
- CEXE - Compresses an input EXE into a smaller executable (only runs on WinNT, Win2000 and above - won't run on Win95 or Win98).
- PEBundle - Physically attaches DLL(s) to an executable, resolving dependencies in memory.
- SysPack - Device drivers compressor.
- VGCrypt - PE crypter for Win95/98/NT.
- XPA - DOS executable packer.
🔧 Tools / Before 2000
- Assiste (Packer) - Assiste.com's example list of packers.
- AVClass (⭐464) - Python tools to tag / label malware samples.
- de4dot (⭐7k) - .NET deobfuscator and unpacker.
- DIE (⭐2.4k) - Detect It Easy; program for determining types of files.
- Emulator - Symantec Endpoint Protector (from v14) capability to create a virtual machine on the fly to identify, detonate, and eliminate malware hiding inside custom malware packers.
- EtherUnpack - Precision universal automated unpacker (successor of PolyUnpack).
- EXETools - Forum for reverse engineering and executable packing related topics.
- Justin - Just-In-Time AV scanning; generic unpacking solution.
- Malheur (⭐368) - Tool for the automatic analysis of malware behavior (recorded from malicious software in a sandbox environment).
- MalUnpack (⭐657) - Dynamic unpacker based on PE-sieve.
- OEPdet - Automated original-entry-point detector.
- OllyDbg Scripts (⭐9) - Collection of OllyDbg scripts for unpacking many different packers.
- OmniUnpack - New technique for fast, generic, and safe unpacking of malware by monitoring the execution in real-time and detecting the removed layers of packing.
- PackerID (⭐42) - Fork of packerid.py using PEid signatures and featuring additional output types, formats, digital signature extraction, and disassembly support.
- Pandora's Bochs - Extension to the Bochs PC emulator to enable it to monitor execution of the unpacking stubs for extracting the original code.
- PE Compression Test - List of packers tested on a few sample executables for comparing compressed sizes.
- PE Detective - This GUI tool can scan single PE files or entire directories (also recursively) and generate complete reports.
- PE-bear (⭐767) - Freeware reversing tool for PE files aimed to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files.
- Pefeats (⭐2) - Utility for extracting 119 features from a PE file for use with machine learning algorithms.
- Pefile (⭐1.9k) - Multi-platform Python module to parse and work with Portable Executable files.
- Renovo - Detection tool built on top of TEMU (dynamic analysis component of BitBlaze) based on the execution of newly-generated code and monitoring memory writes after the program starts.
- SymPack - Safe, portable, largely effective but not generic library for packing detection and unpacking; part of the Norton Antivirus solution.
- Titanium Platform - Machine learning hybrid cloud platform that harvests thousands of file types at scale, speeds threat detection through machine learning binary analysis, and continuously monitors an index of over 10B files for future threats.
- Unpckarc - Packed executables detection tool relying on several heuristics.
Jan 13, 2022
📑 Datasets / Scientific Research
- Ember (⭐945) - Collection of features from PE files that serve as a benchmark dataset for researchers.
- MalShare - Free Malware repository providing researchers access to samples, malicious feeds, and Yara results.
- MalwareGallery - Yet another malware collection on the Internet.
- PackingData (⭐11) - Original dataset with sample PE files packed with a large variety of packers, including ASPack, BeRoEXEPacker, exe32pack, eXpressor, FSG, JDPack, MEW, Molebox, MPRESS, Neolite, NSPack, Pckman, PECompact, PEtite, RLPack, UPX, WinUpack, Yoda's Crypter and Yoda's Protector.
- SOREL (⭐637) - Sophos-ReversingLabs 20 Million dataset.
- theZoo (⭐11k) - Project created to make the possibility of malware analysis open and available to the public.
- VirusTotal - File analysis Web service for detecting malware.
- WildList - Cooperative listing of malwares reported as being in the wild by security professionals.
📦 Packers / After 2010
- Andromeda - Custom packer used in malware campaigns using RunPE techniques for evading AV mitigation methods.
- BIN-crypter - EXE protection software against crackers and decompilers.
- ELFuck (⭐32) - ELF packer for i386, original version from sk2 by sd.
- LM-X License Manager - LM-X License Manager lets you protect your products against piracy by enforcing various levels of security, save time, and reduce business risks.
- m0dern_p4cker (⭐42) - Just a modern packer for ELF binaries (works on Linux executables only).
- MidgetPack (⭐197) - Midgetpack is a binary packer for ELF binaries, such as burneye, upx or other tools.
- Obsidium - Feature-rich professional software protection and licensing system designed as a cost effective and easy to implement, yet reliable and non-invasive way to protect your 32- and 64-bit Windows software applications and games from reverse engineering.
- PE-Packer (⭐326) - Simple packer for Windows 32-bit PE files.
- PE-Toy (⭐9) - A PE file packer.
- Silent-Packer (⭐80) - Silent Packer is an ELF / PE packer written in pure C.
- Simple-PE32-Packer (⭐10) - Simple PE32 Packer with aPLib compression library.
- theArk (⭐52) - Windows x86 PE Packer In C++.
- UPX - Ultimate Packer for eXecutables.
- xorPacker (⭐14) - Simple packer working with all PE files which ciphers your exe with a XOR implementation.
📦 Packers / Between 2000 and 2010
- Yoda Protector - Free, open source, Windows 32-bit software protector.
🔧 Tools / Before 2000
- Android Unpacker (⭐1.1k) - Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0.
- aPLib - Compression library based on the algorithm used in aPACK.
- AppSpear (⭐42) - Universal and automated unpacking system suitable for both Dalvik and ART.
- Bintropy (⭐42) - Prototype analysis tool that estimates the likelihood that a binary file contains compressed or encrypted bytes.
- BitBlaze - Analysis platform that features a novel fusion of static and dynamic analysis techniques, mixed concrete and symbolic execution, and whole-system emulation and binary instrumentation, all to facilitate state-of-the-art research on real security problems.
- Clamscan Unpacker - Unpacker derived from ClamAV.
- de4js (⭐1.3k) - JavaScript Deobfuscator and Unpacker.
- EXEInfo-PE (⭐750) - Fast detector for executable PE files.
- GUnpacker - Shell tool that performs OEP positioning and dumps decrypted code.
- Manalyze (⭐1k) - Robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth.
- PackerAttacker (⭐268) - Tool that uses memory and code hooks to detect packers.
- PackerBreaker - Tool for helping unpack, decompress and decrypt most of the programs packed, compressed or encrypted using advanced emulation technology.
- PackerGrind (⭐34) - Adaptive unpacking tool for tracking packing behaviors and unpacking Android packed apps.
- Packing-Box (⭐49) - Docker image gathering many packing-related tools and for making datasets of packed executables for use with machine learning.
- PEFrame (⭐610) - Tool for performing static analysis on PE malware and generic suspicious files.
- PEiD - Packed Executable iDentifier.
- PEiD (yara) (⭐17) - Yet another implementation of PEiD with yara.
- PeLib (⭐63) - PE file manipulation library.
- PINdemonium (⭐227) - Unpacker for PE files exploiting the capabilities of PIN.
- PolyUnpack (⭐12) - Implementation attempt of the general approach for extracting the original hidden code of PE files without any heuristic assumptions.
- PyPackerDetect (⭐29) - Small Python script/library to detect whether an executable is packed.
- PyPackerDetect (refactored) (⭐21) - A complete refactoring of the original project to a Python package with a console script to detect whether an executable is packed.
- PyPeid (⭐6) - Yet another implementation of PEiD with yara-python.
- Quick Unpack - Generic unpacker that facilitates the unpacking process.
- Unipacker (⭐653) - Automatic and platform-independent unpacker for Windows binaries based on emulation.
- Uunp (IDA Pro plugin) - IDA Pro debugger plug-in module automating the analysis and unpacking of packed binaries.
- VMUnpacker - Unpacker based on the technology of virtual machine.