Doesn't detect UPX packed executable

[zbuc]

There's an example from the book Practical Malware Analysis that is packed with UPX that isn't detected by packerid.

http://practicalmalwareanalysis.com/labs/

The example is Lab01-02.exe. packerid returns "None" when it should detect UPX.

If you examine the sections in the PE binary, you'll see that it has UPX sections and the UPX unpacker works against the file.

[david-r-cox]

Interesting, any thoughts on why it fails? Have you gotten it to successfully detect other UPX binaries?

[zbuc]

I haven't had a chance to look at how packerid performs detection yet.

The book called out the fact that PEid for Windows didn't detect UPX properly on the binary, so I checked how packerid fared, which also failed to detect the packing.

[sooshie]

Could be a couple of different reasons. packerid uses pefile which is based off PEiD and uses it's signatures.

The signature available could be less than great, and there are a couple of minor issues with how pefile handles PEiD signatures. I've fixed a couple, but haven't gotten around to fixing all of them yet.

Mostly unrelated. I've been working on some new ways to do packer detection that are not based off PEiD. They'll be released later this summer at Defcon, and I'll eventually get them wrangled into packerid.