Abstract

Executable packers are a kind of software-protection tool originally designed to conceal the contents of important programs from malicious reverse engineering. However, packing has also become one of the most prevalent code-obfuscation techniques in the malware community. Using compression and encryption, packers alter the appearance of malware to defeat detection mechanisms such as pattern matching and heuristic analysis. Therefore, a generic packing detection framework (PDF) is proposed in this study. The framework first statically examines the Portable Executable (PE) file of each executable to gather a set of executable-related raw attributes. After a subsequent attribute-refinement process provided by PDF, the valuable attributes are extracted and used to train a two-class support vector machine (SVM) classifier that recognizes whether an executable is packed. Evaluated on 1,056 non-packed and 3,784 packed executables, the results show that PDF is promising for packing detection.
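As an added illustration of the static attribute-gathering step described above (this is not code from the paper), a minimal Python parser walks a PE section table and computes per-section Shannon entropy and a few raw attributes that could feed a classifier. The attribute set, the 7.0 entropy threshold, and the inline PE image are constructed assumptions, not the paper's.

```python
import math, struct

def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0); empty input yields 0.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe):
    """DOS header -> PE signature -> COFF header -> section table entries."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sections = []
    for i in range(num_sections):
        off = coff + 20 + opt_size + 40 * i  # section table follows the optional header
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, raddr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rsize,
                         "entropy": shannon_entropy(pe[raddr:raddr + rsize])})
    return sections

def raw_attributes(pe):
    """Static attributes that often separate packed from non-packed PEs (assumed set)."""
    secs = parse_sections(pe)
    return {
        "section_count": len(secs),
        "max_section_entropy": max((s["entropy"] for s in secs), default=0.0),
        "high_entropy_sections": sum(s["entropy"] > 7.0 for s in secs),
        "virtual_only_sections": sum(s["raw_size"] == 0 and s["virtual_size"] > 0 for s in secs),
    }

def build_sample_pe(sections):
    """Construct a minimal, non-executable PE image for offline testing (assumption)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # no optional header
    raw_off = 0x40 + 4 + 20 + 40 * len(sections)
    table, data = b"", b""
    for name, vsize, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, 0x1000, len(raw), raw_off + len(data)) + b"\0" * 16
        data += raw
    return dos + b"PE\0\0" + coff + table + data

SAMPLE_PE = build_sample_pe([
    (b".text", 0x400, b"\x90" * 1024),          # constructed: single byte value, entropy 0.0
    (b".data1", 0x400, bytes(range(256)) * 4),  # constructed: every byte value equally often, entropy 8.0
    (b".bss0", 0x4000, b""),                    # constructed: virtual-only section with no raw bytes
])
```

A real packed sample typically shows one or more near-8.0 sections next to a section that exists only in memory, which is exactly the pattern the constructed image reproduces.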
