See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/269838084

PE File Features in Detection of Packed Executables

Article in International Journal of Computer Theory and Engineering · January 2012

DOI: 10.7763/IJCTE.2012.V4.512

CITATIONS READS

23 1,907

2 authors, including:

Sukumar Nandi
Indian Institute of Technology Guwahati
449 PUBLICATIONS 5,289 CITATIONS

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Aloe: Fault tolerant SDN View project

Power distribution network analysis and optimization View project

All content following this page was uploaded by Sukumar Nandi on 11 January 2016.

The user has requested enhancement of the downloaded file.

 International Journal of Computer Theory and Engineering, Vol. 4, No. 3, June 2012

PE File Features in Detection of Packed Executables

Dhruwajita Devi and Sukumar Nandi

 Here, in this paper section II briefly describes the Portable

Abstract— Portable executable or PE file features play a key Executable file format. Section III explains functioning of
role in detection of packed executables. Packing performs a lot UPX packer in a nutshell. Section IV describes our approach
of changes to the internal structure of PE files in such a way that followed by section V that includes the experimental part.
it makes it very difficult for any Reverse Engineering
Technique, Anti-Virus (AV) scanner or similar kind of
Section VI finally concludes the paper which is followed by
programs to figure out whether the executable is malware or various references.
benign. Therefore, it is very important to figure out whether a
given executable is packed or non-packed before detecting it as
malicious or benign. Once a binary is detected as packed, it can II. PORTABLE EXECUTABLE FILE STRUCTURE
be unpacked and can be given to AV or similar kind of
programs. In this paper we have included a brief description of Before going to experimental section, here we give a very
Portable Executable file format as we need to know the internal brief description about the portable executable file structure.
structure of PE before figuring out Packed Portable We know that the PE layout itself is a huge structure. But
Executables. We have considered the packed executable by briefly it is given as follows.
UPX packer only, and hence mentioned the functioning of UPX This section starts out with familiar MS dos header
packer very briefly. Our approach basically works in two
followed by PE header. The PE Header itself contains three
phases. In the first phase, it extracts various features of portable
executables and in the second phase it analyses the extracted sections namely File header, Optional header and Section
features and comes up with best set of features, which can be header, as in [5], [6], [7]. Code and Data sections are for
used to identify whether a given binary is packed or not by UPX holding the code of the program and initialized data. Import
Packer. Experimental results are shown to the end of this paper. is for importing functions needed by programs at the time of
We figure out the key feature set with proper justifications to run time. Some of the most common resources are Icons,
show differences between packed and non-packed executable by
Version information, GUI resources etc.
UPX packer.
At a minimum, a PE file will have two sections, one for
Index Terms—Malware, non-packed, packed, portable code and the other for data. The predefined and the most
executable. commonly present sections for an application of Windows
NT are: Executable Code Section, named .text, Data Sections,
named .data, .rdata, or .bss, Resources Section, named .rsrc,
I. INTRODUCTION Export Data Section, named .edata, Import Data Section,
Pcking technique makes it easier for the writer of the named .idata, Debug Information Section, named .debug, as
malicious softwares to hide their malicious code from in [8]. Moreover, two more sections which are common in
Anti-Virus or similar kind of a program. This is one of the most of the times are .reloc for Relocation information
most popular obfuscation techniques among all obfuscation and .tls section, which stands thread local storage. Windows
techniques available, as in [1]. It is easier to collect packer supports this special storage class in which a data object is
softwares since several open source and commercial not a stack variable, but is still local to each individual thread
executables packers are available in the market. In a very that runs the code. Therefore, each thread can maintain a
simple way, we can define packing as an executable inside different value for a variable declared by using TLS.
another executable. A Packer is basically a software which All the above mentioned sections are called standard sections.
produces a number of data blocks that form the compressed If there are sections rather than the standard sections, are
and/or encrypted version of the original executable, as in [2]. called nonstandard sections, as in [9]. Each and every section
A packer always inserts one unpacker stub inside the has its own header structure. The data items of the structures
resultant executable itself to unpack the packed original are the key feature for analyzing any executable as packed or
executable at the time of runtime, as in [1]. The packing non-packed.
techniques vary from packer to packer. It is because different
types of writer have different types of motivation for writing
source code of his/her own packer. III. FUNCTIONING OF UPX PACKER IN A NUTSHELL
Some of the packers uses more sophisticated technique to UPX is the most popular among all the packer softwares.
eavade detection. Multilayer-packing, Anti-unpacking are Compression and/or Encryption techniques of all the packers
some of these techniques, as in [3]. Examples of such packers vary based on the code of their writers. UPX packer packs all
are Enigma, as in [3], Themida, as in [4] etc. the sections present in the input binary into a single section
called packed data. It also includes unpacker code along with
the packed data forming one nonstandard section in the
Manuscript received March 8, 2012; revised May 10, 2012.
resulting binary called UPX1. UPX0 is one more section in
Dhruwajita Devi, Sukumar Nandi, Indian Institute of Technology
Guwahati, Assam India (e-mail: {dhruwajita.devi, sukumar} @ iitg.ernet.in). the resulting output binary. It is empty and reserves an

476
 International Journal of Computer Theory and Engineering, Vol. 4, No. 3, June 2012

address range. The address range is needed by the packed with a feature set of four main features which can be used to
data when it gets unpacked by the unpacker code at the time figure out packed executables by UPX packer. These features
of runtime. If the input binary possessed a .rsrc section, the are given in table.
resulting output binary will also have one .rsrc or resource TABLE I: LIST OF FEATURES
section and if the input binary did not have a .rsrc section, the
output binary also would not have it, as in [3]. 1 2 3 4
Entropy Size Of Size Of Headers Size of Raw Data
(ENTP) Uninitialized (SOH) (SORD)
Data (SOUID)
IV. OUR APPROACH
We can devide our approach into two phases basically.
The graphical representation of the difference between
First phase is feature extraction and second is the analysis
the executables packed and non-packed by UPX packer are
phase. Based on our extraction mechanism and observation,
also shown along with the justification of the features.
we come up with the best set of features with which we can
definitely differentiate the executables Packed and A. Entropy (ENTP)
non-Packed by UPX Packer. The pictorial representation of Entropy can be considered as one of the major feature in
our approach is as follows : classification of packed and non-packed executables. It is a
measure of the inherent randomness in a probability
distribution. Packing method conceals malicious
executables’ string, data and code. These methods transform
some or all of the original bytes into a series of
random-looking data bytes. That is why entropy of a packed
executable is always higher than a non-packed executable.

Fig. 1. Pictorial representation of our approach

We can visualize our approach by looking at the figure

given above. It is basically comprised of two steps Feature
Fig. 2. Entropy
Extraction and Analysis as mentioned.
B. Size of Uninitialized Data (SOUID):
Compressed sections usually have the UNINITIALIZED
V. EXPERIMENTS DATA flag enabled. It is because of the null size on disk. The
Initially we did manual extraction of features to have an loader takes the compressed sections and unpacks them to
idea about the features. We examine each of the portable their original memory locations at the time of execution.
executables we had after and before packing by UPX packer.
For this purpose, we dump the files using Dumpbin Gui, as in
[10], which is freely available. We collected UPX packer, as
in [11] to pack the executable we collected.
We develop a C language program to extract features from
the portable executable files. We collected 4095 executables
files. Among them 2992 were malicious programs
downloaded from http://offensivecomputing.net/. 1103 were Fig. 3. Size of uninitialized data.
benign executables collected from a newly installed windows C. Size of Headers (SOH):
machine and some other common software applications. We UPX packer wraps the whole exe into the packed data
extract a lot many features from the executables before and along with the unpacker code in UPX1. We know that the
after packed by UPX packer. size of the header contains the size of the PE Header and the
Windows is mostly written in C and C++. Therefore it is section table. That is why the size of header of the resultant
easier to extract the features of the portable executable files. PE after packed by UPX is generally greater than or
We have extracted most of the features through our program. sometimes equal to the size of exe not packed by UPX.
16 features from DOS Header are extracted. PE header
comprised of three parts, namely File header, optional header
and Section header. We extracted 6, 29 features from file
header and optional header respectively. Again, 10 features
from each section in the section header. We also calculate the
entropy of each and every file, after and before packing the
same.
After a lot many observations and analysis, we come up
Fig. 4. Size of headers.

477
 International Journal of Computer Theory and Engineering, Vol. 4, No. 3, June 2012

D. Size of Raw Data (SORD): unpack it, we can give it to antivirus or equivalent softwares
UPX packer changes the RAWSIZE of each packed to detect whether the file is malicious or benign. Hence, we
section to 0. The size in memory remains unchanged, because can conclude that it is making life easier for traditional
the program still has to execute normally and be unpacked at signature-based softwares to detect malicious executables.
its original location. If the RAWSIZE is null, it means the
section is non-existent on disk. ACKNOWLEDGMENT
The authors would like to thank Mr. Neminath Hubballi
for his contribution during discussion related to this work.

REFERENCES
[1] R. Lyda and J. Hamrock, “Using Entropy Analysis to Find Encrypted
and Packed Malware,” IEEE Security and Privacy, March/April 2007.
[2] M. Howard, “Revealing Packed malware,” IEEE Security and Privacy,
September/October 2008.
Fig. 5. Size of raw data (SORD). [3] F. Guo, P. Ferrie, and T. Chiueh, “A Study of the Packer Problem and
Its Solutions,” RAID 2008, LNCS 5230, pp. 98–115.
Different packers have different key features. The features [4] L. Sun, S. Versteeg, S. Boztas, and T. Yann, “Pattern Recognition
vary packer to packer as it depends on the implementation Techniques for the Classification of Malware Packers,” ACISP 2010,
LNCS 6168, pp. 370–390.
and the platform it is running on. [5] M. Pietrek, Peering Inside the PE: A Tour of the Win32 Portable
Executable File Format, 25th of Nov 2010.
[6] G. Erdelyi, Reverse Engineering III: PE Format.
[7] Loading a DLL from memory. [Online]. Available:
VI. CONCLUSION http://www.joachim-bauch.de/tutorials/loading-a-dll-from-memory/
In this paper, we present four features of portable [8] Goppit, Portable Executable File Format – A Reverse Engineer View,
2006.
executable which are key feature to differentiate executables [9] R. Perdisci, A. Lanzi, and W. Lee, “Classification of Packed
packed and non-packed by UPX packer. It is always tedious Executables for Accurate Computer Virus Detection,” Elsevier, vol. 25
to figure out malicious or benign executable once a PE is got June 2008.
[10] DumpbinGUI. [Online]. Available:
packed. Therefore, our approach makes it easier to figure out
http://www.cheztabor.com/dumpbinGUI/
whether an executables is packed or not by UPX just by [11] Softpedia. [Online]. Available:
extracting the feature set comprised of these four. Once an http://www.softpedia.com/dyn-postdownload.php?p=90710andt=4and
executable is detected as packed, we can unpack using i=1
universal unpacker for e.g. PolyUnpack. As soon as we

478

View publication stats