Detecting Packed PE Files : Executable file analysis for the Windows operating system

Abstract

Malware authors invent new methods regularly to hide and obfuscate their code. One of these methods is known as packing. An entire program is hidden inside another executable program; however, the hidden program is usually encrypted or obfuscated such that antivirus software cannot detect its real intent without unpacking it. This thesis will look into common PE packers and describe the development of an application used to detect packed PE binaries using static analysis. This thesis is useful for reverse engineers and antivirus developers; it will give some insight into the world of packing binaries, compression methods, and encryption methods. The thesis will also gather some statistics around packed PE binaries, using a prototype to analyze 225K viruses.